Exclude Entities from Microsoft Defender Identity Alerts
Docs and Sources
Description | Link |
---|---|
Exclusions in Microsoft Defender for Identity | MDI Exclusions |
Microsoft Defender offers various built-in detection rules. These rules also alert on valid scenarios, for example domain controllers performing DCSync or accounts running remote code. You can exclude these users, devices and IP addresses from specific rules or from all rules. Here is how:
Exclusions in the Microsoft 365 Defender Portal
Exclusions by Rule
Navigate to:
Microsoft 365 Defender portal -> Settings -> Identities -> Excluded Entities -> Exclusions by detection rule
Select the rule you want to add exclusions to. You have the following options:
Select the entities you want to exclude and click Save.
Confirm that the newly added entities show up in the overview.
The newly added entities should be excluded from future alerts.
Global Exclusions
Navigate to:
Microsoft 365 Defender portal -> Settings -> Identities -> Excluded Entities -> Global Excluded Entities
Add the entities here that should be excluded from all Defender for Identity alerts.