
Exclude Identities from Microsoft Defender Identity Alerts

Exclude Entities from Microsoft Defender Identity Alerts

Docs and Sources

Description | Link
Exclusions in Microsoft Defender for Identity | MDI Exclusions
  

Microsoft Defender for Identity offers various built-in detection rules. These rules also alert on valid scenarios, for example Domain Controllers performing DCSync or accounts running remote code. You can exclude these users, devices and IP addresses from specific rules or from all rules. Here is how:


Exclusions in the Microsoft 365 Defender Portal

Exclusions by Rule

Navigate to:
Microsoft 365 Defender portal -> Settings -> Identities -> Excluded Entities -> Exclusions by detection rule

Select the rule you want to add exclusions to. You have the following options:

Exclusion Options

Select the entities you want to exclude and click Save.

Confirm that the newly added entities show up in the overview.

Exclusions Overview

The newly added Entities should be excluded in future alerts.


Global Exclusions

Navigate to:
Microsoft 365 Defender portal -> Settings -> Identities -> Excluded Entities -> Global Excluded Entities

Add the entities here that should be excluded from all Defender for Identity alerts.


This post is licensed under CC BY 4.0 by the author.