Nov 01 2023 10:05 AM
Goal: how to stop DLP alerts before they reach the tables. Not interested in using any automation or playbooks.
There is a single data connector which has Defender suite alerts. Even if no DLP alerts and incidents are enabled, they still reach Alerts and Incidents. No analytics rules are enabled.
We have separate teams for SOC and DLP under different organizations, and every team needs to see their own alerts. How do we stop them from reaching the tables in Sentinel?
Nov 01 2023 11:16 AM
From your description it sounds like you are getting these alerts from the Microsoft 365 Defender connector.
The only way I know is to use an Automation Rule to action these. You could take an Action of "Change Status" to "Closed" as an example, adding a comment or even a Tag.
Nov 01 2023 11:56 AM
Nov 01 2023 12:14 PM
@wonder_wolf if it's from M365 it's not the same as Purview. Personally I'd look at some of them and assess if you want to drop them in Sentinel. They will still be in the source system.
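The assessment suggested above, as an added KQL example that is not part of this thread: it inventories what the Microsoft 365 Defender connector has written to the SecurityAlert table, grouped by the provider and product that raised each alert, so the SOC and DLP teams can see which alert families are theirs before deciding what to close in Sentinel. It uses the standard SecurityAlert columns (ProviderName, ProductName, AlertName, Severity, TimeGenerated); the 7-day window and the DLP product-name string in the trailing comment are assumptions to confirm against your own output.

```kql
// Added example, not from the thread: inventory alerts by source product over the last 7 days
// (window is an assumption; widen it to cover a representative period in your workspace).
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize
    AlertCount = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SampleAlertNames = make_set(AlertName, 5)
    by ProviderName, ProductName, Severity
| order by AlertCount desc
// Once the DLP family's ProductName value is known from the output above, narrow to it by
// adding a line such as:  | where ProductName has "Loss Prevention"
// ("Loss Prevention" is an assumed label; use the exact string you see in your results).
```

Running this in the Logs blade of the Sentinel workspace gives each team a per-product count and a few sample alert names, which is usually enough to decide whether a family belongs to the SOC view, the DLP view, or only the source system.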
Nov 01 2023 02:30 PM
Nov 02 2023 03:02 AM
Nov 16 2023 06:42 AM
Nov 16 2023 07:34 AM
Dec 29 2023 10:15 AM - edited Dec 29 2023 10:20 AM
I have received a suggestion from an SME to filter at the LAW table level. Have you had experience doing that? To my knowledge, DCRs are only good for IaaS-level/AMA agent-level filtering?