Microsoft Security Operations Analyst Exam Ref SC-200 Certification Guide by Trevor Stuart & Joe Anich
Author: Trevor Stuart & Joe Anich
Language: eng
Format: epub
Publisher: Packt
Published: 2022-12-15T00:00:00+00:00
Figure 6.4 – Alert management page
From this pane, you can see quite a bit of useful detail. We will get into incident linking later on in this chapter, but for now, we will cover alert management as a whole.
Alert suppression
So, how would you want to potentially suppress alerts? There might be situations where you have already verified an alert, or you know of a business process that proves the alert reflects standard operations. In these scenarios, the ability to suppress alerts will be very handy for you and your team. What is really cool is that Microsoft Defender for Endpoint allows you to create suppression rules for any alerts that are known within your environment to be safe: these can be known tools, processes, or procedures in your environment. People often refer to these as false positives. Once you onboard devices at large in your enterprise, you will commonly see multiple alerts coming into your queue, some valid, but many of them false positives. Do not worry! This is expected. As mentioned before, Microsoft Defender for Endpoint (MDE) uses User Entity Behavioral Analytics (UEBA) and ML to give you a better understanding of what requires your immediate attention, and with this comes a learning period for your environment specifically. This frequently shows up as alerts being generated that are not true alerts. Alert suppression helps in this scenario, not only by removing the alert from your queue, but also by training the model on what is normal and what is abnormal in your enterprise.
Suppression rules can be created from any existing alert, and once created they can be disabled and re-enabled as you see fit for your environment. One thing to remember is that a suppression rule takes effect as soon as you create it, but only going forward: any existing alerts that would fall under this suppression will not be affected, so you must go in and clear any existing alerts that correlate to it. Simple enough!
Whenever you create an alert suppression, you will have two different contexts:
Suppress alert on this device
Suppress alert in my organization
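To make the two behaviours above concrete (rules only affect alerts raised after the rule is created, and a rule is scoped either to one device or to the whole organization), here is an added simulation of a suppression engine. It is example code written for this section, not part of the book or of Microsoft Defender for Endpoint; matching on alert title and the sample alerts and rules are constructed simplifications, since real rules use richer conditions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

@dataclass
class Alert:
    alert_id: str
    device_id: str
    title: str
    created: datetime

@dataclass
class SuppressionRule:
    title: str                      # alert title the rule matches (simplification)
    scope: str                      # "device" or "organization"
    created: datetime               # rule creation time; applies going forward only
    device_id: Optional[str] = None # required when scope == "device"
    enabled: bool = True            # rules can be disabled and re-enabled

def rule_matches(rule: SuppressionRule, alert: Alert) -> bool:
    """True when an enabled rule suppresses this alert."""
    if not rule.enabled or alert.title != rule.title:
        return False
    if alert.created < rule.created:
        return False  # pre-existing alerts stay in the queue; clear them by hand
    if rule.scope == "device":
        return alert.device_id == rule.device_id
    return rule.scope == "organization"

def apply_suppression(alerts: List[Alert], rules: List[SuppressionRule]) -> Tuple[List[str], List[str]]:
    """Split a queue into (still visible, suppressed) alert ids."""
    visible, suppressed = [], []
    for alert in alerts:
        (suppressed if any(rule_matches(r, alert) for r in rules) else visible).append(alert.alert_id)
    return visible, suppressed

def example_queue() -> Tuple[List[str], List[str]]:
    """Constructed sample: rules created at 12:00 on a queue spanning the day."""
    t = lambda hh: datetime(2022, 12, 1, hh, 0)
    alerts = [
        Alert("a1", "dev-A", "Suspicious PowerShell", t(9)),   # raised before the rule
        Alert("a2", "dev-A", "Suspicious PowerShell", t(13)),  # after the rule, same device
        Alert("a3", "dev-B", "Suspicious PowerShell", t(13)),  # after the rule, other device
        Alert("a4", "dev-B", "Backup tool rename", t(14)),     # org-wide rule applies
        Alert("a5", "dev-C", "Unsigned driver load", t(15)),   # rule exists but is disabled
    ]
    rules = [
        SuppressionRule("Suspicious PowerShell", "device", t(12), device_id="dev-A"),
        SuppressionRule("Backup tool rename", "organization", t(12)),
        SuppressionRule("Unsigned driver load", "organization", t(12), enabled=False),
    ]
    return apply_suppression(alerts, rules)

if __name__ == "__main__":
    print(example_queue())  # (['a1', 'a3', 'a5'], ['a2', 'a4'])
```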