
Configure Defender for Identity detection exclusions in Microsoft Defender XDR

This article explains how to configure Microsoft Defender for Identity detection exclusions in Microsoft Defender XDR.

Microsoft Defender for Identity enables the exclusion of specific IP addresses, computers, domains, or users from a number of detections.

For example, a DNS Reconnaissance alert could be triggered by a security scanner that uses DNS as a scanning mechanism. Creating an exclusion helps Microsoft Defender for Identity ignore such scanners and reduce false positives.

Note

  • We recommend that you tune an alert instead of using an exclusion. Alert tuning rules allow more granular conditions than exclusions, and they let you review the alerts that were tuned, whereas an excluded entity produces no alert at all.

  • For the Suspicious communication over DNS alert, the domains that customers most frequently excluded are added to the exclusions list by default. You can remove any of these default exclusions.

How to add detection exclusions

Note

When replacing an existing exclusion with an alert tuning rule, identify the detection associated with the excluded entity and map it to the corresponding detector in alert tuning. After creating the tuning rule, verify that the detector appears under Alert tuning in the Microsoft Defender portal to ensure that the intended alert scope is preserved.

  1. Sign in to the Microsoft Defender portal.

  2. Go to System > Settings and then Identities.

    Screenshot that shows the identities settings page in the Microsoft Defender portal.

  3. Select Excluded entities. You can set exclusions using two methods: Exclusions by detection rule and Global excluded entities.

    Screenshot of the excluded entities list.

Exclusions by detection rule

  1. Select Exclusions by detection rule.

    Screenshot of the exclusions by detection rule option.

  2. For each detection you want to configure, do the following steps:

    1. Select a detection rule from the list.

    2. View the detection rule details.

      Screenshot of the detection rule details.

    3. To add an exclusion, select the Excluded entities button.

    4. Choose the exclusion type. Different excluded entities are available for each rule. They include users, devices, domains, and IP addresses. In this example, the choices are Exclude devices and Exclude IP addresses.

      Screenshot showing the options to exclude devices or IP addresses.

    5. After choosing the exclusion type, select the + button to add the exclusion.

      Screenshot of the add exclusion button.

    6. Select + Add to add the excluded entity to the list.

      Screenshot showing how to add an entity to be excluded.

    7. Select Exclude IP addresses (in this example) to complete the exclusion.

      Screenshot showing the exclusion of IP addresses.

    8. Once you've added exclusions, you can export the list or remove the exclusions by returning to the Excluded entities button. In this example, we've returned to Exclude devices. To export the list, select the down arrow button.

      Screenshot showing how to return to exclude devices.

    9. To delete an exclusion, select the exclusion and select the trash icon.

      Screenshot showing how to delete an exclusion.

Global excluded entities

You can also configure exclusions by Global excluded entities. Global exclusions let you define entities (IP addresses, subnets, devices, or domains) to be excluded from all detections in Microsoft Defender for Identity. A global exclusion only takes effect in detections that evaluate that entity type: for example, a globally excluded device is ignored only by detections that identify a device as part of the detection, and has no effect on detections that work purely on IP addresses or domains.

  1. Select Global excluded entities to see the categories of entities that you can exclude.

    Screenshot showing the global excluded entities.

  2. Choose an exclusion type. In this example, we selected Exclude domains.

    Screenshot showing the option to exclude domains.

  3. A pane opens where you can add a domain to be excluded. Add the domain you want to exclude.

    Screenshot showing how to add a domain to be excluded.

  4. The domain is added to the list. Select Exclude domains to complete the exclusion.

    Screenshot showing how to exclude domains.

  5. You'll then see the domain in the list of entities to be excluded from all detection rules. You can export the list, or remove the entities by choosing them and selecting the Remove button.

    Screenshot showing the list of global excluded entries.
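Whichever method you use, a practitioner wants two checks around the exclusion: before adding it, which entities are actually generating the alert (a stable, frequent source such as a vulnerability scanner is an exclusion candidate; a one-off source is not), and after adding it, that alerts referencing the excluded entity have stopped. The following Advanced hunting (KQL) queries, run from Hunting > Advanced hunting in the Microsoft Defender portal, are an added example and are not part of the original article. They assume the AlertInfo and AlertEvidence tables are populated for your tenant, that the alert title contains "DNS" (as it does for the DNS reconnaissance alert discussed above), and that 203.0.113.10 is a placeholder for your scanner's address.

```kusto
// Added example (not from the article). Run each query on its own.
// Assumptions: Defender for Identity alerts appear in AlertInfo with
// ServiceSource "Microsoft Defender for Identity"; the DNS reconnaissance
// alert title contains "DNS"; 203.0.113.10 is a placeholder scanner IP.

// Query 1 - before excluding: which IPs and devices raise the DNS
// reconnaissance alert most often over the last 30 days? A source that
// fires steadily from FirstSeen to LastSeen is an exclusion candidate.
AlertInfo
| where Timestamp > ago(30d)
| where ServiceSource == "Microsoft Defender for Identity"
| where Title has "DNS"
| join kind=inner (
    AlertEvidence
    | where EntityType in ("Ip", "Machine")
    | project AlertId, EntityType, RemoteIP, DeviceName
  ) on AlertId
| summarize Alerts = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by Title, EntityType, RemoteIP, DeviceName
| order by Alerts desc

// Query 2 - after excluding: any new DNS reconnaissance alert that still
// references the excluded IP. Expect zero rows; a hit means the exclusion
// did not cover this detection or this entity type (for example, the rule
// was excluded by device but the evidence is only an IP address).
AlertInfo
| where Timestamp > ago(7d)
| where ServiceSource == "Microsoft Defender for Identity"
| where Title has "DNS"
| join kind=inner (
    AlertEvidence
    | where RemoteIP == "203.0.113.10"
    | project AlertId, RemoteIP, DeviceName
  ) on AlertId
| project Timestamp, AlertId, Title, RemoteIP, DeviceName
```

Query 1 is also the input you need when converting an exclusion to an alert tuning rule, as recommended in the note above: the Title column gives you the detector to map, and the entity columns give you the condition for the tuning rule. Query 2 should be run again after the next scanner cycle, since an exclusion only stops future alerts and does not retroactively close existing ones.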

Next steps