Configure detection exclusions
Microsoft Defender for Identity enables the exclusion of specific IP addresses, computers, or users from a number of detections.
For example, a DNS Reconnaissance exclusion could be a security scanner that uses DNS as a scanning mechanism. The exclusion helps Defender for Identity ignore such scanners.
How to add detection exclusions
There are two ways you can manually exclude users, computers, or IP addresses for a detection. You can either do so on the Configuration page under Exclusions, or directly from the security alert.
From the Configuration page
To configure exclusions from the configuration page, do the following:
In the Defender for Identity portal, select Configuration.
Under Detection, select Exclusions.
For each detection that you want to configure, do the following:
- Enter an IP address, computer, or user account to be excluded from the detection
- Click the plus icon (+).
The user or computer field is searchable and will autofill with entities in your network. For more information, see the security alert guide.
From a security alert
To configure exclusions from a security alert, do the following:
In the Defender for Identity portal, select Timeline.
Identify an alert on an activity for a user, computer, or IP address that is allowed to perform the particular activity.
To the right of the alert, select More [...] > Close and exclude. The action closes the alert and it is no longer listed in the Open events list in the Alert timeline. The action also adds the user, computer, or IP address to the exclusions list for that alert.
Defender for Identity scanning starts immediately. Some detections, such as Suspicious additions to sensitive groups, require a learning period and aren't available immediately after Defender for Identity deployment. The learning period for each alert is listed in the detailed security alert guide.