How to tune Initial access incident to not trigger if there was no successful login

Anders Analyst 10 Reputation points
2024-03-06T17:57:28.9833333+00:00

I am getting a significant amount of alerts from detection source AAD Identity Protection on my MS Defender Incident page, that are called "Initial access incident involving one user" and "Multi-stage incident involving Initial access & Credential access involving one user".

Here is a screenshot of the incidents (usernames are censored):


Time and time again, I look into these alerts and for evidence they include a user and one or more "malicious" IP addresses that attempted to log in. However, not a single one of the attempts is successful.

I figure that the user's emails were leaked on the internet somewhere and actual bad actors are trying to log in, but there is MFA set up, they don't have the password, and in some cases the password is expired on the account.

These incidents and the alerts within are marked as high and aren't being automatically resolved by the system. I can't just completely disable the accounts or remove them due to how my organization operates. I need some way to tune the alerts or incidents because they have become a burden to have to analyze when there is no compromise.

I think that this incident would be very useful if it could filter in only the cases where a successful login occurred. Does anyone have any thoughts on a solution to this issue?


1 answer

  1. Akshay-MSFT 16,036 Reputation points Microsoft Employee
    2024-03-07T11:18:22.37+00:00

    @Anders Analyst

    Thank you for posting your query on Microsoft Q&A. From the above description I understand that you are looking to tune the incidents generated on the Microsoft Defender portal for risky sign-on attempts.

    Please do correct me if this is not the case by responding in the comments section.

    The only option we have as of now is to create rule conditions to tune alerts.


    However, if this does not suit your business requirement, then I would recommend that you post your idea on our feedback forum, which is monitored by our dev team.


    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik
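Alert tuning rules match on alert properties, not on whether any sign-in actually succeeded, so the triage the question asks for ("was there a successful login from the flagged IP?") is better done as an Advanced Hunting query. The query below is an added example, not part of the thread or a Microsoft-provided query; it assumes the Advanced Hunting tables `AlertEvidence` and `AADSignInEventsBeta` with the column names shown, and that `ErrorCode == 0` marks a successful sign-in, so verify those against your tenant's schema before relying on it.

```kql
// Added example: split Identity Protection alerts into "no successful sign-in
// from any flagged IP" (candidates for tuning/closing) versus "successful
// sign-in from a flagged IP" (needs a real investigation).
let lookback = 7d;
// Alerts from the detection source named in the question, with the user entity
let flaggedUsers =
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where DetectionSource has "Identity Protection"   // assumption: source label
    | where EntityType == "User" and isnotempty(AccountUpn)
    | project AlertId, Title, Severity, Upn = tolower(AccountUpn);
// The same alerts, with every IP entity attached as evidence
let flaggedIps =
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where DetectionSource has "Identity Protection"
    | where EntityType == "Ip" and isnotempty(RemoteIP)
    | project AlertId, RemoteIP;
// Successful interactive/non-interactive sign-ins in the same window
let successfulSignIns =
    AADSignInEventsBeta
    | where Timestamp > ago(lookback)
    | where ErrorCode == 0                               // 0 = success
    | project Upn = tolower(AccountUpn), IPAddress, SuccessTime = Timestamp;
flaggedUsers
| join kind=inner flaggedIps on AlertId
// Left-outer join keeps alerts that had no success at all (SuccessTime empty)
| join kind=leftouter successfulSignIns on Upn, $left.RemoteIP == $right.IPAddress
| summarize
    FlaggedIps = make_set(RemoteIP),
    SuccessfulSignIns = countif(isnotempty(SuccessTime)),
    LastSuccess = max(SuccessTime)
    by AlertId, Title, Severity, Upn
| extend Triage = iff(SuccessfulSignIns > 0,
                      "INVESTIGATE: successful sign-in from a flagged IP",
                      "No successful sign-in from flagged IPs: candidate to tune/close")
| order by SuccessfulSignIns desc, Severity
```

Rows with `SuccessfulSignIns > 0` are the ones the question wants to keep; the rest are the password-spray noise against MFA-protected or expired accounts that can be closed in bulk or used to justify a tuning rule. Saving this as a custom detection (which alerts only when the first branch is non-empty) gives the "successful login only" signal the question asks for, while the original Identity Protection alerts stay available as evidence.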