Configure detection exclusions and honeytoken accounts

Azure ATP enables the exclusion of specific IP addresses or users from a number of detections.

For example, a DNS Reconnaissance exclusion could be a security scanner that uses DNS as a scanning mechanism. The exclusion helps Azure ATP ignore such scanners.

Azure ATP also enables the configuration of honeytoken accounts, which are used as traps for malicious actors - any authentication associated with these honeytoken accounts (normally dormant), triggers an alert.

To configure, follow these steps:

  1. From the Azure ATP portal, click on the settings icon and select Configuration.

    Azure ATP configuration settings

  2. Under Detection, click Entity tags.

  3. Under Honeytoken accounts, enter the Honeytoken account name and click the + sign. The Honeytoken accounts field is searchable and automatically displays entities in your network. Click Save.

    Honeytoken

  4. Click Exclusions. Enter a user account or IP address to be excluded from the detection, for each type of threat.

  5. Click the plus sign. The Add entity (user or computer) field is searchable and will autofill with entities in your network. For more information, see Excluding entities from detections and the security alert guide.

    Exclusions

  6. Click Save.

Congratulations, you have successfully deployed Azure Advanced Threat Protection!

Check the attack time line to view detected security alerts and search for users or computers, and view their profiles.

Azure ATP scanning starts immediately. Some detections, such as Abnormal Group Modifications, require a learning period and aren't available immediately after Azure ATP deployment.

See Also