The experience described in this page can also be accessed at https://security.microsoft.com as part of Microsoft 365 Defender. The supporting documents for the new experience can be found here. For more information about Microsoft Defender for Identity and when other features will be available in Microsoft 365 Defender, see Microsoft Defender for Identity in Microsoft 365 Defender.
Microsoft Defender for Identity enables the exclusion of specific IP addresses, computers, or users from a number of detections.
For example, a DNS Reconnaissance exclusion could be a security scanner that uses DNS as a scanning mechanism. The exclusion helps Defender for Identity ignore such scanners.
How to add detection exclusions
There are two ways you can manually exclude users, computers, domains, or IP addresses for a detection. You can either do so on the Configuration page under Exclusions, or directly from the security alert.
From the Configuration page
To configure exclusions from the configuration page, do the following:
- In the Defender for Identity portal, select Configuration.
- Under Detection, select Exclusions.
- For each detection that you want to configure, do the following:
  - Enter an IP address, computer, domain, or user account to be excluded from the detection.
  - Select the plus icon (+).
  The user or computer field is searchable and will autofill with entities in your network. For more information, see the security alert guide.
- Select Save.
Among the domains that most commonly trigger the Suspicious communication over DNS alert, we identified those that customers most often excluded from it. These domains are added to the exclusions list by default, but you can easily remove them.
From a security alert
To configure exclusions from a security alert, do the following:
- In the Defender for Identity portal, select Timeline.
- Identify an alert on an activity for a user, computer, or IP address that is allowed to perform the particular activity.
- To the right of the alert, select More […] > Close and exclude. The action closes the alert and it’s no longer listed in the Open events list in the Alert timeline. The action also adds the user, computer, or IP address to the exclusions list for that alert.
Defender for Identity scanning starts immediately. Some detections, such as Suspicious additions to sensitive groups, require a learning period and aren’t available immediately after Defender for Identity deployment. The learning period for each alert is listed in the detailed security alert guide.