In Sentinel, I'm able to decide which connectors to pull in events from (i.e., not to pull in DLP incidents). I don't seem to have that same ability once I'm connected in the Unified Experience.
We have a separate team that generates hundreds of alerts per day for DLP policies that randomly get correlated with items we're looking at as Security Operations... and when we close our investigation, we close their alerts and mess up their stats and workflow.
If only we had a way to filter these out so they didn't get correlated. Similar to the toggle button we were given for IRM...
If you don't want DLP alerts to flow into Defender, open a support case to disable this feature. If you disable this feature, DLP alerts will surface in the Defender portal as Microsoft Defender for Office alerts. Check out this link: https://learn.microsoft.com/en-us/defender-xdr/dlp-investigate-alerts-defender
Awesome, we had opened up a ticket last week on a hunch. I've added this (and the corresponding purple box) to the ticket. We'll give this a try! Thanks José!
Just to follow up, we're part of the Customer Connection Program (CCP), and a Product Manager there put us in a gated private preview that displayed options to completely disable DLP alerts appearing in the Incident and Alerts pages.
If anyone else finds this page and is looking to exclude DLP alerts (or apparently Defender for Cloud alerts) from showing in the Incidents and Alerts pages, open a ticket asking to be added to the "gated private preview" with the product management for cloud security. I don't want to give any names or ticket numbers, but hopefully support gets you to the right place.