Hello @Supriya Nelluri
Thank you for reaching out to Microsoft Q&A.
Regarding your request to suppress activities/consolidate alerts, we strongly recommend utilizing XDR (Extended Detection and Response) Alert Tuning.
False positive (FP) alerts in Microsoft Defender for Identity are alerts that are mistakenly triggered without any actual attack activity or technique being present.
To effectively manage false-positive alerts in Microsoft Defender for Identity, it is essential to regularly review and tune your alert configurations.
Microsoft Defender XDR allows you to tune alerts, which helps reduce the number of alerts that require triage. This tuning process resolves alerts automatically based on your configurations and rule conditions. It is recommended to review your tuning configurations regularly to ensure they remain relevant and effective. For instance, you should check if your existing rules have matches as expected and consider removing any rules that no longer have matches.
To investigate and inspect events, you can utilize advanced hunting. Below are the documents for your reference. Create conditions and save your query to review the events.
Additionally, you can adjust alert thresholds to influence the volume of alerts generated. By customizing the threshold level for specific alerts, you can help reduce false positives. It is advisable to change alert thresholds from the default (High) only after careful consideration, especially if you have NAT or VPN configurations.
For more detailed guidance on adjusting alert thresholds, you can access the relevant settings in Microsoft Defender XDR under Settings > Identities > Adjust alert thresholds.
Daily operational guide - Microsoft Defender for Identity | Microsoft Learn
Investigate alerts in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn
Tune an alert - Microsoft Defender XDR | Microsoft Learn
This is the default behavior of Defender for Identity, wherein security or risky alerts are captured and projected within Defender so that appropriate actions can be taken: https://learn.microsoft.com/en-us/defender-for-identity/manage-security-alerts
The tune an alert functionality allows you to adjust the alert's condition parameters. You can define additional conditions that will refine when an alert is triggered. For example:
If the sign-in request IDs differ by milliseconds, you can add conditions that account for this small time difference (e.g., combining alerts that are triggered within a certain time window).
If the same user (device, IP, etc.) is generating multiple alerts, you might group those under a single alert if the difference in timing is very small.
Ref: https://learn.microsoft.com/en-us/defender-xdr/investigate-alerts?tabs=settings
https://blog.admindroid.com/how-to-tune-alerts-in-microsoft-365-defender/#:~:text=Tune%20Alert%20from%20the%20Alerts%20Page%20of%20Microsoft,alert%20%E2%80%9D%20based%20on%20your%20need.%20More%20ite
I hope this clarifies things. Please contact us if you have any additional questions.
If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query do let us know.
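Added example (not part of the answer above and not Microsoft's own code): an advanced hunting query that surfaces Defender for Identity alerts which fire repeatedly for the same user and alert title within a short window, i.e. the near-duplicate alerts the answer suggests consolidating through a tuning rule. It assumes the Defender XDR advanced hunting tables AlertInfo and AlertEvidence with the column names used below (ServiceSource, Title, Severity, EntityType, AccountUpn); the 7-day lookback, the 5-minute window and the ServiceSource string are assumed values to adjust for your tenant.

```kql
// Constructed example: list Defender for Identity alerts that repeat for the
// same user and title inside one short window, as candidates for alert tuning.
let lookback = 7d;   // how far back to search (assumed value)
let window   = 5m;   // alerts in the same bin are treated as near-duplicates (assumed value)
AlertInfo
| where Timestamp > ago(lookback)
| where ServiceSource == "Microsoft Defender for Identity"   // assumed ServiceSource value
| join kind=inner (
    AlertEvidence
    | where EntityType == "User"          // keep only the user entity of each alert
    | project AlertId, AccountUpn
  ) on AlertId
| summarize
    AlertCount = count(),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp),
    AlertIds   = make_set(AlertId, 20)    // up to 20 alert ids per group for review
  by AccountUpn, Title, Severity, WindowStart = bin(Timestamp, window)
| where AlertCount > 1                     // only groups that fired more than once in a window
| extend SpreadSeconds = datetime_diff("second", LastSeen, FirstSeen)
| order by AlertCount desc, WindowStart asc
```

Each returned row is one user/title pair that fired more than once in the same window; review those rows before creating a tuning rule whose conditions match them. Because bin() uses fixed boundaries, two alerts a few seconds apart that straddle a boundary land in different rows, so widen the window if you see such pairs.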