Describe the bug
When an admin marks a user safe, dismisses risk, etc. in Entra, a new record is created in the SecurityAlert table. The time between when an Entra Risk Alert is generated and when an Admin takes action on the Risk alert can lead to a (sometimes significant) time difference between the TimeGenerated and StartTime/EndTime fields. The "Correlate Unfamiliar sign-in properties & atypical travel alerts" logic triggers an alert if the TimeGenerated of the alerts is less than or equal to TimeDeltaInMinutes; however, the StartTime/EndTime fields, which are the times actually associated with the user event, can be very different.
To Reproduce
Steps to reproduce the behavior:
Mark User Safe, Dismiss risk, etc. in Entra
False Positive "Correlate Unfamiliar sign-in properties & atypical travel alerts" will be triggered
Expected behavior
Alert should only be triggered based upon user activity, not Admin actions in Entra.
Additional context
I think the best way to fix this is to exclude events where the Comments field starts with "Risk detail: Admin", sample KQL:

```kusto
| extend Comments = tostring(ExtendedProperties_json.Comments)
| where Comments !startswith "Risk detail: Admin"
```
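To show where that exclusion sits in a correlation of this shape, here is an illustrative query added for this write-up. It is not the text of the repository's analytic rule (CorrelateIPC_Unfamiliar-Atypical) and does not reproduce its join logic; the window value, the two alert names, and the use of CompromisedEntity as the user key are assumptions, not taken from the issue.

```kusto
// Added illustrative query; not the repository's rule. Assumptions not stated
// in the issue: the two alert names as surfaced by Entra ID Protection, that
// CompromisedEntity carries the user's UPN, and the 10-minute window.
let TimeDeltaInMinutes = 10;
let RiskAlerts = SecurityAlert
    | where AlertName in ("Unfamiliar sign-in properties", "Atypical travel")
    | extend ExtendedProperties_json = parse_json(ExtendedProperties)
    | extend Comments = tostring(ExtendedProperties_json.Comments)
    // Admin actions (mark safe, dismiss risk, ...) write a fresh SecurityAlert
    // record whose TimeGenerated is the admin's action time, not the sign-in
    // time in StartTime/EndTime. Dropping them keeps the correlation tied to
    // user activity, which is the fix proposed above.
    | where Comments !startswith "Risk detail: Admin"
    | project TimeGenerated, AlertName, CompromisedEntity, StartTime, EndTime,
              Comments, SystemAlertId;
RiskAlerts
| where AlertName == "Unfamiliar sign-in properties"
| join kind=inner (
    RiskAlerts
    | where AlertName == "Atypical travel"
) on CompromisedEntity
// Correlate on alert generation time, as the issue describes the rule doing.
| where abs(datetime_diff('minute', TimeGenerated, TimeGenerated1)) <= TimeDeltaInMinutes
// For triage, surface how far the alert record sits from the underlying
// sign-in; a large value is the symptom the issue describes.
| extend MinutesFromSignInToAlert = datetime_diff('minute', TimeGenerated, StartTime)
| project CompromisedEntity,
          UnfamiliarAlertTime = TimeGenerated, AtypicalAlertTime = TimeGenerated1,
          UnfamiliarSignInStart = StartTime, AtypicalSignInStart = StartTime1,
          MinutesFromSignInToAlert,
          UnfamiliarAlertId = SystemAlertId, AtypicalAlertId = SystemAlertId1
```

The Comments filter is applied inside the shared RiskAlerts expression so both sides of the join see only user-driven records; MinutesFromSignInToAlert is a diagnostic column for checking, on real data, how often TimeGenerated and StartTime diverge before relying on either for the window.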
Hi @quantumburnz, (attached: CorrelateIPC_Unfamiliar-Atypical.txt)
I have made some adjustments based on your feedback. Could you please review the changes and let us know if everything meets your expectations?
Hi @v-visodadasi, thanks for making this change. It looks like you implemented my suggestion, and I'm good with this if you think this change makes sense as well.
Hi @quantumburnz, thank you for your confirmation. We have raised a Draft PR with these changes and it will get reviewed by our PR review team. As your issue has been resolved we are closing this issue.
Thanks!