Whitelisting o365 successful login incidents

The o365 Login Analyzer creates notifications for successful logins.  If there are successful logins that don't require a notification to be created for them, these detections can be whitelisted in the incident notification that was created. 

NOTE: Whitelisting successful o365 logins should only be done from the incident ticket - Do I need to remediate or whitelist the events in the apps? 


On the customer level navigate to the incidents list


Locate the incident > view details





Action > add to whitelist






Enter the 2 letter country abbreviation in attributes>location>countryOrRegion field and the user email name in attributes>user>principalName field then add



This will create a new whitelist rule to no longer create email notifications for that detection. 














Was this article helpful?
1 out of 1 found this helpful
Have more questions? Contact us
Provide feedback for the Documentation team!