Whitelisting o365 successful login incidents

The o365 Login Analyzer creates notifications for successful logins.  If there are successful logins that don't require a notification to be created for them, these detections can be whitelisted in the incident notification that was created. 

NOTE: Whitelisting successful o365 logins should only be done from the incident ticket - Do I need to remediate or whitelist the events in the apps? 

 

On the customer level navigate to the incidents list

mceclip0.png

Locate the incident > view details

 

mceclip4.png

 

 

Action > add to whitelist

mceclip0.png

 

Custom

mceclip8.png

 

Enter the 2 letter country abbreviation in attributes>location>countryOrRegion field and the user email name in attributes>user>principalName field then add

 mceclip9.png

 

This will create a new whitelist rule to no longer create email notifications for that detection. 

 

 

 

 

 

 

 

 

 

 

 

 

 

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Contact us
Provide feedback for the Documentation team!