Alert Tuning Quick‐Start Guide (Beginner Edition) - Arkthos/The-Escalation-Protocol GitHub Wiki

🔍 Before You Begin

1.1 How to Access the Alert Tuning Blade

Before configuring alert tuning, it’s essential to locate where the tuning options live within Microsoft Defender XDR. Follow these steps:

  1. Visit https://security.microsoft.com and log in with an account that has at least Security Administrator permissions.
  2. In the left-hand navigation panel, click ⚙ Settings, then select Microsoft Defender XDR.
  3. Under the Rules section, choose Alert tuning. You’ll have two options to start creating a rule:
    • Create a rule from scratch, defining all criteria manually.
    • Create a rule based on an existing alert, which pre-populates some settings. This option is also available from within an alert's detail page under Incidents & Alerts ▶ Alerts.

Screenshot of the Microsoft Defender XDR portal illustrating the navigation path to the Alert tuning blade.

📌 Tip: If the “Alert Tuning” option isn’t visible, it usually means your account lacks the necessary permissions or licensing.

1.2 Role & License Prerequisites

| Action | Minimum Role | Required License |
|---|---|---|
| View rules | Security Reader | Any Microsoft Defender subscription |
| Create/edit rules | Security Operator or Administrator | Defender for Endpoint Plan 2 |
| Disable/delete rules | Security Administrator or Global Admin | Defender for Endpoint Plan 2 |

💡 Preview rules or features may require additional licensing aligned with the specific Defender workload.


🧠 What Alert Tuning Is (and What It’s Not)

What Alert Tuning DOES:

Alert Tuning is a feature that helps reduce alert fatigue by learning from repeated, safe patterns and automatically classifying matching alerts. This improves productivity for security teams by allowing them to focus on truly suspicious or harmful behavior.

  • Automatically classifies known-good behaviors by hiding or resolving matching alerts.
  • Uses evidence from real alerts (e.g., specific file hashes, process names, or IPs).
  • Helps enforce alert hygiene and reduce noise in the console.

🚫 What Alert Tuning DOES NOT do:

  • Does not change detection logic, alert severity, or threat intelligence.
  • Does not apply to alerts retroactively — only works on new alerts after the rule is active.
  • Does not replace the need for human investigation.
  • Is not officially supported for alerts generated by Custom Detection rules.

📂 Key Terms at a Glance

| Term | Description |
|---|---|
| Evidence / IOC | The specific object or indicator that triggered the alert |
| Condition | A filter that limits the rule to alerts that meet specific evidence values |
| Service Source | The Defender workload generating the alert (e.g., Endpoint, Office 365) |
| Action | What happens to the alert: Resolve (close) or Hide (remove from queues) |

🤔 Hide vs. Resolve – What’s the Difference?

| Action | What It Does | When to Use |
|---|---|---|
| Resolve | Closes the alert but keeps it in audit logs | When testing or preserving alert history |
| Hide | Completely removes the alert from dashboards | When confident the alert is noise and safe to hide |

Best Practice: Start every rule in Resolve mode. Monitor for at least one week. If no unexpected matches occur, switch to Hide. Document your justification.


⚙ Using “Autofill Rule Conditions”

  • Autofill uses data directly present in the alert.
  • It excludes enriched data from related logs or processes.
  • Prevents overfitting — enriched-only fields may cause silent rule failure.

🔍 Add a missing condition only if you're sure the field is directly part of the alert object.

🚧 Microsoft is working on "contextual suppression" to include enriched fields (not available yet).
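To make the matching behaviour described above concrete, here is an added Python model of how a tuning rule's conditions are evaluated. It is not Defender XDR's implementation and not code from this wiki: it assumes a simplified alert that carries a dictionary of evidence fields (what Autofill sees) and a separate dictionary of enriched data from related logs, and all alert IDs, titles, field names and rule names are constructed for the illustration. It shows why a condition on an enriched-only field never fires, and how Resolve and Hide differ.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Alert:
    alert_id: str
    title: str
    evidence: dict                                  # fields on the alert object (what Autofill sees)
    enriched: dict = field(default_factory=dict)    # related-log data, NOT on the alert object
    status: str = "New"
    visible: bool = True


@dataclass
class TuningRule:
    name: str
    alert_title: str
    conditions: dict        # evidence field -> value pattern; '*' acts as a wildcard
    action: str             # "Resolve" or "Hide"


def matches(rule: TuningRule, alert: Alert) -> bool:
    """True only when every condition is satisfied by a field the alert itself carries."""
    if alert.title != rule.alert_title:
        return False
    for field_name, pattern in rule.conditions.items():
        value = alert.evidence.get(field_name)
        if value is None:
            # Field lives only in enriched data (or nowhere): the rule never
            # fires, and nothing in the console tells you why.
            return False
        if not fnmatchcase(value.lower(), pattern.lower()):
            return False
    return True


def apply_rule(rule: TuningRule, alerts: list) -> list:
    """Apply the rule to new alerts; returns the IDs it touched."""
    touched = []
    for alert in alerts:
        if alert.status == "New" and matches(rule, alert):
            alert.status = "Resolved"          # both actions close the alert
            if rule.action == "Hide":
                alert.visible = False          # Hide also drops it from queues
            touched.append(alert.alert_id)
    return touched


def sample_alerts() -> list:
    """Constructed alerts: one nightly admin job, one PsExec on a workstation, one unrelated."""
    psexec = "Suspicious remote execution (PsExec)"
    return [
        Alert("A-1001", psexec, {"ProcessName": "PsExec.exe", "DeviceGroup": "Servers-Prod"},
              enriched={"ParentProcessName": "sched-runner.exe"}),
        Alert("A-1002", psexec, {"ProcessName": "PsExec.exe", "DeviceGroup": "Workstations"}),
        Alert("A-1003", "Unrelated constructed alert",
              {"ProcessName": "other.exe", "DeviceGroup": "Servers-Prod"}),
    ]


def demo() -> dict:
    psexec = "Suspicious remote execution (PsExec)"
    # Rule built from fields Autofill would populate: matches the nightly job only.
    direct = TuningRule("LT-Infra-PsExec-Resolve", psexec,
                        {"ProcessName": "psexec*", "DeviceGroup": "Servers-Prod"}, "Resolve")
    # Same intent, but keyed on an enriched-only field: silently matches nothing.
    enriched_only = TuningRule("LT-Infra-PsExec-Parent", psexec,
                               {"ParentProcessName": "sched-runner.exe"}, "Resolve")
    # The promoted form of the first rule after a clean monitoring period.
    promoted = TuningRule("LT-Infra-PsExec-Hide", psexec, dict(direct.conditions), "Hide")

    resolved_set, enriched_set, hidden_set = sample_alerts(), sample_alerts(), sample_alerts()
    apply_rule(promoted, hidden_set)
    return {
        "direct": apply_rule(direct, resolved_set),
        "still_visible": [a.alert_id for a in resolved_set if a.visible],
        "enriched_only": apply_rule(enriched_only, enriched_set),
        "hidden": [a.alert_id for a in hidden_set if not a.visible],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `enriched_only` rule is the failure mode the tip above warns about: it is syntactically valid and saves without complaint, yet it never touches an alert because `ParentProcessName` is not part of the alert object. The `direct` rule resolves only the Servers-Prod alert and leaves all three visible, while the promoted `Hide` rule removes that one alert from the queue.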


🛠 Creating Your First Rule: Step-by-Step Example

Let’s walk through a real-world example. Suppose your team runs a trusted administrative script every night that triggers the “Suspicious remote execution (PsExec)” alert. You want to suppress it:

  1. Go to Incidents & Alerts ▶ Alerts and select the PsExec alert.
  2. Click Tune Alert ▶ Only this alert type to scope the rule to just this category.
  3. Use Autofill rule conditions, and verify it includes:
    • Process name = PsExec.exe
    • Device group = Servers-Prod
  4. Choose Action = Resolve, and give the rule a descriptive name such as:
    • LT-Infra-PsExec-Resolve
  5. Monitor the rule for one week:
    • Go to Settings ▶ Alert Tuning ▶ Associated Alerts
    • Confirm that only expected alerts are being resolved
  6. If everything looks good, return to the rule and change the Action to Hide to clean up the dashboard.

Flowchart showing the general “create and validate an alert-tuning rule” process: Open the alert you want to tune → Tune alert wizard (choose alert scope) → Click Auto-fill rule conditions → Review / adjust evidence & operators → Save rule with Action = Resolve → Monitor “Associated alerts” for 7-14 days → Decision: unexpected alerts or false negatives? Yes: refine conditions, scope, or groups, then return to the save-rule step. No: edit the rule and switch Action to Hide. The diagram emphasizes an iterative cycle: pilot in Resolve, monitor, refine if needed, then promote the rule to Hide once confident.
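As an added example for the monitoring step (not part of the original guide), the following Python reads a CSV export of a rule's associated alerts, such as the one the Governance section suggests exporting, and flags any alert that does not look like the nightly job, so the decision to promote the rule to Hide rests on evidence rather than a glance at the queue. The CSV content, its column names, the nightly time window, the service account and the device names are all constructed assumptions; the real layout of the portal's export is not documented on this page.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample export of one week of associated alerts for the
# LT-Infra-PsExec-Resolve rule. Column names are an assumption.
ASSOCIATED_ALERTS_CSV = """\
AlertId,Timestamp,Title,DeviceName,DeviceGroup,ProcessName,AccountName
A-2001,2025-04-01T01:05:12Z,Suspicious remote execution (PsExec),srv-db-01,Servers-Prod,PsExec.exe,svc-nightly
A-2002,2025-04-02T01:04:58Z,Suspicious remote execution (PsExec),srv-db-02,Servers-Prod,PsExec.exe,svc-nightly
A-2003,2025-04-03T14:22:40Z,Suspicious remote execution (PsExec),srv-db-01,Servers-Prod,PsExec.exe,jdoe
A-2004,2025-04-04T01:06:03Z,Suspicious remote execution (PsExec),srv-app-07,Servers-Prod,psexec.exe,svc-nightly
A-2005,2025-04-05T01:07:20Z,Suspicious remote execution (PsExec),srv-db-01,Servers-Prod,PsExec64.exe,svc-nightly
"""

# What the trusted nightly job is allowed to look like (assumed values).
EXPECTED = {
    "process_names": {"psexec.exe"},        # compared case-insensitively
    "device_group": "Servers-Prod",
    "accounts": {"svc-nightly"},            # the job's service account
    "window": (time(0, 30), time(2, 30)),   # UTC window in which the job runs
}


def review_associated_alerts(csv_text: str, expected: dict = EXPECTED) -> dict:
    """Return every associated alert that deviates from the expected job profile."""
    unexpected = []
    total = 0
    start, end = expected["window"]
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        reasons = []
        ts = datetime.strptime(row["Timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        if row["ProcessName"].lower() not in expected["process_names"]:
            reasons.append(f"process {row['ProcessName']}")
        if row["DeviceGroup"] != expected["device_group"]:
            reasons.append(f"device group {row['DeviceGroup']}")
        if row["AccountName"].lower() not in expected["accounts"]:
            reasons.append(f"account {row['AccountName']}")
        if not (start <= ts.time() <= end):
            reasons.append(f"outside window at {ts.time()} UTC")
        if reasons:
            unexpected.append((row["AlertId"], reasons))
    return {"total": total, "unexpected": unexpected, "safe_to_hide": not unexpected}


if __name__ == "__main__":
    report = review_associated_alerts(ASSOCIATED_ALERTS_CSV)
    print(f"{report['total']} associated alerts, {len(report['unexpected'])} unexpected")
    for alert_id, reasons in report["unexpected"]:
        print(f"  {alert_id}: {', '.join(reasons)}")
    print("Promote to Hide:", "yes" if report["safe_to_hide"] else "no, refine the rule first")
```

In the sample week, A-2003 is an interactive PsExec run by a named user in the afternoon, and A-2005 is a different binary name that a wildcard condition such as `psexec*` would also have swallowed. Either finding means the rule stays in Resolve and its conditions get tightened, exactly the loop the flowchart describes.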

🔄 Managing or Reversing Rules

  • Disable a rule: Settings ▶ Alert Tuning ▶ … ▶ Turn off
  • Delete a rule: Same menu ▶ Delete

💡 If unsure, switch back to Resolve before deleting for visibility.


📋 Governance Best Practices

  • Use clear naming conventions: e.g., LT-Network-SMBScan
  • Always fill in the Comments field.
  • Review rules quarterly.
  • Export associated alerts to CSV for analysis.
  • Automate Teams notifications when a rule triggers via Power Automate.

🚑 Troubleshooting Quick Sheet

| Symptom | Likely Cause | Suggested Fix |
|---|---|---|
| “Alert tuning” not visible | Missing permissions/license | Check role and Defender Plan 2 availability |
| Rule saved but alerts still show | Mismatched evidence/condition | Review rule conditions and wildcards |
| Hidden alerts too aggressive | Rule action too strict | Switch to Resolve to regain visibility |

📚 Learn More & Next Steps


📄 Authored by Arkthos - Version 1.3 – April 2025
