[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation #4648
Issue link(s):
Resolves SDH #569
Summary - What I changed
The following are recommended for exclusion:
NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost) - already excluded
NT AUTHORITY\SYSTEM (w3wp) - no telemetry in the last year but should be excluded as suggested
NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore) - showing ~40% of alerts in telemetry over last 30 days and should be excluded
These changes reduce alerts in telemetry from 11537 to 7160 in the last 30 days.
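An added example, not code from this pull request or the rule itself, showing how the exclusions listed above behave as exact process-qualified identities and how the before/after alert count can be measured per identity. The event field names, the base match condition and the sample events are assumptions constructed for illustration.

```python
from collections import Counter

# Identities excluded by the tuning, copied verbatim from the list above.
EXCLUDED_USERS = {
    r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)",
    r"NT AUTHORITY\SYSTEM (w3wp)",
    r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)",
}
# Assumed base condition for a mailbox-right delegation event (not from the page).
SENSITIVE_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}

def base_match(event):
    """True when the event is a successful delegation of a sensitive right."""
    return (event.get("action") == "Add-MailboxPermission"
            and event.get("outcome") == "success"
            and event.get("access_rights") in SENSITIVE_RIGHTS)

def is_alert(event):
    """Base condition AND the acting identity is not an excluded exact match."""
    return base_match(event) and event.get("user_id") not in EXCLUDED_USERS

def exclusion_impact(events):
    """Return (alerts_before, alerts_after, suppressed count per identity)."""
    matched = [e for e in events if base_match(e)]
    suppressed = Counter(e["user_id"] for e in matched if not is_alert(e))
    return len(matched), len(matched) - sum(suppressed.values()), suppressed

def ev(user_id, rights="FullAccess", outcome="success"):
    """Build a constructed event using hypothetical flat field names."""
    return {"action": "Add-MailboxPermission", "user_id": user_id,
            "access_rights": rights, "outcome": outcome}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ev(r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)"),
    ev(r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)", "SendAs"),
    ev(r"NT AUTHORITY\SYSTEM (Microsoft.Exchange.ServiceHost)"),
    ev("admin@example.com"),                           # human actor: still alerts
    ev(r"NT AUTHORITY\SYSTEM (ExampleOtherProcess)"),  # unlisted process: still alerts
    ev("admin@example.com", rights="ReadPermission"),  # right not in scope
    ev("admin@example.com", outcome="failure"),        # failed attempt
]

if __name__ == "__main__":
    before, after, suppressed = exclusion_impact(SAMPLE_EVENTS)
    print(f"alerts before: {before}, after: {after}")
    for user, count in suppressed.most_common():
        print(f"  suppressed {count}: {user}")
```

Because the match is on the full string, SYSTEM activity under a process that is not listed continues to alert, which keeps the exclusion scoped to the three service identities named above.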