Forum Discussion
HKN
Jan 16, 2025 · Copper Contributor
Whitelisting Pentesting tools
Hello everyone.
I'm coming to you with a question that I think is pertinent.
We use a pentesting tool in our environment.
It generates a lot of incidents and alerts in Microsoft Defender. We have on-prem accounts (one user, one admin) so that the tool can perform this pentesting.
Do you have any ideas on how to whitelist incidents linked to this user, these actions, or the node machine he uses to initiate connections, so that it no longer generates them, or so that the incidents linked to these activities are automatically resolved?
Thank you for your help.
HKN
1 Reply
- Michal_Langenfeld · Copper Contributor
Please check one of the following steps; it might help resolve the issue.
- Tag the Machine as "Pentest"
  - In Microsoft Defender Security Center, go to Settings > Device Groups.
  - Create a new device group and tag the machine used for pentesting.
  - Use this tag in advanced hunting queries and exclusions.
- Create Automated Investigation & Response (AIR) Exclusions
  - Go to Microsoft Defender Security Center.
  - Navigate to Settings > Endpoints > Indicators.
  - Add exclusions based on:
    - IP addresses (the pentest tool's machine).
    - User accounts (the accounts used for testing).
    - Process paths (the executable files used).
- Custom Detection Rules to Auto-Resolve Alerts
  - Use Advanced Hunting to identify recurring alerts triggered by the pentesting tool.
  - Go to Microsoft 365 Defender > Hunting > Advanced Hunting.
  - Write a KQL query to match known pentesting activities.
  - Create an Automated Investigation Rule that sets alerts to resolved.
- Disable Defender's Automatic Blocking for the Pentest Machine
  - If your tool is being blocked, add an exception for the pentest machine in Defender settings.
  - Go to Settings > Endpoints > Attack Surface Reduction Rules.
  - Add exclusions for the specific actions being flagged.
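The Advanced Hunting step in the reply above, as an added example that is not from the original thread: it inventories which alert titles the pentest device group and its two service accounts keep triggering, so exclusions or a custom detection rule can be scoped to exactly those alerts rather than to the whole machine. The device group name "Pentest" and the account names are assumed placeholders; the tables and columns are the standard Defender XDR schema (DeviceInfo, AlertEvidence, AlertInfo).

```kql
// Assumed placeholders: the device group created in step 1 and the two on-prem accounts.
let PentestAccounts = dynamic(["svc-pentest-user", "svc-pentest-admin"]);
// Latest group membership per device, restricted to the pentest device group.
let PentestDevices =
    DeviceInfo
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, MachineGroup) by DeviceId
    | where MachineGroup == "Pentest"
    | project DeviceId;
// Alerts whose evidence touches either the pentest device or the pentest accounts.
AlertEvidence
| where Timestamp > ago(30d)
| where DeviceId in (PentestDevices) or AccountName in~ (PentestAccounts)
| join kind=inner (
    AlertInfo
    | project AlertId, Title, Category, Severity, ServiceSource, DetectionSource
  ) on AlertId
// Count distinct alerts per title so the noisiest recurring detections surface first.
| summarize Occurrences = dcount(AlertId), LastSeen = max(Timestamp)
    by Title, Category, Severity, ServiceSource, DetectionSource
| order by Occurrences desc
```

Titles that appear only a handful of times, or with a severity above what the tool normally produces, are worth reviewing manually before being excluded, since an exclusion keyed on the pentest device or accounts would also hide a real compromise of that host.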