When you receive a security event that you consider a false alarm, Office Protect lets you create a rule that automatically ignores similar future events based on the event's criteria. You will not be alerted anymore on events
1. Access to the feature
To ignore an event you can:
- Click on the "Ignore event" link in the security event email or in your PSA (ConnectWise / Autotask security events tickets)
- Select the security event in the Report table and click "Ignore"
After clicking on "Ignore":
- The event is individually ignored and moved to the "Ignored" tab in the Report table
- You have the choice to create a rule to ignore similar future events with the "Create rule" button
Previously, clicking on "Ignore" would ignore the event and automatically create a rule, based on default criteria.
2. Create a rule
After clicking on "Create rule" you are redirected to a form in which you can select the criteria on which future similar events will be ignored.
The criteria displayed depend on the event type and on the event's details. For each criterion, you can select either:
- The event's detail: all future similar events with these criteria will be ignored.
- "Any": this data will be disregarded
Combinations work with "AND" conditions.
You can also choose a specific period of time during which the rule applies, for when events need to be whitelisted temporarily (example: business trip in an Unauthorized Country).
I received a "Sign-In from Unauthorized Country":
- Username: Henry,
- Country: France (FR),
- IP address: 188.8.131.52,
- User Agent: Outlook-iOS.
I know Henry is based in France, so I don't want to be alerted when Henry signs in from France. I will select "Any" for IP address and User Agent, but leave Username set to "Henry" and Country set to "France". All future "Sign-In from Unauthorized Country" events triggered on Username "Henry" AND Country "France" will now be automatically ignored.
All other users connecting from France will still raise alerts.
- Setting "Any" for all criteria is equivalent to disabling the alert. If you want to deactivate the alert, we suggest you deactivate it from the Monitor section instead.
- For "Sign-In from Unauthorized Country" events, setting "Any" for all criteria except the country is equivalent to
3. Review existing rules
Under the "Monitor" tab, you now have access to a new section "Whitelist". From this section, you can access all whitelisting rules that have been created on the tenant, with their criteria.
You can either Edit the rule or Delete it from the menu on the right.
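When reviewing rules, it helps to reason about exactly which events a given rule suppresses. The following is an added example, not Office Protect code: it models the matching semantics described in section 2 ("Any" wildcard, AND combination, optional time period) and flags a rule whose criteria are all "Any". The `IgnoreRule` class, its field names, the sample users other than Henry, and the sample IP address are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

ANY = "Any"  # wildcard: the criterion is disregarded
TYPE = "Sign-In from Unauthorized Country"


@dataclass
class IgnoreRule:  # hypothetical model of a whitelist rule
    event_type: str
    criteria: dict                     # criterion name -> event detail, or ANY
    start: Optional[datetime] = None   # optional period the rule applies to
    end: Optional[datetime] = None

    def matches(self, event: dict, when: datetime) -> bool:
        """True if the event would be ignored by this rule at time `when`."""
        if event["type"] != self.event_type:
            return False
        if self.start is not None and when < self.start:
            return False
        if self.end is not None and when > self.end:
            return False
        # Criteria combine with AND; a criterion set to "Any" always passes.
        return all(v == ANY or event.get(k) == v for k, v in self.criteria.items())

    def pinned(self) -> list:
        """Criteria that actually constrain the rule (everything not 'Any')."""
        return [k for k, v in self.criteria.items() if v != ANY]

    def disables_alert(self) -> bool:
        """All criteria 'Any': every event of this type is ignored."""
        return not self.pinned()


def sample_event(user, country, ua="Outlook-iOS", ip="203.0.113.10"):
    # Constructed sample event; the IP is a documentation-range address.
    return {"type": TYPE, "Username": user, "Country": country,
            "IP address": ip, "User Agent": ua}


henry_fr = IgnoreRule(TYPE, {"Username": "Henry", "Country": "France",
                             "IP address": ANY, "User Agent": ANY})
trip = IgnoreRule(TYPE, {"Username": "Alice", "Country": "Japan",
                         "IP address": ANY, "User Agent": ANY},
                  start=datetime(2024, 5, 1), end=datetime(2024, 5, 15))
too_broad = IgnoreRule(TYPE, dict.fromkeys(
    ["Username", "Country", "IP address", "User Agent"], ANY))
```

Running each rule listed in the Whitelist section through a check like `disables_alert()` and `pinned()` shows at a glance which rules are narrower than intended and which silently suppress an entire alert type.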