Exclude users from Suspected brute-force attack (Kerberos, NTLM)


Dear community,


Within our environment we use group mailboxes for a lot of teams. The problem is that we get a lot of false positive alerts in Microsoft Defender for Identity and Cloud App Security (monitoring tool). This happens because users can just click close on the prompt and still receive the mails in the mailbox. (The group mailboxes are disabled accounts.)


I have seen that we can exclude computers and IPs but not the users, and the users are what we need.

Policy name: Suspected brute-force attack (Kerberos, NTLM)


Does anybody have some ideas or solutions?


Kind regards,

Jeroen Borger
