Defender 365 admin console - Disabled Connected to a custom indicator & Connected to a unsanctionned blocked app rules

Étienne Fiset 50 Reputation points
2024-03-21T14:28:41.46+00:00

I want to know how I can disable these two following alerts :

  1. Disabled Connected to a custom indicator
  2. Connected to an unsanctioned blocked app

I didn't find these alerts on the Alerts Policy of XDR/EPP or Cloud apps.

Since all the changed that Microsoft has done in the past few months, a lot of settings changed the place or are missing. Those alerts type needs to be enabled or disabled on demand, like the other alerts types..

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,421 questions
Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps
A Microsoft cloud access security broker that enables customers to control the access and use of software as a service apps in their organization.
151 questions
{count} votes

7 answers

Sort by: Most helpful
  1. Étienne Fiset 50 Reputation points
    2024-04-04T15:08:24.1766667+00:00

    I find the answer :

    User's image

    1 person found this answer helpful.

  2. Étienne Fiset 50 Reputation points
    2024-06-19T19:36:11.75+00:00
    1 person found this answer helpful.
    0 comments No comments

  3. Catherine Kyalo 665 Reputation points Microsoft Employee
    2024-04-04T10:12:52.8433333+00:00

    Hi @Étienne Fiset

    Based on my research, You can explore using Alert Suppression feature in Microsoft defender XDR. Below is a link that can guide on the process.

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-suppression-rules?view=o365-worldwide

    User's image


  4. Étienne Fiset 50 Reputation points
    2024-04-09T17:23:24.5566667+00:00

  5. Marilee Turscak-MSFT 36,891 Reputation points Microsoft Employee
    2024-04-11T22:41:30.1366667+00:00

    Hi @Étienne Fiset ,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

    Issue:

    You wanted to disable these two alerts:

    1. Disabled Connected to a custom indicator
      1. Connected to an unsanctioned blocked app

    Solution:

    You cannot currently suppress an alert triggered by a "custom detection" source.

    You filed a design change request here: https://feedbackportal.microsoft.com/feedback/idea/f7a32d7d-7bf3-ee11-a73d-6045bd7e894e

    I have also filed an internal design change request on your behalf.

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.