How to suppress Defender for Cloud Alerts

Renaldo Jack 5 Reputation points
2023-03-09T11:21:56.6766667+00:00

Hi,

We run Breach and Attack simulations against workloads in Azure. This triggers a large amount of email alerts. Is there a way to suppress the alerts only for the simulations but not for real attacks?

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

2 answers

  1. Akshay-MSFT 17,656 Reputation points Microsoft Employee
    2023-03-13T09:23:11.88+00:00

    Hello Renaldo Jack ,

    Thank you for posting your query on Microsoft Q&A. I would recommend you to identify the type of alerts generated during Breach and Attack simulations.

    From Defender for Cloud's security alerts page, select the alert you want to suppress.

    1. From the details pane, select Take action.
    2. In the Suppress similar alerts section of the Take action tab, select Create suppression rule.
    3. In the New suppression rule pane, enter the details of your new rule:
       • Entities - The resources that the rule applies to. You can specify a single resource, multiple resources, or resources that contain a partial resource ID. If you don't specify any resources, the rule applies to all resources in the subscription.
       • Name - A name for the rule. Rule names must begin with a letter or a number, be between 2 and 50 characters, and contain no symbols other than dashes (-) or underscores (_).
       • State - Enabled or disabled.
       • Reason - Select one of the built-in reasons or 'other' to specify your own reason in the comment.
       • Expiration date - An end date and time for the rule. Rules can run for up to six months.
    4. Select Simulate to see the number of previously received alerts that would have been dismissed if the rule had been active.
    5. Save the rule.

    • You can also select the Suppression rules button in the Security Alerts page and select Create suppression rule to enter the details of your new rule.

    Do you have a current suppression rule for specific alerts or for a specific resource? If you do it on a resource, it should suppress all the alerts for that resource.

    Apart from this, you could also use Sentinel automation rules to auto-close alerts in a similar way, if integrated.

    In case you are not using Sentinel, we don't have a direct option for suppressing unknown alerts, but there is a BCDR scenario to follow.

    Still, if this does not meet the requirement, I would recommend posting feedback here, as this is monitored by our product group team.

    Thanks,

    Akshay Kaushik

    Please "Accept the answer" (Yes/No), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.
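A scripted version of the suppression-rule procedure in the answer above, added here as an example; it is not code from the original post or from Microsoft. It builds rules through the Microsoft.Security/alertsSuppressionRules REST API (api-version 2019-01-01-preview), enforces the name and six-month limits quoted in the answer, and refuses a rule with no entity scope, since an unscoped rule dismisses that alert type for every resource in the subscription, which is exactly how a simulation suppression would also hide a real attack. Assumptions: the scope field names `entities.ip.address` and `entities.process.commandline` follow the scope example in the API reference and should be checked against the entities your alerts actually carry; "six months" is approximated as 183 days; the `reason` string, the IPs (TEST-NET-3), the agent name, the alert types and the subscription ID are placeholders.

```python
"""Create Defender for Cloud alert suppression rules scoped to a breach-and-
attack-simulation (BAS) run, via the Microsoft.Security/alertsSuppressionRules
REST API (api-version 2019-01-01-preview).

Added example; not code from the original Q&A thread or from Microsoft.
IPs, agent name, alert types and subscription ID are constructed placeholders.
"""
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

API_VERSION = "2019-01-01-preview"
ARM = "https://management.azure.com"

# Portal limits quoted in the answer: rules run for at most six months
# (assumption: approximated as 183 days); names start with a letter or digit,
# are 2-50 characters long and use only '-' or '_' as symbols.
MAX_LIFETIME_DAYS = 183
RULE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{1,49}$")


def validate_rule_name(name: str) -> bool:
    """True if the name satisfies the portal's naming constraints."""
    return RULE_NAME_RE.fullmatch(name) is not None


def bas_scope(simulation_ips, agent_process=None):
    """Scope conditions that match only the simulation's own traffic.

    Field names follow the scope example in the REST API reference
    (assumption: verify them against the entities your alerts carry).
    Conditions inside 'allOf' are ANDed, so only add the process condition
    for alert types that actually include a process entity.
    """
    conditions = [{"field": "entities.ip.address", "in": list(simulation_ips)}]
    if agent_process:
        conditions.append(
            {"field": "entities.process.commandline", "contains": agent_process})
    return conditions


def build_rule(alert_type, scope_conditions, comment, lifetime_days=30,
               reason="Other", now=None):
    """Build the PUT body for one alert type, refusing unsafe rules.

    'reason' is passed through as a string; check the set of values the API
    accepts for your tenant (assumption: 'Other' plus a comment).
    """
    if not 0 < lifetime_days <= MAX_LIFETIME_DAYS:
        raise ValueError("rules can run for at most six months")
    if not scope_conditions:
        # No entities means the rule dismisses this alert type for every
        # resource in the subscription, hiding real attacks as well.
        raise ValueError("refusing a suppression rule without an entity scope")
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=lifetime_days)).astimezone(timezone.utc)
    return {
        "properties": {
            "alertType": alert_type,
            "expirationDateUtc": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "reason": reason,
            "state": "Enabled",
            "comment": comment,
            "suppressionAlertsScope": {"allOf": list(scope_conditions)},
        }
    }


def rule_request(subscription_id, rule_name, rule):
    """Method, URL and JSON body of the PUT that creates or updates the rule."""
    if not validate_rule_name(rule_name):
        raise ValueError(f"invalid rule name: {rule_name!r}")
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security"
           f"/alertsSuppressionRules/{rule_name}?api-version={API_VERSION}")
    return "PUT", url, json.dumps(rule).encode()


def submit_rule(bearer_token, subscription_id, rule_name, rule):
    """Send the rule to ARM. Obtain the token with, for example,
    `az account get-access-token --query accessToken -o tsv`."""
    method, url, body = rule_request(subscription_id, rule_name, rule)
    req = urllib.request.Request(url, data=body, method=method, headers={
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed values: TEST-NET-3 addresses and placeholder alert types.
    # The alertType value is shown on each alert's details pane; one rule is
    # needed per alert type observed during the simulation.
    scope = bas_scope(["203.0.113.10", "203.0.113.11"])
    for alert_type in ["Placeholder_AlertType_A", "Placeholder_AlertType_B"]:
        rule = build_rule(alert_type, scope, "BAS run, change SEC-0000", lifetime_days=14)
        method, url, body = rule_request("00000000-0000-0000-0000-000000000000",
                                         f"bas-{alert_type.lower()}", rule)
        print(method, url)
        print(body.decode())
```

Run it once per simulation window with a short `lifetime_days`, and re-create the rules for the next window rather than leaving a long-lived rule in place; use the portal's Simulate button on a rule with the same scope to confirm it would only have dismissed the simulation alerts.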


  2. Zeeshan Nasir Bajwa 646 Reputation points Student Ambassador
    2023-03-13T09:31:24.38+00:00

    Dear Renaldo,

    Yes, it is possible to suppress email alerts for Breach and Attack simulations in Azure, while still allowing real attacks to generate alerts.

    One way to achieve this is by using custom alert rules in Azure Security Center. Here are the general steps you can follow:

    1. Open the Azure Security Center dashboard and navigate to the "Security alerts" tab.
    2. Click on the "Custom alert rules" button.
    3. Click on the "New alert rule" button to create a new custom alert rule.
    4. Give the alert rule a name and description.
    5. In the "Alert logic" section, configure the rule to trigger only for real attacks, not for Breach and Attack simulations. You can do this by selecting specific criteria or thresholds that indicate a real attack, such as the severity level or the number of events within a certain timeframe.
    6. In the "Actions" section, specify which actions should be taken when the alert rule triggers. You can choose to send email alerts, among other options.
    7. Click on the "Create alert rule" button to save the rule.

    Once the custom alert rule is created, it should only trigger for real attacks that meet the specified criteria, and not for Breach and Attack simulations. This can help to reduce the number of email alerts generated by the simulations, while still providing timely alerts for actual security incidents.

    Thanks,

    Please "Accept the answer" (Yes/No), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.
