Suppress alerts from Microsoft Defender for Cloud
This page explains how you can use alerts suppression rules to suppress false positives or other unwanted security alerts from Defender for Cloud.
|Release state:||General availability (GA)|
(Most security alerts are only available with enhanced security features)
|Required roles and permissions:||Security admin and Owner can create/delete rules.
Security reader and Reader can view rules.
National (Azure Government, Azure China 21Vianet)
What are suppression rules?
The various Microsoft Defender plans detect threats in any area of your environment and generate security alerts.
When a single alert isn't interesting or relevant, you can manually dismiss it. Alternatively, use the suppression rules feature to automatically dismiss similar alerts in the future. Typically, you'd use a suppression rule to:
Suppress alerts that you've identified as false positives
Suppress alerts that are being triggered too often to be useful
Your suppression rules define the criteria for which alerts should be automatically dismissed.
Suppressing security alerts reduces the effectiveness of Defender for Cloud's threat protection. You should carefully check the potential impact of any suppression rule, and monitor it over time.
Create a suppression rule
There are a few ways you can create rules to suppress unwanted security alerts:
- To suppress alerts at the management group level, use Azure Policy
- To suppress alerts at the subscription level, you can use the Azure portal or the REST API as explained below
Suppression rules don't work retroactively - they'll only suppress alerts triggered after the rule is created. Also, if a specific alert type has never been generated on a specific subscription, future alerts of that type won't be suppressed. For a rule to suppress an alert on a specific subscription, that alert type has to have been triggered at least once before the rule is created.
To create a rule directly in the Azure portal:
From Defender for Cloud's security alerts page:
Select the specific alert you don't want to see anymore, and from the details pane, select Take action.
Or, select the suppression rules link at the top of the page, and from the suppression rules page select Create new suppression rule:
In the new suppression rule pane, enter the details of your new rule.
- Your rule can dismiss the alert on all resources so you don't get any alerts like this one in the future.
- Your rule can dismiss the alert on specific criteria - when it relates to a specific IP address, process name, user account, Azure resource, or location.
If you opened the new rule page from a specific alert, the alert and subscription will be automatically configured in your new rule. If you used the Create new suppression rule link, the selected subscriptions will match the current filter in the portal.
Enter details of the rule:
- Name - A name for the rule. Rule names must begin with a letter or a number, be between 2 and 50 characters, and contain no symbols other than dashes (-) or underscores (_).
- State - Enabled or disabled.
- Reason - Select one of the built-in reasons or 'other' if they don't meet your needs.
- Expiration date - An end date and time for the rule. Rules can run for up to six months.
Optionally, test the rule using the Simulate button to see how many alerts would have been dismissed if this rule had been active.
Save the rule.
Edit a suppression rule
To edit a rule you've created, use the suppression rules page.
From Defender for Cloud's security alerts page, select the suppression rules link at the top of the page.
The suppression rules page opens with all the rules for the selected subscriptions.
To edit a single rule, open the ellipsis menu (...) for the rule and select Edit.
Make the necessary changes and select Apply.
Delete a suppression rule
To delete one or more rules you've created, use the suppression rules page.
- From Defender for Cloud's security alerts page, select the suppression rules link at the top of the page.
- The suppression rules page opens with all the rules for the selected subscriptions.
- To delete a single rule, open the ellipsis menu (...) for the rule and select Delete.
- To delete multiple rules, select the check boxes for the rules to be deleted and select Delete.
Create and manage suppression rules with the API
You can create, view, or delete alert suppression rules via Defender for Cloud's REST API.
The relevant HTTP methods for suppression rules in the REST API are:
PUT: To create or update a suppression rule in a specified subscription.
To list all rules configured for a specified subscription. This method returns an array of the applicable rules.
To get the details of a specific rule on a specified subscription. This method returns one suppression rule.
To simulate the impact of a suppression rule still in the design phase. This call identifies which of your existing alerts would have been dismissed if the rule had been active.
DELETE: Deletes an existing rule (but doesn't change the status of alerts already dismissed by it).
For full details and usage examples, see the API documentation.
This article described the suppression rules in Microsoft Defender for Cloud that automatically dismiss unwanted alerts.
For more information on security alerts, see the following pages:
- Security alerts and the intent kill chain - A reference guide to the security alerts you might get from Defender for Cloud.
Submit and view feedback for