Manage suppression rules


There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous, such as those triggered by known tools or processes in your organization. For more information on how to suppress alerts, see Suppress alerts.

You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off.

  1. Log in to Microsoft Defender XDR using an account with the Security administrator or Global administrator role assigned.

  2. In the navigation pane, select Settings > Endpoints > Rules > Alert suppression. The list of suppression rules that users in your organization have created is displayed.

  3. Select a rule by clicking on the checkbox beside the rule name.

  4. Click Turn rule on, Edit rule, or Delete rule. When making changes to a rule, you can choose to release alerts that it has already suppressed, regardless of whether these alerts match the new criteria.

View details of a suppression rule

  1. In the navigation pane, select Settings > Endpoints > Rules > Alert suppression. The list of suppression rules that users in your organization have created is displayed.

  2. Click on a rule name. The rule details are displayed, such as status, scope, action, number of matching alerts, created by, and the date when the rule was created. You can also view associated alerts and the rule conditions.
