Manage suppression rules
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see Suppress alerts.
You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off.
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
Sign in to the Microsoft Defender portal using an account with the Security administrator or Global Administrator role assigned.
In the navigation pane, select Settings > Endpoints > Rules > Alert suppression. The list of suppression rules that users in your organization have created is displayed.
Select a rule by clicking on the check-box beside the rule name.
Click Turn rule on, Edit rule, or Delete rule. When making changes to a rule, you can choose to release alerts that it has already suppressed, regardless whether or not these alerts match the new criteria.
View details of a suppression rule
In the navigation pane, select Settings > Endpoints > Rules > Alert suppression. The list of suppression rules that users in your organization have created is displayed.
Select a rule name. Details of the rule is displayed. You'll see the rule details such as status, scope, action, number of matching alerts, created by, and date when the rule was created. You can also view associated alerts and the rule conditions.
Related topics
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.