Suppress alerts from Microsoft Defender for Cloud

Note

Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

Learn more about the recent renaming of Microsoft security services.

This page explains how you can use alerts suppression rules to suppress false positives or other unwanted security alerts from Defender for Cloud.

Availability

Aspect                          Details
Release state:                  General availability (GA)
Pricing:                        Free (most security alerts are only available with enhanced security features)
Required roles and permissions: Security admin and Owner can create/delete rules. Security reader and Reader can view rules.
Clouds:                         Commercial clouds; National (Azure Government, Azure China 21Vianet)

What are suppression rules?

The various Microsoft Defender plans detect threats in any area of your environment and generate security alerts.

When a single alert isn't interesting or relevant, you can manually dismiss it. Alternatively, use the suppression rules feature to automatically dismiss similar alerts in the future. Typically, you'd use a suppression rule to:

  • Suppress alerts that you've identified as false positives

  • Suppress alerts that are being triggered too often to be useful

Your suppression rules define the criteria for which alerts should be automatically dismissed.

Caution

Suppressing security alerts reduces the effectiveness of Defender for Cloud's threat protection. You should carefully check the potential impact of any suppression rule, and monitor it over time.

(Screenshot: Create alert suppression rule.)

Create a suppression rule

There are a few ways you can create rules to suppress unwanted security alerts:

  • To suppress alerts at the management group level, use Azure Policy
  • To suppress alerts at the subscription level, you can use the Azure portal or the REST API as explained below

Suppression rules can only dismiss alerts that have already been triggered on the selected subscriptions.

To create a rule directly in the Azure portal:

  1. From Defender for Cloud's security alerts page:

    • Select the specific alert you don't want to see anymore, and from the details pane, select Take action.

    • Or, select the suppression rules link at the top of the page, and from the suppression rules page select Create new suppression rule:

      (Screenshot: Create new suppression rule button.)

  2. In the new suppression rule pane, enter the details of your new rule.

    • Your rule can dismiss the alert on all resources so you don't get any alerts like this one in the future.
    • Your rule can dismiss the alert on specific criteria - when it relates to a specific IP address, process name, user account, Azure resource, or location.

    Tip

    If you opened the new rule page from a specific alert, the alert and subscription will be automatically configured in your new rule. If you used the Create new suppression rule link, the selected subscriptions will match the current filter in the portal.

    (Screenshot: Suppression rule creation pane.)

  3. Enter details of the rule:

    • Name - A name for the rule. Rule names must begin with a letter or a number, be between 2 and 50 characters, and contain no symbols other than dashes (-) or underscores (_).
    • State - Enabled or disabled.
    • Reason - Select one of the built-in reasons or 'other' if they don't meet your needs.
    • Expiration date - An end date and time for the rule. Rules can run for up to six months.
  4. Optionally, test the rule using the Simulate button to see how many alerts would have been dismissed if this rule had been active.

  5. Save the rule.

Edit a suppression rule

To edit a rule you've created, use the suppression rules page.

  1. From Defender for Cloud's security alerts page, select the suppression rules link at the top of the page.

  2. The suppression rules page opens with all the rules for the selected subscriptions.

    (Screenshot: Suppression rules list.)

  3. To edit a single rule, open the ellipsis menu (...) for the rule and select Edit.

  4. Make the necessary changes and select Apply.

Delete a suppression rule

To delete one or more rules you've created, use the suppression rules page.

  1. From Defender for Cloud's security alerts page, select the suppression rules link at the top of the page.
  2. The suppression rules page opens with all the rules for the selected subscriptions.
  3. To delete a single rule, open the ellipsis menu (...) for the rule and select Delete.
  4. To delete multiple rules, select the check boxes for the rules to be deleted and select Delete.

    (Screenshot: Deleting one or more suppression rules.)

Create and manage suppression rules with the API

You can create, view, or delete alert suppression rules via Defender for Cloud's REST API.

The relevant HTTP methods for suppression rules in the REST API are:

  • PUT: To create or update a suppression rule in a specified subscription.

  • GET:

    • To list all rules configured for a specified subscription. This method returns an array of the applicable rules.

    • To get the details of a specific rule on a specified subscription. This method returns one suppression rule.

    • To simulate the impact of a suppression rule still in the design phase. This call identifies which of your existing alerts would have been dismissed if the rule had been active.

  • DELETE: Deletes an existing rule (but doesn't change the status of alerts already dismissed by it).

For full details and usage examples, see the API documentation.
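The following Python is an added example, not code from this page or from Microsoft. It ties together the rule details described under "Enter details of the rule" (name constraints, six-month maximum lifetime, dismiss-on-all-resources versus dismiss-on-specific-criteria) and the REST operations listed above: it validates the rule locally, builds the PUT request body that would create the rule in a subscription, and runs a local stand-in for the API's "simulate" call over a few constructed alerts so you can see which ones a scoped rule would dismiss before you create it. The resource path, API version, reason value and entity field name are assumptions from my own reading of the API and must be checked against the current API reference; nothing here sends a request.

```python
"""Constructed example: validate suppression-rule details, build the REST PUT
request, and locally simulate which alerts the rule would dismiss.
The endpoint path, API version, and body shape are ASSUMPTIONS, not taken
from the page; verify them against the published API reference."""
import json
import re
from datetime import datetime, timedelta, timezone

ARM_BASE = "https://management.azure.com"
API_VERSION = "2019-01-01-preview"  # assumption

# Constraints quoted from the portal instructions: 2-50 characters, first
# character a letter or digit, the rest letters, digits, '-' or '_'.
RULE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{1,49}")
MAX_LIFETIME = timedelta(days=183)  # "rules can run for up to six months"


def validate_rule_name(name: str) -> bool:
    return RULE_NAME_RE.fullmatch(name) is not None


def validate_expiration(expires: datetime, now: datetime) -> bool:
    """Expiry must lie in the future and no more than six months out."""
    return now < expires <= now + MAX_LIFETIME


def build_put_request(subscription_id, rule_name, alert_type, reason,
                      expires, now, scope=None, comment=""):
    """Return {"method", "url", "body"} for the PUT that creates/updates a rule.

    `scope` is a list of {"field": <entity field>, "in": [values]} clauses that
    must all match for an alert to be dismissed (the "specific criteria" option);
    None means the rule dismisses the alert type on all resources.
    """
    if not validate_rule_name(rule_name):
        raise ValueError(f"invalid rule name: {rule_name!r}")
    if not validate_expiration(expires, now):
        raise ValueError("expiration must be in the future and at most six months away")
    props = {
        "alertType": alert_type,
        "state": "Enabled",
        "reason": reason,  # assumed enum value, see lead-in
        "comment": comment,
        "expirationDateUtc": expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    if scope:
        props["suppressionAlertsScope"] = {"allOf": scope}
    url = (f"{ARM_BASE}/subscriptions/{subscription_id}/providers/Microsoft.Security"
           f"/alertsSuppressionRules/{rule_name}?api-version={API_VERSION}")
    return {"method": "PUT", "url": url, "body": {"properties": props}}


def simulate(rule_body, alerts):
    """Local equivalent of the API's simulate GET: ids of alerts the rule would dismiss.

    Each alert is a dict with "id", "alertType" and "fields" (entity field -> value).
    An alert is dismissed only if its type matches and every scope clause matches.
    """
    props = rule_body["properties"]
    clauses = props.get("suppressionAlertsScope", {}).get("allOf", [])
    return [a["id"] for a in alerts
            if a["alertType"] == props["alertType"]
            and all(a["fields"].get(c["field"]) in c["in"] for c in clauses)]


# Constructed sample alerts; alert type and field names are invented for the demo.
SAMPLE_ALERTS = [
    {"id": "a1", "alertType": "VM_SuspiciousActivity", "fields": {"entities.host.dnsdomain": "lab.example"}},
    {"id": "a2", "alertType": "VM_SuspiciousActivity", "fields": {"entities.host.dnsdomain": "prod.example"}},
    {"id": "a3", "alertType": "SQL_Injection", "fields": {"entities.host.dnsdomain": "lab.example"}},
]


def example_request(days=90):
    """Build a rule scoped to the lab domain only, so production alerts keep firing."""
    now = datetime(2022, 1, 1, tzinfo=timezone.utc)
    return build_put_request(
        subscription_id="00000000-0000-0000-0000-000000000000",  # placeholder
        rule_name="lab-vm-scanner-noise",
        alert_type="VM_SuspiciousActivity",
        reason="FalsePositive",
        expires=now + timedelta(days=days),
        now=now,
        scope=[{"field": "entities.host.dnsdomain", "in": ["lab.example"]}],
        comment="Authorized vulnerability scanner in the lab domain",
    )


if __name__ == "__main__":
    req = example_request()
    print(req["method"], req["url"])
    print(json.dumps(req["body"], indent=2))
    print("would dismiss:", simulate(req["body"], SAMPLE_ALERTS))
```

Scoping the rule to one entity field rather than dismissing on all resources is the design choice worth noting: the local simulation shows the scoped rule dismisses only the lab alert of that type and leaves the production alert and the unrelated alert type untouched, which is the check the Caution section asks you to make before saving a rule.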

Next steps

This article described the suppression rules in Microsoft Defender for Cloud that automatically dismiss unwanted alerts.

For more information on security alerts, see the following pages: