Suppression rules giving the ability to fine-tune Azure Security Center alerts by your organizations' specific needs and conditions, letting you suppress alerts that are triggered by known normal activities in your organization. Use suppression rules to suppress alerts that are known to be inoffensive, thus reducing alerts fatigue for your SOC team.
Suppressed alerts will be hidden in Azure Security Center, Azure Sentinel and third-party SIEM solutions, but will still be reachable if needed later on with dismissed state.
How to suppress alert in Azure Security Center?
To suppress alerts in Azure Security Center, follow the following guidelines:
- Go to 'Security Alerts' page in Azure Security Center.
- Choose the alert you would like to suppress, click on the three dots at the end of the row, and choose 'Create suppression rule'
3. In the 'new suppression rules' page - Choose the alert you would like to suppress
4. Choose the entities you would like to suppress the alert for, for example: suppress the alert only for specific IP ranges, processes, resources, or user accounts (The best practice is to refine the suppression rule and suppress as less alerts as possible)
5. Enter rule details: Rule name, Reason for suppression, comment and expiration date (up to 6 months ahead)
6. Click on 'simulate' to test your rule before you are applying it and validate it's correctness.
7. Click on apply.
8. To manage your suppression rules, click on 'Suppression rules' button at the head of 'Security alerts' page
For more information, reach out to our documentation.
Tal Rosler,
Product Manager,
Azure Security Center.