lfk73
Brass Contributor
Mar 10, 2026

Unsanctioned cloud apps generate constant alerts

When I mark a cloud app as unsanctioned it creates a URL-based indicator to block the site. However, it also by default enables the Generate Alert option on the indicator. This causes my SOC to get inundated with garbage alerts. Now normally if I'm just unsanctioning one Cloud App I could go and turn off the alert.

However, I use cloud app policy that will identify any new Cloud Apps in an entire category and then unsanction it.  But it enables Generate Alert on the URL indicator.


Then if someone accesses that new one the generate alert kicks off.

I don't want to have to go into every new app and untick generate alert manually that's just too time consuming.

Is there a way to change the default behaviour when adding an indicator to not enable the generate alert? Or is there some other way to do this?

I could consider using power automate or something but I'd rather the default behaviour be the fix as automation can break.  I don't have time to babysit it.

3 Replies

  • Thanks for the feedback!

    I am a Product Manager with Microsoft Defender. We hear you, and this is a pain point we take very seriously.

    We are currently updating the product to provide an option for customers to decide whether they need an alert generated when a user is blocked from accessing an app, or if they would prefer to turn the alert off entirely.

    The feature is currently undergoing internal testing. It is expected to be available publicly within the next couple of weeks.

    We appreciate your patience while we roll this out to help you streamline your security workflows!

  • At the moment there is no setting to change the default behavior when Defender creates a URL indicator from a Cloud App governance action. When a Cloud Discovery policy automatically tags an app as Unsanctioned, Microsoft Defender creates the corresponding URL indicator and enables the “Generate alert” option by default. Unfortunately this behavior is currently hard-coded and there is no tenant-level configuration to disable it globally.


    Because of that, SOC teams that use policies like yours (for example automatically unsanctioning all newly discovered apps in a category such as Generative AI) often end up with a large number of alerts when users attempt to access those apps.


    Today the practical options are:

    1. Manually edit the indicator and disable Generate alert (which you already mentioned, but does not scale well).
    2. Use automation (Graph API, Power Automate, or a script) to periodically modify newly created indicators and turn off the alert flag.
    3. Adjust the SOC alert pipeline by filtering or suppressing these alerts if they are not actionable.

    In many environments the goal of marking an app as Unsanctioned is simply to enforce blocking through Defender for Endpoint or network controls, not necessarily to generate alerts for every access attempt. Because of that, several organizations handle this by filtering those alerts in their SOC workflow.


    Unfortunately, until Microsoft exposes a configurable option for indicator creation behavior, there is no native way to change this default in Defender.

    •
      lfk73
      Brass Contributor

      I suspected that would be the case. I already have an automation in Sentinel to close alerts with "Connection to a custom network indicator", which works, but it also blocked other IOCs I have set that I might want to have the SOC review. Any way to create an automation that detects if it's also a specific Cloud App category? e.g. webmail.