Forum Discussion
Unsanctioned cloud apps generate constant alerts
When I mark a cloud app as unsanctioned it creates a URL-based indicator to block the site. However, it also by default enables the Generate Alert option on the indicator. This causes my SOC to get inundated with garbage alerts. Now normally if I'm just unsanctioning one Cloud App I could go and turn off the alert.
However, I use cloud app policy that will identify any new Cloud Apps in an entire category and then unsanction it. But it enables Generate Alert on the URL indicator.
Then if someone accesses that new one the generate alert kicks off.
I don't want to have to go into every new app and untick generate alert manually that's just too time consuming.
Is there a way to change the default behaviour when adding an indicator to not enable the generate alert? Or is there some other way to do this?
I could consider using power automate or something but I'd rather the default behaviour be the fix as automation can break. I don't have time to babysit it.
1 Reply
At the moment there is no setting to change the default behavior when Defender creates a URL indicator from a Cloud App governance action. When a Cloud Discovery policy automatically tags an app as Unsanctioned, Microsoft Defender creates the corresponding URL indicator and enables the “Generate alert” option by default. Unfortunately this behavior is currently hard-coded and there is no tenant-level configuration to disable it globally.
Because of that, SOC teams that use policies like yours (for example automatically unsanctioning all newly discovered apps in a category such as Generative AI) often end up with a large number of alerts when users attempt to access those apps.
Today the practical options are:
- Manually edit the indicator and disable Generate alert (which you already mentioned, but does not scale well).
- Use automation (Graph API, Power Automate, or a script) to periodically modify newly created indicators and turn off the alert flag.
- Adjust the SOC alert pipeline by filtering or suppressing these alerts if they are not actionable.
In many environments the goal of marking an app as Unsanctioned is simply to enforce blocking through Defender for Endpoint or network controls, not necessarily to generate alerts for every access attempt. Because of that, several organizations handle this by filtering those alerts in their SOC workflow.
Unfortunately, until Microsoft exposes a configurable option for indicator creation behavior, there is no native way to change this default in Defender.
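One way to implement the scripted option from the reply above, as an added example that is not part of the original thread or of Microsoft's own tooling: it lists the tenant's indicators, picks the URL/domain ones that still have Generate alert on, and re-submits each with the flag cleared. It assumes the Defender for Endpoint Indicators API (api.securitycenter.microsoft.com/api/indicators, where submitting an existing value/type pair updates it) and a bearer token supplied in the hypothetical MDE_TOKEN environment variable; the `title_prefix` filter and the sample indicators are constructed for illustration.

```python
"""Clear 'Generate alert' on noisy URL/domain indicators (added example, not Microsoft code)."""
import json
import os
import urllib.request

# Assumption: Defender for Endpoint Indicators API; token comes from an app registration
# with indicator read/write permission and is passed in via the MDE_TOKEN env var.
API = "https://api.securitycenter.microsoft.com/api/indicators"
NOISY_TYPES = {"Url", "DomainName"}  # the types a Cloud App block indicator is created as

# Constructed sample of what the GET call returns (trimmed to the fields used here).
SAMPLE_INDICATORS = [
    {"indicatorValue": "newapp.example", "indicatorType": "Url", "action": "Block",
     "generateAlert": True, "title": "Unsanctioned: newapp", "description": "Cloud App policy"},
    {"indicatorValue": "quietapp.example", "indicatorType": "DomainName", "action": "Block",
     "generateAlert": False, "title": "Unsanctioned: quietapp", "description": "already silenced"},
    {"indicatorValue": "0" * 64, "indicatorType": "FileSha256", "action": "Alert",
     "generateAlert": True, "title": "SOC hunting hash", "description": "keep alerting"},
]

def should_silence(ind, title_prefix=None):
    """True only for URL/domain indicators that still alert (optionally matching a title prefix)."""
    if ind.get("indicatorType") not in NOISY_TYPES or not ind.get("generateAlert", False):
        return False
    return not title_prefix or (ind.get("title") or "").startswith(title_prefix)

def silence_payload(ind):
    """Submit-or-Update body: same value/type/action, block kept, alerting turned off."""
    return {"indicatorValue": ind["indicatorValue"], "indicatorType": ind["indicatorType"],
            "action": ind["action"], "title": ind.get("title") or ind["indicatorValue"],
            "description": ind.get("description") or "Unsanctioned app block", "generateAlert": False}

def plan_updates(indicators, title_prefix=None):
    """Pure step (no network): the update bodies that would be sent for a given indicator list."""
    return [silence_payload(i) for i in indicators if should_silence(i, title_prefix)]

def _call(method, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def silence_noisy_indicators(token, title_prefix=None, dry_run=True):
    """Fetch live indicators and apply the plan; dry_run only reports what would change."""
    updates = plan_updates(_call("GET", token).get("value", []), title_prefix)
    for body in updates if not dry_run else []:
        _call("POST", token, body)  # same value+type as an existing indicator -> update in place
    return [u["indicatorValue"] for u in updates]

if __name__ == "__main__":
    print(silence_noisy_indicators(os.environ["MDE_TOKEN"], title_prefix="Unsanctioned:"))
```

Run it on a schedule (dry_run first) after the Cloud Discovery policy has had time to create its indicators; filtering on a title prefix keeps hand-made hunting indicators alerting.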