pcgr
Copper Contributor
Feb 20, 2025

Alert Tuning (formerly Alert Suppression) Issues

Hello all!

I am managing a Microsoft Defender instance and I have created a Custom Detection Rule.

I want to tune this Alert so it auto-resolves in ALL scenarios (any host, any user).

I have tried using Alert Tuning like so:

I have selected ALL service sources, scope is All organization, condition is Alert:Custom and must match Alert Title, which is the title of the generated alerts as taken from Advanced Hunting to make sure it is an exact match.

I have tried using wildcards in Alert Title, adding severity as another indicator, and tried doing it directly from a triggered alert as well as from Alert Tuning in settings.

Nothing has worked so far.

Any input or insights would be greatly appreciated.

Cheers!

  • pcgr
    Copper Contributor

    Sadly the culprit was found: it is not possible to use Alert Suppression on Custom Detections ATM, as can be seen in this Microsoft Learn article.

    Hope this gets included at some point as there are other uses for Custom Detections.

    Thank you all

  • pcgr
    Copper Contributor

    Hey luchete, the scope is pretty much everything in the organization: all hosts, all accounts, all alert sources, nothing is excluded. Would it be possible for you to provide me an example Alert Title that you have found was able to match a generated alert? (As you can see at the end of this post, I tried various different iterations with no luck.)

    Sadly still, nothing works and I have delved even deeper into the "rabbit hole".

    I will share my insights in case it helps anyone tackle this issue or gives any ideas.

    In the Microsoft Learn page related to tuning there is the following Note:

    Since I have been trying to filter alerts by Alert Title, I figured it might be the reason that I am not able to proceed with the suppression/tuning.

    Now the IoaDefinitionId is not a field that is natively available, at least in our version of Defender and from this Microsoft Learn article, it appears that it has been replaced by detectorId (which is also not natively available during queries).

    Using the native API explorer in our Defender and an AlertID from one of the generated alerts, I was able to use the following API request to get some more information on the generated alerts:

    GET https://api.security.microsoft.com/api/v1.0/alerts/{alertId}

    and thankfully one of the fields returned by the API request was indeed detectorId. I checked a couple more AlertIds to make sure that they produced the same detectorId and they did.

    To no avail though.

    I used the detectorId as Alert Title in the suppression/tuning rule in every possible combination, with or without the actual Alert Title in OR, with or without wildcards, with or without quotation marks and nothing worked.

    Examples:

    TEST - Alert Title (actual name of the alert from both Custom Detection as well as AlertInfo table in advanced hunting)
    "TEST - Alert Title"
    *TEST - Alert Title*
    *TEST - Alert*
    detectorId (the string that is detector id)
    "detectorId"
    *detectorId*
    *(part of detectorId)*

    I will keep digging and will probably also ask some more places about this but I figured it might be useful here as well. Hope to find a solution.

  • pcgr
    Copper Contributor

    Hey luchete!

    Thanks for your reply.

    I have not set ANY conditions because I want the Suppression/Tuning to apply EVERY time the alert triggers, regardless of user, host or account. This means that the only condition I have is Alert Title.

    As for the Alert Title, I have taken it from the Advanced Hunting table to make sure that it is word for word exactly the way it triggers, and yet still nothing :P

    Have you, or anyone else, ever successfully suppressed a Custom Detection based on Alert Title?

    Cheers!

    • luchete
      Steel Contributor

      Hi pcgr,

      If you're aiming for the alert tuning to apply every time the alert triggers without conditions on user, host, or account, using just the Alert Title condition should technically work as long as the title matches exactly. Since you’ve already double-checked that the Alert Title is word for word correct, one thing to consider is whether there are any hidden characters or formatting issues in the title that might be causing the match to fail.

      Another thing to try would be ensuring there are no conflicting alert tuning rules or any restrictions in your organization’s settings that could be preventing the suppression from applying universally. If it’s still not working, it could be helpful to check if there are any known limitations or updates regarding custom detection rule suppression in the Defender documentation.

      I haven’t personally encountered this issue, but I’d recommend trying these steps and seeing if that helps resolve it! Let me know how it goes.

      Regards!
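Two checks come up in the exchange above: confirming that several alerts returned by GET https://api.security.microsoft.com/api/v1.0/alerts/{alertId} share one detectorId, and luchete's suggestion that hidden characters in the alert title may be defeating the exact match. The script below is an added example written for this page, not code from the thread or from Microsoft. It works offline on constructed records that mimic the shape of those API responses; the field names `id`, `title`, `detectorId` and `severity`, the GUID-like values and the rule title are all assumptions.

```python
"""Added example (not from the thread): inspect alert titles for characters
that a UI would hide, compare them with the title typed into an Alert Tuning
rule, and group alerts by detectorId.

SAMPLE_ALERTS is CONSTRUCTED to resemble records returned by
GET https://api.security.microsoft.com/api/v1.0/alerts/{alertId}; the field
names and values are assumptions, not real data.
"""
import unicodedata
from collections import defaultdict

# Title as typed into the tuning rule (assumed value).
RULE_TITLE = "TEST - Alert Title"

# Constructed sample responses. alert-003 carries a no-break space (U+00A0)
# and a trailing zero width space (U+200B); alert-004 has trailing whitespace.
# Both look identical to RULE_TITLE in a web UI.
SAMPLE_ALERTS = [
    {"id": "alert-001", "title": "TEST - Alert Title",
     "detectorId": "11111111-2222-3333-4444-555555555555", "severity": "Medium"},
    {"id": "alert-002", "title": "TEST - Alert Title",
     "detectorId": "11111111-2222-3333-4444-555555555555", "severity": "Medium"},
    {"id": "alert-003", "title": "TEST\u00a0- Alert Title\u200b",
     "detectorId": "11111111-2222-3333-4444-555555555555", "severity": "Medium"},
    {"id": "alert-004", "title": "TEST - Alert Title ",
     "detectorId": "99999999-8888-7777-6666-555555555555", "severity": "Low"},
]


def hidden_characters(text):
    """Return (offset, codepoint, unicode name) for every character a reader
    would not notice: control/format characters (Unicode category C*), any
    separator other than a plain ASCII space (category Z*), plus a marker
    entry when the string has leading or trailing whitespace."""
    found = []
    for i, ch in enumerate(text):
        cat = unicodedata.category(ch)
        if cat.startswith("C") or (cat.startswith("Z") and ch != " "):
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    if text != text.strip():
        found.append((-1, "WHITESPACE", "leading or trailing whitespace"))
    return found


def normalize_title(text):
    """Canonical form for comparison: NFKC, every separator or format
    character turned into a space, runs of whitespace collapsed, trimmed."""
    text = unicodedata.normalize("NFKC", text)
    chars = [" " if unicodedata.category(ch).startswith("Z")
             or unicodedata.category(ch) in ("Cf", "Cc") else ch
             for ch in text]
    return " ".join("".join(chars).split())


def compare_titles(rule_title, alerts):
    """Per alert id: does the emitted title match the rule title exactly,
    does it match after normalization, and which hidden characters it has.
    exact=False with normalized=True is the 'hidden characters' case."""
    report = {}
    for alert in alerts:
        title = alert["title"]
        report[alert["id"]] = {
            "exact": title == rule_title,
            "normalized": normalize_title(title) == normalize_title(rule_title),
            "hidden": hidden_characters(title),
        }
    return report


def group_by_detector(alerts):
    """Map detectorId -> list of alert ids, to confirm that alerts believed
    to come from one custom detection really share a single detectorId."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert["detectorId"]].append(alert["id"])
    return dict(groups)


if __name__ == "__main__":
    for alert_id, result in compare_titles(RULE_TITLE, SAMPLE_ALERTS).items():
        print(alert_id, "exact:", result["exact"],
              "normalized:", result["normalized"], "hidden:", result["hidden"])
    for detector, ids in group_by_detector(SAMPLE_ALERTS).items():
        print(detector, "->", ids)
```

To apply it to real data, replace SAMPLE_ALERTS with the JSON bodies you pulled from the API explorer for a handful of alert ids; any alert reported as exact=False but normalized=True is one where the title differs only in characters the portal does not render, which is the case luchete describes.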

  • luchete
    Steel Contributor

    Hi pcgr,

    One thing to check is whether the specific conditions you’ve set for the alert are covering all scenarios correctly. For the auto-resolution to work across all hosts and users, make sure the scope and condition are broad enough without restricting it too much.

    Sometimes, tweaking the Alert Title condition slightly or ensuring the match is exactly how the alert is generated can help. If you’re still running into issues, it might be helpful to check if there are any other underlying settings or limitations with the custom detection rule itself.

    Regards!
