Forum Discussion
Alert Tuning (formerly Alert Suppression) Issues
Hey luchete, the scope is pretty much everything in the organization: all hosts, all accounts, all alert sources, nothing is excluded. Would it be possible for you to provide me with an example Alert Title that you have found was able to match a generated alert? (As you can see at the end of this post, I tried various different iterations with no luck.)
Sadly still, nothing works and I have delved even deeper into the "rabbit hole".
I will share my insights in case it helps anyone tackle this issue or gives any ideas.
On the https://learn.microsoft.com/en-us/defender-xdr/investigate-alerts?view=o365-worldwide&tabs=settings#public-preview-tune-an-alert page about tuning, there is the following note:
Since I have been trying to filter alerts by Alert Title, I figured it might be the reason that I am not able to proceed with the suppression/tuning.
Now, IoaDefinitionId is not a field that is natively available, at least in our version of Defender, and from this https://learn.microsoft.com/en-us/defender-endpoint/configure-siem article it appears that it has been replaced by detectorId (which is also not natively available during queries).
Using the native API explorer in our Defender and an AlertID from one of the generated alerts, I was able to use the following API request to get some more information on the generated alerts:
GET https://api.security.microsoft.com/api/v1.0/alerts/{alertId}
Thankfully, one of the fields returned by the API request was indeed detectorId. I checked a couple more AlertIds to make sure that they produced the same detectorId, and they did.
To no avail though.
I used the detectorId as the Alert Title in the suppression/tuning rule in every possible combination: with or without the actual Alert Title in an OR, with or without wildcards, with or without quotation marks, and nothing worked.
Examples:
TEST - Alert Title (actual name of the alert from both Custom Detection as well as AlertInfo table in advanced hunting)
"TEST - Alert Title"
*TEST - Alert Title*
*TEST - Alert*
detectorId (the string that is detector id)
"detectorId"
*detectorId*
*(part of detectorId)*
I will keep digging and will probably also ask in some more places about this, but I figured it might be useful here as well. Hope to find a solution.
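The step the post describes by hand (pull several alerts through the alerts API and confirm that one alert title always maps to the same detectorId) can be scripted, which matters when you later need to know which identifier a tuning rule would have to match on. The following is an added example written for this thread, not code from the original post or from Microsoft. It assumes the alert JSON carries the alert name in a `title` field and the alert ID in an `id` field (the post only confirms `detectorId`), and the sample records below are constructed, not real Defender output.

```python
"""Group Defender alerts by title and verify that each title maps to exactly
one detectorId, using the alerts endpoint quoted in the post."""
import json
import urllib.request
from collections import defaultdict

# Endpoint quoted in the post; {alertId} is substituted per alert.
ALERTS_URL = "https://api.security.microsoft.com/api/v1.0/alerts/{alertId}"

# Constructed sample responses (NOT real Defender output). Only the fields used
# here are included. "id" and "title" are assumed field names; "detectorId" is
# the field the post reports seeing in the response.
SAMPLE_ALERTS = [
    {"id": "alert-0001", "title": "TEST - Alert Title", "detectorId": "detector-placeholder-A"},
    {"id": "alert-0002", "title": "TEST - Alert Title", "detectorId": "detector-placeholder-A"},
    {"id": "alert-0003", "title": "TEST - Alert Title", "detectorId": "detector-placeholder-A"},
    # A second custom detection that shares a title but not a detectorId;
    # this is the situation a tuning rule keyed on the title cannot separate.
    {"id": "alert-0004", "title": "Suspicious sign-in", "detectorId": "detector-placeholder-B"},
    {"id": "alert-0005", "title": "Suspicious sign-in", "detectorId": "detector-placeholder-C"},
]


def fetch_alert(alert_id, access_token):
    """Live call: GET one alert by ID. Requires a valid OAuth bearer token for
    the Defender API; not exercised offline."""
    req = urllib.request.Request(
        ALERTS_URL.format(alertId=alert_id),
        headers={"Authorization": f"Bearer {access_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def detector_ids_by_title(alerts):
    """Map each alert title to the sorted list of detectorIds seen under it."""
    groups = defaultdict(set)
    for alert in alerts:
        groups[alert["title"]].add(alert["detectorId"])
    return {title: sorted(ids) for title, ids in groups.items()}


def inconsistent_titles(alerts):
    """Titles that appear with more than one detectorId: a tuning rule matching
    on such a title would cover several distinct detections."""
    return sorted(title for title, ids in detector_ids_by_title(alerts).items()
                  if len(ids) > 1)


def title_for_detector(alerts, detector_id):
    """Reverse lookup: which title(s) a given detectorId was seen with."""
    return sorted({a["title"] for a in alerts if a["detectorId"] == detector_id})


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap SAMPLE_ALERTS for
    # [fetch_alert(i, token) for i in alert_ids] to run against the live API.
    for title, ids in detector_ids_by_title(SAMPLE_ALERTS).items():
        print(f"{title!r}: {ids}")
    print("titles with more than one detectorId:", inconsistent_titles(SAMPLE_ALERTS))
```

Run as-is it only uses the constructed sample; to reproduce the post's check against a tenant, collect a handful of alert IDs from the alerts queue and feed `fetch_alert` results into the same two functions.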