Forum Discussion

VOatMH1265
Copper Contributor
Oct 28, 2024

Duplicate alerts generated when unsanctioned app is accessed

We use Defender for Endpoint and also sanction/unsanction cloud applications in Defender.

When an unsanctioned application is blocked we get two alerts generated for it: one titled "Connection to a custom network indicator" and a second titled "Unsanctioned cloud app access was blocked".

We expect and want only one of these alerts, but can't seem to find the correct area to edit the policy for "Unsanctioned cloud app access was blocked", and editing "Connection to a custom network indicator" seems to require editing the alert settings for each indicator. Maybe there is a better way for the latter one.


Connection to a custom network indicator

When an application is unsanctioned, it creates a custom indicator which is further viewable at Defender > System > Settings > Endpoints > Rules > Indicators > URLs/Domains.

The Application column displays the cloud app which was sanctioned, and the alert with the title "Unsanctioned cloud app access was blocked" for each indicator can be further edited from this area. This would be one place we can turn off these alerts, but we are hoping there is a bulk edit or a global setting to not create these alerts when a cloud app is unsanctioned.

This is the alert policy/rule we would like to turn off and not have created automatically for each unsanctioned cloud app. Is there a setting to disable the automatic creation of these alerts with each new unsanctioned cloud app?


Unsanctioned cloud app access was blocked

Only severity can be changed for these alerts as far as I can find under Settings > Cloud apps > Cloud Discovery > Microsoft Defender for Endpoint.

That is okay, as this is the preferred alert that we would like to retain.


  • GuidoImpe
    Brass Contributor
    Hello, are you sure that is not an aggregated alert?
    Sometimes, in the Defender portal an alert is aggregated and is not duplicated.
    Do you have a screenshot of this problem?

    Thanks
    Guido
    • VOatMH1265
      Copper Contributor

      GuidoImpe Please take a look at the screenshots attached.

      I am pretty sure they are separate alerts for the same activity in the process tree.


      First occurrence of "Network Filter Lookup Service blocked chrome.exe from accessing https://img.freepik.com" and "[18500] chrome.exe established
      Outbound connection from 10.153.1.29:60961 to 23.221.212.196:443
      Observed Device: Unknown device" generated one alert "Connection to a custom network indicator"


      Second occurrence of "Network Filter Lookup Service blocked chrome.exe from accessing https://www.freepik.com" and "[18500] chrome.exe established
      Outbound connection from 10.153.1.29:60966 to 23.204.115.183:443
      Observed Device: Unknown device" generated second alert "Connection to a custom network indicator" which is expected as they are connecting to different IPs.


      Then "chrome.exe has initiated a TLS connection to https://www.freepik.com" and "[18500] chrome.exe established
      Outbound connection from 10.153.1.29:60966 to 23.204.115.183:443
      Observed Device: Unknown device" also generated alert "Unsanctioned cloud app access was blocked"


      Most examples I have include a pair of alerts for the same activity, and this one example is odd because it includes a duplicate for one alert, and no duplicate for the other alert.
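The correlation the poster is doing by hand above (matching the two alert titles to the same process, device and remote IP in the process tree) can be scripted for triage. The following is an added example, not code from the thread or from Microsoft; the alert records are constructed from the events quoted in the post, and the field names, device name and timestamps are assumptions.

```python
from datetime import datetime, timedelta

INDICATOR_TITLE = "Connection to a custom network indicator"
UNSANCTIONED_TITLE = "Unsanctioned cloud app access was blocked"

# Constructed sample alerts modelled on the process-tree events quoted above
# (chrome.exe PID 18500 reaching the two freepik.com destinations).
# Device name and timestamps are assumed; ids are placeholders.
SAMPLE_ALERTS = [
    {"id": "A1", "title": INDICATOR_TITLE, "device": "WS01", "pid": 18500,
     "remote_ip": "23.221.212.196", "url": "https://img.freepik.com",
     "time": "2024-10-28T09:00:01"},
    {"id": "A2", "title": INDICATOR_TITLE, "device": "WS01", "pid": 18500,
     "remote_ip": "23.204.115.183", "url": "https://www.freepik.com",
     "time": "2024-10-28T09:00:03"},
    {"id": "A3", "title": UNSANCTIONED_TITLE, "device": "WS01", "pid": 18500,
     "remote_ip": "23.204.115.183", "url": "https://www.freepik.com",
     "time": "2024-10-28T09:00:04"},
]


def group_by_activity(alerts, window=timedelta(seconds=60)):
    """Group alerts that describe one activity: same device, same process id
    and same remote IP, raised within `window` of the previous alert."""
    groups = []  # each entry: {"key": (device, pid, remote_ip), "alerts": [...]}
    for a in sorted(alerts, key=lambda x: x["time"]):
        key = (a["device"], a["pid"], a["remote_ip"])
        t = datetime.fromisoformat(a["time"])
        for g in groups:
            last = datetime.fromisoformat(g["alerts"][-1]["time"])
            if g["key"] == key and t - last <= window:
                g["alerts"].append(a)
                break
        else:
            groups.append({"key": key, "alerts": [a]})
    return groups


def find_overlapping_pairs(alerts, window=timedelta(seconds=60)):
    """Return the activities that raised BOTH alert titles, i.e. the pairs the
    thread describes; an activity with only one title is not reported."""
    pairs = []
    for g in group_by_activity(alerts, window):
        by_title = {}
        for a in g["alerts"]:
            by_title.setdefault(a["title"], []).append(a["id"])
        if INDICATOR_TITLE in by_title and UNSANCTIONED_TITLE in by_title:
            pairs.append({"activity": g["key"],
                          "indicator": by_title[INDICATOR_TITLE],
                          "unsanctioned": by_title[UNSANCTIONED_TITLE]})
    return pairs


if __name__ == "__main__":
    for pair in find_overlapping_pairs(SAMPLE_ALERTS):
        print(pair)
```

On the constructed data this reports one pair (A2 with A3) and leaves A1 alone, matching the post's observation that only one of the two connections produced both alert types.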

      • GuidoImpe
        Brass Contributor
        Sorry for the late answer. I see the screenshot and it is very strange; it is the same alert, in fact the hour is the same.
        But on process_tree.png the outbound connection has a different public IP, so I think the duplicate connection and alert is for this reason. I don't know if Chrome points to different public IPs to reach the same website, but I confirm that the alert is generated for this.
        To be sure of this I suggest opening a case with Microsoft directly.
        Regards,
        Guido
  • GuidoImpe
    Brass Contributor

    Hello,

    Did you resolve the issue with Microsoft Support?

    If yes, write the solution here; this is very important to help the community.

    Regards,

    Guido
