Forum Discussion
Duplicate alerts generated when unsanctioned app is accessed
We use Defender for Endpoint and also sanction/unsanction cloud applications in Defender.
When an unsanctioned application is blocked, we get two alerts generated for it: one titled "Connection to a custom network indicator" and a second titled "Unsanctioned cloud app access was blocked".
We expect and want only one of these alerts, but can't seem to find the correct area to edit the policy for "Unsanctioned cloud app access was blocked", and editing "Connection to a custom network indicator" seems to require editing the alert settings for each indicator. Maybe there is a better way for the latter one.
Connection to a custom network indicator
When an application is unsanctioned, it creates a custom indicator which is further viewable at Defender > System > Settings > Endpoints > Rules > Indicators > URLs/Domains.
The Application column displays the cloud app which was sanctioned, and the alert with title "Unsanctioned cloud app access was blocked" for each indicator can be further edited from this area. This would be one place we can turn off these alerts, but we are hoping there is a bulk edit or a global setting to not create these alerts when a cloud app is unsanctioned.
This is the alert policy/rule we would like to turn off and not have created automatically for each unsanctioned cloud app. Is there a setting to disable automatic creation of these alerts with each new unsanctioned cloud app?
Unsanctioned cloud app access was blocked
Only the severity can be changed for these alerts, as far as I can find, under Settings > Cloud apps > Cloud Discovery > Microsoft Defender for Endpoint.
That is okay, as this is the preferred alert that we would like to retain.
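The post above asks for a bulk way to stop the per-indicator "Connection to a custom network indicator" alerts instead of editing every indicator in the portal. The script below is an added example, not code from the thread or from Microsoft: it uses the public Defender for Endpoint Indicators API to list URL/domain indicators, keep the ones that still generate alerts (optionally only those whose Application field names one cloud app), and re-submit them with generateAlert set to false. It assumes an Entra app registration holding the Defender for Endpoint application permission Ti.ReadWrite.All (the TenantId, ClientId and ClientSecret parameters are placeholders), and it assumes that indicators created by unsanctioning an app can be updated this way and are not re-enabled by the next Cloud Discovery sync; the thread does not confirm either point, so run it with -WhatIf and against a single -Application first.

```powershell
<#
  Added example, not code from the thread. Bulk-clears the "generate alert"
  flag on URL/domain custom indicators via the Defender for Endpoint API.
  Assumptions (not confirmed by the thread):
    - App registration with application permission Ti.ReadWrite.All;
      tenant id, client id and secret below are placeholders you supply.
    - Indicators created by unsanctioning a cloud app carry the app name in
      the 'application' field and accept updates through this API.
#>
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret,
    [string] $Application,   # optional: restrict to one cloud app's indicators
    [switch] $WhatIf         # list what would change, push nothing
)

$ErrorActionPreference = 'Stop'
$api = 'https://api.securitycenter.microsoft.com/api'

# 1. Client-credentials token for the Defender for Endpoint API.
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
    }).access_token
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

# 2. List URL/domain indicators (indicatorType is a documented $filter field),
#    following @odata.nextLink pages if the tenant has more than one page.
$filter = [uri]::EscapeDataString("indicatorType eq 'Url' or indicatorType eq 'DomainName'")
$uri = "$api/indicators?`$filter=$filter"
$indicators = @()
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Headers $headers -Uri $uri
    $indicators += $page.value
    $uri = $page.'@odata.nextLink'
}

# 3. Keep only those still generating alerts, and only the chosen app if given.
$targets = @($indicators | Where-Object {
    $_.generateAlert -eq $true -and
    (-not $Application -or $_.application -eq $Application)
})
Write-Host "$($targets.Count) of $($indicators.Count) URL/domain indicators generate alerts"
if ($WhatIf) { $targets | Select-Object indicatorValue, application, action | Format-Table; return }

# 4. Re-submit each indicator unchanged except generateAlert=false. The import
#    endpoint updates in place when indicatorValue+indicatorType already exist
#    and accepts up to 500 indicators per call.
for ($i = 0; $i -lt $targets.Count; $i += 500) {
    $batch = $targets[$i..([Math]::Min($i + 499, $targets.Count - 1))] | ForEach-Object {
        $item = @{
            indicatorValue = $_.indicatorValue
            indicatorType  = $_.indicatorType
            action         = $_.action
            title          = $_.title
            description    = $_.description
            severity       = $_.severity
            generateAlert  = $false
        }
        if ($_.application)    { $item.application    = $_.application }
        if ($_.expirationTime) { $item.expirationTime = $_.expirationTime }
        if ($_.rbacGroupNames) { $item.rbacGroupNames = @($_.rbacGroupNames) }
        $item
    }
    $body = @{ Indicators = @($batch) } | ConvertTo-Json -Depth 5
    $result = Invoke-RestMethod -Method Post -Headers $headers -Uri "$api/indicators/import" -Body $body
    # Each entry in the import response reports isFailed/failureReason; surface failures.
    $result.value | Where-Object { $_.isFailed } |
        ForEach-Object { Write-Warning "$($_.indicator): $($_.failureReason)" }
}
```

The block action is preserved, so the URL stays blocked and the Cloud Discovery alert "Unsanctioned cloud app access was blocked" (the one the post wants to keep) is unaffected; only the endpoint-side custom-indicator alert is suppressed. Check one updated indicator in the portal afterwards, and re-check after the next unsanction/sync, since whether Cloud Discovery rewrites these indicators is exactly what the thread leaves open.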
- GuidoImpe (Brass Contributor): Hello, are you sure that this is not an aggregated alert?
Sometimes, in the Defender portal, an alert is aggregated and is not duplicated.
Do you have a screenshot of this problem?
Thanks,
Guido
- VOatMH1265 (Copper Contributor):
GuidoImpe, please take a look at the screenshots attached.
I am pretty sure they are separate alerts for the same activity in the process tree.

First occurrence: "Network Filter Lookup Service blocked chrome.exe from accessing https://img.freepik.com" and
"[18500] chrome.exe established
Outbound connection from 10.153.1.29:60961 to 23.221.212.196:443
Observed Device: Unknown device"
generated one alert, "Connection to a custom network indicator".

Second occurrence: "Network Filter Lookup Service blocked chrome.exe from accessing https://www.freepik.com" and
"[18500] chrome.exe established
Outbound connection from 10.153.1.29:60966 to 23.204.115.183:443
Observed Device: Unknown device"
generated a second alert, "Connection to a custom network indicator", which is expected as they are connecting to different IPs.

Then "chrome.exe has initiated a TLS connection to https://www.freepik.com" and
"[18500] chrome.exe established
Outbound connection from 10.153.1.29:60966 to 23.204.115.183:443
Observed Device: Unknown device"
also generated the alert "Unsanctioned cloud app access was blocked".

Most examples I have include a pair of alerts for the same activity, and this example is odd because it includes a duplicate for one alert and no duplicate for the other alert.
- GuidoImpe (Brass Contributor): Sorry for the late answer. I see the screenshot and it is very strange; it is the same alert, in fact the hour is the same.
But in process_tree.png the outbound connections have a different public IP, so I think the duplicate connection and alert are for this reason. I don't know if Chrome points to a different public IP to recognise the same website, but I confirm that the alert is generated for this.
To be sure of this, I suggest opening a case with Microsoft directly.
Regards,
Guido
- GuidoImpe (Brass Contributor):
Hello,
Did you resolve the issue with Microsoft Support?
If yes, please write the solution here; this is very important to help the community.
Regards,
Guido