Forum Discussion
Disable Defender for Cloud Apps alerts
Hi all,
we just enabled Defender for Cloud Apps in our environment (about 500 clients).
We started with setting about 300 apps to "Unsanctioned".
Now we get flooded with alerts. Mainly "Connection to a custom network indicator on one endpoint" and "Multi-stage incident on multiple endpoints" when an URL is blocked on more clients.
Is there a possibility to disable the alerts for this kind of blocks?
I tried creating a supression rules, but didnt manage to get it working. Dont know if it is not possible or if I made a mistake.
As the Defender for Cloud Apps just creates a Indicator for every app i want to block I could click every single Indicator and disable the alert there. But thats a few hundred Indicators and we plan to extend the usage.
Can I centrally disable alerts for custom indicators?
Thanks & Cheers
2 Replies
Hi VolkerRacho,
Here are steps to disable these alerts:
For a tenant-wide disable, navigate to MDE > Defender for Cloud Apps > Discovery > Discovered Apps and set the specific app to "Sanctioned".
To disable alerts for a specific Device Group, go back to the MDE > Defender for Cloud Apps > Discovery > Discovered Apps section, set the app to "Unsanctioned," and when the "Tag as unsanctioned?" dialog box appears, select the specific Device Group.
help.redcanary.com
Manage security alerts - Microsoft Defender for Cloud | Microsoft Learn
Control cloud apps with policies - Microsoft Defender for Cloud Apps | Microsoft LearnPlease click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)Changing the sanctioned status of an app edits if the app is blocked or not. I think OP wants to keep the app unsanctioned/blocked, but does not want to get alerted on every occasion where a user visits the URL.
