cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Trying to suppress an alert, no option

zrvirgo
Copper Contributor

‎Oct 11 2021 02:55 PM - last edited on ‎Dec 23 2021 11:03 AM by

‎Oct 11 2021 02:55 PM - last edited on ‎Dec 23 2021 11:03 AM by

Trying to suppress an alert, no option

Hello,

We have a basic alert in Defender that informs us if a change in email forwarding has been made for a certain level of user. This is important to know, but about 3/4th of these are triggered when our system automatically sets up an email address for a new user, or a user switching departments. These are known and the alerts are just noise. I am looking for a way to auto-resolve these. We were looking at using the suppression rule option, but for these alerts this isn't an option. I think it might have to do with being an informational alert as opposed to a compromise, but we just want to filter out a specific username that indicates it is our internal system.

 

Does anyone know if a way we can get this done? Is there another option without completely turning off this alert all together?

 

Thank you

Labels:
2,323 Views
0 Likes
2 Replies
Reply
2 Replies
Chandrasekhar_Arya

‎Oct 18 2021 12:11 AM

‎Oct 18 2021 12:11 AM

Re: Trying to suppress an alert, no option

Go to 'Security Alerts' page in Azure Security Center.
Choose the alert you would like to suppress, click on the three dots at the end of the row, and choose 'Create suppression rule'
3. In the 'new suppression rules' page - Choose the alert you would like to suppress
4. Choose the entities you would like to suppress the alert for, for example: suppress the alert only for specific IP ranges, processes, resources, or user accounts (The best practice is to refine the suppression rule and suppress as less alerts as possible)
5. Enter rule details: Rule name, Reason for suppression, comment and expiration date (up to 6 months ahead)
6. Click on 'simulate' to test your rule before you are applying it and validate it's correctness.
7. Click on apply.
8. To manage your suppression rules, click on 'Suppression rules' button at the head of 'Security alerts' page
Refer this article for more details
https://docs.microsoft.com/en-us/azure/security-center/alerts-suppression-rules
2 Likes
Reply
zrvirgo

‎Oct 20 2021 11:11 AM

‎Oct 20 2021 11:11 AM

Re: Trying to suppress an alert, no option

Thank you for the reply! The issue I have is for these specific alerts, when I click on the three dots, the "Create Suppression Rule' option does not appear, it does for other types of alerts, but I am unsure why it does not work for all alert types.
1 Like
Reply