Nov 24 2023 01:00 AM - edited Nov 24 2023 01:14 AM
Hi all,
we just enabled Defender for Cloud Apps in our environment (about 500 clients).
We started with setting about 300 apps to "Unsanctioned".
Now we get flooded with alerts. Mainly "Connection to a custom network indicator on one endpoint" and "Multi-stage incident on multiple endpoints" when a URL is blocked on more clients.
Is there a possibility to disable the alerts for this kind of blocks?
I tried creating a suppression rule, but didn't manage to get it working. Don't know if it is not possible or if I made a mistake.
As Defender for Cloud Apps just creates an Indicator for every app I want to block, I could click every single Indicator and disable the alert there. But that's a few hundred Indicators and we plan to extend the usage.
Can I centrally disable alerts for custom indicators?
Thanks & Cheers
Nov 24 2023 02:32 AM
Hi @VolkerRacho,
Here are steps to disable these alerts:
For a tenant-wide disable, navigate to MDE > Defender for Cloud Apps > Discovery > Discovered Apps and set the specific app to "Sanctioned".
To disable alerts for a specific Device Group, go back to the MDE > Defender for Cloud Apps > Discovery > Discovered Apps section, set the app to "Unsanctioned," and when the "Tag as unsanctioned?" dialog box appears, select the specific Device Group.
Manage security alerts - Microsoft Defender for Cloud | Microsoft Learn
Control cloud apps with policies - Microsoft Defender for Cloud Apps | Microsoft Learn
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it a Like.
Kindest regards,
Leon Pavesic
Sep 17 2024 11:43 PM
Changing the sanctioned status of an app changes whether the app is blocked or not. I think OP wants to keep the app unsanctioned/blocked, but does not want to get alerted on every occasion where a user visits the URL.
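For the "centrally disable alerts for custom indicators" part of the original question, the per-indicator alert toggle that OP mentions is the `generateAlert` property of the Defender for Endpoint Indicators API, so it can be switched off in bulk while the indicators stay in place and keep blocking. This is an added example, not code from the thread or from Microsoft; it assumes an app-registration token with indicator write permission, that the MDCA-created indicators can be recognised by a title prefix (the prefix used here is a placeholder), and it does not cover whether MDCA re-synchronises its indicators afterwards.

```python
"""Bulk-disable alerting on MDE custom indicators while keeping their Block action.
Assumptions (not from the thread): a bearer token for the MDE API, and that
MDCA-created indicators share a recognisable title prefix."""
import json
import urllib.request

API = "https://api.securitycenter.microsoft.com/api/indicators"


def select_indicators(indicators, title_prefix):
    """Pick indicators that match the prefix and still raise alerts."""
    return [i for i in indicators
            if i.get("title", "").startswith(title_prefix)
            and i.get("generateAlert", True)]


def build_update(indicator):
    """Payload for the Submit-or-Update call: same value, type and action,
    alerting turned off. An existing indicator with the same value and type
    is updated rather than duplicated."""
    return {
        "indicatorValue": indicator["indicatorValue"],
        "indicatorType": indicator["indicatorType"],
        "action": indicator["action"],
        "title": indicator["title"],
        "description": indicator.get("description", ""),
        "generateAlert": False,
        "rbacGroupNames": indicator.get("rbacGroupNames", []),
    }


def api_call(token, method="GET", body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API, method=method, data=data, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def disable_alerts(token, title_prefix, dry_run=True):
    """Fetch all indicators, update the matching ones; returns the payloads."""
    updates = [build_update(i)
               for i in select_indicators(api_call(token)["value"], title_prefix)]
    if not dry_run:
        for u in updates:
            api_call(token, "POST", u)
    return updates


# Constructed sample of what GET /api/indicators returns (shape only).
SAMPLE = [
    {"indicatorValue": "unsanctioned-app.example", "indicatorType": "Url",
     "action": "Block", "title": "Cloud App: unsanctioned-app", "generateAlert": True},
    {"indicatorValue": "quiet-app.example", "indicatorType": "Url",
     "action": "Block", "title": "Cloud App: quiet-app", "generateAlert": False},
    {"indicatorValue": "manual-ioc.example", "indicatorType": "DomainName",
     "action": "Alert", "title": "SOC manual IoC", "generateAlert": True},
]
```

Run with `dry_run=True` first and review the returned payloads before letting it POST.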