Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Disable Defender for Cloud Apps alerts

Copper Contributor

Hi all, 

 

we just enabled Defender for Cloud Apps in our environment (about 500 clients). 

We started with setting about 300 apps to "Unsanctioned".

 

Now we get flooded with alerts. Mainly "Connection to a custom network indicator on one endpoint" and "Multi-stage incident on multiple endpoints" when an URL is blocked on more clients.

 

DfCA.jpg

 

Is there a possibility to disable the alerts for this kind of blocks?

I tried creating a supression rules, but didnt manage to get it working. Dont know if it is not possible or if I made a mistake.

As the Defender for Cloud Apps just creates a Indicator for every app i want to block I could click every single Indicator and disable the alert there. But thats a few hundred Indicators and we plan to extend the usage.

Can I centrally disable alerts for custom indicators?

 

Thanks & Cheers

1 Reply

Hi @VolkerRacho,

Here are steps to disable these alerts:

  1. For a tenant-wide disable, navigate to MDE > Defender for Cloud Apps > Discovery > Discovered Apps and set the specific app to "Sanctioned".

  2. To disable alerts for a specific Device Group, go back to the MDE > Defender for Cloud Apps > Discovery > Discovered Apps section, set the app to "Unsanctioned," and when the "Tag as unsanctioned?" dialog box appears, select the specific Device Group.

help.redcanary.com
Manage security alerts - Microsoft Defender for Cloud | Microsoft Learn
Control cloud apps with policies - Microsoft Defender for Cloud Apps | Microsoft Learn

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)