Trying to suppress an alert, no option

Hello,

We have a basic alert in Defender that informs us if a change in email forwarding has been made for a certain level of user. This is important to know, but about 3/4th of these are triggered when our system automatically sets up an email address for a new user, or a user switching departments. These are known and the alerts are just noise. I am looking for a way to auto-resolve these. We were looking at using the suppression rule option, but for these alerts this isn't an option. I think it might have to do with being an informational alert as opposed to a compromise, but we just want to filter out a specific username that indicates it is our internal system.

Does anyone know if a way we can get this done? Is there another option without completely turning off this alert all together?

Thank you

2 Replies

1. Go to the 'Security Alerts' page in Azure Security Center.
2. Choose the alert you would like to suppress, click on the three dots at the end of the row, and choose 'Create suppression rule'.
3. In the 'new suppression rules' page, choose the alert you would like to suppress.
4. Choose the entities you would like to suppress the alert for, for example: suppress the alert only for specific IP ranges, processes, resources, or user accounts (the best practice is to refine the suppression rule and suppress as few alerts as possible).
5. Enter the rule details: rule name, reason for suppression, comment and expiration date (up to 6 months ahead).
6. Click on 'simulate' to test your rule before applying it and validate its correctness.
7. Click on apply.
8. To manage your suppression rules, click on the 'Suppression rules' button at the head of the 'Security alerts' page.

Refer to this article for more details:
https://docs.microsoft.com/en-us/azure/security-center/alerts-suppression-rules
Thank you for the reply! The issue I have is that for these specific alerts, when I click on the three dots, the 'Create Suppression Rule' option does not appear. It does for other types of alerts, but I am unsure why it does not work for all alert types.