Forum Discussion
Defender console - Disabled Connected to a custom indicator & Connected to a unsanctionned
Updated - November 2024
I have found a way to disabling these annoying alerts. Look for the solution above.
Issue:
I want to know how I can disable these two following alerts :
- Disabled Connected to a custom indicator
- Connected to an unsanctioned blocked app
Those alerts type needs to be enabled or disabled on demand, like the other alerts types.
Why's that :
Description of the workload : When we block(Unsanctioned) an application through Defender for Cloud apps. It creates automatically the indicators to Defender XDR. When someone for example click or go the URL related to the application, the following alerts will be triggered. When an indicator is automatically created through that, it checks the box to generate alert when the indicator is triggered. We would like to automatically uncheck the box or disable to alerts describing.
Possible to disable the custom alert in setting ?
No.
Why ?
Explanation : You cannot suppress "custom detection". But, they are categorized as "Informational" and you can suppress severity alert type.
Solutions :
IMPORTANT: Make sure to create a transform rule to not ingest this alerts in Sentinel. That could increased the Resolved incident ingestion and false your SOC optimization reports.
The rule is automatically close only the “Informational” alerts with the specified titles. Other Informational alerts with different titles will not be affected.
In the Defender XDR setting->Alert tuning->Create this rule: Here's an example:
Rule Analysis
From the updated rule configuration screenshot, it appears that you’ve set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., “Malware was detected in an email message,” “unwanted software,” “malware,” “trojan”). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here’s a breakdown of how it’s working:
1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered.
2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts.
So, any Informational alert with a title that does not match the specified exclusions will be automatically closed.
This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review.
