Microsoft Defender for Cloud generates security alerts when it detects threats in your environment. Some alerts might be expected or not relevant for your environment. You can create suppression rules to automatically dismiss alerts that match predefined conditions.
When an alert matches an active suppression rule, its status changes to Dismissed. The alert still appears in the security alerts list, but it no longer triggers notifications or appears in active alert views.
Prerequisites
Required roles and permissions:
- Security admin or Owner can create and delete suppression rules.
- Security reader or Reader can view suppression rules.
For cloud availability, see the Defender for Cloud support matrices for Azure commercial/other clouds.
Create a suppression rule
You can create a suppression rule for one or more alert types, or start from an existing alert to suppress similar alerts.
You can apply suppression rules to management groups or to subscriptions.
- To suppress alerts for a management group, use Azure Policy.
- To suppress alerts for subscriptions, use the Azure portal or the REST API.
You can create a suppression rule only for alert types that have already been triggered at least once in your environment.
Create a suppression rule for one or more alert types
To create a suppression rule for one or more alert types:
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Security alerts.
Select Suppression rules.
Select Create new suppression rule.
Select the subscriptions that the rule applies to.
Under Alerts, select Custom to choose specific alert types, or select All to apply the rule to all alert types.
If you selected Custom, select the alert types that the rule applies to.
If needed, add entity conditions to limit the rule to specific resources or entity values.
Enter a rule name.
Rule names must begin with a letter or a number, be between 2 and 50 characters, and contain no symbols other than dashes (-) or underscores (_).
Select whether the rule is enabled or disabled.
Select a reason for suppressing the alert.
If needed, add a comment.
Select when the rule expires:
- Select Custom to set an end date and time.
- Select None to run the rule indefinitely.
If needed, select Simulate to preview which existing alerts the rule would have dismissed.
Select Apply.
The rule is created and listed on the Suppression rules page.
Create a suppression rule from a specific alert
To create a suppression rule from an alert that already exists:
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Security alerts.
Select an alert.
Select Take action.
In the Take action tab, expand Suppress similar alerts.
Select Create suppression rule.
Review the selected alert type.
If needed, add entity conditions to limit the rule to specific resources or entity values.
Enter a rule name.
Rule names must begin with a letter or a number, be between 2 and 50 characters, and contain no symbols other than dashes (-) or underscores (_).
Select whether the rule is enabled or disabled.
Select a reason for suppressing the alert.
If needed, add a comment.
Select when the rule expires:
- Select Custom to set an end date and time.
- Select None to run the rule indefinitely.
If needed, select Simulate to preview which existing alerts the rule would have dismissed.
Select Apply.
The rule is created and listed on the Suppression rules page.
Edit or delete a suppression rule
To edit or delete a suppression rule:
Sign in to the Azure portal.
Go to Microsoft Defender for Cloud > Security alerts.
Select Suppression rules.
Select the rule that you want to update.
To edit the rule, select Edit, update the rule details, and then select Apply.
To delete the rule, select Remove.
Deleting a suppression rule doesn't change the status of alerts that the rule already dismissed.
Create and manage suppression rules with the API
You can create, view, and delete alert suppression rules by using the Defender for Cloud REST API.
To create a suppression rule for a specific alert type, first use the Alerts REST API to retrieve the alert that you want to suppress. Then use the Alerts Suppression Rules REST API to create the rule.
The relevant methods for suppression rules in the Alerts Suppression Rules REST API are:
- UPDATE - Create or update a suppression rule in a specified subscription.
- GET - Get the details of a specific suppression rule in a specified subscription.
- LIST - List all suppression rules configured for a specified subscription.
- DELETE - Delete an existing suppression rule. This method doesn't change the status of alerts that the suppression rule already dismissed.
For details and usage examples, see the Defender for Cloud operation groups API reference.
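The following script is an added example, not code from this page or from Microsoft. It puts the two technical parts of this article into working form: the rule-name constraint from the portal procedures (letter or digit first, 2 to 50 characters, only letters, digits, dashes and underscores) and the UPDATE, GET, LIST and DELETE calls of the Alerts Suppression Rules REST API. The endpoint path, the `api-version` value, the `alertType` list filter and the body field names (`alertType`, `reason`, `comment`, `state`, `expirationDateUtc`, `suppressionAlertsScope.allOf`) are assumptions taken from the REST API reference as the author remembers it; check them against the live reference. The subscription ID, alert type, IP address and rule name are constructed sample values.

```python
"""Build and send Microsoft Defender for Cloud alert suppression rule requests over ARM.

Added example; not code from the docs page or from Microsoft. Endpoint path,
api-version and body field names are assumed from the Alerts Suppression Rules
REST API reference. All sample values (subscription, alert type, IP) are constructed.
"""
import json
import re
import urllib.request
from datetime import datetime, timezone
from typing import Optional

ARM = "https://management.azure.com"
API_VERSION = "2019-01-01-preview"  # assumption: preview API version of this resource type

# Rule-name constraint stated in the portal procedure: begins with a letter or
# digit, 2-50 characters total, only letters, digits, dashes and underscores.
RULE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{1,49}")


def validate_rule_name(name: str) -> bool:
    """Return True if `name` satisfies the documented rule-name constraints."""
    return RULE_NAME_RE.fullmatch(name) is not None


def rule_url(subscription_id: str, rule_name: str) -> str:
    """URL used by UPDATE (PUT), GET and DELETE for one rule in a subscription."""
    if not validate_rule_name(rule_name):
        raise ValueError(f"invalid suppression rule name: {rule_name!r}")
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security"
            f"/alertsSuppressionRules/{rule_name}?api-version={API_VERSION}")


def list_url(subscription_id: str, alert_type: Optional[str] = None) -> str:
    """URL for LIST; `alertType` (assumed query parameter) narrows to one alert type."""
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security"
           f"/alertsSuppressionRules?api-version={API_VERSION}")
    return url + (f"&alertType={alert_type}" if alert_type else "")


def build_rule_body(alert_type: str, reason: str, comment: str,
                    expires_at: Optional[datetime] = None,
                    entity_conditions: Optional[list] = None,
                    enabled: bool = True) -> dict:
    """Request body for UPDATE.

    `entity_conditions` mirrors the portal's entity conditions: a list of
    {"field": ..., "in": [...]} or {"field": ..., "contains": ...} entries that
    must all match (allOf). Omitting `expires_at` makes the rule run
    indefinitely, the equivalent of choosing "None" for expiration in the portal.
    """
    props = {
        "alertType": alert_type,
        "reason": reason,          # the portal's "reason for suppressing", e.g. "FalsePositive"
        "comment": comment,
        "state": "Enabled" if enabled else "Disabled",
    }
    if expires_at is not None:
        props["expirationDateUtc"] = expires_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if entity_conditions:
        props["suppressionAlertsScope"] = {"allOf": list(entity_conditions)}
    return {"properties": props}


def send_request(method: str, url: str, token: str, body: Optional[dict] = None):
    """Issue the ARM call with a bearer token (for example from `az account get-access-token`)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def sample_create_request() -> dict:
    """Constructed example: suppress one alert type for a single known IP until a fixed date."""
    sub = "00000000-0000-0000-0000-000000000000"   # constructed subscription ID
    body = build_rule_body(
        alert_type="IpAnomaly",                      # constructed; use the alertType value of the real alert
        reason="FalsePositive",
        comment="Approved vulnerability scanner",
        expires_at=datetime(2026, 1, 31, tzinfo=timezone.utc),
        entity_conditions=[{"field": "entities.ip.address", "in": ["203.0.113.10"]}],
    )
    return {"method": "PUT", "url": rule_url(sub, "suppress-scanner-ip-anomaly"), "body": body}


if __name__ == "__main__":
    req = sample_create_request()
    print(req["method"], req["url"])
    print(json.dumps(req["body"], indent=2))
    # Create it:        send_request("PUT", req["url"], token, req["body"])
    # Remove it later:  send_request("DELETE", req["url"], token)
    # Removing the rule does not change alerts it already dismissed.
```

Validating the name locally before the PUT saves a round trip that would otherwise fail on the service side, and keeping the entity condition narrow (one IP, one alert type, a fixed expiry) is the practical counterpart of the page's advice to scope a rule rather than selecting All alert types with no end date.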