Manage Alert Suppression Rules
Implementation Effort: Low
Creating and managing suppression rules is a straightforward administrative task that can be done through the Azure portal or REST API without requiring infrastructure changes.
User Impact: Low
This is a backend configuration task handled by security teams; end users are not affected.
Overview
In Microsoft Defender for Containers, alert suppression rules help reduce noise by automatically dismissing alerts that are known false positives or not relevant to your environment. This allows security teams to focus on high-priority threats while maintaining visibility into suppressed activity.
Key Capabilities
- Suppress recurring false positives or alerts that are not actionable.
- Apply rules at scale across subscriptions or management groups.
- Simulate suppression to preview the impact before applying.
- Set expiration dates to ensure rules are periodically reviewed.
How to Create a Suppression Rule
- Go to Microsoft Defender for Cloud > Security Alerts.
- Select an alert you want to suppress.
- Click Take action > Suppress similar alerts > Create suppression rule.
- Configure:
- Entities: Scope the rule to specific resources or apply globally.
- Name: Must be 2–50 characters, starting with a letter or number.
- State: Enabled or disabled.
- Reason: Choose a predefined reason or enter a custom one.
- Expiration date: Optional, to automatically disable the rule later.
- Use Simulate to preview how many past alerts would have been suppressed.
- Save the rule.
You can also manage suppression rules via the Defender for Cloud REST API for automation and integration into CI/CD or security workflows 1.
This supports the Zero Trust principle of "Verify Explicitly" by allowing teams to document and control exceptions while maintaining alert hygiene and visibility.
Risks if not implemented: Without suppression rules, security teams may face alert fatigue, increasing the risk of missing critical threats due to noise from low-priority or false-positive alerts.