Manage Alert Suppression Rules
Implementation Effort: Medium — Creating and managing suppression rules requires understanding alert types, configuring rule logic, and ensuring that critical alerts are not unintentionally hidden.
User Impact: Low — Suppression rules are managed by security teams and do not affect end-user experience or application behavior.
Overview
Microsoft Defender for Cloud allows security teams to manage alert noise by creating alert suppression rules. These rules help reduce alert fatigue by hiding known, non-actionable alerts while maintaining visibility into critical threats. Suppression can be applied across services like App Service, Key Vault, and Resource Manager.
Use Cases for Suppression
- Suppress alerts from known safe tools or processes.
- Reduce duplicate alerts from recurring, low-risk events.
- Focus analyst attention on high-severity or novel threats.
How to Manage Suppression Rules
-
Access Suppression Settings:
- Sign in to the Azure Portal with Security Administrator or Global Administrator privileges 1.
-
Navigate to Suppression Rules:
- Go to Microsoft Defender for Cloud > Settings > Alerts > Suppression rules 2.
-
Create a Suppression Rule:
- Choose an existing alert to suppress or define a new rule.
- Specify conditions such as alert title, severity, affected resource types, or specific entities (e.g., IPs, users).
- Define the scope (e.g., subscription, resource group) and action (suppress or resolve).
-
Manage Existing Rules:
- View, edit, or delete suppression rules from the same interface.
- Optionally release previously suppressed alerts if rule conditions change 1.
-
API Support:
- Suppression rules can also be managed programmatically using the Defender for Cloud REST API 2.
Best Practices
- Regularly review suppression rules to ensure they are still valid.
- Avoid suppressing high-severity alerts unless they are fully understood and documented.
- Use suppression sparingly to maintain visibility into evolving threats.
This capability supports the "Assume Breach" principle of Zero Trust by helping teams focus on meaningful alerts while maintaining a secure and monitored environment.