Duplicate alerts generated when unsanctioned app is accessed
We use Defender for Endpoint and also sanction/unsanction cloud applications in Defender.
When an unsanctioned application is blocked, we get two alerts generated for it: one titled “Connection to a custom network indicator” and a second titled “Unsanctioned cloud app access was blocked”.
We expect and want only one of these alerts, but can’t seem to find the correct area to edit the policy for “Unsanctioned cloud app access was blocked”, and editing “Connection to a custom network indicator” seems to require editing alert settings for each indicator. Maybe there is a better way for the latter one.
Connection to a custom network indicator
When an application is unsanctioned, it creates a custom indicator which is further viewable at Defender > System > Settings > Endpoints > Rules > Indicators URLs/Domains.
The Application column displays the cloud app which was sanctioned, and the alert with the title “Unsanctioned cloud app access was blocked” for each indicator can be further edited from this area. This would be one place we can turn off these alerts, but we are hoping there is a bulk edit or a global setting to not create these alerts when a cloud app is unsanctioned.
This is the alert policy/rule we would like to turn off and not have created automatically for each unsanctioned cloud app. Is there a setting to disable automatic creation of these alerts with each new unsanctioned cloud app?
Unsanctioned cloud app access was blocked
Only severity can be changed for these alerts as far as I can find under Settings > Cloud apps > Cloud Discovery > Microsoft Defender for Endpoint.
That is okay, as this is the preferred alert that we would like to retain.