Defender 365 admin console – Disable "Connected to a custom indicator" & "Connected to an unsanctioned blocked app"
Issue:
I want to know how I can disable the two following alerts:
- Connected to a custom indicator
- Connected to an unsanctioned blocked app
These alert types need to be enabled or disabled on demand, like the other alert types.
Why's that:
Description of the workload: When we block (unsanction) an application through Defender for Cloud Apps, it automatically creates the corresponding indicators in Defender XDR. When someone, for example, clicks or browses to the URL related to that application, the alerts above are triggered. When an indicator is created automatically this way, the "generate alert when the indicator is triggered" box is checked. We would like to automatically uncheck that box or disable the alerts described.
Is it possible to disable the custom alert in settings?
No.
Why ?
Explanation: You cannot suppress "custom detection" alerts. But they are categorized as "Informational", and you can suppress alerts by severity.
Solutions :
Note: If you want to customize which alerts are closed automatically, you can create a Playbook for it. Or see Option 2 for a simpler way.
Option 1:
So I found a quick workaround that is working well for me right now. You have different options to do it. However, here's the solution:
Note: you need all the relevant licences and the Security Admin role for Sentinel, Defender, and all related solutions.
Steps to Automate Alert Management
Create an NRT (Near-Real Time) Rule in Sentinel:
Configure a detection rule that runs in near real-time to detect the specific alerts you want to manage.
Create an Automation Rule:
Define an automation rule in Microsoft Sentinel that triggers when an alert matching your NRT rule is generated. You can also create an incident to group alerts if needed.
Trigger a Logic App Playbook:
Set this automation rule to run a Logic App playbook when the alerts are generated. This playbook can be configured to perform various actions on the alerts.
Configuring the Logic App Playbook
Retrieve Alerts:
Use an action in the playbook to call the Sentinel API and retrieve the details of the alerts triggered by the automation rule.
Change Alert Status:
Add an action in the playbook to update the status of the retrieved alerts to “Resolved”. This can be done using either the Microsoft Sentinel API or the Microsoft Defender for Endpoint (WindowsDefenderATP) API.
API Integration Options
Microsoft Sentinel API:
Use built-in Sentinel actions in Logic Apps to interact directly with alerts and incidents in Sentinel.
Microsoft Defender for Endpoint (WindowsDefenderATP) API:
You can also use this API to manage alerts. Refer to the documentation for details on the necessary API calls: Microsoft Defender for Endpoint API.
Summary of Actions
Automate Closing Alerts: Create an automated playbook in Sentinel to automatically close alerts.
Bidirectional Management: With SIEM integration in the Defender portal, you can manage incidents and alerts in both directions (from Sentinel to Defender and vice versa).
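As an added example (not part of the original post), this is the kind of query the NRT rule from step 1 would run. It assumes the SecurityAlert table is populated through the Microsoft Defender XDR data connector, and it matches only the two alert names quoted above at Informational severity, so the automation rule and playbook never touch anything else.

```kql
// Added example, not from the original post: NRT analytics-rule query
// that selects only the two alert types discussed above.
// Assumption: Defender XDR alerts land in the SecurityAlert table via the
// Microsoft Defender XDR data connector.
SecurityAlert
// Exact alert names from the post; in~ is case-insensitive
| where AlertName in~ ("Connected to a custom indicator",
                       "Connected to an unsanctioned blocked app")
// The post states these custom-indicator alerts arrive as Informational;
// keeping this filter means a future Medium/High variant is NOT auto-closed
| where AlertSeverity =~ "Informational"
// Only pick up alerts that are still open, so re-runs do not re-process
| where Status !~ "Resolved"
// Fields the playbook needs: SystemAlertId identifies the alert to update
| project TimeGenerated, SystemAlertId, AlertName, AlertSeverity,
          ProductName, CompromisedEntity, Entities
```

The automation rule then runs on "When alert is created" for this rule and passes the matched alerts to the playbook that sets their status to Resolved.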
Option 2:
Note: This removes all types of informational alerts. You can still filter by source type to reduce irrelevant items.
In the Defender XDR settings -> Alert tuning ->
Regards