|
| 1 | +--- |
| 2 | +title: Using alerts suppression rules to suppress false positives or other unwanted security alerts in Azure Security Center. |
| 3 | +description: This article explains how to use Azure Security Center's suppression rules to hide unwanted security alerts. |
| 4 | +author: memildin |
| 5 | +manager: rkarlin |
| 6 | +services: security-center |
| 7 | +ms.author: memildin |
| 8 | +ms.date: 05/04/2020 |
| 9 | +ms.service: security-center |
| 10 | +ms.topic: conceptual |
| 11 | +--- |
| 12 | + |
| 13 | +# Suppressing alerts from Azure Security Center's threat protection |
| 14 | + |
| 15 | +This page explains how you can use alerts suppression rules to suppress false positives or other unwanted security alerts in Azure Security Center. |
| 16 | + |
| 17 | +## Availability |
| 18 | + |
| 19 | +- Release state: **Preview** |
| 20 | +- Required roles: Security admin and owner can create/delete rules. Security reader and reader can view rules. |
| 21 | +- Clouds: All (Global, National, Government, and Sovereign) |
| 22 | + |
| 23 | + |
| 24 | +## Introduction to suppression rules |
| 25 | + |
| 26 | +The threat protection components of Azure Security Center detect threats in any area of your environment and generate security alerts. |
| 27 | + |
| 28 | +When a single alert isn't interesting or relevant, you can manually dismiss it. Alternatively, use the suppression rules feature to automatically dismiss similar alerts in the future. Typically, you'd use a suppression rule to: |
| 29 | + |
| 30 | +- suppress alerts that you've identified as false positives |
| 31 | + |
| 32 | +- suppress alerts that are being triggered too often to be useful |
| 33 | + |
| 34 | +Your suppression rules define the criteria for which alerts should be automatically dismissed. |
| 35 | + |
| 36 | +> [!CAUTION] |
| 37 | +> Suppressing security alerts reduces the threat protection of Security Center. You should carefully check the potential impact of any suppression rule, and monitor it over time. |
| 38 | +
|
| 39 | +[](media/alerts-suppression-rules/alerts-screen-with-options.png#lightbox) |
| 40 | + |
| 41 | +## Creating a suppression rule |
| 42 | + |
| 43 | +There are a few ways you can create rules to suppress unwanted security alerts: |
| 44 | + |
| 45 | +- To suppress alerts at the management group level, use Azure Policy |
| 46 | + |
| 47 | +- To suppress alerts at the subscription level, you can use the Azure portal or the REST API as explained below |
| 48 | + |
| 49 | +Suppression rules can only dismiss alerts that have already been triggered on the selected subscriptions. |
| 50 | + |
| 51 | +To create a rule directly in the Azure portal: |
| 52 | + |
| 53 | +1. From Security Center's security alerts page: |
| 54 | + |
| 55 | + - Locate the specific alert you don't want to see anymore, and from the ellipsis menu (...) for the alert, select **Create suppression rule**: |
| 56 | + |
| 57 | + [](media/alerts-suppression-rules/auto-dismiss-future-option.png#lightbox) |
| 58 | + |
| 59 | + - Or, select the **suppression rules** link at the top of the page, and from the suppression rules page select **Create new suppression rule**: |
| 60 | + |
| 61 | +  |
| 62 | + |
| 63 | +1. In the new suppression rule pane, enter the details of your new rule. |
| 64 | + |
| 65 | + - Your rule can dismiss the alert on **all resources** so you don't get any alerts like this one in the future. |
| 66 | + |
| 67 | + - Your rule can dismiss the alert **on specific criteria** - when it relates to a specific IP address, process name, user account, Azure resource, or location. |
| 68 | + |
| 69 | + > [!TIP] |
| 70 | + > If you opened the new rule page from a specific alert, the alert and subscription will be automatically configured in your new rule. If you used the **Create new suppression rule** link, the selected subscriptions will match the current filter in the portal. |
| 71 | +
|
| 72 | + [](media/alerts-suppression-rules/new-suppression-rule-pane.png#lightbox) |
| 73 | + |
| 74 | +1. Enter details of the rule: |
| 75 | + |
| 76 | + - **Name** - A name for the rule. Rule names must begin with a letter or a number, be between 2 and 50 characters, and contain no symbols other than dashes (-) or underscores (_). |
| 77 | + - **State** - Enabled or disabled. |
| 78 | + - **Reason** - Select one of the built-in reasons or 'other' if they don't meet your needs. |
| 79 | + - **Expiration date** - An end date and time for the rule. Rules can run for up to six months. |
| 80 | + |
| 81 | +1. Optionally, test the rule using the **Simulate** button to see how many alerts would have been dismissed if this rule had been active. |
| 82 | + |
| 83 | +1. Save the rule. |
| 84 | + |
| 85 | +## Editing suppression rules |
| 86 | + |
| 87 | +To edit the rules you've created, use the suppression rules page. |
| 88 | + |
| 89 | +1. From Security Center's security alerts page, select the **suppression rules** link at the top of the page. |
| 90 | + |
| 91 | +1. The suppression rules page opens listing all available rules according to the subscriptions currently selected. |
| 92 | + |
| 93 | + [](media/alerts-suppression-rules/suppression-rules-page.png#lightbox) |
| 94 | + |
| 95 | +1. To edit a single rule, open the ellipsis menu (...) for the rule and select **Edit**. |
| 96 | + |
| 97 | +1. Make the necessary changes and select **Apply**. |
| 98 | + |
| 99 | +## Deleting suppression rules |
| 100 | + |
| 101 | +To delete one or more rules you've created, use the suppression rules page. |
| 102 | + |
| 103 | +1. From Security Center's security alerts page, select the **suppression rules** link at the top of the page. |
| 104 | + |
| 105 | +1. The suppression rules page opens listing all available rules according to the subscriptions currently selected. |
| 106 | + |
| 107 | +1. To delete a single rule, open the ellipsis menu (...) for the rule and select **Delete**. |
| 108 | + |
| 109 | +1. To delete multiple rules, select the check boxes for the rules to be deleted and select **Delete**. |
| 110 | + |
| 111 | +  |
| 112 | + |
| 113 | +## Viewing alerts that have been suppressed |
| 114 | + |
| 115 | +Alerts that match your enabled suppression rules will still be generated, but their state will be set to **dismissed**. You can see the state in the Azure portal or however you access your Security Center security alerts. |
| 116 | + |
| 117 | +> [!TIP] |
| 118 | +> [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/) won't create incidents for suppressed alerts. For other SIEMs, you can filter suppressed alerts by using the alerts' state ('dismissed'). |
| 119 | +
|
| 120 | +Use Security Center's filter to view alerts that have been dismissed by your rules. |
| 121 | + |
| 122 | +* From Security Center's security alerts page, open the filter options and select **Dismissed**. |
| 123 | + |
| 124 | + [](media/alerts-suppression-rules/view-dismissed-alerts.png#lightbox) |
| 125 | + |
| 126 | + |
| 127 | +## Using the API to create and manage suppression rules |
| 128 | + |
| 129 | +You can create, view, or delete alert suppression rules via Security Center's REST API. |
| 130 | + |
| 131 | +The relevant HTTP methods for suppression rules in the REST API are: |
| 132 | + |
| 133 | +- **PUT**: To create or update a suppression rule in a specified subscription. |
| 134 | + |
| 135 | +- **GET**: |
| 136 | + |
| 137 | + - To list all rules configured for a specified subscription. This method returns an array of the applicable rules. |
| 138 | + |
| 139 | + - To get the details of a specific rule on a specified subscription. This method returns one suppression rule. |
| 140 | + |
| 141 | + - To simulate the impact of a suppression rule still in the design phase. This call identifies which of your existing alerts would have been dismissed if the rule had been active. |
| 142 | + |
| 143 | +- **DELETE**: Deletes an existing rule (but doesn't change the status of alerts already dismissed by it). |
| 144 | + |
| 145 | +For full details and usage examples, see the [API documentation](https://docs.microsoft.com/api/securitycenter/). |
| 146 | + |
| 147 | + |
| 148 | +## Next steps |
| 149 | + |
| 150 | +This article described the suppression rules in Azure Security Center that automatically dismiss unwanted alerts. |
| 151 | + |
| 152 | +For more information on security alerts in Azure Security Center, see the following pages: |
| 153 | + |
| 154 | +- [Security alerts and the intent kill chain](alerts-reference.md) - A reference guide for the security alerts you might see in Azure Security Center's Threat Protection module. |
| 155 | +- [Threat protection in Azure Security Center](threat-protection.md) - A description of the many aspects of your environment monitored by Azure Security Center's Threat Protection module. |
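Review bot: the sentence under "Creating a suppression rule" that says "Suppression rules can only dismiss alerts that have already been triggered on the selected subscriptions" reads as if a rule acts only on past alerts, which contradicts the introduction ("automatically dismiss similar alerts in the future") and the later statement under "Viewing alerts that have been suppressed" that matching alerts are still generated and then set to dismissed; reword it to say that a rule can only be created for an alert type that has already fired in the selected subscriptions, and that once enabled it dismisses future matching alerts as well. Two documentation gaps in the same region: the bullet "To suppress alerts at the management group level, use Azure Policy" gives no link or policy definition name, so either point to the definition or drop the bullet until one exists; and the REST section lists only the HTTP verbs plus a generic link to https://docs.microsoft.com/api/securitycenter/, so name the resource path and API version (or link the suppression-rules reference page directly) so a reader can actually issue the PUT/GET/DELETE calls and the simulate request. Minor: "Using alerts suppression rules" in the front-matter title should be "alert suppression rules", matching the body text.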