Merge pull request #223348 from bmansheim/fresh-alerts-suppression

Refresh the alerts suppression page

Author: v-shils

articles/defender-for-cloud/alerts-suppression-rules.md

@@ -1,7 +1,7 @@
 ---
-title: Using alerts suppression rules to suppress false positives or other unwanted security alerts in Microsoft Defender for Cloud
-description: This article explains how to use Microsoft Defender for Cloud's suppression rules to hide unwanted security alerts
-ms.date: 11/09/2021
+title: Suppressing false positives or other unwanted security alerts - Microsoft Defender for Cloud
+description: This article explains how to use Microsoft Defender for Cloud's suppression rules to hide unwanted security alerts, such as false positives
+ms.date: 01/09/2023
 ms.topic: how-to
 ms.author: benmansheim
 author: bmansheim
@@ -15,113 +15,90 @@ This page explains how you can use alerts suppression rules to suppress false po
 |Aspect|Details|
 |----|:----|
 |Release state:|General availability (GA)|
-|Pricing:|Free<br>(Most security alerts are only available with [enhanced security features](enable-enhanced-security.md))|
+|Pricing:|Free<br>(Security alerts are generated by [Defender plans](enable-enhanced-security.md))|
 |Required roles and permissions:|**Security admin** and **Owner** can create/delete rules.<br>**Security reader** and **Reader** can view rules.|
 |Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Azure China 21Vianet)|
 
-
-
 ## What are suppression rules?
 
-The various Microsoft Defender plans detect threats in any area of your environment and generate security alerts.
+The Microsoft Defender plans detect threats in your environment and generate security alerts. When a single alert isn't interesting or relevant, you can manually dismiss it. Suppression rules let you automatically dismiss similar alerts in the future.
 
-When a single alert isn't interesting or relevant, you can manually dismiss it. Alternatively, use the suppression rules feature to automatically dismiss similar alerts in the future. Typically, you'd use a suppression rule to:
+Just like when you identify an email as spam, you want to review your suppressed alerts periodically to make sure you're not missing any real threats.
 
-- Suppress alerts that you've identified as false positives
+Some examples of how to use suppression rule are:
 
+- Suppress alerts that you've identified as false positives
 - Suppress alerts that are being triggered too often to be useful
 
-Your suppression rules define the criteria for which alerts should be automatically dismissed.
-
-> [!CAUTION]
-> Suppressing security alerts reduces the effectiveness of Defender for Cloud's threat protection. You should carefully check the potential impact of any suppression rule, and monitor it over time.
-
 :::image type="content" source="./media/alerts-suppression-rules/create-suppression-rule.gif" alt-text="Create alert suppression rule.":::
 
 ## Create a suppression rule
 
-There are a few ways you can create rules to suppress unwanted security alerts:
-
-- To suppress alerts at the management group level, use Azure Policy
-- To suppress alerts at the subscription level, you can use the Azure portal or the REST API as explained below
-
-> [!NOTE]
-> Suppression rules don't work retroactively - they'll only suppress alerts triggered _after_ the rule is created. Also, if a specific alert type has never been generated on a specific subscription, future alerts of that type won't be suppressed. For a rule to suppress an alert on a specific subscription, that alert type has to have been triggered at least once before the rule is created.
-
-To create a rule directly in the Azure portal:
-
-1. From Defender for Cloud's security alerts page:
+You can apply suppression rules to management groups or to subscriptions.
 
-    - Select the specific alert you don't want to see anymore, and from the details pane, select **Take action**.
+- To suppress alerts for a management group, use [Azure Policy](/azure/governance/policy/overview).
+- To suppress alerts for subscriptions, use the Azure portal or the [REST API](#create-and-manage-suppression-rules-with-the-api).
 
-    - Or, select the **suppression rules** link at the top of the page, and from the suppression rules page select **Create new suppression rule**:
+Alert types that were never triggered on a subscription or management group before the rule was created won't be suppressed.
 
-        ![Create new suppression rule** button.](media/alerts-suppression-rules/create-new-suppression-rule.png)
+To create a rule for a specific alert in the Azure portal:
 
-1. In the new suppression rule pane, enter the details of your new rule.
-    - Your rule can dismiss the alert on **all resources** so you don't get any alerts like this one in the future.     
-    - Your rule can dismiss the alert **on specific criteria** - when it relates to a specific IP address, process name, user account, Azure resource, or location.
+1. From Defender for Cloud's security alerts page, select the alert you want to suppress.
+1. From the details pane, select **Take action**.
+1. In the **Suppress similar alerts** section of the Take action tab, select **Create suppression rule**.
+1. In the **New suppression rule** pane, enter the details of your new rule.
 
-    > [!TIP]
-    > If you opened the new rule page from a specific alert, the alert and subscription will be automatically configured in your new rule. If you used the **Create new suppression rule** link, the selected subscriptions will match the current filter in the portal.
-
-    [![Suppression rule creation pane.](media/alerts-suppression-rules/new-suppression-rule-pane.png)](media/alerts-suppression-rules/new-suppression-rule-pane.png#lightbox)
-1. Enter details of the rule:
+    - **Entities** - The resources that the rule applies to. You can specify a single resource, multiple resources, or resources that contain a partial resource ID. If you don't specify any resources, the rule applies to all resources in the subscription.
     - **Name** - A name for the rule. Rule names must begin with a letter or a number, be between 2 and 50 characters, and contain no symbols other than dashes (-) or underscores (_). 
     - **State** - Enabled or disabled.
-    - **Reason** - Select one of the built-in reasons or 'other' if they don't meet your needs.
+    - **Reason** - Select one of the built-in reasons or 'other' to specify your own reason in the comment.
     - **Expiration date** - An end date and time for the rule. Rules can run for up to six months.
-1. Optionally, test the rule using the **Simulate** button to see how many alerts would have been dismissed if this rule had been active.
-1. Save the rule. 
 
+1. You select **Simulate** to see the number of previously received alerts that would have been dismissed if the rule was active.
+1. Save the rule.
+
+You can also select the **Suppression rules** button in the Security Alerts page and select **Create suppression rule** to enter the details of your new rule.
+
+:::image type="content" source="media/alerts-suppression-rules/create-new-suppression-rule.png" alt-text="Screenshot of the Create suppression rule button in the Suppression rules page.":::
 
 ## Edit a suppression rule
 
-To edit a rule you've created, use the suppression rules page.
+To edit a rule you've created from the suppression rules page:
 
-1. From Defender for Cloud's security alerts page, select the **suppression rules** link at the top of the page.
-1. The suppression rules page opens with all the rules for the selected subscriptions.
+1. From Defender for Cloud's security alerts page, select **Suppression rules** at the top of the page.
 
-    [![Suppression rules list.](media/alerts-suppression-rules/suppression-rules-page.png)](media/alerts-suppression-rules/suppression-rules-page.png#lightbox)
+    :::image type="content" source="media/alerts-suppression-rules/suppression-rules-button.png" alt-text="Screenshot of the suppression rule button in the Security Alerts page.":::
 
-1. To edit a single rule, open the ellipsis menu (...) for the rule and select **Edit**.
-1. Make the necessary changes and select **Apply**. 
+1. The suppression rules page opens with all the rules for the selected subscriptions.
 
-## Delete a suppression rule
+    :::image type="content" source="media/alerts-suppression-rules/suppression-rules-page.png" alt-text="Screenshot of the Suppression rules page where you can review the suppression rules and create new ones." lightbox="media/alerts-suppression-rules/suppression-rules-page.png":::
 
-To delete one or more rules you've created, use the suppression rules page.
+1. To edit a single rule, open the three dots (...) at the end of the rule and select **Edit**.
+1. Change the details of the rule and select **Apply**.
 
-1. From Defender for Cloud's security alerts page, select the **suppression rules** link at the top of the page.
-1. The suppression rules page opens with all the rules for the selected subscriptions.
-1. To delete a single rule, open the ellipsis menu (...) for the rule and select **Delete**.
-1. To delete multiple rules, select the check boxes for the rules to be deleted and select **Delete**.
-    ![Deleting one or more suppression rules.](media/alerts-suppression-rules/delete-multiple-alerts.png)
+To delete a rule, use the same three dots menu and select **Remove**.
 
 ## Create and manage suppression rules with the API
 
-You can create, view, or delete alert suppression rules via Defender for Cloud's REST API. 
+You can create, view, or delete alert suppression rules using the Defender for Cloud REST API. 
 
 The relevant HTTP methods for suppression rules in the REST API are:
 
 - **PUT**: To create or update a suppression rule in a specified subscription.
-
 - **GET**:
 
     - To list all rules configured for a specified subscription. This method returns an array of the applicable rules.
-
     - To get the details of a specific rule on a specified subscription. This method returns one suppression rule.
-
     - To simulate the impact of a suppression rule still in the design phase. This call identifies which of your existing alerts would have been dismissed if the rule had been active.
 
 - **DELETE**: Deletes an existing rule (but doesn't change the status of alerts already dismissed by it).
 
-For full details and usage examples, see the [API documentation](/rest/api/defenderforcloud/). 
-
+For details and usage examples, see the [API documentation](/rest/api/defenderforcloud/).
 
 ## Next steps
 
 This article described the suppression rules in Microsoft Defender for Cloud that automatically dismiss unwanted alerts.
 
-For more information on security alerts, see the following pages:
+Learn more about security alerts:
 
-- [Security alerts and the intent kill chain](alerts-reference.md) - A reference guide to the security alerts you might get from Defender for Cloud.
+- [Security alerts generated by Defender for Cloud](alerts-reference.md)