defender-endpoint/manage-alerts.md
Lines changed: 7 additions & 7 deletions
@@ -41,15 +41,15 @@ You can create a new incident from the alert or link to an existing incident.
## Assign alerts
-
If an alert is not yet assigned, you can select **Assign to me** to assign the alert to yourself.
+
If an alert isn't yet assigned, you can select **Assign to me** to assign the alert to yourself.
## Suppress alerts
There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender XDR. Defender for Endpoint lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
-
When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue, prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
+
When a suppression rule is created, it will take effect from the point when the rule is created. The rule won't affect existing alerts already in the queue, prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
There are two contexts for a suppression rule that you can choose from:
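Review bot: the suppression paragraph (the `+` line beginning "When a suppression rule is created") states the same rule three times; since the line is already being touched for the contraction, collapse it to one sentence, e.g. "A suppression rule takes effect from the moment it's created: it doesn't touch alerts already in the queue, and applies only to alerts raised after that point that match its conditions." The comma in "already in the queue, prior to the rule creation" is also spurious. The "isn't" change on the **Assign to me** line is fine and consistent with the rest of the contraction pass.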
@@ -62,7 +62,7 @@ You can use the examples in the following table to help you choose the context f
|Context|Definition|Example scenarios|
|---|---|---|
-
|**Suppress alert on this device**|Alerts with the same alert title and on that specific device only will be suppressed. <p> All other alerts on that device will not be suppressed.|<ul><li>A security researcher is investigating a malicious script that has been used to attack other devices in your organization.</li><li>A developer regularly creates PowerShell scripts for their team.</li></ul>|
+
|**Suppress alert on this device**|Alerts with the same alert title and on that specific device only will be suppressed. <p> All other alerts on that device won't be suppressed.|<ul><li>A security researcher is investigating a malicious script that has been used to attack other devices in your organization.</li><li>A developer regularly creates PowerShell scripts for their team.</li></ul>|
|**Suppress alert in my organization**|Alerts with the same alert title on any device will be suppressed.|<ul><li>A benign administrative tool is used by everyone in your organization.</li></ul>|
### Suppress an alert and create a new suppression rule
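Review bot: the "only" in the `+` table row, "Alerts with the same alert title and on that specific device only will be suppressed", is misplaced and reads as if the device rather than the set of alerts is what's being limited; suggest "Only alerts with the same alert title on that specific device are suppressed." The second sentence in that cell can then shrink to "Other alerts on that device aren't affected." The "won't" change itself matches the rest of the PR.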
@@ -88,14 +88,14 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and device timeline and will appear as resolved across Defender for Endpoint APIs.
-
Alerts that are marked as hidden will be suppressed from the entire system, both on the device's associated alerts and from the dashboard and will not be streamed across Defender for Endpoint APIs.
+
Alerts that are marked as hidden will be suppressed from the entire system, both on the device's associated alerts and from the dashboard and won't be streamed across Defender for Endpoint APIs.
5. Enter a rule name and a comment.
6. Click **Save**.
> [!NOTE]
-
> Alert suppression is not compatible for custom detections. Make sure to fine-tune your custom detections to avoid [false positives](/defender-endpoint/defender-endpoint-false-positives-negatives).
+
> Alert suppression isn't compatible for custom detections. Make sure to fine-tune your custom detections to avoid [false positives](/defender-endpoint/defender-endpoint-false-positives-negatives).
#### View the list of suppression rules
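Review bot: the NOTE's `+` line keeps the original preposition error, "isn't compatible for custom detections"; it should be "compatible with", or, clearer still, state the behaviour directly: "Alert suppression doesn't apply to alerts generated by custom detections." In the same hunk, the hidden-alerts `+` line has a parallelism problem ("both on the device's associated alerts and from the dashboard") and is missing a comma before "and won't be streamed"; suggest "from both the device's associated alerts and the dashboard, and won't be streamed across Defender for Endpoint APIs." Minor: step 6 reads "Click **Save**", where Microsoft style prefers "Select".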
@@ -111,7 +111,7 @@ You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by chan
For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis.
-
Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a device that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
+
Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a device that's irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
## Alert classification
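Review bot: the "that's" change is fine, but the sentence it sits in isn't parallel: "the alert is benign, coming from a device that's irrelevant ..., or is being dealt with" mixes a participle with two finite verbs. Suggest "if they know the alert is benign, comes from an irrelevant device (such as one belonging to a security administrator), or is already being handled through an earlier alert."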
@@ -124,7 +124,7 @@ The steps to classify alerts are included in this video:
You can add comments and view historical events about an alert to see previous changes made to the alert.
-
Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** section.
+
Whenever a change or comment is made to an alert, it's recorded in the **Comments and history** section.
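Review bot: in the `+` line "Whenever a change or comment is made to an alert, it's recorded", the pronoun "it" has no clear antecedent (the change, the comment, or the alert). Suggest "Every change to an alert, and every comment on it, is recorded in the **Comments and history** section." The contraction itself is fine.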