Defender 365 admin console - Disabled Connected to a custom indicator & Connected to a unsanctionned blocked app rules

Étienne Fiset 50

I want to know how I can disable these two following alerts :

Disabled Connected to a custom indicator
Connected to an unsanctioned blocked app

I didn't find these alerts on the Alerts Policy of XDR/EPP or Cloud apps.

Since all the changed that Microsoft has done in the past few months, a lot of settings changed the place or are missing. Those alerts type needs to be enabled or disabled on demand, like the other alerts types..

Akshay-MSFT 17,641 Reputation points Microsoft Employee

2024-03-29T16:08:49.9966667+00:00

@Étienne Fiset

Kindly share the screenshot of the blade generating alert to validate about the source generating it.

Thanks,

Akshay Kaushik
Étienne Fiset 50 Reputation points

2024-04-02T15:30:13.25+00:00

@Akshay-MSFT Hi ! Description of the workload : When we block(Unsanctioned) an application through Defender for Cloud apps. It create automatically the indicators to Defender XDR. When someone for example click or go the URL related with the application, the following alerts will be triggered. When an indicator is automatically created through that, it check the box of generate alert when the indicator is triggered. We would like to automatically uncheck the box or disable to alerts describing.

Note : Uncheck the box manually is not possible, since we unsanctioned hundred applications.

7 answers

Étienne Fiset 50 Reputation points

2024-04-25T18:15:54.0566667+00:00

Hey Guys,

I'm working on a solution, if that's working as expected, I will post it here :)

Thanks
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Étienne Fiset 50 Reputation points

2024-05-30T15:10:47.2666667+00:00
So i found a Quick Workaround that is working good for me right now. You have different options to doing it. However here's the solution :

Steps to Automate Alert Management

Create a NRT (Near-Real Time) Rule in Sentinel:

Configure a detection rule that runs in near real-time to detect the specific alerts you want to manage.

Create an Automation Rule:

Define an automation rule in Microsoft Sentinel that triggers when an alert matching your NRT rule is generated. You can also create an incident to group alerts if needed.

Trigger a Logic App Playbook:

Set this automation rule to run a Logic App playbook when the alerts are generated. This playbook can be configured to perform various actions on the alerts.

Configuring the Logic App Playbook

Retrieve Alerts:

Use an action in the playbook to call the Sentinel API and retrieve the details of the alerts triggered by the automation rule.

Change Alert Status:

Add an action in the playbook to update the status of the retrieved alerts to “Resolved”. This can be done using either the Microsoft Sentinel API or the Microsoft Defender for Endpoint (WindowsDefenderATP) API.

API Integration Options

Microsoft Sentinel API:

Use built-in Sentinel actions in Logic Apps to interact directly with alerts and incidents in Sentinel.

Microsoft Defender for Endpoint (WindowsDefenderATP) API:

You can also use this API to manage alerts. Refer to the documentation for details on the necessary API calls: Microsoft Defender for Endpoint API.

Summary of Actions

Automate Closing Alerts: Create an automated playbook in Sentinel to automatically close alerts.

Bidirectional Management: With SIEM integration in the Defender portal, you can manage incidents and alerts in both directions (from Sentinel to Defender and vice versa).
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Defender 365 admin console - Disabled Connected to a custom indicator & Connected to a unsanctionned blocked app rules

7 answers