Merged PR 2832: Update suppression rules section

Update suppression rules section
This commit is contained in:
Joey Caparas 2017-08-23 16:56:02 +00:00
commit 59273b8fd1


@ -52,10 +52,9 @@ Whenever a change or comment is made to an alert, it is recorded in the **Commen
Added comments instantly appear on the pane. Added comments instantly appear on the pane.
## Suppress alerts ## Suppress alerts
There might be scenarios where you need to suppress alerts from appearing in the Windows Defender ATP portal. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
Windows Defender ATP lets you create suppression rules so you can limit the alerts you see in the **Alerts queue**. Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
Suppression rules can be created from an existing alert.
When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created. When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
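Review bot: The new sentence "known to be innocuous such as known tools or processes in your organization" needs a comma before "such as", and "reenabled" on the following line should be "re-enabled" to match the hyphenation used elsewhere in this docset. The unchanged context line that follows also says the same thing twice ("When a suppression rule is created, it will take effect from the point when the rule is created"); since this hunk already reworks the paragraph, consider collapsing it to a single statement that the rule applies only to alerts raised after it is created and does not touch alerts already in the queue.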
@ -64,7 +63,9 @@ There are two contexts for a suppression rule that you can choose from:
- **Suppress alert on this machine** - **Suppress alert on this machine**
- **Suppress alert in my organization** - **Suppress alert in my organization**
The context of the rule lets you tailor the queue to ensure that only alerts you are interested in will appear. You can use the examples in the following table to help you choose the context for a suppression rule: The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal.
You can use the examples in the following table to help you choose the context for a suppression rule:
| **Context** | **Definition** | **Example scenarios** | | **Context** | **Definition** | **Example scenarios** |
|:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
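Review bot: The replacement sentence repeats "surfaced into the portal" twice ("lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal"); trim it to one occurrence, e.g. "lets you tailor what gets surfaced in the portal so that only the alerts you are interested in appear". "Only real security alerts" also overstates what a context choice guarantees: the rule hides whatever matches the conditions a user set, for one machine or the whole organization, so the earlier wording "alerts you are interested in" is the more accurate description and the sentence that follows ("use the examples in the following table") still reads correctly after it.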
@ -87,35 +88,28 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
> [!NOTE] > [!NOTE]
> You cannot create a custom or blank suppression rule. You must start from an existing alert. > You cannot create a custom or blank suppression rule. You must start from an existing alert.
4. Specify the conditions for when the rule is applied: 4. Specify the conditions for when the rule is applied:
- Alert title - Alert title
- Indicator of compromise (IOC) - Indicator of compromise (IOC)
- Suppression conditions - Suppression conditions
> [!NOTE] > [!NOTE]
> The SHA1 of the alert cannot be modified > The SHA1 of the alert cannot be modified, however you can clear the SHA1 to remove it from the suppression conditions.
5. Specify the action and scope on the alert. You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. You can also specify to suppress the alert on the machine only or the whole organization.
5. Specify the action and scope on the alert. <br>
You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on the machine only or the whole organization.
6. Click **Save and close**. 6. Click **Save and close**.
**See the list of suppression rules:** ### View the list of suppression rules
1. Click the settings icon ![The settings icon looks like a cogwheel or gear](images/settings.png) on the main menu bar at the top of the Windows Defender ATP screen. 1. Click **Alerts queue** > **Suppression rules**.
2. Click **Suppression rules**.
![Click the settings icon and then Suppression rules to create and modify rules](images/atp-suppression-rules.png) 2. The list of suppression rules shows all the rules that users in your organization have created.
The list of suppression rules shows all the rules that users in your organization have created.
![Suppression rules show the rule name or title, the context, the date, and an icon to delete the rule](images/rules-legend.png)
Each rule shows:
- (1) The title of the alert that is suppressed
- (2) Whether the alert was suppressed for a single machine (clicking the machine name will allow you to investigate the machine) or the entire organization
- (3) The date when the alert was suppressed
- (4) An option to delete the suppression rule, which will cause alerts with this title to be displayed in the queue from this point onwards.
You can select rules to open up the **Alert management** pane. From there, you can activate previously disabled rules.
## Related topics ## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
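Review bot: The expanded SHA1 note has a comma splice ("cannot be modified, however you can clear the SHA1"); use a semicolon or split it, and say what clearing it means for the rule's reach, since a rule whose SHA1 condition has been removed matches on the remaining conditions (alert title and other IOCs) only and therefore suppresses a broader set of alerts than the original one, which is the kind of consequence a reader choosing that option needs stated. In the "View the list of suppression rules" block, step "2. The list of suppression rules shows all the rules that users in your organization have created" is a description, not an action, so it should be a plain sentence after step 1 rather than a numbered step. The removed legend also carried the only statement of what deleting a rule does ("will cause alerts with this title to be displayed in the queue from this point onwards"); the new closing sentence mentions re-activating disabled rules from the **Alert management** pane but not the effect of deleting or disabling one, so consider carrying that sentence over.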