Issue
We are receiving alerts in our MDE for apps that have been discovered by Defender for Cloud Apps. We are trying to disable these alerts because we do not want to see them any longer. When we open the Alert and attempt to uncheck the "Generate Alerts" box, it is greyed out and we cannot disable alerts for this app.
Environment
Microsoft Defender for Endpoint + Defender for Cloud Apps
Resolution
The Alerts are generated in MDE for apps that are marked as "Unsanctioned" in Defender for Cloud Apps. The specific "Unsanctioned" app settings can be found in MDE > Defender for Cloud Apps > Discovery > Discovered Apps. NOTE: MDE Users cannot disable the Alerts from the MDE > Alerts page. The reason for this is because Defender for Cloud App is a system level integration that is controlled by Microsoft on the back-end.
The way to disable these alerts is to do one of the following:
- To disable the Alerts tenant wide, go back to the MDE > Defender for Cloud Apps > Discovery > Discovered Apps section and set the specific app to "Sanctioned."
- To disable the Alerts for a specific Device Group, go back to the MDE > Defender for Cloud Apps > Discovery > Discovered Apps section, set the app to "Unsanctioned," and when the "Tag as unsanctioned?" dialog box appears, select the "Exclude groups profile" drop-down and select the specific Device Group(s) that the app is allowed to operate on. If you do not use Device Groups, you will need to create a Device Group and add the specific endpoints to that group.
- To disable Alerts for ALL apps discovered by Defender for Cloud Apps, go to Defender for Cloud Apps, under the settings cog, select Settings, under Cloud Discovery select Microsoft Defender for Endpoint, and then uncheck the box that says "Enforce App Access." Keep in mind: this will disable alerts for any and all apps that Defender for Cloud Apps discovers.
For more information on this topic, please see the following Microsoft Article: https://learn.microsoft.com/en-us/defender-cloud-apps/mde-govern
Comments
0 comments
Please sign in to leave a comment.