Disable vulnerability findings

The Defender for Servers plan in Microsoft Defender for Cloud provides vulnerability scanning for machines using Microsoft Defender Vulnerability Management. Learn more

When scanning reports vulnerability findings, Defender for Servers presents the findings and related information as recommendations.

  • Findings include related information such as remediation steps, relevant common vulnerabilities and exposures (CVEs), CVSS scores, and more.
  • You can view the identified vulnerabilities for one or more subscriptions, or for a specific VM.

If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it with a rule. Disabled findings don't affect your secure score or generate unwanted noise and don't appear in the list of findings. Typically you might disable findings for:

  • Vulnerabilities with a severity less than medium
  • Vulnerabilities that aren't patchable.
  • Vulnerabilities with CVSS score less than 6.5
  • Findings with specific text in the security check or category (for example, “RedHat”)

Prerequisites

Disable specific findings

Create a rule to disable findings as follows:

  1. In Defender for Cloud > Recommendations. Find recommendation Machines should have vulnerability findings resolved.

  2. In the recommendation details page > Take action tab, select Disable rule.

  3. In Disable rule, specify the settings for disabling vulnerability findings. Findings will be disabled based on the settings criteria. You can specify:

    • IDs: Enter the ID of the findings you want to disable. Separate multiple IDs with a semicolon
    • CVEs: Enter valid CVEs for findings you want to disable.
    • Categories: Enter the categories of findings.
    • Security checks: Enter text from the name of the security checks for findings to disable.
    • CVSS2 and CVSS3 scores: to filter by score, enter a value between 1-10.
    • Minimum severity: Select Medium or High to exclude findings with a severity of less than that chosen.
    • Patchable status: Select the checkbox to exclude findings that can't be patched.
  4. Optionally add a justification, and then select Apply rule. It might take up to 24 hours to take effect.

    Create a disable rule for VA findings on VM.

  5. To view the status of a rule, in the Disable rule page. In the Scope list, subscriptions with active findings show a status of Rule applied.

    Modify or delete an existing rule.

Next steps