Create an exemption rule to exclude a resource from a security recommendation

by | Sep 25, 2020 | Azure Policy, Azure Security Center, Microsoft Defender for Cloud

A core priority of any security team is to ensure that the analysts can focus on the tasks and incidents that are important to the organization. Security Center has many features for customizing the information that you give the most priority to and ensuring that your safe score is a valid reflection of your organization’s security decisions. Exempting resources is one such feature.

When you research a security recommendation in Azure Security Center (ASC), one of the first pieces of information you look at is the list of affected resources.

Occasionally, a resource will be listed as unhealthy with respect to a specific security recommendation (and as a result, your secure score will be lowered), even though you think it shouldn’t be. It may have been addressed by a process not being tracked by Security Center. Or maybe your organization has decided to accept the risk for that specific source.

In such cases, you can create an exemption rule and ensure that the resource is not listed among the unhealthy resources in the future and does not affect your safe score. These rules may include documented justifications, as described below.

How to create an exemption rule for a resource

If you believe that a resource should be excluded from a specific security recommendation, you can configure this with the following steps

Please note that this is a premium Azure policy capability that’s offered for Azure Defender customers with no additional cost. For other users, charges may apply in the future.

Open the recommendation

 

    • Go to the recommendation pane of ASC (Azure Portal https://portal.azure.com > Azure Security Center > Recommendations)
    • Open up the recommendation you want to exempt from a resource
    • On the list of unhealthy resources, select the ellipsis menu (“…”) for the resource you want to exempt.

 

Create the exemption

 

    • In the newly open “create exemption” pane:
        • Provide a name for the exemption. Choose something descriptive, so that later on, it is immediately clear what kind of exception it is without much research

        • Optionally you can choose to expire the exemption at a future moment automatically. This is useful in cases where you want to see this recommendation later if it is not resolved after X days, for example.

        • Select the exemption category for auditing purposes:

           

            • Mitigated – This issue isn’t relevant to the resource because it’s been handled by a different tool or process than the one being suggested

            • Waiver – Accepting the risk for this resource

        • Optionally you can provide a description containing details about this exemption.

        • Click on “Save”

View individual recommendation exemptions 

    • To review your exempted resources, open the Not applicable tab of the recommendation
    • To modify or delete an exemption, select the ellipsis menu (“…”)

View all recommendation exemptions

Exemption rules use Azure policy to create an exemption for the resource on the policy assignment.

 

    • To view additional information or to modify/delete an exemption, select the ellipsis menu (“…”)

The “Edit exemption” option within Azure Policy allows you to select additional recommendations to include in the exemption.

For more information about recommendation exemption rules see the following documentation:

https://docs.microsoft.com/en-us/azure/security-center/exempt-resource