Merge pull request #2307 from MicrosoftDocs/main

Auto Publish – main to live - 2025-12-28 23:00 UTC

Author: learn-build-service-prod[bot]

articles/defender-for-cloud/disable-vulnerability-findings-containers-secure-score.md

@@ -1,80 +1,102 @@
 ---
-title: Create exemptions and disable vulnerabilities (Secure score)
-description: Learn how to create exemptions and disable vulnerabilities in Defender for Cloud to customize secure score results and manage findings effectively.
+title: Disable vulnerability findings (Secure score)
+description: Learn how to disable vulnerability assessment findings in Microsoft Defender for Cloud to customize secure score results and manage findings effectively.
 ms.topic: how-to
 ms.date: 03/31/2025
-#customer intent: As a security administrator, I want to manage exemptions and disable vulnerabilities so that I can customize secure score results.
+#customer intent: As a security administrator, I want to disable vulnerability findings so that I can customize secure score results.
+
 ---
 
-# Create exemptions and disable vulnerabilities (Secure score)
+# Disable vulnerability findings (Secure score)
 
-Defender for Cloud lets you create exemptions and disable vulnerability assessment findings on container registry images and running images (secure score). This feature lets you customize your secure score results and manage the findings relevant to your organization.
+Microsoft Defender for Cloud lets you customize your secure score by controlling which vulnerability assessment findings are included in the score. You can do this by creating disable rules, which suppress specific findings for container registry images and running images.
 
-If your organization needs to ignore a finding instead of remediating it, you can disable it. Disabled findings don't affect your secure score or generate unwanted alerts or recommendations.
+Disable rules help you exclude findings that aren't relevant to your organization so they don’t affect your secure score or appear in your vulnerability findings list.
 
-## Prerequisites
+## How disable rules work
 
-- To create a rule, you need permissions to edit a policy in Azure Policy. Learn more in [Azure RBAC permissions in Azure Policy](/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy).
+Disable rules control how Defender for Cloud evaluates vulnerability assessment findings for container registry images and running container images. A disable rule tells Defender for Cloud to ignore specific findings that match the criteria you define.
+
+When a finding is disabled:
+
+- it doesn't appear in the list of vulnerability findings,
+- it doesn't affect your secure score, and
+- it doesn't generate alerts or recommendations.
+
+Disable rules are applied per recommendation. To disable the same CVE or criteria for both registry images and running images, create a rule in each recommendation.
+
+Disable rules are commonly used to:
+
+- exclude low-severity findings,
+- ignore vulnerabilities in images the vendor won’t fix, or
+- suppress findings that aren't relevant to your environment.
 
 > [!NOTE]
-> You can customize your vulnerability assessment experience by exempting management groups, subscriptions, or specific resources from your secure score. Learn how to [create an exemption](exempt-resource.md) for a resource or subscription.
+> If you need to exclude an entire resource, subscription, or management group from secure score calculations, you can [create an exemption](exempt-resource.md).
+
+## Prerequisites
+
+- To create a rule, you need permissions to edit a policy in Azure Policy. Learn more in [Azure RBAC permissions in Azure Policy](/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy).
 
 ## Create a disable rule
 
-Create a disable rule for vulnerability findings on registry images and running images (secure score) from the recommendations detail page in Defender for Cloud.
+1. From the recommendations details page for [Container registry images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) or [Running container images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5), select **Disable rule**.
 
-When a finding matches the criteria you defined in your disable rules, it won't appear in the list of findings.
+1. Select the scope where you want the rule to apply.
 
-Typical scenarios include:
+1. Define your criteria. Disable rules can match findings based on:
 
-- Disabling findings with severity below medium
-- Disabling findings for images that the vendor won't fix
+   - **CVE** – Enter one or more valid CVE identifiers, separated by semicolons.  
+     For example, `CVE-2020-1347;CVE-2020-1346`
 
-Disable rules use a combination of the following criteria:
+   - **Image digest** – Specify the digests of images whose vulnerability findings you want to exclude. Separate multiple digests with semicolons.  
+     For example:  
+     `sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c`
 
-- **CVE** - Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. For example, CVE-2020-1347; CVE-2020-1346.
-- **Image digest** - Specify images for which vulnerabilities should be excluded based on the image digest. Separate multiple digests with a semicolon, for example: `sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c`
-- **OS version** - Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17
-- **Minimum Severity** - Select low, medium, high, or critical to exclude vulnerabilities less than the specified severity level.
-- **Fix status** - Select the option to exclude vulnerabilities based on their fix status.
+   - **OS version** – Specify OS versions to exclude *for images running that OS*. Separate multiple OS versions with semicolons.  
+     For example: `ubuntu_linux_20.04;alpine_3.17`
 
-Disable rules apply per recommendation, for example, to disable [CVE-2017-17512](https://github.com/advisories/GHSA-fc69-2v7r-7r95) both on the registry images and runtime images, the disable rule has to be configured in both places.
+   - **Minimum severity** – Exclude vulnerabilities that are *less than or equal to* the selected severity (low, medium, high, or critical).
 
-### Create the disable rule:
+   - **Fix status** – Exclude vulnerabilities based on whether a fix is available. 
+     For example: "Fix available", "No fix", "Unknown"
 
-1. From the recommendations detail page for [Container registry images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) or [Running container images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5), select **Disable rule**.
+1. Enter a justification explaining why the finding is being disabled. This helps maintain clarity and auditability.
 
-1. Select the relevant scope.
+1. Select **Apply rule**.
 
-1. Define your criteria. You can use any of the following criteria:
+    :::image type="content" source="./media/disable-vulnerability-findings-containers/disable-rules-secure-score.png" alt-text="Screenshot showing where to create a disable rule for vulnerability findings." lightbox="media/disable-vulnerability-findings-containers/disable-rules.png":::
 
-    - **CVE** - Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. For example, CVE-2020-1347; CVE-2020-1346.
-    - **Image digest** - Specify images for which vulnerabilities should be excluded based on the image digest. Separate multiple digests with a semicolon, for example: `sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c`
-    - **OS version** - Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17
-    - **Minimum Severity** - Select low, medium, high, or critical to exclude vulnerabilities less than and equal to the specified severity level.
-    - **Fix status** - Select the option to exclude vulnerabilities based on their fix status.
+Disable rule changes can take up to 24 hours to take effect. When the rule is active, it appears on the Disable rule page with a **Rule applied** status.
 
-1. In the justification text box, add your justification for why a specific vulnerability was disabled. This provides clarity and understanding for anyone reviewing the rule.
+## View a disable rule
 
-1. Select **Apply rule**.
+1. From the recommendation details page, select **Disable rule**.
+
+1. Select the ellipsis (**…**) next to the rule and choose **View rule**.
 
-    :::image type="content" source="./media/disable-vulnerability-findings-containers/disable-rules-secure-score.png" alt-text="Screenshot showing where to create a disable rule for vulnerability findings on registry images." lightbox="media/disable-vulnerability-findings-containers/disable-rules.png":::
+## Override a disable rule
 
-    > [!IMPORTANT]
-    > Changes might take up to 24 hours to take effect.
+1. From the recommendation details page, select **Disable rule**.
 
-## View, override, or delete a rule
+1. Select the ellipsis (**…**) next to the rule you want to override.
 
-1. From the recommendations detail page, select **Disable rule**.
-1. From the scope list, subscriptions with active rules show as **Rule applied**.
-1. To view or delete the rule, select the ellipsis menu ("...").
-1. Do one of the following:
-    - To view or override a disable rule - select **View rule**, make any changes you want, and select **Override rule**.
-    - To delete a disable rule - select **Delete rule**.
+1. Select **View rule**.
+
+1. Update the criteria as needed and select **Override rule** to apply the changes.
 
     :::image type="content" source="./media/disable-vulnerability-findings-containers/override-rules.png" alt-text="Screenshot showing where to view, delete or override a rule for vulnerability findings on registry images." lightbox="media/disable-vulnerability-findings-containers/override-rules.png":::
+   
+## Delete a disable rule
+
+1. From the recommendation details page, select **Disable rule**.
+
+1. Select the ellipsis (**…**) next to the rule you want to delete.
 
-## Next step
+1. Select **Delete rule**.
+
+## Next steps
 
 - Learn how to [view and remediate vulnerability assessment findings for registry images](view-and-remediate-vulnerability-assessment-findings.md).
+
 - Learn about [agentless container posture](concept-agentless-containers.md).

articles/defender-for-cloud/disable-vulnerability-findings-containers.md

@@ -1,6 +1,6 @@
 ---
-title: Creating exemptions and disabling vulnerabilities
-description: Learn how to create exemptions and disable vulnerabilities
+title: Create exemptions and disable vulnerability assessment findings on container registry images and running images
+description: Learn how to create exemptions and disable vulnerability assessment findings for container registry images and running images in Microsoft Defender for Cloud.
 ms.topic: how-to
 ms.date: 07/29/2025
 ---

articles/defender-for-cloud/disable-vulnerability-findings.md

@@ -18,9 +18,9 @@ If your organization needs to ignore certain findings instead of remediating the
 You might disable findings for:
 
 - Vulnerabilities with a severity less than medium
-- Vulnerabilities that aren't patchable.
+- Unpatchable vulnerabilities
 - Vulnerabilities with CVSS score less than 6.5
-- Findings with specific text in the security check or category (for example, “RedHat”)
+- Findings with specific text in the security check or category (for example, “Red Hat”)
 
 ## Prerequisites
 
@@ -30,27 +30,30 @@ You might disable findings for:
 
 ## Disable specific findings
 
-Create a rule to disable findings as follows:
+1. Sign in to the [Azure portal](https://portal.azure.com/).
 
-1. In Defender for Cloud > **Recommendations**. Find recommendation [Machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/1195afff-c881-495e-9bc5-1486211ae03f).
-1. In the recommendation details page > **Take action** tab, select **Disable rule**.
-1. In **Disable rule**, specify the settings for disabling vulnerability findings. Findings will be disabled based on the settings criteria. You can specify:
+1. Go to **Defender for Cloud** > **Recommendations**.
 
-    - IDs: Enter the ID of the findings you want to disable. Separate multiple IDs with a semicolon
-    - CVEs: Enter valid CVEs for findings you want to disable.
-    - Categories: Enter the categories of findings.
-    - Security checks: Enter text from the name of the security checks for findings to disable.
-    - CVSS2 and CVSS3 scores: to filter by score, enter a value between 1-10.
-    - Minimum severity: Select Medium or High to exclude findings with a severity of less than that chosen.
-    - Patchable status: Select the checkbox to exclude findings that can't be patched.
+1. Find the recommendation **[Machines should have vulnerability findings resolved](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/1195afff-c881-495e-9bc5-1486211ae03f)**.
 
-1. Optionally add a justification, and then select **Apply rule**. It might take up to 24 hours to take effect.
+1. On the recommendation details page, select the **Take action** tab, and then select **Disable rule**.
 
-    :::image type="content" source="./media/remediate-vulnerability-findings-vm/new-disable-rule-for-finding.png" alt-text="Create a disable rule for VA findings on VM."  lightbox="media/remediate-vulnerability-findings-vm/new-disable-rule-for-finding.png":::
+1. In the **Disable rule** pane, specify the criteria for the findings you want to disable. You can specify:
+   - **IDs** – Enter one or more finding IDs (separate multiple IDs with semicolons).
+   - **CVEs** – Enter CVE identifiers for the findings you want to disable.
+   - **Categories** – Enter the categories of findings to disable.
+   - **Security checks** – Enter text from the security check name for findings to disable.
+   - **CVSS2 and CVSS3 scores** – To filter by score, enter a value between 1 and 10.
+   - **Minimum severity** – Select *Medium* or *High* to exclude findings with a lower severity.
+   - **Patchable status** – Select this option to exclude findings that can't be patched.
 
-1. To view the status of a rule, in the **Disable rule** page. In the **Scope** list, subscriptions with active findings show a status of **Rule applied**.
+1. Optionally, add a justification, and then select **Apply rule**. The rule might take up to 24 hours to take effect.
 
-     :::image type="content" source="./media/remediate-vulnerability-findings-vm/modify-rule.png" alt-text="Modify or delete an existing rule."  lightbox="media/remediate-vulnerability-findings-vm/modify-rule.png":::
+    :::image type="content" source="./media/remediate-vulnerability-findings-vm/new-disable-rule-for-finding.png" alt-text="Screenshot of creating a rule to disable VM vulnerability findings in Defender for Cloud." lightbox="media/remediate-vulnerability-findings-vm/new-disable-rule-for-finding.png":::
+
+1. To view the rule status, open the **Disable rule** page. In the **Scope** list, subscriptions with active findings show the status **Rule applied**.
+
+    :::image type="content" source="./media/remediate-vulnerability-findings-vm/modify-rule.png" alt-text="Screenshot showing how to view, modify, or delete a rule for disabling vulnerability findings in Defender for Cloud." lightbox="media/remediate-vulnerability-findings-vm/modify-rule.png":::
 
 ## Next steps