How do I Suppress an Alert?

Follow

To suppress an alert for behavior you consider normal or a known “good” activity, you can add a suppression to a rule.

Items to Note:

  1. The suppression filters use the same syntax as the search language.
  2. The suppression test filter works differently from alert rule test filter.  The alert test filter matches the events to the filter expression, results box will indicate the number of alerts that will be generated if you put the filter.   The suppression filter first matches the rule filter expression, gets all matching events and takes out events that match the suppression filter.   Therefore if you do not see any results, that means you would not see alerts.

Add an Alert Suppression to a Rule

To suppress an alert from the Alerts page:

1. Find the alert to suppress and click the Suppress Alert button (fire extinguisher icon).

1_suppress_button.png

2. The Add new Host Rule Suppression popup displays and shows the suggested suppression filter.

NOTE: Threat Stack suggests suppression filters based on the event that triggered the alert. For this example it suggested `src_ip = “144.121.5.10” and user = “ubuntu” `.

2_add_suppress.png

3. Optional: You can modify or add additional event parameters to the suppression filter.

B_1_optional.png

4. Click the Add New Suppression button to save and add the suppression.

B_2_alert_page.png

You can confirm the suppression added by navigating to the Rulesets page, opening the associated rule, and checking the Suppression section.

View or Manually Add a Suppression to a Rule

You can view and add suppression rules on the Rulesets page.

This example uses the `Users: Login` rule in the Base Rule Set.

1. On the Rulesets page, in the Base Rule Set, click the Show More… link.

A_1_rulesets.png

2. Select the `Users: Login` rule to display the rule details

3. Click the Suppressions link (or scroll to the Suppressions section on the right side).

A_2_suppression__.png

4. Click the + New Suppression button to display the filter field.

A_3_add_suppression.png

5. Add the suppression(s) to the Filter field  and click the Add New Suppression button.

A_4_enter_suppressions.png

The suppression saves to the rule!

4_check_rulesets.png

REMINDER: In the Suppressions section, you can view, edit, or add a new suppression.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

1 comment
  • I do not see the edit alert button for auto suppression. I only see the dismiss and suppress alert button. If I double click on the alert I do see a notification button only when I am in the alert pane. From there I can then go to more alert options and can then enable and set auto suppression as a new alert not as saving the existing one.

Article is closed for comments.