To suppress an alert for behavior you consider normal or a known “good” activity, you can add a suppression to a rule.
Items to Note:
- The suppression filters use the same syntax as the search language.
- The suppression test filter works differently from alert rule test filter. The alert test filter matches the events to the filter expression, results box will indicate the number of alerts that will be generated if you put the filter. The suppression filter first matches the rule filter expression, gets all matching events and takes out events that match the suppression filter. Therefore if you do not see any results, that means you would not see alerts.
Add an Alert Suppression to a Rule
To suppress an alert from the Alerts page:
1. Find the alert to suppress and click the Suppress Alert button (fire extinguisher icon).
2. The Add new Host Rule Suppression popup displays and shows the suggested suppression filter.
NOTE: Threat Stack suggests suppression filters based on the event that triggered the alert. For this example it suggested `src_ip = “22.214.171.124” and user = “ubuntu” `.
3. Optional: You can modify or add additional event parameters to the suppression filter.
4. Click the Add New Suppression button to save and add the suppression.
You can confirm the suppression added by navigating to the Rulesets page, opening the associated rule, and checking the Suppression section.
View or Manually Add a Suppression to a Rule
You can view and add suppression rules on the Rulesets page.
This example uses the `Users: Login` rule in the Base Rule Set.
1. On the Rulesets page, in the Base Rule Set, click the Show More… link.
2. Select the `Users: Login` rule to display the rule details
3. Click the Suppressions link (or scroll to the Suppressions section on the right side).
4. Click the + New Suppression button to display the filter field.
5. Add the suppression(s) to the Filter field and click the Add New Suppression button.
The suppression saves to the rule!
REMINDER: In the Suppressions section, you can view, edit, or add a new suppression.