To suppress an alert for behavior you consider normal or a known “good” activity, you can add a suppression to a rule.
NOTE: The suppression filters use the same syntax as the search language.
Add an Alert Suppression to a Rule
To suppress an alert from the Alerts page:
1. Find the alert to suppress and click the Suppress Alert button (fire extinguisher icon).
2. The Add new Host Rule Suppression popup displays and shows the suggested suppression filter.
NOTE: Threat Stack suggests suppression filters based on the event that triggered the alert. For this example it suggested `src_ip = "126.96.36.199" and user = "ubuntu"`.
3. Optional: You can modify or add additional event parameters to the suppression filter.
4. Click the Add New Suppression button to save and add the suppression.
You can confirm the suppression was added by navigating to the Rulesets page, opening the associated rule, and checking the Suppression section.
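Before saving a modified filter (step 3), it helps to check which events it would hide. The following is an added example, not Threat Stack code: a simplified Python model that supports only `field = "value"` terms joined by `and`, run over constructed login events. It compares the suggested filter with a broader one that drops the `src_ip` term.

```python
import re

# Simplified model of a suppression filter: only `field = "value"` terms
# joined by `and`. Assumption for illustration; not Threat Stack's parser.
TERM = re.compile(r'\s*(\w+)\s*=\s*"([^"]*)"\s*')
AND = re.compile(r'and\b', re.IGNORECASE)

def parse_filter(text):
    """Return {field: value} for a conjunction of equality terms."""
    terms, pos = {}, 0
    while True:
        m = TERM.match(text, pos)
        if not m:
            # Reject anything outside the modelled syntax (including an
            # empty filter) rather than silently suppressing everything.
            raise ValueError(f"unsupported filter near: {text[pos:]!r}")
        terms[m.group(1)] = m.group(2)
        pos = m.end()
        if pos == len(text):
            return terms
        joiner = AND.match(text, pos)
        if not joiner:
            raise ValueError(f"expected 'and' near: {text[pos:]!r}")
        pos = joiner.end()

def is_suppressed(event, filter_text):
    """An event is suppressed only if every term in the filter matches it."""
    return all(event.get(f) == v for f, v in parse_filter(filter_text).items())

def suppressed_ids(events, filter_text):
    return [e["id"] for e in events if is_suppressed(e, filter_text)]

# Constructed login events (sample data, not real logs).
EVENTS = [
    {"id": 1, "src_ip": "126.96.36.199", "user": "ubuntu"},
    {"id": 2, "src_ip": "203.0.113.7", "user": "ubuntu"},
    {"id": 3, "src_ip": "126.96.36.199", "user": "root"},
]

SUGGESTED = 'src_ip = "126.96.36.199" and user = "ubuntu"'
BROADER = 'user = "ubuntu"'  # src_ip term removed

if __name__ == "__main__":
    print("suggested filter suppresses:", suppressed_ids(EVENTS, SUGGESTED))
    print("broader filter suppresses:  ", suppressed_ids(EVENTS, BROADER))
```

With the `src_ip` term removed, the login for `ubuntu` from a different address (event 2) is suppressed as well, so each term you delete widens what the rule stops alerting on.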
View or Manually Add a Suppression to a Rule
You can view and add suppression rules on the Rulesets page.
This example uses the `Users: Login` rule in the Base Rule Set.
1. On the Rulesets page, in the Base Rule Set, click the Show More… link.
2. Select the `Users: Login` rule to display the rule details.
3. Click the Suppressions link (or scroll to the Suppressions section on the right side).
4. Click the + New Suppression button to display the filter field.
5. Add the suppression(s) to the Filter field and click the Add New Suppression button.
The suppression saves to the rule!
REMINDER: In the Suppressions section, you can view, edit, or add a new suppression.