To suppress an alert for a behavior you consider normal or a trusted activity, you can add a suppression to a rule.
- The suppression filters use the same syntax as the search language.
- The suppression test filter works differently from the alert rule test filter. The alert test filter matches events against the filter expression, and the results box shows the number of alerts that would be generated. The suppression test filter first applies the rule's filter expression, collects all matching events, and then removes the events that match the suppression filter. Therefore, if you see no results, no alerts would be generated for the events the rule currently matches.
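The following is an added example (not Threat Stack code) that models the two test-filter semantics described above over constructed events; plain Python predicates stand in for the search language, and the field names and values are made up. It also shows why an over-broad suppression is a defensive concern: a filter on the user alone would silence a login from an unexpected source.

```python
# Added example: models the alert test filter vs. the suppression test filter.
# Filters are plain Python predicates standing in for the search syntax.
from typing import Callable, Dict, List

Event = Dict[str, str]
Filter = Callable[[Event], bool]

# Constructed sample events; field names and values are illustrative only.
EVENTS: List[Event] = [
    {"type": "login", "user": "alice", "src_ip": "10.0.0.5"},
    {"type": "login", "user": "deploy", "src_ip": "10.0.0.9"},     # expected CI host
    {"type": "login", "user": "deploy", "src_ip": "203.0.113.7"},  # deploy from outside
    {"type": "exec", "user": "deploy", "src_ip": "10.0.0.9"},
]

def alert_test(events: List[Event], rule: Filter) -> int:
    """Alert rule test filter: count the events matching the rule expression."""
    return sum(1 for e in events if rule(e))

def suppression_test(events: List[Event], rule: Filter, suppression: Filter) -> List[Event]:
    """Suppression test filter: take the events matched by the rule filter, then
    drop those the suppression matches. What remains would still alert; an empty
    result means the suppression covers every event the rule currently matches."""
    matched = [e for e in events if rule(e)]
    return [e for e in matched if not suppression(e)]

def logins_rule(e: Event) -> bool:
    return e["type"] == "login"

def broad_suppression(e: Event) -> bool:
    # Suppresses every deploy login, regardless of where it came from.
    return e["user"] == "deploy"

def narrow_suppression(e: Event) -> bool:
    # Suppresses deploy logins only from the expected CI host.
    return e["user"] == "deploy" and e["src_ip"] == "10.0.0.9"

if __name__ == "__main__":
    print(alert_test(EVENTS, logins_rule))  # 3 login alerts without any suppression
    left = suppression_test(EVENTS, logins_rule, broad_suppression)
    print([e["user"] for e in left])  # ['alice']: the external deploy login is silently dropped
    left = suppression_test(EVENTS, logins_rule, narrow_suppression)
    print([(e["user"], e["src_ip"]) for e in left])  # alice and the external deploy login still alert
```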
To suppress an alert, navigate to the Alerts page.
- Identify the alert to suppress and click the Suppress Alert button (fire extinguisher icon).
- The Add New Suppression dialog opens and shows the suggested suppression filter.
Threat Stack suggests suppression filters based on the event that triggered the alert.
- Optionally, modify the suppression filter or add further event parameters to it.
- Click the Add New Suppression button to save and add the suppression.
- You can confirm the suppression was added by navigating to the Rules page. Open the associated rule and click the Suppression link. The Suppressions pane is displayed on the right side.
You can view and add suppression rules on the Rules page.
This example uses the "Users: Logins" rule in the Base Ruleset.
- Navigate to the Rules page and click the Show More link.
- Click the Users: Logins rule. The rule details are displayed in the right view pane.
- Click the Suppressions link or scroll to the Suppressions pane on the right side.
- Click the + New Suppression button to display the filter field.
- Add the suppression(s) to the Filter field.
- Click the Add New Suppression button.
- The suppression is saved to the rule.
In the Suppressions pane, you can view, edit, delete, or add a new suppression.