I suppress an event from the Alerts page. When I click the Test Filter button, I don’t see any events that match the suppression.
There are two possible causes for this issue:
The event that contributed to the alert falls outside of the retention period.
The Test Filter button queries the raw events stream, not the contributing events stream. (A separate article describes the differences between raw and contributing events.) As a result, Threat Stack only returns potential suppression matches for raw events that fall within your company's event retention policy (one or three days). Contributing events, which Threat Stack retains for one full calendar year from the date of the triggered alert, do not appear in the potential suppression results and, if you apply the suppression rule, are not retroactively suppressed.
The data in the raw event search is different than the data in the alert search.
The Test Filter button queries the raw events stream, and the raw event search contains augmented data, whereas the alert search contains raw data. When you click the Test Filter button on the Alerts page, Threat Stack uses the raw event search to return potential suppression results. Because the raw event search includes augmented data, it may not return potential suppressions that match the raw alert data.