Suppressions

Available for:

Cloud SIEM | CSM Threats

Overview

Suppressions are specific conditions for when a signal should not be generated, which can improve the accuracy and relevance of the signals that are generated.

Suppression routes

You can set up a suppression query within an individual detection rule, or define a separate suppression rule to suppress signals across one or more detection rules.

Detection rules

When you create or modify a detection rule, you can define a suppression query to prevent a signal from being generated. The rule query determines when a detection rule triggers a security signal; the suppression query then withholds the signal for a specific attribute value even when the rule query matches.

The detection rule editor showing the add suppression query section

Suppression rules

All suppression queries for detection rules are being automatically migrated to suppression rules. Your suppression queries will now use the log suppression option in suppression rules. This process will complete by the end of April. See Migrate legacy suppression queries to suppression rules for more information.

Use suppression rules to set general suppression conditions across multiple detection rules instead of setting up suppression conditions for each individual detection rule. For example, you can set up a suppression rule to suppress any signal that contains a specific IP.

Suppressions configuration

Suppression list

The suppression list provides a centralized and organized way for you to manage suppressions across multiple detection rules.

The suppressions page showing a list of suppression rules

Create a suppression rule

  1. Navigate to the Suppressions page.
  2. Click + New Suppression.
  3. Enter a name for the suppression rule.
  4. Add a description to provide context on why this suppression is being applied.
  5. Optionally, add an expiration date on which this suppression will be deactivated.
  6. Select the detection rules you want to apply this suppression to. You can select multiple detection rules.
  7. In the Add Suppression Query section, optionally enter one or more suppression queries; a signal is not generated when a query matches. For example, if a user john.doe is triggering a signal, but their actions are benign and you no longer want signals triggered for this user, enter the query: @user.username:john.doe.
    The add suppression query with the query @user.username:john.doe
    Suppression rule queries are based on signal attributes.
  8. Additionally, you can add a log exclusion query to exclude logs from being analyzed at all. These queries are based on log attributes. Note: Legacy suppression was based on log exclusion queries; that behavior is now covered by the suppression rule’s Add Suppression Query step.
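The two kinds of query above act at different points: a log exclusion query is evaluated on log attributes before a detection rule analyzes the log, while a suppression query is evaluated on the attributes of the signal that a rule would otherwise emit, and an expiration date switches the whole rule off. The following is an added example, written for this page and not Datadog's own code, that models that pipeline so the difference can be seen on constructed data. It assumes a deliberately small query grammar (space-separated `@path:value` terms ANDed together, a leading `-` to negate a term, a trailing `*` wildcard), Unix-second timestamps, and hypothetical rule ids, usernames and log lines; the real product's query language and signal schema are richer.

```python
"""Toy model of how a suppression rule is applied (added example, not Datadog code).
Assumptions: query grammar is limited to space-separated `@path:value` terms
(AND), an optional leading `-` to negate a term and a trailing `*` wildcard;
times are Unix seconds; the rules and logs below are constructed."""
from dataclasses import dataclass
from typing import Optional


def parse_query(query: str):
    """Turn '@user.username:john.doe -@env:prod' into (negated, path, value) terms."""
    terms = []
    for token in query.split():
        negated = token.startswith("-")
        token = token[1:] if negated else token
        if not token.startswith("@") or ":" not in token:
            raise ValueError(f"unsupported query term: {token}")
        path, value = token[1:].split(":", 1)
        terms.append((negated, path, value))
    return terms


def lookup(attributes: dict, path: str):
    """Resolve a dotted path such as 'user.username' in nested attributes."""
    node = attributes
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(query: str, attributes: dict) -> bool:
    """True when every term holds. An empty query matches nothing, so an
    empty suppression query never suppresses anything."""
    if not query.strip():
        return False
    for negated, path, value in parse_query(query):
        actual = lookup(attributes, path)
        if value.endswith("*"):
            hit = actual is not None and str(actual).startswith(value[:-1])
        else:
            hit = actual is not None and str(actual) == value
        if hit == negated:  # positive term missed, or negated term hit
            return False
    return True


@dataclass
class DetectionRule:
    rule_id: str
    name: str
    query: str  # log query that makes the rule fire


@dataclass
class SuppressionRule:
    name: str
    description: str
    rule_ids: set                     # detection rules this suppression applies to
    suppression_query: str = ""       # evaluated on the SIGNAL's attributes
    log_exclusion_query: str = ""     # evaluated on the LOG, before analysis
    expiration: Optional[int] = None  # Unix seconds; None never expires
    enabled: bool = True

    def active(self, now: int) -> bool:
        return self.enabled and (self.expiration is None or now < self.expiration)


def evaluate(log: dict, rules, suppressions, now: int):
    """Return (rule_id, signal, suppressed_by) for every rule the log fires.
    A log matching a scoped log exclusion query is never analyzed for that rule."""
    results = []
    for rule in rules:
        scoped = [s for s in suppressions if s.active(now) and rule.rule_id in s.rule_ids]
        if any(matches(s.log_exclusion_query, log) for s in scoped):
            continue
        if not matches(rule.query, log):
            continue
        # Constructed signal shape: the log's attributes plus the rule that fired.
        signal = {**log, "rule": {"id": rule.rule_id, "name": rule.name}}
        suppressed_by = next((s.name for s in scoped if matches(s.suppression_query, signal)), None)
        results.append((rule.rule_id, signal, suppressed_by))
    return results


def summarize(logs, rules, suppressions, now: int) -> dict:
    """Group outcomes by username: signals that reach analysts vs. suppressed ones."""
    out = {"signals": [], "suppressed": []}
    for log in logs:
        for _rule_id, signal, suppressed_by in evaluate(log, rules, suppressions, now):
            user = lookup(signal, "user.username")
            if suppressed_by:
                out["suppressed"].append((user, suppressed_by))
            else:
                out["signals"].append(user)
    return out


# Constructed sample data (hypothetical rule id, users, environments and timestamps).
RULES = [DetectionRule("def-001", "Failed console login", "@evt.name:ConsoleLogin @evt.outcome:failure")]
SUPPRESSIONS = [
    SuppressionRule("benign john.doe", "Known test account", {"def-001"},
                    suppression_query="@user.username:john.doe", expiration=1_800_000_000),
    SuppressionRule("ignore staging", "Staging is noisy", {"def-001"},
                    log_exclusion_query="@env:staging"),
]
SAMPLE_LOGS = [
    {"evt": {"name": "ConsoleLogin", "outcome": "failure"}, "user": {"username": "john.doe"}, "env": "prod"},
    {"evt": {"name": "ConsoleLogin", "outcome": "failure"}, "user": {"username": "jane.roe"}, "env": "prod"},
    {"evt": {"name": "ConsoleLogin", "outcome": "failure"}, "user": {"username": "john.doe"}, "env": "staging"},
    {"evt": {"name": "ConsoleLogin", "outcome": "success"}, "user": {"username": "jane.roe"}, "env": "prod"},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS, RULES, SUPPRESSIONS, now=1_700_000_000))
    print(summarize(SAMPLE_LOGS, RULES, SUPPRESSIONS, now=1_900_000_000))  # after the expiration date
```

Run as is, the first summary shows john.doe's failed login suppressed by name while jane.roe's still produces a signal, and the staging log never fires the rule because the log exclusion query dropped it before analysis. The second run, with the clock past the expiration date, shows john.doe's signal reappearing: an expired suppression silently stops applying, which is the point of recording the reason in the description and reviewing expirations rather than letting them lapse unnoticed.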

Migrate legacy suppression queries to suppression rules

All suppression queries for detection rules are being automatically migrated to suppression rules. Your suppression queries will now use the log suppression option in suppression rules. This process will be completed by the end of April 2024.

Migrate your detection rules’ legacy Suppression Queries to the new Suppression Rules.


To see a list of rules using the legacy suppression query and to migrate them:

  1. Navigate to the detection rules list.
  2. Hover over xx rules in the yellow banner to see the list of rules that need to be migrated.
    A yellow banner saying that 28 rules with suppression queries need to be migrated to suppression rules
  3. Click on a rule.
  4. In the detection rule editor, scroll down to the legacy Suppression Queries section and review the information.
  5. In the Suppression Rules section, fill in the information based on what is in the legacy Suppression Queries section.
  6. Repeat steps 2 to 5 for each detection rule using legacy suppression queries.

Further reading

Additional helpful documentation, links, and articles: