Suppressions

Available for:

Cloud SIEM | CSM Threats

Overview

Suppressions are specific conditions for when a signal should not be generated, which can improve the accuracy and relevance of the signals that are generated.

Suppression routes

You can set up a suppression query within an individual detection rule, or define a separate suppression rule to suppress signals across one or more detection rules.

Detection rules

When you create or modify a detection rule, you can define a suppression query to prevent a signal from getting generated. For example, add a rule query to determine when a detection rule triggers a security signal. You can also customize the suppression query to suppress signals for a specific attribute value.

The detection rule editor showing the add suppression query section

Suppression rules

Use suppression rules to set general suppression conditions across multiple detection rules instead of setting up suppression conditions for each individual detection rule. For example, you can set up a suppression rule to suppress any signal that contains a specific IP.

Suppressions configuration

Suppression list

The suppression list provides a centralized and organized way for you to manage suppressions across multiple detection rules.

The suppressions page showing a list of suppression rules

Create a suppression rule

  1. Navigate to the Suppressions page.
  2. Click + New Suppression.
  3. Enter a name for the suppression query.
  4. Add a description to provide context on why this suppression is being applied.
  5. Optionally, add an expiration date on which this suppression will be deactivated.
  6. Select the detection rules you want to apply this suppression to. You can select multiple detection rules.
  7. In the Add Suppression Query section, you have the option to enter suppression queries so that a signal is not generated when the values are met. For example, if a user john.doe is triggering a signal, but their actions are benign and you no longer want signals triggered from this user, input the log query: @user.username:john.doe.
    The add suppression query with the query @user.username:john.doe
    Suppression rule queries are based on signal attributes.
  8. Additionally, you can add a log exclusion query to exclude logs from being analyzed. These queries are based on log attributes. Note: The legacy suppression was based on log exclusion queries, but it is now included in the suppression rule’s Add a suppression query step.

Restrict edit permissions

By default, all users have view and edit access to suppressions. To use granular access controls to limit the roles that may edit a suppression rule:

  1. Click the vertical three-dot menu for the rule and select Permissions.
  2. Click Restrict Access. The dialog box updates to show that members of your organization have Viewer access by default. Use that dropdown menu to select one or more roles, teams, or users that may edit the suppression rule.
  3. Click Add.
  4. Click Save.

Note: To maintain your edit access to the rule, Datadog requires you to include at least one role that you are a member of before saving.

To restore access to a rule:

  1. Click the vertical three-dot menu for the rule and select Permissions.
  2. Click Restore Full Access.
  3. Click Save.

Further reading

Additional helpful documentation, links, and articles: