Suppressions

Suppressions are available for Cloud Security Management Threats and Cloud SIEM.

Overview

Suppressions define specific conditions under which a signal should not be generated. Used carefully, they improve the accuracy and relevance of the signals that are generated by removing known-benign matches rather than hiding whole categories of activity.

Suppression routes

You can set up a suppression query within an individual detection rule, or define a separate suppression rule to suppress signals across one or more detection rules.

Detection rules

Suppression rules are replacing suppression queries in detection rules. The legacy suppression queries will be deprecated on April 1, 2024. See Migrate legacy suppression queries to suppression rules for more information.

When you create or modify a detection rule, you can define a suppression query inside that rule to prevent a signal from being generated. The rule query determines when the detection rule triggers a security signal; the suppression query then excludes matching events, for example those carrying a specific attribute value, so that no signal is generated for them even though the rule query matched.

The detection rule editor showing the add suppression query section

Suppression rules

Use suppression rules to set general suppression conditions across multiple detection rules instead of setting up suppression conditions in each individual detection rule. For example, you can set up a single suppression rule to suppress any signal, from any of the selected detection rules, that contains a specific IP address.

Suppressions configuration

Suppression list

The suppression list provides a centralized and organized way for you to manage suppressions across multiple detection rules.

The suppressions page showing a list of suppression rules

Create a suppression rule

  1. Navigate to the Suppressions page.
  2. Click + New Suppression.
  3. Enter a name for the suppression rule.
  4. Add a description to provide context on why this suppression is being applied.
  5. Optionally, add an expiration date on which this suppression will be deactivated.
  6. Select the detection rules you want to apply this suppression to. You can select multiple detection rules.
  7. In the Add Suppression Query section, enter one or more suppression queries; when a signal's attributes match a query, the signal is not generated. For example, if the user john.doe is triggering signals but their actions are benign and you no longer want signals from this user, enter the query: @user.username:john.doe. Keep the query as narrow as the benign activity allows, for instance by combining the user with the expected action or source, because a suppression on the username alone also hides signals if that account is later misused.
    The add suppression query with the query @user.username:john.doe
    Note: Suppression rule queries are evaluated against signal attributes. If the attribute you want to query on is not a signal attribute, you have to add it as a facet in Log Explorer first. See Log side panel on how to create a facet.
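To make the fields entered above concrete, the following is an added example, not Datadog code and not Datadog's query engine. It models a suppression rule locally: the rules it applies to as a set of detection rule IDs, the suppression query in a small, strict subset of the Datadog search syntax (@attribute:value terms, * wildcards, quoted values, NOT / AND / OR), and an expiration date after which the rule no longer applies. It also covers the per-rule suppression query described under Detection rules, which is the same evaluation scoped to a single rule. The rule IDs, attribute paths and signals are constructed for illustration and are not real identifiers.

```python
"""Local model of how a suppression rule is evaluated against signals.

Added example, not Datadog code. It mirrors the fields entered on the Suppressions page
(name, expiration, detection rules in scope, suppression query) and shows which signals
would be suppressed. Rule IDs, attribute paths and sample signals are constructed.
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Strict tokenizer: input it cannot consume raises, so a typo never silently widens or narrows the suppression.
_TOKEN = re.compile(r'\s+|AND\b|OR\b|NOT\b|@[\w.]+:"[^"]*"|@[\w.]+:\S+')


def _tokenize(query: str) -> list[str]:
    tokens, pos = [], 0
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if m is None:
            raise ValueError(f"unsupported query syntax at {query[pos:]!r}")
        pos = m.end()
        if not m.group().isspace():
            tokens.append(m.group())
    return tokens


def _parse(tokens: list[str]) -> tuple:
    """Recursive descent: OR binds loosest, AND (explicit or implied) tighter, NOT tightest."""
    pos = 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def unary():
        nonlocal pos
        tok, pos = peek(), pos + 1
        if tok == "NOT":
            return ("not", unary())
        if tok is None or not tok.startswith("@"):
            raise ValueError(f"expected @attribute:value, got {tok!r}")
        return ("term", tok)
    def chain(op, operand, stop):  # left-fold `operand (op operand)*`; op may be implied for AND
        nonlocal pos
        node = operand()
        while peek() not in stop:
            if peek() == op:
                pos += 1
            node = (op.lower(), node, operand())
        return node
    return chain("OR", lambda: chain("AND", unary, (None, "OR")), (None,))


def _evaluate(node: tuple, attributes: dict) -> bool:
    kind = node[0]
    if kind == "term":
        attr, _, pattern = node[1].partition(":")
        value = attributes.get(attr[1:])  # attributes keyed by facet path, e.g. "user.username"
        values = value if isinstance(value, list) else [value]
        return value is not None and any(fnmatch.fnmatchcase(str(v), pattern.strip('"')) for v in values)
    if kind == "not":
        return not _evaluate(node[1], attributes)
    left, right = _evaluate(node[1], attributes), _evaluate(node[2], attributes)
    return (left and right) if kind == "and" else (left or right)


def query_matches(query: str, attributes: dict) -> bool:
    return _evaluate(_parse(_tokenize(query)), attributes)


@dataclass
class SuppressionRule:
    name: str
    rule_ids: frozenset[str]            # detection rules this suppression applies to
    suppression_query: str              # signals whose attributes match are not generated
    expires_at: datetime | None = None  # deactivated once this time has passed


def suppressing_rule(signal: dict, rules: list[SuppressionRule], now: datetime) -> SuppressionRule | None:
    """First unexpired rule whose scope includes the signal's detection rule and whose query matches."""
    for rule in rules:
        active = rule.expires_at is None or now < rule.expires_at
        if active and signal["rule_id"] in rule.rule_ids \
                and query_matches(rule.suppression_query, signal["attributes"]):
            return rule
    return None


def triage(signals: list[dict], rules: list[SuppressionRule], now: datetime) -> dict[str, str | None]:
    """Map each signal id to the suppressing rule's name, or None when the signal should fire."""
    return {s["id"]: getattr(suppressing_rule(s, rules, now), "name", None) for s in signals}


# Constructed data: two suppression rules, four candidate signals, two evaluation times.
RULES = [
    SuppressionRule("john.doe benign admin work", frozenset({"rule-iam-policy-change", "rule-console-login"}),
                    "@user.username:john.doe", expires_at=datetime(2024, 6, 30, tzinfo=timezone.utc)),
    SuppressionRule("approved scanner subnet", frozenset({"rule-port-scan"}),
                    "@network.client.ip:10.1.2.* AND NOT @network.destination.port:22"),
]
SIGNALS = [
    {"id": "sig-1", "rule_id": "rule-iam-policy-change", "attributes": {"user.username": "john.doe"}},
    {"id": "sig-2", "rule_id": "rule-s3-public-bucket", "attributes": {"user.username": "john.doe"}},
    {"id": "sig-3", "rule_id": "rule-port-scan", "attributes": {"network.client.ip": "10.1.2.77", "network.destination.port": 443}},
    {"id": "sig-4", "rule_id": "rule-port-scan", "attributes": {"network.client.ip": "10.1.2.77", "network.destination.port": 22}},
]
BEFORE_EXPIRY = datetime(2024, 3, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2024, 7, 1, tzinfo=timezone.utc)
```

Calling triage(SIGNALS, RULES, BEFORE_EXPIRY) suppresses sig-1 (in scope, user matches) and sig-3 (scanner subnet, port other than 22) while sig-2 still fires because its detection rule is not in the suppression's scope and sig-4 fires because the NOT clause excludes port 22; with AFTER_EXPIRY only sig-3 is suppressed, since the john.doe rule has expired. The parser rejects anything outside the supported subset rather than ignoring it, which is the behaviour you want from a suppression: a query that silently matches too much hides real activity, and one that matches nothing leaves the noise in place. Review a new suppression query against live signals before saving it.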

Migrate legacy suppression queries to suppression rules

The legacy suppression queries will be deprecated on April 1, 2024.

Migrate your detection rules' legacy Suppression Queries to the new Suppression Rules.


To see a list of rules using the legacy suppression query and to migrate them:

  1. Navigate to the detection rules list.
  2. Hover over the xx rules link in the yellow banner, where xx is the number of affected rules, to see the list of rules that need to be migrated.
    A yellow banner saying that 28 rules with suppression queries need to be migrated to suppression rules
  3. Click on a rule.
  4. In the detection rule editor, scroll down to the legacy Suppression Queries section and review the information.
  5. In the Suppression Rules section, fill in the information based on what is in the legacy Suppression Queries section.
  6. Repeat steps 2 to 5 for each detection rule that still uses legacy suppression queries.

Further reading

Additional helpful documentation, links, and articles: