
Commit 60557c5

First draft (#7083) (#7089)
(cherry picked from commit 295a3d7) Co-authored-by: Nastasha Solomon <[email protected]>
1 parent 5ecd183 commit 60557c5

3 files changed: +31 -38 lines changed


docs/detections/alert-suppression.asciidoc

Lines changed: 31 additions & 38 deletions
@@ -1,6 +1,14 @@
11
[[alert-suppression]]
22
== Suppress detection alerts
33

4+
Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by <<about-rules,detection rules>>. Normally, when a rule meets its criteria repeatedly, it creates multiple alerts, one for each time the rule's criteria are met. When alert suppression is configured, alerts for duplicate events are not created. Instead, the qualifying events are grouped, and only one alert is created for each group.
5+
6+
Depending on the rule type, you can configure alert suppression to create alerts each time the rule runs, or once within a specified time window. You can also specify multiple fields to group events by unique combinations of values.
7+
8+
The {security-app} displays several indicators in the Alerts table and the alert details flyout when a detection alert is created with alert suppression enabled. You can view the original events associated with suppressed alerts by investigating the alert in Timeline.
9+
10+
=== Configure alert suppression
11+
412
.Requirements and notices
513
[sidebar]
614
--
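Review bot: the new intro sentence at line 4, "alerts for duplicate events are not created", reads as if suppression drops alerts entirely and is contradicted by the next sentence, "only one alert is created for each group"; the wording from the paragraph this replaces, "duplicate qualifying events are grouped, and only one alert is created for each group", says the same thing without the contradiction. Also, moving `=== Configure alert suppression` above the `.Requirements and notices` sidebar scopes those requirements (including the ML-rule requirement at line 17) to the configuration steps rather than to the feature as a whole; if that is not intended, keep the sidebar before the new heading.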
@@ -9,57 +17,29 @@
917
* {ml-cap} rules have <<ml-requirements,additional requirements>> for alert suppression.
1018
--
1119

12-
Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types:
13-
14-
* <<create-custom-rule,Custom query>>
15-
* <<create-threshold-rule,Threshold>>
16-
* <<create-indicator-rule,Indicator match>>
17-
* <<create-eql-rule,Event correlation>>
18-
* <<create-new-terms-rule,New terms>>
19-
* <<create-esql-rule,{esql}>>
20-
* <<create-ml-rule,{ml-cap}>>
20+
You can configure alert suppression when <<rules-ui-create,creating>> or editing a rule.
2121

22-
Normally, when a rule meets its criteria repeatedly, it creates multiple alerts, one for each time the rule's criteria are met. When alert suppression is configured, duplicate qualifying events are grouped, and only one alert is created for each group. Depending on the rule type, you can configure alert suppression to create alerts each time the rule runs, or once within a specified time window. You can also specify multiple fields to group events by unique combinations of values.
23-
24-
The {security-app} displays several indicators in the Alerts table and the alert details flyout when a detection alert is created with alert suppression enabled. You can view the original events associated with suppressed alerts by investigating the alert in Timeline.
25-
26-
=== Configure alert suppression
27-
28-
You can configure alert suppression when you create or edit a supported rule type. Refer to documentation for creating <<create-custom-rule,custom query>>, <<create-threshold-rule, threshold>>, <<create-eql-rule,event correlation>>, <<create-new-terms-rule,new terms>>, <<create-esql-rule,{esql}>>, or <<create-ml-rule,{ml}>> rules for detailed instructions.
29-
30-
. When configuring the rule type (the *Define rule* step for a new rule, or the *Definition* tab for an existing rule), specify how you want to group events for alert suppression:
22+
. When configuring the rule (the **Define rule** step for a new rule, or the **Definition** tab for an existing rule), specify how you want to group alerts for alert suppression:
3123
+
3224
--
33-
* **Custom query, indicator match, threshold, event correlation, new terms, {ml}, and {esql} rules:** In *Suppress alerts by*, enter 1-3 field names to group events by the fields' values.
34-
* **Threshold rule:** In *Group by*, enter up to 3 field names to group events by the fields' values, or leave the setting empty to group all qualifying events together.
25+
** **All rule types except the threshold rule**: In *Suppress alerts by*, enter 1-3 field names to group events by the fields' values.
26+
** **Threshold rule only:** In **Group by**, enter up to 3 field names to group events by the fields' values, or leave the setting empty to group all qualifying events together.
3527

3628
--
3729
+
38-
[NOTE]
39-
======
40-
If you specify a field with multiple values, alerts with that field are handled as follows:
41-
42-
* **Custom query or threshold rules:** A group of alerts is created for each value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`.
43-
* **Indicator match, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group.
44-
* **Event correlation (sequence queries only) rules:** If the specified field contains an array of values, suppression only happens if the field's values are an exact match and in the same order. For example, if you specify the field `myips` and one sequence alert has [1.1.1.1, 0.0.0.0] and another sequence alert has [1.1.1.1, 192.168.0.1], neither of those alerts will be suppressed, despite sharing an array element.
45-
======
46-
47-
. If available, select how often to create alerts for duplicate events:
48-
+
49-
NOTE: Both options are available for custom query, indicator match, event correlation, new terms, {esql}, and {ml} rules. Threshold rules only have the *Per time period* option.
30+
TIP: Refer to <<suppression-fields-with-multiple-values,Suppression for fields with an array of values>> to learn how fields with multiple values are handled.
5031
+
51-
--
52-
* *Per rule execution*: Create an alert each time the rule runs and meets its criteria.
53-
* *Per time period*: Create one alert for all qualifying events that occur within a specified time window, beginning from when an event first meets the rule criteria and creates the alert.
32+
. If available, choose how often to create alerts for duplicate events:
33+
** *Per rule execution*: Create an alert each time the rule runs and meets its criteria.
34+
** *Per time period*: Create one alert for all qualifying events that occur within a specified time window, beginning from when an event first meets the rule criteria and creates the alert. This is the only option available when configuring alert suppression for threshold rules.
5435
+
5536
For example, if a rule runs every 5 minutes but you don't need alerts that frequently, you can set the suppression time period to a longer time, such as 1 hour. If the rule meets its criteria, it creates an alert at that time, and for the next hour, it'll suppress any subsequent qualifying events.
5637
+
5738
image::images/alert-suppression-options.png[Alert suppression options,400]
58-
--
59-
39+
+
6040
. Under *If a suppression field is missing*, choose how to handle events with missing suppression fields (events in which one or more of the *Suppress alerts by* fields don't exist):
6141
+
62-
NOTE: These options are not available for threshold rules.
42+
NOTE: These options are available for all rule types except threshold rules.
6343

6444
* *Suppress and group alerts for events with missing fields*: Create one alert for each group of events with missing fields. Missing fields get a `null` value, which is used to group and suppress alerts.
6545
* *Do not suppress alerts for events with missing fields*: Create a separate alert for each matching event. This basically falls back to normal alert creation for events with missing suppression fields.
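Review bot: the list of rule types that support alert suppression (custom query, threshold, indicator match, event correlation, new terms, ES|QL, ML) is deleted at lines 12-20 and not restated anywhere, and the replacement at +20, "when creating or editing a rule", implies every rule type supports it; either keep the list or say "a supported rule type" and link to the rule-type docs as the removed paragraph at -28 did. Two smaller points: at +32 to +38 the `--` open block that wrapped step 2 is gone, so the `+` at +35 directly follows the nested `** *Per time period*` item and the "For example..." paragraph and the image attach to that bullet rather than to step 2 (a blank line before the `+`, or restoring `--`, attaches them to the step); and +25 puts the colon outside the bold (`**...**:`) while +26 puts it inside (`**...:**`).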
@@ -74,6 +54,19 @@ NOTE: These options are not available for threshold rules.
7454
7555
====
7656

57+
[discrete]
58+
[[suppression-fields-with-multiple-values]]
59+
=== Suppression for fields with an array of values
60+
61+
62+
When specifying fields to suppress alerts by, you can select fields that have multiple values. When alerts for those fields are generated, they're handled as follows:
63+
64+
* **Custom query or threshold rules:** Alerts are grouped by each unique value and an alert is created for each group. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts are grouped separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3` and an alert is created for each group.
65+
66+
* **Indicator match, event correlation (non-sequence queries only), new terms, {esql}, or {ml} rules:** Alerts with identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group.
67+
68+
* **Event correlation (sequence queries only) rules:** Alerts that are an exact match are grouped. To be an exact match, array values must be identical and in the same order. For example, if you specify the field `myips` and one sequence alert has `[1.1.1.1, 0.0.0.0]` and another sequence alert has `[1.1.1.1, 192.168.0.1]`, neither of those alerts is suppressed, despite sharing an array element.
69+
7770
=== Confirm suppressed alerts
7871

7972
The {security-app} displays several indicators of whether a detection alert was created with alert suppression enabled, and how many duplicate alerts were suppressed.
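Review bot: the lead sentence at +62, "When alerts for those fields are generated, they're handled as follows", is ambiguous about what is grouped; it is events whose suppression field holds an array of values, so "When an event's suppression field contains an array of values, it is handled as follows" is clearer, and +64 says "an alert is created for each group" twice in one sentence. Also, +60 and +61 leave two blank lines after the heading, and `[discrete]` at +57 keeps this section out of the table of contents even though the TIP at +30 cross-references it; if readers are expected to find it by browsing, drop `[discrete]`.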
Two further files changed (-4.48 KB and -1.68 KB); diff not shown.
