There are cases where the alarms Alarms provide notification of an event or sequence of events that require attention or investigation. in USM Anywhere are false positives A condition that is flagged as a vulnerability or weakness that is not actually a concern. This may be caused by other mitigating conditions (such as additional security technology) or inefficient tuning of detection technology., and you may want to suppress these kinds of alarms to prevent the false positives from flooding your system. To suppress an alarm, you need to create a suppression rule. USM Anywhere applies the suppression rule to similar alarms from the current day (up to 10 K alarms) and to future alarms. Existing alarms are suppressed but kept open, while future alarms are suppressed and closed.

To create a suppression rule from the Alarms page

1. Go to Activity > Alarms.

2. Locate the alarm that you want to include in the suppression rule.

   See Searching Alarms for more information.

3. Click the alarm that you want to suppress.
4. Click Create Rule > Create Event Suppression Rule or Create Rule > Create Alarm Suppression Rule.

5. Select a Boolean operator.

   The options are AND, OR, AND NOT, and OR NOT.

6. Select a packet type in the Match drop-down list.

   

   • Logs: Use this packet type for event-based rules.
   • Configuration Issues: Use this packet type for configuration issues-based rules1 This packet type refers to configuration issues that are used to identify incorrect uses of certain features. For example, the app for AWS assesses your configuration of AWS to identify insecure use of the AWS security features..
   • Vulnerabilities: Use this packet type for vulnerabilities-based rules.
   • Alarms: Use this packet type for console user alarms-based rules.
7. You have already suggested property values to create a matching condition, but if you want to add new property values, click Add Condition.

Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.

Note: The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.

Important: Instead of using the equals and equals, case insensitive operators for array fields, LevelBlue recommends the use of the in or contains operators.

Note: If you need to add a property value that maps with a property key, you need to know the mapping of the field. See Determining the Mapping of a Field for more information.

8. (Optional.) Click Add Group to group your conditions.

   Note: See Operators in the Orchestration Rules for more information.

9. In the Occurrences text box, enter the number of event occurrences that you want to produce a match on the conditional expression to trigger the rule.

   You can enter the number of occurrences or use the arrows to scroll the value up or down. You can enter a number between 1 and 100.

Note: The current rule box shows you the syntax of your rule, and the rule verification box reviews that syntax before saving the rule.

10. Click Next.

    

    Important: A dialog box opens if there are warning messages. Click Cancel to review the warning messages, or click Accept to continue creating the rule.

11. Enter a name for the rule.
12. (Optional.) Enter a description for identifying this rule.

13. In the Length text box, specify the timespan that you want to use to identify a match for multiple occurrences. Enter the number in the text box, and then use the drop-down menu to select a value of seconds, minutes, or hours.

    This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.

Note: Your defined length and occurrences function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarm Alarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized access An incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). login Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window.

14. Click Save.

The created rule displays in the list of rules. You can see it from Settings > Rules > Orchestration Rules. See Orchestration Rules for more information.

Important: It takes a few minutes for an orchestration rule to become active.

Suppressed alarms remain in the system but are hidden in the web user interface (UI) by default. If you want to see these alarms, click Suppressed in the Search & Filters area. The table displays suppressed alarms along with the other alarms. Use the following instructions if you want to display just the suppressed alarms.

To only display the suppressed alarms

1. Go to Activity > Alarms.
2. In the Search & Filters area, click Not Suppressed to remove the Suppressed: False filter, and then click Suppressed to add the Suppressed: True filter.
3. Click Closed to include the closed alarms.
4. In the upper-left corner of the page, click the Configure Filters link to see alarms suppressed by a certain rule.
5. In the Search filters field, enter Suppress.
6. Select the Suppress Rule Name filter.
7. Click the icon to pass the selected filter from the available filters to the selected ones.

8. Click Apply.

   The page reloads, and the Suppress Rule Name filter is added at the lower-left corner.

9. Search the Suppress Rule Name filter and click the rule.

If no rule name displays, it is because the rules are not suppressing the alarms or the Suppressed filter is not enabled.

See Searching Alarms for more information about the icons below the filters.

To show triggered alarms rules

1. Go to Settings > Rules to open the All Orchestration Rules page.
2. In the Create an Alarm row, click the icon.

The Alarms List View page opens. The page includes Rules Name as a filter so that you can see how many alarms match the selected rule.