You can create suppression rules from the EventsAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall. page to prevent some events from flooding your system.
USM Anywhere saves the events that match a suppression rule, but does not correlate these suppressed events. By default, USM Anywhere hides these suppressed events. If you want to see these events, click Suppressed in the Search & Filters area. The suppressed events will be displayed in the table along with all events. See To only display the suppressed events if you want to display just the suppressed events.
Warning: Keep in mind that orchestration rules only apply to future events and alarms. There is no longer an exception for suppression rules.
Suppression rules using the
Match, case insensitive operators apply to future events and alarms, not to events and alarms received in the current day.
You can create your own rules from the Suppression Rules page or from the Events details page, which is the easiest way to configure the matching conditions.
To create a Suppression Rule from the Events page
- Go to Activity > Events.
- Search the events which you want to include in the suppression rule. See Searching Events for more information.
- Click the event to suppress.
- Select Create Rule > Create Suppression Rule.
- Enter a name for the rule.
- You have already suggested property values to create a matching condition. If you want to add new property values, click Add Condition.
- (Optional.) Click Add Group of Conditions to group your conditions.
(Optional.) Click the More link to include a multiple occurrence parameter.
These options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarmAlarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized accessAn incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSHProgram to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through Secure Copy (SCP). loginLog in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window. These are the two options that you can modify:
- Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.
Length: Specify the length of the window used to identify a match for multiple occurrences. Enter the number and choose a time-unit value of seconds, minutes, or hours.
This duration identifies the amount of time that transpires from the first to last. If the number of occurrences is not met within this period, the rule is not a match.
In this example, the rule applies when the configured conditions happen five times every three hours.
- Click Save Rule.
Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.
Note: Keep in mind that the Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.
Important: Instead of using the equals and equals, case insensitive operators for array fields, AT&T Cybersecurity recommends the use of the in or contains operators.
Note: If you need to add a property value that maps with a property key, you need to know the mapping of the field. See Determining the Mapping of a Field for more information.
Note: See Operators in the Orchestration Rules for more information.
The suppression rule has been created. You can see it from Settings > Rules, see Suppression Rules from the Orchestration Rules Page for more information.
To only display the suppressed events
- Go to Activity > Events.
- In the Search & Filters area, click Not Suppressed to remove the Suppressed: False filter, and then click Suppressed to add the Suppressed: True filter.
- To see
eventssuppressed by a certain rule, in the upper-left corner of the page, click the Configure Filters link.
- In the Search filters field, enter Suppress.
- Select the Suppress Rule Name filter.
- Click the icon to pass the selected filter from the available filters to the selected ones.
The page reloads and the Suppress Rule Name filter is added at the lower left corner.
- Search the Suppress Rule Name filter and click the rule.
If no rule name displays, it is because of these reasons:
- There are no
eventssuppressed by the rule.
- The Suppressed filter is not enabled.
See Searching Events for more information about the icons below the filters.
Note: You can save the view for later use. See Event Views for more information about how to create a configuration view.
To show triggered
- Go to Settings > Rules to open the All Orchestration Rules page.
- In the
Event Suppressionrow, click the icon.