In this example, we are going to create a suppression rule to avoid having a lot of sudo A program for UNIX-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser. events Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall.. You can create this rule whenever you trust the origin host Reference to a computer on a network., or because you need to do maintenance. This way you will avoid noise in your list of events.

To create a suppression rule for avoiding Sudo events

1. Go to Settings > Rules.
2. Select Create Orchestration Rule > Suppression Rule.

3. Select a Boolean operator.

   The options are AND, OR, AND NOT, and OR NOT.

4. Select a packet type in the Match drop-down list.

   

   • Logs: Use this packet type for event-based rules.
   • Configuration Issues: Use this packet type for configuration issues-based rules1 This packet type refers to configuration issues that are used to identify incorrect uses of certain features. For example, the app for AWS assesses your configuration of AWS to identify insecure use of the AWS security features..
   • Vulnerabilities: Use this packet type for vulnerabilities-based rules.
   • Alarms: Use this packet type for console user alarms-based rules.

5. Select these property values:

   

6. (Optional.) Click Add Group to group your conditions.

   Note: See Operators in the Orchestration Rules for more information.

7. In the Occurrences text box, enter the number of event occurrences that you want to produce a match on the conditional expression to trigger the rule.

   You can enter the number of occurrences or use the arrows to scroll the value up or down. You can enter a number between 1 and 100.

8. Click Next.

   

   Important: A dialog box opens if there are warning messages. Click Cancel to review the warning messages, or click Accept to continue creating the rule.

9. Enter a name for the rule, (for example, Suppress Sudo Events).
10. (Optional.) Enter a description for identifying this rule.

11. In the Length text box, specify the timespan that you want to use to identify a match for multiple occurrences. Enter the number in the text box, and then use the drop-down menu to select a value of seconds, minutes, or hours.

    This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.

Note: Your defined length and occurrences function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarm Alarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized access An incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). login Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window.

12. Click Save.

The suppression rule has been created. You can see it from Settings > Rules. See Suppression Rules from the Orchestration Rules Page for more information.

Important: It takes a few minutes for an orchestration rule to become active.