Suppression Rules from the Orchestration Rules Page

Role Availability Read-Only Analyst Manager

About Suppression Rules

USM Central includes suppression rules that enable you to manage false positive A condition that is flagged as a vulnerability or weakness that is not actually a concern. This may be caused by other mitigating conditions (such as additional security technology) or inefficient tuning of detection technology. alarms Alarms provide notification of an event or sequence of events that require attention or investigation. . After you have confirmed that these issues do not pose a security threat, create a suppression rule to prevent these issues from displaying in the user interface (UI), and avoid noise in your system.

You can create a suppression rule from the details page of an alarm (View Alarm Details). This functionality works the same way, and the Create Rule dialog box is similar when you are creating a rule either from a detail page or from the system configuration window. Although it is not a rule, you can also suppress a specific alarm.

Important: The easiest way to configure a suppression rule is from the Alarms details page (see Creating Suppression Rules from the Alarms Page for more information).

Note: The suppression rule you create applies to future items. It also applies to items of the current day, up to 10 K alarms.

Managing Suppression Rules

To create a suppression rule from the orchestration rules page

  1. Go to Settings > Rules.
  2. Select Create Orchestration Rule > Create Suppression Rule.

    Create a suppression rule

  3. Enter a name for the rule.
  4. Select a deployment.
  5. Select the property values you want to include in the rule to create a matching condition.
  6. Click Add Condition and select the property values you want to include in the rule to create a matching condition.

    7. Note: If the field is related to the name of a country, you should use the country code defined by the ISO 3166.

    Note: The Sources or Destinations field needs to match the universally unique identifier (UUID) of the event or alarm. You can use the Source Name or Destination Name field instead.

  7. (Optional.) Click Add Group to group your conditions.

    Note: See Operators in the Orchestration Rules for more information.

  8. (Optional.) Click the More link to include a multiple occurrence parameter.

    Modify these two options:

    • Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.

    • Length: Specify the length of the timespan used to identify a match for multiple occurrences. Enter the number and choose a value of seconds, minutes, or hours.

      This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.

      Specify multiple occurances to match for the rule

      In this example, the rule applies when the configured conditions happen five times every three hours.

    These two options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarm Alarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized access An incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). login Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window.

  9. Click Save Rule.

    10. The created rule displays in the list of rules.

    Important: It takes a few minutes for an orchestration rule to become active.

To filter suppression rules by name

  1. Go to Settings > Rules.
  2. Click the box next to Filter By.
  3. Enter your search.

To filter suppression rules by deployment

  1. Go to Settings > Rules.
  2. In the left navigation pane, click Suppression Rules.
  3. Click the box Deployment.
  4. Select All Rules, Enabled, or Disabled.

To filter suppression rules by rule status

  1. Go to Settings > Rules.
  2. Click the combo box next to Rule Status.
  3. Select All Rules, Enabled, or Disabled.

To edit a suppression rule

  1. Go to Settings > Rules.
  2. On the left navigation pane, click Suppression Rules.
  3. Click the icon of the rule you want to edit.
  4. Modify the data of the items that need to be modified.
  5. Click Save Rule.

To delete a suppression rule

  1. Go to Settings > Rules.
  2. On the left navigation pane, click Suppression Rules.
  3. Click the icon of the rule you want to delete.
  4. Confirm by clicking Accept.

To enable a suppression rule

  1. Go to Settings > Rules.
  2. On the left navigation pane, click Suppression Rules.
  3. Click the icon of the rule you want to enable.

To disable a suppression rule

  1. Go to Settings > Rules.
  2. On the left navigation pane, click Suppression Rules.
  3. Click the icon of the rule you want to disable.

To enable all suppression rules

  1. Go to Settings > Rules.
  2. On the left navigation pane, click Suppression Rules.
  3. In the list of rules, select the first checkbox in the first column to select all the rules.
  4. Click Enable All Rules.

To disable all suppression rules

  1. Go to Settings > Rules.
  2. On the left navigation pane, click Suppression Rules.
  3. In the list of rules, select the first checkbox in the first column to select all the rules.
  4. Click Disable All Rules.
  5. Confirm by clicking Accept.