Easier way to "ignore" or "suppress" alerts from the Alerts GUI

[oscar-o-oneill]

Hi. I'm wondering if it has ever been considered to add a more simple way of supressing alerts.

I just started using Security Onion, but it seems like it is a lot of work to do a very simple task, which is to clear out all of the alerts which I know to be perfectly safe and acceptable.

But it seems like I need to do a fair bit of CLI stuff (not that much, mind you) to do this.

Why isn't there a simple button I can click to then create a filter or other "suppression" on these alerts?

Ideally I would be able to put in a source / destination IP, the rule ID, and possibly other identifying elements and click "SAVE" and I can filter out all of those verified safe alerts in the Security Onion GUI. I would want to be able to add those additional elements because I don't want to turn that rule off completely as I might miss real future alerts.

This could work much like the existing "escalate" or "acknowledge" buttons, but it would open a slightly different interface to allow for these changes to be saved and added.

Possibly you could edit the rules in a GUI as well.

This change would make Security Onion even easier to use for new users.

What do you think? I'm sure you've already thought of this. Why isn't this in Security Onion if that's the case?

Thank you.

[dougburks]

I'm sure you've already thought of this.

Yes, of course we've already thought of several different ways of approaching GUI alert tuning.

Why isn't this in Security Onion if that's the case?

There's a difference between thinking about a feature and actually building, testing, and maintaining it.

This feature is on our roadmap and we will get to it as time allows. We are a small team and working as hard as we can.

If you would like to expedite this feature, please feel free to help us find an additional developer:
https://blog.securityonion.net/2021/08/security-onion-solutions-is-looking-for.html

[oscar-o-oneill]

Hi again, @dougburks. Thanks for your comment.

I understand completely regarding priorities and constraints; I'm sure there are many more urgent and important tasks to work on. No matter, you guys are doing an awesome job with Security Onion!

I think I can help in another way.

I was planning on making a little RPA workflow in UiPath that would help me automate this process as an attended automation.

I would be able to press "start" and my automation would scrape the necessary details from the Security Onion Alerts dashboard, format it all, and finally SSH into the machine and update the alert rules. (Ideally all in less than a second.)

I would be happy to write this and share my work with you and the team and release it publicly on Github for anyone to use.

I think this would be a fun little automation to write and it would help me (and others) use Security Onion better!

Will report back here soon with more details.

[TFWol]

@oscar-o-oneill I was curious if you ever found a viable workaround for this.
I often catch myself sighing before I start going through the process of putting in an exception.

It feels like another form of 'alert fatigue'

[oscar-o-oneill]

Hey @TFWol, sorry, I didn't really make any progress on that automation because it wasn't that high of a priority for me. Manually adding exceptions is still the way for me because I don't do it that often.