You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by [detection rules](/solutions/security/detect-and-alert/about-detection-rules.md) Normally, when a rule meets its criteria repeatedly, it creates multiple alerts, one for each time the rule’s criteria are met. When alert suppression is configured, duplicate qualifying events are grouped, and only one alert is created for each group.
16
17
17
-
::::{admonition} Requirements and notices
18
-
* In {{stack}} alert suppression requires a [Platinum or higher subscription](https://www.elastic.co/pricing) or the appropriate [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
19
-
* {{ml-cap}} rules have [additional requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for alert suppression.
20
-
* This functionality is in technical preview for event correlation rules only and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
21
-
22
-
::::
23
-
24
-
Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types:
Normally, when a rule meets its criteria repeatedly, it creates multiple alerts, one for each time the rule’s criteria are met. When alert suppression is configured, duplicate qualifying events are grouped, and only one alert is created for each group. Depending on the rule type, you can configure alert suppression to create alerts each time the rule runs, or once within a specified time window. You can also specify multiple fields to group events by unique combinations of values.
18
+
Depending on the rule type, you can configure alert suppression to create alerts each time the rule runs, or once within a specified time window. You can also specify multiple fields to group events by unique combinations of values.
35
19
36
20
The {{security-app}} displays several indicators in the Alerts table and the alert details flyout when a detection alert is created with alert suppression enabled. You can view the original events associated with suppressed alerts by investigating the alert in Timeline.
37
21
@@ -42,31 +26,44 @@ Alert suppression is not available for Elastic prebuilt rules. However, if you w
You can configure alert suppression when you create or edit a supported rule type. Refer to documentation for creating [custom query](/solutions/security/detect-and-alert/create-detection-rule.md#create-custom-rule), [threshold](/solutions/security/detect-and-alert/create-detection-rule.md#create-threshold-rule), [event correlation](/solutions/security/detect-and-alert/create-detection-rule.md#create-eql-rule), [new terms](/solutions/security/detect-and-alert/create-detection-rule.md#create-new-terms-rule), [{{esql}}](/solutions/security/detect-and-alert/create-detection-rule.md#create-esql-rule), or [{{ml}}](/solutions/security/detect-and-alert/create-detection-rule.md#create-ml-rule) rules for detailed instructions.
29
+
::::{admonition} Requirements and notices
30
+
* In {{stack}} alert suppression requires a [Platinum or higher subscription](https://www.elastic.co/pricing) or the appropriate [{{serverless-short}} project tier](../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
31
+
* {{ml-cap}} rules have [additional requirements](/solutions/security/advanced-entity-analytics/machine-learning-job-rule-requirements.md) for alert suppression.
32
+
* This functionality is in technical preview for event correlation rules only and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
46
33
47
-
1. When configuring the rule type (the **Define rule** step for a new rule, or the **Definition** tab for an existing rule), specify how you want to group events for alert suppression:
34
+
::::
48
35
49
-
***Custom query, indicator match, threshold, event correlation, new terms, {{ml}}, and {{esql}} rules:** In **Suppress alerts by**, enter 1-3 field names to group events by the fields' values.
50
-
***Threshold rule:** In **Group by**, enter up to 3 field names to group events by the fields' values, or leave the setting empty to group all qualifying events together.
36
+
You can configure alert suppression when [creating](/solutions/security/detect-and-alert/create-detection-rule.md) or editing a rule.
51
37
52
-
::::{note}
53
-
If you specify a field with multiple values, alerts with that field are handled as follows:
38
+
1. When configuring the rule (the **Define rule** step for a new rule, or the **Definition** tab for an existing rule), specify how you want to group duplicate events for alert suppression:
54
39
55
-
***Custom query or threshold rules:**Alerts are grouped by each unique value. For example, if you suppress alerts by`destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts will be suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`.
56
-
***Indicator match, event correlation (non-sequence queries only), new terms, {{esql}}, or {{ml}} rules:** Alerts with the specified field name and identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group.
57
-
***Event correlation (sequence queries only) rules:**If the specified field contains an array of values, suppression only happens if the field’s values are an exact match and in the same order. For example, if you specify the field `myips`and one sequence alert has [1.1.1.1, 0.0.0.0] and another sequence alert has [1.1.1.1, 192.168.0.1], neither of those alerts will be suppressed, despite sharing an array element.
40
+
***All rule types except the threshold rule:**In **Suppress alerts by**, enter 1-3 field names to group events by the fields' values.
41
+
42
+
If you specify a field with multiple values, duplicate events are grouped, and only one alert is created for each group. Note how each rule type is handled:
58
43
59
-
::::
44
+
***Custom query rules:** Duplicate events are grouped by each unique value and an alert is created for each group. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, events are grouped separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3` and an alert is created for each group.
60
45
61
-
2. If available, select how often to create alerts for duplicate events:
46
+
***Indicator match, event correlation (non-sequence queries only), new terms, {{esql}}, or {{ml}} rules:** Events with identical array values are grouped together. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts with the entire array are grouped and only one alert is created for the group.
47
+
48
+
***Event correlation (sequence queries only) rules:** Events with an exact match are grouped. Note that the event's field values must be identical and in the same order. For example, if you specify the field `myips` and one sequence alert has `[1.1.1.1, 0.0.0.0]` and another sequence alert has `[1.1.1.1, 192.168.0.1]`, neither of those alerts are suppressed, despite sharing an array element.
49
+
50
+
***Threshold rule only:** In **Group by**, enter up to 3 field names to group events by the fields' values, or leave the setting empty to group all qualifying events together.
51
+
52
+
If you specify a field with multiple values, duplicate events are grouped by each unique value. For example, if you suppress alerts by `destination.ip` of `[127.0.0.1, 127.0.0.2, 127.0.0.3]`, alerts are suppressed separately for each value of `127.0.0.1`, `127.0.0.2`, and `127.0.0.3`.
53
+
54
+
2. Choose how often to create alerts for duplicate events. This interval is called the _suppression window_.
62
55
63
56
::::{note}
64
-
Both options are available for custom query, indicator match, event correlation, new terms, {{esql}}, and {{ml}} rules. Threshold rules only have the **Per time period** option.
65
-
::::
57
+
58
+
Note the following about your rule's suppression window:
66
59
60
+
* {applies_to}`stack: ga 9.0` {applies_to}`stack: ga 9.1` Avoid closing alerts generated for suppression before the suppression window ends. Closing alerts early can interrupt alert suppression or cause unexpected changes.
61
+
* {applies_to}`stack: ga 9.2` Configure the `securitySolution:suppressionBehaviorOnAlertClosure` advanced setting to...
62
+
63
+
::::
67
64
68
65
***Per rule execution**: Create an alert each time the rule runs and an event meets its criteria.
69
-
***Per time period**: Create one alert for all qualifying events that occur within a specified time window, beginning from when an event first meets the rule criteria and creates the alert.
66
+
***Per time period**: Create one alert for all qualifying events that occur within a specified time window, beginning from when an event first meets the rule criteria and creates the alert. This is the only option available when configuring alert suppression for threshold rules.
70
67
71
68
For example, if a rule runs every 5 minutes but you don’t need alerts that frequently, you can set the suppression time period to a longer time, such as 1 hour. If the rule meets its criteria, it creates an alert at that time, and for the next hour, it’ll suppress any subsequent qualifying events.
0 commit comments