Granular Suppression
Suppress the rule when it over-triggers on the values of a specified field.
When a rule over-triggers, it creates noise, can indicate that it is detecting false positives, and causes alert fatigue. To prevent a rule from over-triggering, you can suppress it from triggering repeatedly when you're creating or editing the rule. With granular suppression, you can suppress the rule from triggering repeatedly on the values of a specified field only. For example, you can suppress the rule from over-triggering on a specific user or source host.
To use granular suppression, you must use the Group by Field functionality in any sequence or designate common properties for the rule.
Within the suppression period, the rule triggers on the first event with a specific field value but is suppressed for all subsequent events with the same field value. For another event with the same field but a different value, the rule triggers again. For example, let's say you designate dest_ip and src_ip as the common properties of a rule and you're using granular suppression with the dest_ip field:
- For an event with dest_ip A and src_ip B, the rule triggers.
- For an event with dest_ip A and src_ip B, the rule is suppressed.
- For an event with dest_ip A and src_ip C, the rule is suppressed.
- For an event with dest_ip B and src_ip B, the rule triggers.
- For an event with dest_ip B and src_ip C, the rule is suppressed.
After the suppression period, the rule triggers on all qualifying events.
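The following model of the suppression logic is an added example, not code from the product's analytics engine: it replays the dest_ip/src_ip sequence above, then a further event after the period expires, and also generalizes to plain (non-granular) suppression by passing no field. It assumes that the window is tracked per field value and starts at the first event that triggered for that value; the timestamps and "A"/"B"/"C" addresses are constructed.

```python
from datetime import datetime, timedelta


class GranularSuppressor:
    """Decides whether a rule fires or is suppressed for each event.

    With a field set, each distinct value of that field gets its own
    suppression window (granular suppression). With field=None the whole
    rule shares one window (ordinary suppression). Assumption: a value's
    window starts at the first event that triggered for it.
    """

    def __init__(self, field, period):
        self.field = field          # e.g. "dest_ip", or None for rule-wide
        self.period = period        # timedelta: length of the window
        self._last_fired = {}       # field value -> time the rule last fired

    def process(self, event):
        key = event[self.field] if self.field else "*"
        now = event["time"]
        last = self._last_fired.get(key)
        if last is not None and now - last < self.period:
            return False            # same value, still inside its window
        self._last_fired[key] = now  # first event for this value, or expired
        return True


def run_example(field="dest_ip", period_minutes=60):
    """Replay the page's sequence plus one event after the window expires."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed start time
    suppressor = GranularSuppressor(field, timedelta(minutes=period_minutes))
    events = [  # constructed events mirroring the page's list
        {"time": t0 + timedelta(minutes=0), "dest_ip": "A", "src_ip": "B"},
        {"time": t0 + timedelta(minutes=1), "dest_ip": "A", "src_ip": "B"},
        {"time": t0 + timedelta(minutes=2), "dest_ip": "A", "src_ip": "C"},
        {"time": t0 + timedelta(minutes=3), "dest_ip": "B", "src_ip": "B"},
        {"time": t0 + timedelta(minutes=4), "dest_ip": "B", "src_ip": "C"},
        # dest_ip A again, after the suppression period has ended
        {"time": t0 + timedelta(minutes=period_minutes + 1),
         "dest_ip": "A", "src_ip": "B"},
    ]
    return [suppressor.process(e) for e in events]


if __name__ == "__main__":
    print("granular on dest_ip:", run_example())
    print("rule-wide suppression:", run_example(field=None))
```

Each True in the result is a trigger and each False a suppressed event; the final event shows the window expiring for dest_ip A.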