🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Alert Suppression Rules

alerts rules


Alert suppression rules may be created to mark alerts as suppressed at time of alert creation. Suppressed alerts are not included on the Secureworks® Taegis™ XDR Alert Triage Dashboard but can still be found in searches.

View Alert Suppression Rules

  1. From the Secureworks® Taegis™ XDR left-hand side navigation, select Tenant Settings → Rules. The Rules table displays.
  2. Select the Suppression Rules tab from the Rules table. The table displays all of the currently suppressed rules.

Suppression Rules

Suppression Rules

Create a Suppression Rule

There are a few ways to create an alert suppression rule.

From the Suppression Rules Table

Create a Suppression Rule from the Suppression Rules Table

Create a Suppression Rule from the Suppression Rules Table

  1. From the Suppression Rules Table, select Create Rule.
  2. Add one or more match criteria.

Note

The following characters have special meaning within regular expressions: . ^ $ * + - ? ( ) [ ] { } \ | /. For IP addresses, domain names, and other instances, take care to escape the characters with a backslash: 1\.1\.1\.1.

To escape long sequences that contain multiple characters, enclose the whole string between \Q and \E so that the string is not evaluated for regex characters. For example, escaping this full string:

\Q${jndi:ldap://log4shell-smb-21yg3cbuy21gbcy21gc321uc${lower:ten}.w.nessus.org/nessus}\E

is equivalent to:

\$\{jndi:ldap:\/\/log4shell\-smb\-21yg3cbuy21gbcy21gc321uc\$\{lower:ten\}\.w\.nessus\.org\/nessus\}

  1. Add a Name and Description to the rule.
  2. Select Save.

From an Alert

Create a Suppression Rule from a Specific Alert

Create a Suppression Rule from a Specific Alert

  1. Open the details of an alert you wish to suppress.
  2. From the alert details page, select Actions > Create Suppression Rule.
  3. The Create Suppression Rule form is pre-populated with entities from the alert. Drag and drop these entities into the box to build your rule, and/or manually add match criteria.

    • Multiple criteria are AND’ed together.
    • Criteria use PCRE regular expressions to perform matching.

Tip

Regular expression special characters (i.e. . ^ $ * + - ? ( ) [ ] { } \ | /) are automatically escaped when dragged and dropped.

  1. Add a Name and Description to the rule.
  2. Select Save.

From Query Language

Advanced suppression rules support matching on an alert's underlying event data using Query Language. For example, advanced suppression rules can leverage Query Language elements such as process.commandline, process, parent_image_path, and other event schemas.

Note

See the FAQ for additional information on advanced suppression rules.

Create an Advanced Suppression Rule

Note

Enable Preview mode to create advanced suppression rules using Query Language.

  1. Build your query in Advanced Search to verify which past alerts are to be suppressed in the future. Once you are satisfied with the results, copy the query and save it to paste into the rule builder.

  2. Navigate to Tenant Settings → Rules and select the Suppression Rules tab. The Suppression Rules table displays.

  3. Select Create Rule and configure the rule.

Note

If the Advanced Suppression Rule option is not shown, enable Preview mode first.

  1. Select Create Rule.

View Suppression Rule Details and History

Select a rule name from the Suppression Rules table to view its details and history.

View the Details of a Suppression Rule

View the Details of a Suppression Rule

The Detail tab of the suppression rule contains overview information for the rule with the criteria the rule matches on. If the rule has matched on and suppressed alerts in the last seven days, the following display:

If there has been no activity in the last seven days, this section does not display.

View the Changelog of a Rule

View the Changelog of a Rule

The History tab of the suppression rule contains a changelog of edits to the rule. Choose an audit log from the list on the left to view the diff in the right pane.

Archive and Restore a Suppression Rule

Archive and Restore Suppression Rules

Archive and Restore Suppression Rules

When viewing a suppression rule, you can archive the rule by selecting Archive and confirming the action. This will disable the rule, mark it as archived, and remove it from the default view of the Suppression Rules table.

To view archived rules, select the Showing Archived Rules toggle above the Suppression Rules table.

When viewing an archived suppression rule, you can restore the rule by selecting Restore and confirming the action. This will restore the rule in a disabled state and return it to the default view of the Suppression Rules table. Select the toggle to enable the rule.

Share a Suppression Rule

To share a suppression rule with another user within the tenant, select the Copy share link icon from the rule details for a direct URL.

Copy Link to Share Rule

Copy Link to Share Rule

Common Alert Suppression Rules

Authorized Scanner

Use Source IP Address to suppress alerts originating from an authorized scanner.

If you have multiple authorized scanners, use a regular expression to include all IP addresses into one suppression rule.

Guest Network Range

Use Source IP Address to suppress alerts from a guest network range, using a regular expression to match the entire network range.

Authorized Process Execution on Endpoint

Use a combination of patterns to match both the endpoint and process.

FAQ

How do I know if an alert has been suppressed?

Suppressed alerts are marked with a feedback label of Suppressed.

Suppressed Alert

Suppressed Alert

What are global and tenant rules?

Tenant rules are specific to the tenant and only suppress alerts for that individual tenant. Global rules apply to ALL Secureworks® Taegis™ XDR tenants. Global rules are commonly created to triage alert floods until the alerting rule or detector is tuned. Global rules are read-only. Please contact support if you have questions about a global rule.

How can I search for suppressed alerts?

Suppressed alerts have the feedback label Suppressed. You can search for them using the following query:
from alert where suppressed = true

To exclude suppressed alerts from your results, add a NOT to the labelName criteria match:

from alert where suppressed = false

Another method is to run a pivot search from the rule itself. Open up a rule, find the search query at the bottom of the details, and select the new tab icon. This opens up an Advanced Search that is pre-populated with the query. These results include only alerts that were suppressed by this specific rule.

Can I add suppressed alerts to an investigation?

Yes, suppressed alerts can still be added to new or existing investigations.

Can I change the feedback label on a suppressed alert?

Yes, in the alert detail view, you can remove the feedback label or change the label.

Can I audit rule manager activity?

Yes, actions in the rules manager are viewable by navigating to Tenant Settings → Audit Logs. Audit logs will have the category of Rules.

Additionally, a changelog of edits to the rule is available from the rule itself. See View Suppression Rule Details and History.

When an alert is suppressed, how do I know which rule suppressed the alert?

When viewing an alert detail, at the bottom of the alert, open Alert Data. Inside the JSON, locate the labels_data.labels object, which contains the label_id attribute with the rule ID.

A future release will provide the rule name that can be selected to navigate to the rule.

What regular expression features do the rules support?

The alert suppression engine utilizes Hyperscan to apply regular expressions. Hyperscan supports the pattern syntax used by the PCRE library libpcre, described at http://www.pcre.org/. However, not all constructs available in libpcre are supported. The use of unsupported constructs will result in compilation errors. 1

For domain names or IP addresses, do I need to do anything special to handle the dots?

Yes, you need to escape the dots using a backslash. In regular expressions, a dot means to match any single character except newline.

Example: 192\.168\.1\.1 or www\.secureworks\.com

What entities can I match against?

The best way to build a suppression rule is to leverage entities listed on an existing alert. To view entities available on an alert when viewing an Alert Detail:
  1. Open the JSON tab.
  2. Scroll down to entities and select to expand the JSON object.
  3. Observe entities listed on the alert.

Note

If the alert does NOT have entities, that alert is not able to be suppressed yet at this time. Efforts are under way to add alert suppression to all alerts.

Alert Entities

Alert Entities

When building your rule, you can pick entities from a drop down. The following entities can be used to create alert suppression rules. Unique entities are parsed from the individual events included in the alert.

Entity Prefix Entity Description
authDomainName Active Directory Domain
sourceUserName Auth Source Username
sourceAuthDomainName Auth Source Domain Name
targetUserName Auth Target Username
targetAuthDomainName Auth Target Domain Name
computerName Computer Name
decodedScriptSha1 Decoded Script SHA1
destHostName Destination Hostname
destIpAddress Destination IP Address
destIpGeo Destination IP Geolocation
destMacAddress Destination MAC Address
dnsName DNS Name
fileMd5 File MD5
fileName File Name
fileSha1 File SHA1
fileSha256 File SHA256
fileSha512 File SHA512
ipAddress IP Address
city IP Address Geolocation City
country IP Address Geolocation Country
latLon IP Address Latitude,Longitude
macAddress MAC Address
programMd5 Program MD5
programName Program Name
programSha1 Program SHA1
programSha256 Program SHA256
programSha512 Program SHA512
registryName Registry Name
registryPath Registry Path
scriptSha1 Script SHA1
sensorHostId Sensor Host ID
sensorId Sensor ID
sourceIpAddress Source IP Address
sourceIpGeo Source IP Geolocation
sourceMacAddress Source MAC Address
topPrivateIpDomain Top Private IP Domain
userName Username
workstationName Workstation Name

Which detectors support alert suppression?

The following detectors currently support alert suppression:
Detectors Supporting Alert Suppression

FAQ for Query Language Advanced Suppression Rules

Do advanced suppression rules remain enabled if the rule author changes their profile settings back to Production stable?

Yes, the rules remain active. The author will be able to view the rule in read-only mode when using Production Stable. To edit the rule, the author must change their profile back to Preview mode.

Are there limitations to using Query Language for advanced suppression rules?

The following Query Language features are not supported at this time:

The following schemas are not supported at this time:

How can I create an advanced suppression rule for alerts containing a specific commandline?

To suppress by commandline, use the process.commandline schema in the Query Language for the advanced suppression rule.

from alert where process.commandline contains 'your_string'

 

On this page: