About Signal Suppression
This topic describes the various ways that Signals can get suppressed.
In Cloud SIEM, a suppressed Signal is a Signal that Cloud SIEM's Insight algorithm will exclude from the Insight generation process. In other words, a suppressed Signal does not contribute to or become a part of an Insight. By default, Signals are automatically suppressed for 72 hours.
Signal suppression can occur for a variety of reasons, including Entity suppression, network blocks, suppression lists, and identifying redundant Signals by our rules correlation engine. In all cases, Signals will still be generated in the suppressed state. Depending on the reason, the field suppressedReasons will be populated in the sec_signal index. For example, this may include the Signal ID of an identical Signal that caused subsequent redundant Signals to be suppressed, or it may contain the name of the network block with suppression enabled.
Set the global Signal suppression value
By default, Signals are automatically suppressed for 72 hours. You can change this value to anywhere from 24 hours to 72 hours with the Global Signal Suppression setting on the Insight Detection page. See Set Insight Generation Window and Threshold.
Suppress by Entity
You can suppress an Entity on its details page in the Cloud SIEM UI using the suppression slider.
You can suppress multiple Entities at once on the Entities list page in the Cloud SIEM UI. Note that in the screenshot below, the row for an Entity that is currently suppressed contains a Suppressed indicator.
When you checkmark one or more Entities, the Update Suppression button appears. When you click it you’re prompted to set the suppression state for the select Entities. You can also create a .csv file with your suppression changes, and use the Import Metadata button to upload it to Cloud SIEM. For details, see the View and Manage Entities topic. You can see what Entities are currently suppressed on the Entities page by filtering the list by Suppressed.
Suppress by indicator
Signals can be suppressed based on the presence of a suppressed indicator in any of the Records associated with a Signal. You create lists of indicators, which are things like IPs, hostnames, URLs, domains, and so. You can set a TTL (time to live) after which an indicator will be unsuppressed. You can create these lists on the Suppressed Lists page, available from the content menu.
Suppress by Network Block
You can suppress Signals on all of the IP addresses in a Network Block. You can see on the Network Blocks page whether or not Signals are suppressed for IPs in the block. For more information, see Create and Use Network Blocks.
Automatic suppression of redundant Signals
Cloud SIEM suppresses redundant Signals to prevent the generation of multiple, virtually identical Insights. For information about how this works, see Redundant Signal suppression.