IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Add detection alerts to cases Visual event analyzer »
Elastic Docs Elastic Security Solution [8.6] Detections and alerts Manage detection alerts

Suppress detection alerts

edit

Suppress detection alerts

edit

Requirements and notices

Alert suppression requires a Platinum or higher subscription.

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by a custom query detection rule each time the rule runs.

Normally, when a rule matches multiple source events, multiple alerts are created, one for each event. When alert suppression is configured, matching events are grouped by a specified field, and only one alert is created for each group per rule execution. You can also specify multiple fields to group events by unique combinations of values.

The Elastic Security app displays several indicators in the Alerts table and the alert details flyout when a detection alert is created with alert suppression enabled. You can view the original events associated with suppressed alerts by investigating the alert in Timeline.

Alert suppression is not available for Elastic prebuilt rules. However, if you want to suppress alerts for a prebuilt rule, you can duplicate it, then configure alert suppression on the duplicated rule.

Configure alert suppression

edit

You can configure alert suppression when you create or edit a custom query rule. When configuring the rule type (the Define rule step for a new rule, the Definition tab for an existing rule), enter one or more field names in Suppress Alerts By. Configure other rule settings, then save and enable the rule.

If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by destination.ip of [127.0.0.1, 127.0.0.2, 127.0.0.3], alerts will be suppressed separately for each matching value of 127.0.0.1, 127.0.0.2, and 127.0.0.3.

Use the Rule preview before saving the rule to visualize how alert suppression will affect the alerts created, based on historical data.

Confirm suppressed alerts

edit

The Elastic Security app displays several indicators of whether a detection alert was created with alert suppression enabled, and how many duplicate alerts were suppressed.

  • Alerts table — Icon in the Rule column. Hover to display the number of suppressed alerts:

    Suppressed alerts icon and tooltip in Alerts table

  • Alerts table — Column for suppressed alerts count. Select Fields to open the fields browser, then add kibana.alert.suppression.docs_count to the table.

    Suppressed alerts count field column in Alerts table

  • Alert details flyout — Insights section:

    Suppressed alerts Insights section in alert details flyout

Investigate events for suppressed alerts

edit

With alert suppression, detection alerts aren’t created for the grouped source events, but you can still retrieve the events for further analysis or investigation. Do one of the following to open Timeline with the original events associated with both the created alert and the suppressed alerts:

  • Alerts table — Select Investigate in timeline in the Actions column.

    Investigate in timeline button
  • Alert details flyout — Select Take actionInvestigate in timeline.
« Add detection alerts to cases Visual event analyzer »