Suppress detection alerts
editSuppress detection alerts
editAlert suppression allows you to reduce the number of repeated or duplicate detection alerts created by a custom query detection rule each time the rule runs.
Normally, when a rule matches multiple source events, multiple alerts are created, one for each event. When alert suppression is configured, matching events are grouped by a specified field, and only one alert is created for each group per rule execution. You can also specify multiple fields to group events by unique combinations of values.
The Elastic Security app displays several indicators in the Alerts table and the alert details flyout when a detection alert is created with alert suppression enabled. You can view the original events associated with suppressed alerts by investigating the alert in Timeline.
Alert suppression is not available for Elastic prebuilt rules. However, if you want to suppress alerts for a prebuilt rule, you can duplicate it, then configure alert suppression on the duplicated rule.
Configure alert suppression
editYou can configure alert suppression when you create or edit a custom query rule. When configuring the rule type (the Define rule step for a new rule, the Definition tab for an existing rule), enter one or more field names in Suppress Alerts By. Configure other rule settings, then save and enable the rule.
If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by destination.ip
of [127.0.0.1, 127.0.0.2, 127.0.0.3]
, alerts will be suppressed separately for each matching value of 127.0.0.1
, 127.0.0.2
, and 127.0.0.3
.
Use the Rule preview before saving the rule to visualize how alert suppression will affect the alerts created, based on historical data.
Confirm suppressed alerts
editThe Elastic Security app displays several indicators of whether a detection alert was created with alert suppression enabled, and how many duplicate alerts were suppressed.
-
Alerts table — Icon in the Rule column. Hover to display the number of suppressed alerts:
-
Alerts table — Column for suppressed alerts count. Select Fields to open the fields browser, then add
kibana.alert.suppression.docs_count
to the table. -
Alert details flyout — Insights section:
Investigate events for suppressed alerts
editWith alert suppression, detection alerts aren’t created for the grouped source events, but you can still retrieve the events for further analysis or investigation. Do one of the following to open Timeline with the original events associated with both the created alert and the suppressed alerts:
-
Alerts table — Select Investigate in timeline in the Actions column.
- Alert details flyout — Select Take action → Investigate in timeline.