Reduce notifications and alerts


[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Elastic Security offers several features to help reduce the number of notifications and alerts generated by your detection rules. This table provides a general comparison of these features, with links for more details:

| Feature | What it does | When to use it |
| --- | --- | --- |
| Rule action snoozing | Stops a specific rule's notification actions from running. | Use to avoid unnecessary notifications from a specific rule. The rule continues to run and generate alerts during the snooze period, but its notification actions don't run. |
| Maintenance window | Prevents all rules' notification actions from running. | Use to avoid false alarms and unnecessary notifications during planned outages. All rules continue to run and generate alerts during the maintenance window, but their notification actions don't run. |
| Alert suppression | Reduces repeated or duplicate alerts. | Use to reduce the number of alerts created when a rule meets its criteria repeatedly. Duplicate qualifying events are grouped, and only one alert is created for each group. |
| Rule exception | Prevents a rule from creating alerts under specific conditions. | Use to reduce false positive alerts by preventing trusted processes and network activity from generating unnecessary alerts. You can configure an exception to be used by a single rule or shared among multiple rules, but exceptions typically don't affect all rules. |
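The practical difference between these four features is where each one acts: rule exceptions and alert suppression change which alerts exist (and therefore what an analyst can later investigate), while snoozing and maintenance windows leave the alerts in place and only stop the notification actions. The following is an added, constructed model of that pipeline, written for this page; it is not Elastic's implementation, and the `Rule`, `Alert`, `run_rule` and `demo` names, the sample events, and the choice to group events that lack the suppression field under a single `None` key are all assumptions made here for illustration.

```python
"""Constructed model of where each noise-reduction feature acts (not Elastic code).

Pipeline modelled here:
    event -> rule match -> rule exception -> alert suppression -> alert
          -> notification action, unless the rule is snoozed or a maintenance window is active
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]                       # rule query, as a predicate
    exceptions: List[Callable[[dict], bool]] = field(default_factory=list)  # match => no alert
    suppress_by: Optional[str] = None                     # field whose value groups duplicates
    suppress_window: float = 0.0                          # seconds after the first alert
    snoozed: bool = False                                 # rule action snoozing


@dataclass
class Alert:
    rule: str
    event: dict
    suppressed_count: int = 0   # duplicates folded into this alert instead of new alerts


def run_rule(rule: Rule, events: List[dict], maintenance_window: bool = False) -> Tuple[List[Alert], List[Alert]]:
    """Return (alerts created, alerts whose notification actions ran)."""
    alerts: List[Alert] = []
    notifications: List[Alert] = []
    last_alert_by_key: Dict[object, Alert] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not rule.matches(ev):
            continue
        # Rule exception: trusted activity never becomes an alert at all.
        if any(exc(ev) for exc in rule.exceptions):
            continue
        # Alert suppression: a duplicate with the same group-by value, arriving within
        # the window that started at the first alert, is folded into that alert.
        if rule.suppress_by is not None:
            key = ev.get(rule.suppress_by)          # assumption: missing field groups under None
            prev = last_alert_by_key.get(key)
            if prev is not None and ev["ts"] - prev.event["ts"] <= rule.suppress_window:
                prev.suppressed_count += 1
                continue
        alert = Alert(rule.name, ev)
        alerts.append(alert)
        if rule.suppress_by is not None:
            last_alert_by_key[ev.get(rule.suppress_by)] = alert
        # Snoozing and maintenance windows act on notifications only; the alert is kept.
        if not rule.snoozed and not maintenance_window:
            notifications.append(alert)
    return alerts, notifications


# Constructed sample events: timestamps are seconds; field names follow ECS style.
EVENTS = [
    {"ts": 0,    "process.name": "powershell.exe", "host.name": "ws-01", "user.name": "alice"},
    {"ts": 60,   "process.name": "powershell.exe", "host.name": "ws-01", "user.name": "alice"},
    {"ts": 120,  "process.name": "powershell.exe", "host.name": "ws-02", "user.name": "bob"},
    {"ts": 200,  "process.name": "powershell.exe", "host.name": "ws-01", "user.name": "svc-backup"},
    {"ts": 300,  "process.name": "notepad.exe",    "host.name": "ws-03", "user.name": "carol"},
    {"ts": 7200, "process.name": "powershell.exe", "host.name": "ws-01", "user.name": "alice"},
]


def demo(snoozed: bool = False, maintenance_window: bool = False) -> Tuple[List[Alert], List[Alert]]:
    """Run one hypothetical rule over the sample events with the chosen settings."""
    rule = Rule(
        name="Suspicious PowerShell (hypothetical)",
        matches=lambda e: e["process.name"] == "powershell.exe",
        exceptions=[lambda e: e["user.name"] == "svc-backup"],   # trusted service account
        suppress_by="host.name",
        suppress_window=3600,      # one hour
        snoozed=snoozed,
    )
    return run_rule(rule, EVENTS, maintenance_window)


if __name__ == "__main__":
    alerts, notified = demo()
    for a in alerts:
        print(f"alert host={a.event['host.name']} ts={a.event['ts']} suppressed={a.suppressed_count}")
    print(f"{len(alerts)} alerts, {len(notified)} notifications sent")
    print(f"snoozed: {len(demo(snoozed=True)[1])} notifications sent")
```

With the sample data, the run produces three alerts: the second `ws-01` event is suppressed into the first alert, the `svc-backup` event is dropped by the exception, and the event two hours later falls outside the suppression window and opens a fresh alert. Setting `snoozed=True` or `maintenance_window=True` leaves those three alerts in the output but sends no notifications, which is the behaviour the table describes for snoozing and maintenance windows.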