Security Information and Event Management (SIEM) can be a daunting task, made harder still if you're drowning in a flood of unnecessary or low-value alerts. That's why we've made it simple to tune out the noise with our runbook suppression management features, helping you identify the alerts that need your time and attention so you can keep the bad guys out.
Let's get started...
Full Suppression
Full suppression essentially disables a runbook, so that our SIEM platform no longer detects or alerts you about the events related to it.
A runbook can be fully suppressed/disabled from either of the following views by following the steps outlined below.
⚠️ Important note. By suppressing/disabling a runbook you risk not detecting events relating to malicious activity. Please use this with caution.
Security Event View
Select Detection from the my.defense.com navigation
Click SIEM and then Security Events
Select a security event by clicking on the event title
From the security event show page, click Disable Runbook from the top right-hand corner
Enter a reason for disabling the runbook and click Disable runbook
Runbook View
Select Detection from the my.defense.com navigation
Click SIEM and then Runbooks
Locate the runbook you wish to disable
Click the toggle under the Enabled column heading
Enter a reason for disabling the runbook and click Disable runbook
Partial Suppression
Partial suppression, or tuning a runbook's detection rules, can help reduce unnecessary alerts by allowing you to exclude specific field values from detection.
A runbook can be partially suppressed/tuned from either of the following views by following the steps outlined below.
⚠️ Important note. By partially suppressing/tuning a runbook you risk not detecting events relating to malicious activity. Please use this with caution.
Security Event View
Select Detection from the my.defense.com navigation
Click SIEM and then Security Events
Select a security event by clicking on the event title
From the security event show page, click Edit Runbook Suppression from the top right-hand corner
If the logs associated with the security event in question were received in the last 90 days, they are listed under the Results heading. If not, adjust the Date Range filter to find logs within the last 90 days that match the runbook's detection rule
Once you have logs under the Results heading, click a log to expand it and expose the fields and values it contains
Locate the value you wish to suppress and select Add suppression (eye icon)
Once you're happy that you've selected all of the values you wish to suppress, click Update under the Suppressions heading
Runbook View
Select Detection from the my.defense.com navigation
Click SIEM and then Runbooks
Locate the runbook you wish to partially suppress/tune and click Manage Suppression (pencil icon) under the Actions column
Use the Date Range filter to find logs within the last 90 days which match the runbook's detection rule
Once you have logs under the Results heading, click a log to expand it and expose the fields and values it contains
Locate the value you wish to suppress and select Add suppression (eye icon)
Once you're happy that you've selected all of the values you wish to suppress, click Update under the Suppressions heading
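Added example, not the platform's own code: a small Python model of how a runbook's detection rule, a full suppression (runbook disabled) and per-value partial suppressions combine, run over constructed sample logs. The Runbook class, the field names and the way the 90-day Results window is modelled are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable
# Constructed sample logs standing in for the Results list in the suppression editor.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LOGS = [
    {"ts": NOW - timedelta(days=1),   "event": "failed_login", "user": "svc-scanner", "src_ip": "10.0.0.5"},
    {"ts": NOW - timedelta(days=2),   "event": "failed_login", "user": "svc-scanner", "src_ip": "10.0.0.5"},
    {"ts": NOW - timedelta(days=3),   "event": "failed_login", "user": "alice",       "src_ip": "203.0.113.9"},
    {"ts": NOW - timedelta(days=4),   "event": "failed_login", "user": "alice",       "src_ip": "10.0.0.5"},
    {"ts": NOW - timedelta(days=120), "event": "failed_login", "user": "bob",         "src_ip": "198.51.100.7"},
]

@dataclass
class Runbook:
    """Hypothetical runbook: one detection rule plus its full/partial suppression state."""
    name: str
    rule: Callable[[dict], bool]
    enabled: bool = True                              # False == full suppression (runbook disabled)
    suppressions: dict = field(default_factory=dict)  # partial suppression: field name -> excluded values

    def results(self, logs, now, window_days=90):
        """Logs the suppression editor would list: rule matches received within the window."""
        cutoff = now - timedelta(days=window_days)
        return [log for log in logs if log["ts"] >= cutoff and self.rule(log)]

    def add_suppression(self, field_name, value):
        """'Add suppression' on one value of one field taken from an expanded log."""
        self.suppressions.setdefault(field_name, set()).add(value)

    def is_suppressed(self, log):
        return any(log.get(name) in values for name, values in self.suppressions.items())

    def alerts(self, logs, now):
        """Security events the runbook would raise once suppression is applied."""
        if not self.enabled:
            return []
        return [log for log in self.results(logs, now) if not self.is_suppressed(log)]

def tune_failed_login_runbook(now=NOW, logs=LOGS):
    """Returns alert counts: untuned, tuned on src_ip, tuned on user, fully suppressed."""
    rb = Runbook("Failed logins", lambda log: log["event"] == "failed_login")
    untuned = len(rb.alerts(logs, now))
    rb.add_suppression("src_ip", "10.0.0.5")   # excluding the scanner's IP also hides alice's failure from it
    by_ip = len(rb.alerts(logs, now))
    rb.suppressions.clear()
    rb.add_suppression("user", "svc-scanner")  # narrower exclusion keeps the human account's failures visible
    by_user = len(rb.alerts(logs, now))
    rb.enabled = False                         # full suppression: nothing is raised at all
    disabled = len(rb.alerts(logs, now))
    return untuned, by_ip, by_user, disabled
```

The src_ip result illustrates the risk the note above warns about: a broad exclusion hides alice's failed login from the same address, while excluding only the scanner account keeps it visible.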
And that's it! You can now successfully manage SIEM runbooks and detection rules.