What are suppressions

What is a suppression?

A suppression is similar to whitelisting. The idea is the current, enabled rules identify blacklisted actions or services. A suppression is applied to reduce or ignore normal and approved actions or services.

In addition, suppressing alerts hone each rule to more accurately fire for true positives.

Suppressions can be applied to several layers of the rule management system hierarchy. IP, Community, and Group are the three layers in which a customer can set the suppression for a rule. Global suppressions can only be applied by the Perch Security Operations Center.

Recent suppressions are visible from the dashboard (if you have any). Or from the alert suppressions page by clicking the gear icon settings from the menu and navigating to Alert Suppressions.

How to suppress alerts

So, you got an alert and now you’re wondering what to do with it. In most cases, your alerts will be managed by Perch via our 24/7 Security Operations Center (SOC). You can see this in action right on your dashboard under Recent Suppressions. However, you can always take the reigns and manage alerts on your own as you see fit.

Alerts have actionable items to the right of each alert. The Perchy icon will jump you into Perchybana. The details icon launch will jump you into the indicator detail page.

verified_user Remediation – Remediation will apply a one time suppression for the raised alert. Remediations apply to alerts that have been either corrected by the customer (ie. applied patch, updating control, config change, other), or when a rule fires true to the traffic seen and the results of the conversation lead to approved actions/services or unsuccessful attacks.

not_interested False Positive – A false positive typically originates when a rule’s definition is missing some logic and is too broad. As a result, it incorrectly identifies events that match the current rules logic even though they aren’t a legitimate security threat.