Vendor devices send a large volume of signals to Workbench, and not every signal indicates an issue that needs to be examined. Much of the time, vendor logs are full of benign events. SOC analysts create suppressions to filter out that noise so they can focus on the higher-fidelity signals from the vendor devices in your environment. A suppression rule can be created for your environment alone or, when the SOC analysts see the same benign vendor noise across multiple customers, for all customers. Ruxie automatically closes alerts that match a suppression rule.
Even after the tuning process is complete, some devices remain noisier than others, sending more information to Workbench, so you may see more suppressions listed for some devices than for others.
You can view suppressions by selecting Detections > Suppressions.
This screen is read-only: you can view suppressions here, but you can't edit or change any of them. If you have a question about a suppression, disagree with it, or want it removed, select Copy link to rule and paste the link into a communication to us.
On this screen, you see the following:
- The lists along the top of the screen let you sort and filter the suppressions you view.
- Active suppressions: These green suppressions are active for your environment. If a suppression is one the SOC analysts created for all customers, that is shown at the top of the suppression. The rest of the screen shows the specific rules that make up the suppression. As the example below shows, suppressions are typically very targeted and specific, written to filter out only the noise the SOC analysts have determined is benign.
- Expired suppressions: These grey suppressions are inactive for your environment. They may have been created during the tuning process, or they may relate to a threat that has since been corrected in your environment.
- Needs review: These red suppressions are awaiting internal review by a member of the SOC before they go live.
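To make the behaviour described above concrete, here is an added Python illustration of how a suppression matcher can work. It is not Expel's code and does not reflect Workbench's actual rule format: the rule fields, status names, customer identifiers, and the sample rules and alerts are all constructed for this example. It shows the three points the page makes: only active rules are applied (expired and needs-review rules are ignored), a rule applies either to one customer environment or globally, and an alert matching an active rule is auto-closed while everything else stays open for an analyst.

```python
"""Illustrative suppression matcher (added example, not Expel's own code).

Assumptions: a suppression is a set of exact-match conditions on alert
fields, carries a status (active/expired/needs_review) and a scope
("global" or one customer id). Sample rules and alerts below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACTIVE, EXPIRED, NEEDS_REVIEW = "active", "expired", "needs_review"

Alert = Dict[str, str]


@dataclass(frozen=True)
class Suppression:
    rule_id: str
    status: str                 # ACTIVE (green), EXPIRED (grey) or NEEDS_REVIEW (red)
    scope: str                  # "global" (all customers) or a single customer id
    conditions: Dict[str, str]  # every listed field must equal the alert's value

    def applies_to(self, customer_id: str) -> bool:
        """Only active rules count, and only if scoped to this customer or to everyone."""
        return self.status == ACTIVE and self.scope in ("global", customer_id)

    def matches(self, alert: Alert) -> bool:
        """All conditions must match exactly, so a narrow rule closes only intended noise."""
        return all(alert.get(field) == value for field, value in self.conditions.items())


def apply_suppressions(
    alerts: List[Alert], rules: List[Suppression], customer_id: str
) -> Tuple[List[Alert], List[Tuple[Alert, str]], Counter]:
    """Return (alerts left open, (alert, rule_id) pairs auto-closed, hits per rule)."""
    live_rules = [r for r in rules if r.applies_to(customer_id)]
    open_alerts: List[Alert] = []
    closed: List[Tuple[Alert, str]] = []
    hits: Counter = Counter()
    for alert in alerts:
        rule = next((r for r in live_rules if r.matches(alert)), None)
        if rule is None:
            open_alerts.append(alert)          # no active rule matched: analyst sees it
        else:
            closed.append((alert, rule.rule_id))  # auto-closed, like Ruxie would
            hits[rule.rule_id] += 1
    return open_alerts, closed, hits


# Constructed sample rules (hypothetical ids, devices and signatures).
RULES = [
    # Customer-specific: an internal vulnerability scanner's ICMP sweeps are benign.
    Suppression("SUP-001", ACTIVE, "customer-a",
                {"device": "fw-edge-01", "signature": "ICMP sweep", "src_ip": "10.0.5.20"}),
    # Global: the same benign vendor notice seen across many customers.
    Suppression("SUP-002", ACTIVE, "global",
                {"vendor": "acme_fw", "signature": "Certificate expiring in 30 days"}),
    # Expired: a broader tuning-era rule that is no longer applied.
    Suppression("SUP-003", EXPIRED, "customer-a",
                {"device": "fw-edge-01", "signature": "ICMP sweep"}),
    # Awaiting SOC review: not live yet.
    Suppression("SUP-004", NEEDS_REVIEW, "customer-a", {"signature": "Port scan"}),
    # Active, but for a different customer's environment.
    Suppression("SUP-005", ACTIVE, "customer-b", {"signature": "Port scan"}),
]

# Constructed sample alerts from vendor devices.
ALERTS: List[Alert] = [
    {"vendor": "acme_fw", "device": "fw-edge-01", "signature": "ICMP sweep", "src_ip": "10.0.5.20"},
    {"vendor": "acme_fw", "device": "fw-edge-01", "signature": "ICMP sweep", "src_ip": "203.0.113.7"},
    {"vendor": "acme_fw", "device": "fw-edge-02", "signature": "Certificate expiring in 30 days"},
    {"vendor": "acme_fw", "device": "fw-edge-01", "signature": "Port scan", "src_ip": "198.51.100.9"},
]


if __name__ == "__main__":
    open_alerts, closed, hits = apply_suppressions(ALERTS, RULES, "customer-a")
    for alert, rule_id in closed:
        print(f"auto-closed by {rule_id}: {alert['signature']} on {alert['device']}")
    for alert in open_alerts:
        print(f"left open for analyst: {alert['signature']} from {alert.get('src_ip', '-')}")
    print("hits per rule:", dict(hits))
```

For customer-a, the scanner's ICMP sweep and the global certificate notice are auto-closed, while the ICMP sweep from an unexpected external source stays open (the only rule broad enough to cover it, SUP-003, is expired) and the port scan stays open because SUP-004 has not passed review and SUP-005 belongs to another customer. The per-rule hit counter is the kind of number worth watching: a rule that closes far more alerts than it did during tuning may have become broader than intended.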