AlienVault® USM Anywhere™

Suppressing/Unsuppressing Events

Role Availability Read-Only Analyst   Manager

Not all eventsAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall. found during monitoringProcess of collecting all device status and event information and processing normalized events for evidence of vulnerabilities, possible attacks, and other malicious activity. are necessary in managing your environment. Frequently, there are events that create a noisy environment, making it difficult to monitor other events that require more attention. You can identify these events and suppress them before executing any processing by the correlation engineUsed in systems management tools to aggregate, normalize, and analyze event log data, using predictive analytics and fuzzy logic to alert the systems administrator when there is a problem.. It is also possible that you may not want to suppress the events as you might have to be aware of other impacted systems.

USM Anywhere saves the events that match a suppression rule, but does not correlate these suppressed events. By default, USM Anywhere hides these suppressed events. If you want to see these events, click Suppressed in the Search & Filters area. The suppressed events will be displayed in the table along with all events. See To only display the suppressed events if you want to display just the suppressed events.

Note: The suppression rule you create will apply to future events. It also will apply to events of the current day, up to 10K events.

To suppress an event

  1. Go to Activity > Events.
  2. Click the event you want to suppress.
  3. Click Suppress Event.

To unsuppress an event

  1. Go to Activity > Events.
  2. Search the suppressed events by using the filter Suppressed. See Searching Events for more information.
  3. Click the event you want to unsuppress.
  4. Click Unsuppress Event.

To only display the suppressed events

  1. Go to Activity > Events.
  2. In the Search & Filters area, click Not Suppressed to remove the Suppressed: False filter, and then click Suppressed to add the Suppressed: True filter.
  3. To see events suppressed by a certain rule, in the upper left corner of the page, click the Configure Filters link.
  4. In the Search filters field, enter Suppress.
  5. Select the Suppress Rule Name filter.
  6. Click the icon to pass the selected filter from the available filters to the selected ones.
  7. Click Apply.

    The page reloads and the Suppress Rule Name filter is added at the bottom left corner.

  8. Search the Suppress Rule Name filter and click the rule.
  9. If no rule name displays, it is because of these reasons:

    • There are no events suppressed by the rule.
    • The Suppressed filter is not enabled.

    See Searching Events for more information about the icons below the filters.

Note: You can save the view for later use. See Event Views for more information about how to create a configuration view.