Example: Creating a Suppression Rule for VPC Flow Logs

Role Availability Read-Only Investigator Analyst Manager

In this example, we are going to create a suppression rule to suppress VPC Flow Logs events Any traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall.. This way you will avoid noise in your list of events.

To create a VPC Flow Logs Suppression Rule

  1. Go to Activity > Events.
  2. Enter VPC in the search field.
  3. Click the icon.
  4. Select one of the events.
  5. Select Create Rule > Create Suppression Rule.
  6. These property values are selected:

    Create a VPC Flow Logs Suppression Rule

  7. Click Next.

    Rules Verifications Dialog Box

    Important: A dialog box opens if there are warning messages. Click Cancel to review the warning messages, or click Accept to continue creating the rule.

  8. Enter a name for the rule, for example Suppress VPC Flow Logs.
  9. (Optional.) Enter a description for identifying this rule.
  10. Modify these two options:

    • Occurrences: Specify the number of event occurrences that produce a match on the conditional expression to trigger the rule. You can enter the number of occurrences or use the arrow to scroll the value up or down. You need to enter a number between 1 and 100.
    • Length: Specify the length of the timespan used to identify a match for multiple occurrences. Enter the number and choose a value of seconds, minutes, or hours.

      This duration identifies the amount of time that transpires from the beginning to the end of the occurrence. If the number of occurrences is not met within this period, the rule is not a match.

      Specify multiple occurances to match for the rule

      In this example, the rule applies when the configured conditions happen five times every three hours.

    These two options function together to specify the number of occurrences within a time period that will produce a match for the rule. For example, you can define a rule to trigger an alarm Alarms provide notification of an event or sequence of events that require attention or investigation. for an unauthorized access An incident-type categorization that may be a precursor to other actions or stages of an attack. attempt when a failed SSH Program to securely log into another computer over a network, execute commands in a remote machine, and move files from one machine to another through Secure Copy (SCP). login Log in (verb): Process in which an individual gains access to a computer system after providing sufficient credentials to authenticate their unique identity. Login (noun): User credentials, typically a username and matching password. occurs three times within a five-minute window.

  11. Click Save.
  12. The suppression rule has been created. You can see it from Settings > Rules. See Suppression Rules from the Orchestration Rules Page for more information.

    Important: It takes a few minutes for an orchestration rule to become active.