You are viewing docs on Elastic's new documentation system, currently in technical preview. For all other Elastic docs, visit elastic.co/guide.

Suppress detection alerts

Reduce noise from rules that create repeated or duplicate alerts.

Technical preview

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types:

Normally, when a rule meets its criteria repeatedly, it creates multiple alerts, one for each time the rule's criteria are met. When alert suppression is configured, duplicate qualifying events are grouped, and only one alert is created for each group. Depending on the rule type, you can configure alert suppression to create alerts each time the rule runs, or once within a specified time window. You can also specify multiple fields to group events by unique combinations of values.

The Elastic Security app displays several indicators in the Alerts table and the alert details flyout when a detection alert is created with alert suppression enabled. You can view the original events associated with suppressed alerts by investigating the alert in Timeline.

Note

Alert suppression is not available for Elastic prebuilt rules. However, if you want to suppress alerts for a prebuilt rule, you can duplicate it, then configure alert suppression on the duplicated rule.

Configure alert suppression

You can configure alert suppression when you create or edit a supported rule type. Refer to Create a detection rule or Create a detection rule for detailed instructions.

  1. When configuring the rule type (the Define rule step for a new rule, or the Definition tab for an existing rule), specify how you want to group events for alert suppression:

    • Custom query rule: In Suppress alerts by, enter 1-3 field names to group events by the fields' values.
    • Threshold rule: In Group by, enter up to 3 field names to group events by the fields' values, or leave the setting empty to group all qualifying events together.

    Note

    If you specify a field with multiple values, an alert grouping is created for each value. For example, if you suppress alerts by destination.ip of [127.0.0.1, 127.0.0.2, 127.0.0.3], alerts will be suppressed separately for each value of 127.0.0.1, 127.0.0.2, and 127.0.0.3.

  2. If available, select how often to create alerts for duplicate events:

    • Per rule execution: (Custom query rules only) Create an alert each time the rule runs and meets its criteria.

    • Per time period: Create one alert for all qualifying events within a specified time window, beginning when the rule first meets its criteria and creates the alert. (This is the only option available for threshold rules.)

      For example, if a rule runs every 5 minutes but you don't need alerts that frequently, you can set the suppression time period to a longer time, such as 1 hour. If the rule meets its criteria, it creates an alert at that time, and for the next hour, it'll suppress any subsequent qualifying events.

  3. (Custom query rules only) Under If a suppression field is missing, choose how to handle events with missing suppression fields (events in which one or more of the Suppress alerts by fields don't exist):

    • Suppress and group alerts for events with missing fields: Create one alert for each group of events with missing fields. Missing fields get a null value, which is used to group and suppress alerts.
    • Do not suppress alerts for events with missing fields: Create a separate alert for each matching event. This basically falls back to normal alert creation for events with missing suppression fields.
  4. Configure other rule settings, then save and enable the rule.

Tip

Use the Rule preview before saving the rule to visualize how alert suppression will affect the alerts created, based on historical data.

Confirm suppressed alerts

The Elastic Security app displays several indicators of whether a detection alert was created with alert suppression enabled, and how many duplicate alerts were suppressed.

  • Alerts table — Icon in the Rule column. Hover to display the number of suppressed alerts:

  • Alerts table — Column for suppressed alerts count. Select Fields to open the fields browser, then add kibana.alert.suppression.docs_count to the table.

  • Alert details flyout — Insights section:

Investigate events for suppressed alerts

With alert suppression, detection alerts aren't created for the grouped source events, but you can still retrieve the events for further analysis or investigation. Do one of the following to open Timeline with the original events associated with both the created alert and the suppressed alerts:

  • Alerts table — Select Investigate in timeline in the Actions column.

  • Alert details flyout — Select Take actionInvestigate in timeline.

On this page