The RocketCyber platform collects millions of events from various sources on a daily basis. The job of the SOC team is to analyze these events and escalate them to an incident if they are deemed to be suspicious or malicious in nature.
Sometimes these incidents are acceptable risks: during a maintenance window, for example, certain changes to systems or the commands that are executed can look suspicious even though they are expected.
To help customers reduce the number of incidents they are notified about during these exceptions, we have introduced a new feature we call Incident Suppression.
What is Incident Suppression?
Incident Suppression is a feature that allows a user of the platform to suppress the notification of an incident based on criteria that they define and with an optional duration.
The best example of using Incident Suppression is an Office 365 user who is traveling on vacation and logging in from an unusual country. Typically, this will generate an incident and a phone call from the SOC.
Using Incident Suppression you can create a rule for that specific user and country and set a duration covering their vacation. During that duration you will no longer be notified about the specified user and country; however, an incident will still be created and its status will be marked as suppressed. When the duration specified in the Incident Suppression rule has expired, notifications of any new incidents will resume as normal.
Is Incident Suppression The Same as Whitelisting?
No. Whitelisting is a methodology that prevents an event from being generated in the platform at all, which in turn prevents an Incident from being generated. If it is configured incorrectly, whitelisting can also prevent SOC analysts from receiving critical detection events.
How Do I Suppress an Incident?
- While viewing the details of an Incident there is an additional button on the top right titled Suppress.
- Clicking the Suppress button will display the Create Incident Suppression view.
- On the Create Incident Suppression view you will see a number of attributes from the Incident that are available to use for suppression, as well as a Rule Name field that allows you to specify a descriptive name for the suppression rule. Further down the view you will also find options to set a duration on the Incident Suppression Rule.
- Let's start by providing a name for the Suppression Rule. In the Rule Name field, enter External Country User.
- Now we need to choose, from the available criteria, the items that we want the rule to evaluate. For this example let's assume that the user has a known IP address that they are connecting from, so we will use the Remote Address attribute to specify the IP Address. The field should be pre-populated with the IP Address that generated the incident.
- Next, determine what type of comparison operator the Incident Suppression Rule will use for this criterion. For this example, we will choose the equals operator so that the rule evaluates the specified IP Address as an exact match.
- Now that we've chosen the criterion and selected an operator, click Add to add the criterion to the rule.
Incident Suppression Scope
Incident Suppression can be scoped to various levels of an account. By default, a new Incident Suppression is scoped to the context that you are currently in, which can be either the Provider or the Organization level.
If you are at the Provider Level you can also target specific accounts that the Incident Suppression should apply to.
If you choose to target specific accounts, the following will be displayed.
Within this screen you can select the specific accounts to target, then click Add Account(s) to add them to the Selected Accounts list.
Incident Suppression Rule Duration
Incident Suppression rules can be configured to run for a specified duration. During the specified duration you will not be notified about incidents which meet the rule criteria. At the end of the duration Incident notifications will resume as normal.
Incident Suppression duration can be helpful for suppressing incidents during maintenance windows or for users that are traveling.
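To make the semantics above concrete, here is an added Python model (not RocketCyber's code) of how a suppression rule with criteria, account scope and duration would be evaluated against an incoming incident, using the traveling-user scenario from this page. The attribute names, the `equals` operator and the `open`/`suppressed` statuses are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model of the behaviour described above; attribute names, the
# "equals" operator and the status strings are assumptions, not the product's schema.

@dataclass
class Criterion:
    attribute: str   # incident attribute, e.g. "user", "country", "remote_address"
    operator: str    # only the page's exact-match operator is modelled
    value: str

    def matches(self, incident: dict) -> bool:
        if self.operator != "equals":
            raise ValueError(f"unsupported operator: {self.operator}")
        return incident.get(self.attribute) == self.value

@dataclass
class SuppressionRule:
    name: str
    criteria: list                         # every criterion must match
    accounts: Optional[set] = None         # None: current Provider/Organization context
    expires_at: Optional[datetime] = None  # None: duration "always"

    def applies(self, incident: dict, now: datetime) -> bool:
        active = self.expires_at is None or now < self.expires_at
        in_scope = self.accounts is None or incident["account"] in self.accounts
        return active and in_scope and all(c.matches(incident) for c in self.criteria)

def process_incident(incident: dict, rules: list, now: datetime) -> dict:
    """The incident is always created (unlike whitelisting); a matching active
    rule only marks it suppressed and silences the notification."""
    matched = next((r for r in rules if r.applies(incident, now)), None)
    return {**incident, "status": "suppressed" if matched else "open",
            "notify": matched is None, "rule": matched.name if matched else None}

def vacation_example() -> dict:
    """Traveling-user scenario: a 14-day rule for one user and one country."""
    start = datetime(2024, 6, 1, tzinfo=timezone.utc)
    rule = SuppressionRule("External Country User",
                           [Criterion("user", "equals", "alice@example.com"),
                            Criterion("country", "equals", "FR")],
                           accounts={"org-1"}, expires_at=start + timedelta(days=14))
    login = {"account": "org-1", "user": "alice@example.com", "country": "FR"}
    return {"during": process_incident(login, [rule], start + timedelta(days=3)),
            "after": process_incident(login, [rule], start + timedelta(days=15)),
            "other_user": process_incident({**login, "user": "bob@example.com"}, [rule], start),
            "other_account": process_incident({**login, "account": "org-2"}, [rule], start)}
```

The `after` case shows notifications resuming once the duration expires, while `other_user` and `other_account` show that a rule only silences incidents matching all of its criteria within its scope.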
To set a duration, click on the dropdown next to the word always and choose an appropriate interval.
After you choose the interval you can supply the appropriate number as shown below.
Review and Save
A summary of the Incident Suppression is displayed at the bottom of the page.
To save the Incident Suppression Rule, click the Create button.
Resolve Existing Incidents - IMPORTANT
After saving the Incident Suppression rule you must change the state of any matching incidents to Resolved. If the incidents are not resolved, then the suppression rule will not execute.
Managing Incident Suppression Rules
- From the left navigation menu click on Incidents.
- Click Manage Suppression Rules.
- The Manage Suppression Rules view lists all suppression rules. The Status column indicates whether each rule is active or expired; the list also shows the user that created or modified the rule and the date and time it was last updated.
- Click View to view the details of an Incident Suppression rule or click Edit to modify the rule.