6.6 Automatic Alert Suppression
Behavior Detection provides actions that enable an analyst to specify that the system close a particular entity’s alerts on a specific scenario automatically. This is called Alert Suppression. The system runs the Alert Suppression algorithm to close newly-generated alerts that match an active suppression rule.
Note:
Alert Suppression tables use full refresh data loading. The data is first truncated and then new data is inserted. Complete data must be provided every time these commands are executed.
Defining the Suppress Alert Algorithm
The Suppress Alert algorithm does not suppress locked alerts. The system locks an alert while an analyst takes an action on it, and unlocks the alert when the analyst releases it. The system skips all locked alerts until the next time it runs the Suppress Alert component. When a user takes an action on an existing alert to suppress future alerts, the suppression rule populates the KDD_AUTO_SUPPR_ALERT table with the criteria for automatically suppressing, and for cancelling suppression of, the alerts.
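The following is an added worked example (not OFSBD code) that models the behaviour described above and in the note on full refresh loading: a suppression table is loaded by truncate-and-insert, one pass of the Suppress Alert component closes only new, unlocked alerts that match a currently active rule, and locked alerts are left for the next run. The column names on the rule record (entity, scenario, start and end date) are assumptions; the real KDD_AUTO_SUPPR_ALERT layout is not on this page, and all alert and rule data below is constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SuppressionRule:
    """One row of a suppression table. Column names are hypothetical,
    modelled after KDD_AUTO_SUPPR_ALERT; the real layout is not shown here."""
    entity_id: str
    scenario_id: str
    start_date: date
    end_date: date  # suppression is cancelled once the run date passes this


@dataclass
class Alert:
    alert_id: int
    entity_id: str
    scenario_id: str
    created: date
    locked: bool = False   # True while an analyst holds the alert
    status: str = "NEW"


class AutoSupprAlertTable:
    """Suppression table with full refresh semantics: every load truncates
    the table and inserts the complete data set that was supplied."""

    def __init__(self):
        self.rows = []

    def full_refresh(self, rows):
        self.rows = list(rows)  # truncate, then insert everything provided

    def active_rules(self, run_date):
        return {(r.entity_id, r.scenario_id)
                for r in self.rows if r.start_date <= run_date <= r.end_date}


def suppress_alerts(table, alerts, run_date):
    """One pass of the Suppress Alert component.
    Returns (closed_ids, skipped_locked_ids). Alerts that are not NEW or
    do not match an active rule are ignored; matching locked alerts are
    skipped and picked up on a later run once released."""
    closed, skipped = [], []
    rules = table.active_rules(run_date)
    for alert in alerts:
        if alert.status != "NEW":
            continue
        if (alert.entity_id, alert.scenario_id) not in rules:
            continue
        if alert.locked:
            skipped.append(alert.alert_id)
            continue
        alert.status = "CLOSED"
        closed.append(alert.alert_id)
    return closed, skipped


def demo():
    """Constructed scenario exercising locking, rule expiry and full refresh."""
    table = AutoSupprAlertTable()
    table.full_refresh([
        SuppressionRule("CUST-1001", "SCN-STRUCTURING", date(2024, 1, 1), date(2024, 12, 31)),
        SuppressionRule("CUST-2002", "SCN-RAPID-MOVEMENT", date(2024, 1, 1), date(2024, 3, 31)),
    ])
    alerts = [
        Alert(1, "CUST-1001", "SCN-STRUCTURING", date(2024, 6, 1)),
        Alert(2, "CUST-1001", "SCN-STRUCTURING", date(2024, 6, 1), locked=True),
        Alert(3, "CUST-1001", "SCN-WIRE-REVIEW", date(2024, 6, 1)),      # no rule
        Alert(4, "CUST-2002", "SCN-RAPID-MOVEMENT", date(2024, 6, 1)),   # rule expired
    ]
    first = suppress_alerts(table, alerts, date(2024, 6, 1))   # ([1], [2])

    alerts[1].locked = False  # analyst releases alert 2; next run closes it
    second = suppress_alerts(table, alerts, date(2024, 6, 2))  # ([2], [])

    # Full refresh with partial data: the CUST-1001 rule is lost because it
    # was not re-supplied, while the CUST-2002 rule is re-supplied extended.
    table.full_refresh([
        SuppressionRule("CUST-2002", "SCN-RAPID-MOVEMENT", date(2024, 1, 1), date(2024, 12, 31)),
    ])
    alerts.append(Alert(5, "CUST-1001", "SCN-STRUCTURING", date(2024, 6, 3)))
    third = suppress_alerts(table, alerts, date(2024, 6, 3))   # ([4], [])
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The third run shows why the note matters: because the load is a full refresh, the rule for CUST-1001 disappears when the reload omits it, and alert 5 stays open even though an analyst had asked for that entity and scenario to be suppressed.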
Running the Suppression Job
The suppression job is part of the Behavior Detection subsystem. OFSBD provides default job templates and job template groups for running Auto-Close Alert. You can modify these jobs using the Administration Tools. Refer to the Administration Tools User Guide for more information.
- Verify that the dispatcher is running.
- Run the start_mantas.sh script as follows:
start_mantas.sh 507
where 507 is the job template that OFSBD provides to run the suppression job algorithm.