Suppressing specific AWS and workload behavior anomaly alerts reduces the number of alerts and allows you to focus on the assets that are most important to you.
To use policies to suppress specific behavior anomaly alerts, follow these steps:
- Navigate to MONITOR > Policies.
Behavior anomaly rules are available for AWS and Workload policy types.
- In the Behavior Anomaly Rules table, locate the event you want to suppress and expand it.
- Click CLONE.
- Enter a name for the event.
- Use the available columns to define the conditions for suppressing this event.
You must select EXCLUDE to suppress the event for the specified conditions.
Example: For the New External Server IP Address event, you could add these conditions: IP ADDRESS EXCLUDE h1, h2 AND PORT EXCLUDE a1, a2.
This suppresses events of type New External Server IP Address only when the IP address matches h1 or h2 and the port matches a1 or a2.
- Ensure the rule is enabled and click Save.
- Ensure the system-defined rule that you cloned remains enabled.
After you suppress an alert, Lacework does not generate an event for the conditions you specified.
If you disable the Lacework rules category from which a rule was cloned, that setting takes precedence, meaning the entire category of that event type is disabled.
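
The condition logic from the New External Server IP Address example can be modeled as a small dry run that shows which events a cloned rule would hide and which would still alert. This is an added illustration, not Lacework code or its API; the class and field names and the sample IP addresses and ports (standing in for h1, h2, a1, a2) are constructed.

```python
# Added illustration: a model of the EXCLUDE logic described above.
# Not Lacework code; all names and sample values are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Event:
    event_type: str
    ip_address: str
    port: int

@dataclass
class SuppressionRule:
    event_type: str
    exclude: dict = field(default_factory=dict)  # column -> set of values
    enabled: bool = True

    def suppresses(self, event: Event) -> bool:
        if not self.enabled or event.event_type != self.event_type:
            return False
        if not self.exclude:
            # Assumption of this model: no conditions means nothing is suppressed.
            return False
        # Values inside one column are ORed; columns are ANDed together.
        return all(getattr(event, col) in vals for col, vals in self.exclude.items())

def dry_run(rule, events):
    """Return (suppressed, still_alerting) for a list of events."""
    suppressed = [e for e in events if rule.suppresses(e)]
    alerting = [e for e in events if not rule.suppresses(e)]
    return suppressed, alerting

EVENT = "New External Server IP Address"
# Constructed stand-ins for h1, h2 (documentation IP range) and a1, a2.
RULE = SuppressionRule(EVENT, {"ip_address": {"203.0.113.10", "203.0.113.11"},
                               "port": {443, 8443}})
SAMPLE_EVENTS = [
    Event(EVENT, "203.0.113.10", 443),    # h1 and a1: suppressed
    Event(EVENT, "203.0.113.11", 8443),   # h2 and a2: suppressed
    Event(EVENT, "203.0.113.10", 22),     # h1 but other port: still alerts
    Event(EVENT, "198.51.100.7", 443),    # a1 but other IP: still alerts
    Event("Constructed Other Event", "203.0.113.10", 443),  # other type
]

if __name__ == "__main__":
    hidden, shown = dry_run(RULE, SAMPLE_EVENTS)
    for e in hidden:
        print("suppressed:", e)
    for e in shown:
        print("alerts:    ", e)
```

An event that matches only one of the two columns is not suppressed, which is the case to check before widening either list.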