Suppressing specific AWS and host behavior anomaly alerts reduces the number of alerts and allows you to focus on the assets that are most important to you.
To use policies to suppress specific behavior anomaly alerts, follow these steps:
- Click Policies. Anomaly policies are available for the AWS and host policy domains.
- Filter for anomaly policies and for either AWS or host to locate the event type you want to suppress.
- Click Clone.
- Enter a name for the event.
- Define the expressions for suppressing the event. You must select EXCLUDE to suppress the event for the specified expressions.
  Example: For the New External Server IP Address event, you could add these expressions: IP ADDRESS EXCLUDE 10.0.10.1,10.0.10.2 AND PORT EXCLUDE 80,443.
  This excludes the New External Server IP Address event only when the IP address matches 10.0.10.1 or 10.0.10.2 and the port matches 80 or 443; an event that satisfies only one of the two conditions is still generated.
  The table below provides parameter value examples.
- Ensure the policy is enabled and click Save.
- Ensure the default policy that you cloned remains enabled.
After you suppress an alert, Lacework does not generate an event for the expressions you defined.
If you disable the default policy category from which a policy was cloned, that setting takes precedence, meaning the entire category of that event type is disabled.
Example Parameter Values
You can also use the * wildcard when defining parameter values.
| Parameter | Example value |
| --- | --- |
| IP_ADDR | 192.0.2.0. IP ranges are not supported; however, you can use the * wildcard to simplify some exceptions. For example, if you have a common range, add 192.0.2.0 as 192.0.* instead. |
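To check before saving that an EXCLUDE expression is as narrow as intended, the following added example (not Lacework code) models the expression syntax from the steps above and the * wildcard from the table, and runs it over constructed events. The matching semantics, the field names ip_address and port, and the sample events are assumptions for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Clause:
    field: str           # event attribute the clause inspects (assumed names: ip_address, port)
    patterns: list[str]  # comma-separated values from the expression; "*" is a wildcard

def parse_expression(expr: str) -> list[Clause]:
    """Parse e.g. 'IP ADDRESS EXCLUDE 10.0.10.1,10.0.10.2 AND PORT EXCLUDE 80,443'.
    Clauses are joined with AND, so every clause must match for suppression."""
    clauses = []
    for part in expr.split(" AND "):
        field, _, values = part.partition(" EXCLUDE ")
        if not values.strip():
            raise ValueError(f"clause needs an EXCLUDE operator and values: {part!r}")
        clauses.append(Clause(field.strip().lower().replace(" ", "_"),
                              [v.strip() for v in values.split(",") if v.strip()]))
    return clauses

def matches(value: str, pattern: str) -> bool:
    """Exact match, with '*' standing for any run of characters (192.0.* matches 192.0.2.7)."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def is_suppressed(event: dict, clauses: list[Clause]) -> bool:
    """True only when every clause matches; a missing field never matches."""
    return all(
        c.field in event and any(matches(str(event[c.field]), p) for p in c.patterns)
        for c in clauses
    )

def remaining_alerts(events: list[dict], expr: str) -> list[dict]:
    """Return the events that still alert after the suppression expression is applied."""
    clauses = parse_expression(expr)
    return [e for e in events if not is_suppressed(e, clauses)]

if __name__ == "__main__":
    # Constructed sample events, not real Lacework output.
    sample = [
        {"ip_address": "10.0.10.1", "port": 443},  # suppressed: IP and port both listed
        {"ip_address": "10.0.10.1", "port": 22},   # still alerts: port not listed
        {"ip_address": "10.0.10.9", "port": 80},   # still alerts: IP not listed
    ]
    policy = "IP ADDRESS EXCLUDE 10.0.10.1,10.0.10.2 AND PORT EXCLUDE 80,443"
    for e in remaining_alerts(sample, policy):
        print("ALERT", e)
```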