Alert suppression
Overview
To reduce alert noise and avoid repeated notifications for the same issue, Cayosoft Guardian allows you to suppress alerts based on defined thresholds.
Follow these steps to configure alert suppression for a specific threat rule.
Configuring alert suppression
- Navigate to Threat Detection > Threat Definitions from the left-hand menu.
- Select the rule for which you want to configure suppression.
- In the rule Properties pane, switch to the Suppression tab.
- Check the box Suppress excessive alerts. A tooltip will appear stating that each time before raising an alert, Cayosoft Guardian checks the total number of existing alerts created by this rule in the specified interval of time. If the limit is reached, new alerts will not be created, and rule execution will be paused for a specified interval of time.
- Set suppression thresholds:
  - Suppress new alerts if the total number of existing alerts is greater than: enter the maximum number of alerts (e.g., 5). If this number is exceeded, new alerts will not be generated.
  - Count alerts in the specified interval: define the number of alerts (e.g., 10) and the time window (e.g., Minutes, Hours, Days) during which they are counted.
  - Pause execution of the rule for the specified interval: enter a value (e.g., 12 Hours) and the time window (e.g., Minutes, Hours, Days) to temporarily pause this rule once suppression is triggered.
  For example, if the number of existing alerts exceeds 5, and 10 or more alerts have been generated in the last few minutes, Cayosoft Guardian will:
  - Stop creating new alerts
  - Pause rule execution for 12 hours
- Click Save to apply changes.
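The following Python model is an added illustration of the suppression behaviour the tooltip describes (count the alerts this rule has created inside the window; once the limit is exceeded, stop creating alerts and pause the rule). It is not Cayosoft Guardian code or a product API: the class and field names, the strict greater-than comparison, the way the three fields map onto the model, and the sample timestamps are all constructed assumptions. It is useful for reasoning about what a given threshold, window and pause value will do to a burst of detections before you save them on a rule.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class SuppressionPolicy:
    """Hypothetical model of the three Suppression tab fields (constructed, not a product API)."""
    max_existing: int      # "Suppress new alerts if the total number of existing alerts is greater than"
    window: timedelta      # "Count alerts in the specified interval": only alerts this recent are counted
    pause: timedelta       # "Pause execution of the rule for the specified interval"


@dataclass
class RuleState:
    """Per-rule bookkeeping: when alerts were created and until when the rule is paused."""
    policy: SuppressionPolicy
    alerts: List[datetime] = field(default_factory=list)  # creation time of every alert raised so far
    paused_until: Optional[datetime] = None

    def evaluate(self, now: datetime) -> str:
        """Called each time the rule matches at time `now`.

        Returns one of:
          'paused'     - rule execution is paused, so the match is not evaluated at all
          'suppressed' - the limit was exceeded: no alert is created and the pause starts
          'alert'      - an alert is created and recorded
        """
        if self.paused_until is not None and now < self.paused_until:
            return "paused"
        # Count only the existing alerts that fall inside the counting window.
        recent = [t for t in self.alerts if now - t <= self.policy.window]
        if len(recent) > self.policy.max_existing:
            self.paused_until = now + self.policy.pause
            return "suppressed"
        self.alerts.append(now)
        return "alert"


def simulate(policy: SuppressionPolicy, match_times: List[datetime]) -> List[str]:
    """Run a sequence of rule matches through one RuleState and return the decision for each."""
    state = RuleState(policy)
    return [state.evaluate(t) for t in sorted(match_times)]


def demo() -> List[str]:
    """Constructed sample: a burst of matches one minute apart, then two isolated ones."""
    policy = SuppressionPolicy(
        max_existing=5,
        window=timedelta(minutes=10),
        pause=timedelta(hours=12),
    )
    start = datetime(2024, 1, 1, 9, 0)
    burst = [start + timedelta(minutes=i) for i in range(8)]           # 09:00 .. 09:07
    later = [start + timedelta(hours=11), start + timedelta(hours=13)]  # 20:00 (still paused), 22:00
    return simulate(policy, burst + later)


if __name__ == "__main__":
    for index, decision in enumerate(demo(), start=1):
        print(f"match {index:2d}: {decision}")
```

With these values the first six matches raise alerts (five existing alerts is not greater than 5), the seventh finds six alerts inside the 10-minute window and is suppressed, which starts the 12-hour pause; the eighth and ninth matches arrive while paused and are not evaluated, and the tenth arrives after the pause has expired with no alerts left in the window, so it raises an alert again. Changing the comparison to "greater than or equal" or shortening the window moves the point at which suppression kicks in, which is exactly the trade-off between noise reduction and missed notifications that the thresholds control.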