Make Suppression Rules Temporary
March 19, 2019
Many security information and event management (SIEM) tools include a machine learning component that falls into the category of artificial intelligence. Their sophistication increases as they gather data from those machine learning components. Training comes from the user in the form of changes to rules, data sources, and other adjustments that make the SIEM work in a specific environment, so poorly thought-out rules can sway its decisions in the wrong direction. To shut down a problem it must be cut off at the source, usually with a filtering rule. Suppression rules are different: they remove data from your view but do not actually stop the event. Suppression rules are useful when an event is causing a flood of alarms that you need to keep out of view for a short period, but it is important not to make that kind of view permanent. Take the machine learning and AI capabilities of your tools into account when you work with your SIEM, threat hunting, and other cybersecurity tools. What you put in determines the outcome of your work and of the work of others on your team.
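The distinction above (a filter drops an event at the source, a suppression only hides it, and a suppression should carry an expiry) is easy to encode. The following is an added example written for this page, not code from the original article or from any SIEM product: a toy alert pipeline in which suppression rules are created with a time-to-live, expired rules stop applying on their own, and an audit call lists every suppression that is permanent or has lapsed. All hosts, rule IDs and events are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Constructed example: filter rules drop events before storage; suppression
# rules keep the event but hide it from the analyst view, and carry an expiry.


@dataclass
class Event:
    source: str      # host or sensor name (constructed values below)
    rule_id: str     # detection rule that raised the alert
    message: str


@dataclass
class SuppressionRule:
    name: str
    matches: Callable[[Event], bool]
    created: datetime
    expires: Optional[datetime]   # None means permanent, which is what to avoid

    def is_active(self, now: datetime) -> bool:
        return self.expires is None or now < self.expires


class FakeClock:
    """Controllable clock so expiry behaviour can be exercised offline."""
    def __init__(self, start: datetime):
        self.now = start

    def advance(self, delta: timedelta) -> None:
        self.now += delta


class AlertPipeline:
    def __init__(self, clock: FakeClock):
        self.clock = clock
        self.filters: List[Callable[[Event], bool]] = []
        self.suppressions: List[SuppressionRule] = []
        self.stored: List[Event] = []   # retained for hunting and forensics
        self.view: List[Event] = []     # what the analyst console shows

    def add_filter(self, matches: Callable[[Event], bool]) -> None:
        self.filters.append(matches)

    def add_suppression(self, name: str, matches: Callable[[Event], bool],
                        ttl: Optional[timedelta]) -> SuppressionRule:
        now = self.clock.now
        rule = SuppressionRule(name, matches, now, None if ttl is None else now + ttl)
        self.suppressions.append(rule)
        return rule

    def ingest(self, event: Event) -> str:
        now = self.clock.now
        if any(f(event) for f in self.filters):
            return "filtered"           # cut off at the source: never stored
        self.stored.append(event)       # a suppression never loses the data
        if any(s.is_active(now) and s.matches(event) for s in self.suppressions):
            return "suppressed"
        self.view.append(event)
        return "shown"

    def audit_suppressions(self) -> Dict[str, List[str]]:
        """List suppressions that need attention: permanent ones and lapsed ones."""
        now = self.clock.now
        return {
            "permanent": [s.name for s in self.suppressions if s.expires is None],
            "expired": [s.name for s in self.suppressions
                        if s.expires is not None and now >= s.expires],
            "active": [s.name for s in self.suppressions
                       if s.expires is not None and now < s.expires],
        }


def run_demo() -> dict:
    clock = FakeClock(datetime(2019, 3, 19, 9, 0, tzinfo=timezone.utc))
    pipe = AlertPipeline(clock)
    # Filter: a lab scanner whose events should never enter the SIEM at all.
    pipe.add_filter(lambda e: e.source == "lab-scanner-01")
    # Temporary suppression: the backup server trips a mass-file-access rule
    # during its nightly window; hide it for 8 hours, after which it must return.
    pipe.add_suppression("backup-window",
                         lambda e: e.rule_id == "R-MASS-FILE-ACCESS" and e.source == "backup-srv",
                         ttl=timedelta(hours=8))
    # Permanent suppression: exactly the kind of rule the audit should flag.
    pipe.add_suppression("forever-quiet", lambda e: e.rule_id == "R-PORT-SCAN", ttl=None)

    outcomes = [
        pipe.ingest(Event("lab-scanner-01", "R-PORT-SCAN", "scan")),
        pipe.ingest(Event("backup-srv", "R-MASS-FILE-ACCESS", "read 50k files")),
        pipe.ingest(Event("ws-17", "R-MASS-FILE-ACCESS", "read 50k files")),
    ]
    clock.advance(timedelta(hours=9))   # the suppression window has passed
    outcomes.append(pipe.ingest(Event("backup-srv", "R-MASS-FILE-ACCESS", "read 50k files")))
    return {"outcomes": outcomes, "stored": len(pipe.stored),
            "shown": len(pipe.view), "audit": pipe.audit_suppressions()}


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the filtered scanner event never reaching storage, the backup alert being hidden during the window but retained, the same alert from a different workstation being shown immediately, and the backup alert reappearing once the window lapses; the audit output names the permanent rule and the lapsed one, which is the review list a SIEM administrator would walk through regularly.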
Read full article at: