VOOZH about

URL: https://docs.datadoghq.com/security/cloud_siem/detect_and_monitor/suppressions/

⇱ Suppressions

For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/cloud_siem/detect_and_monitor/suppressions.md. A documentation index is available at /llms.txt.

Suppressions

Available for:

Cloud SIEM | Workload Protection | App and API Protection

Overview

Suppressions are specific conditions for when a signal should not be generated, which can improve the accuracy and relevance of the signals that are generated.

Suppression evaluation

There are two types of suppression queries: suppression on signal attributes and suppression on log or event attributes. Signal-based suppressions are only evaluated at the time a signal is created. They are not re-evaluated when a signal is updated. Log and event attribute suppressions prevent matching events from new signals and updated existing signals. Datadog recommends using log and event attribute suppressions to reliably exclude specific activity.

Suppression routes

You can set up a suppression query within an individual detection rule, or define a separate suppression rule to suppress signals across one or more detection rules.

Detection rules

When you create or modify a detection rule, you can define a suppression query to prevent a signal from getting generated. For example, add a rule query to determine when a detection rule triggers a security signal. You can also customize the suppression query to suppress signals for a specific attribute value.

Suppression rules

Use suppression rules to set general suppression conditions across multiple detection rules instead of setting up suppression conditions for each individual detection rule. For example, you can set up a suppression rule to suppress any signal that contains a specific IP.

Suppressions configuration

Suppression list

The suppression list provides a centralized and organized way for you to manage suppressions across multiple detection rules.

Create a suppression rule

  1. Navigate to the Suppressions page.
  2. Click + New Suppression.
  3. Enter a name for the suppression query.
  4. Add a description to provide context on why this suppression is being applied.
  5. Optionally, add an expiration date on which this suppression will be deactivated.
  6. Select the detection rules you want to apply this suppression to. You can select multiple detection rules.
  7. In the Add Suppression Query section, you have the option to enter suppression queries so that a signal is not generated when the values are met. For example, if a user john.doe is triggering a signal, but their actions are benign and you no longer want signals triggered from this user, input the log query: @user.username:john.doe.
    Suppression rule queries are based on signal attributes.
  8. Additionally, you can add a log exclusion query to exclude logs from being analyzed. These queries are based on log attributes. Note: The legacy suppression was based on log exclusion queries, but it is now included in the suppression rule’s Add a suppression query step.

Restrict edit permissions

By default, all users have view and edit access to suppressions. To use granular access controls to limit the roles that may edit a suppression rule:

  1. Click the vertical three-dot menu for the rule and select Permissions.
  2. Click Restrict Access. The dialog box updates to show that members of your organization have Viewer access by default. Use that dropdown menu to select one or more roles, teams, or users that may edit the suppression rule.
  3. Click Add.
  4. Click Save.

Note: To maintain your edit access to the rule, Datadog requires you to include at least one role that you are a member of before saving.

To restore access to a rule:

  1. Click the vertical three-dot menu for the rule and select Permissions.
  2. Click Restore Full Access.
  3. Click Save.

Further reading

Additional helpful documentation, links, and articles: