Suppressing alerts

NAVIGATION  Policies > Alert Suppression

SECURITY  To create rules:  Datto EDR subscription with analyst-level platform access or Datto AV subscription with analyst-level platform access

SECURITY  To publish rules:  Datto EDR subscription with administrator-level platform access or Datto AV subscription with administrator-level platform access

BEFORE YOU BEGIN  The type of subscription you have may define the features available to you on this page. For a comprehensive overview of features available to Datto EDR and Datto AV customers, refer to Datto EDR and Datto AV access control.

You likely support multiple clients from a single Datto EDR or Datto AV instance in your environment, each with unique threats, risks, and requirements. If so, some alerts you receive may apply to some clients but not to others, resulting in false positives. You can create rules that suppress alerts based on specific match criteria.

This article describes the process to do so.

IMPORTANT  When an alert is suppressed, alert notifications will not be sent. For example, the alert will not go out to your third-party integrations or ticketing systems. In addition, automated responses associated with the policy for which the alert was suppressed are not executed.

For more information about working with alerts, refer to Working with the Alerts page, Configuring email alerts, Responding to alerts, and Datto EDR and Datto AV data retention policies.

Overview

Creating suppression rules

You can create suppression rules from existing alerts or from the Policies page. Select a topic to continue.

From the Alerts page

To create a rule from an existing alert, perform the following steps:

  1. In the top navigation menu, click Alerts.

  2. The page will load. You'll see a list of the threats that Datto EDR or Datto AV has detected during audits of your endpoints, with the most recent suspected malicious content displayed first.

  3. Click the name of any alert to open its Alert Detail page.

  4. Click Create Suppression Rule. You'll see a prompt notifying you that creating a rule will acknowledge the alert. Click Okay to continue.

  5. Proceed to the Add rule details section of this article.

From the Policies page

To create a rule from the Policies page, perform the following steps:

  1. In the top navigation menu, click Policies.

  2. The page will load, with the Policy List view selected by default.

  3. In the left navigation pane, click the Alert Suppression link.

  4. The Alert Suppression page will open. Click Add Rule.

  5. Proceed to the Add rule details section of this article.

Add rule details

  1. The Add Suppression Rule page will open. Complete the following details.

     Field | Definition

     Name | Enter a title that describes this rule.

     Description | Provide a description of the rule's purpose.

     Match criteria | Select the criteria that will cause this rule to apply to an alert. You can select multiple options. You can also enable the rule for your entire tenant or for specific organizations or locations, or define additional conditions based on the alert source. Wildcards are supported.

  2. When you finish customizing the rule, click Save. You'll be redirected to the Suppression Rules page. You'll see a notification indicating that your published rules are out of date.

  3. Click Publish Suppression Rules to deploy your newly created rule.

  4. Future alerts that match the criteria in the new rule will automatically be acknowledged and assigned a severity level of Suppressed. They will not be sent to your third-party integrations, such as webhooks or external syslog collectors, and they will not be passed to your BMS or Autotask ticketing systems. To view them, from the Alerts page, select the Severity > Suppressed filter.
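The steps above describe a simple pipeline: a rule is saved as a draft, does nothing until published, and once published turns any matching alert into an acknowledged, Suppressed alert that is neither forwarded to integrations nor allowed to trigger automated responses. The following added example is a constructed model of that pipeline written for this article; it is not Datto EDR or Datto AV code. The alert field names (name, source, organization, location), the integration names, the automated-response map, and the fnmatch-style wildcard matching are all assumptions made for illustration. It also adds a small check a practitioner would want when reviewing rules: a tenant-wide rule whose patterns are nothing but wildcards suppresses every alert, so it is flagged before publishing.

```python
# Added example: constructed model of alert-suppression rule evaluation.
# Not Datto EDR/AV code; field names, scope model and integration names are assumptions.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

INTEGRATIONS = ["webhook", "syslog", "autotask"]                   # constructed integration list
AUTOMATED_RESPONSES = {"Suspicious PowerShell": ["isolate_host"]}  # constructed policy -> response map


@dataclass
class Alert:
    alert_id: str
    name: str            # detection / policy name
    source: str          # constructed: path of the process that raised the alert
    organization: str
    location: str
    severity: str = "High"
    acknowledged: bool = False
    sent_to: list = field(default_factory=list)        # integrations the alert was forwarded to
    responses_run: list = field(default_factory=list)  # automated responses that executed


@dataclass
class SuppressionRule:
    name: str
    description: str
    match: dict                          # alert field -> wildcard pattern; every entry must match
    organizations: Optional[set] = None  # None = entire tenant
    locations: Optional[set] = None      # None = any location

    def applies_to(self, alert: Alert) -> bool:
        """All scope limits and all match patterns must hold for the rule to apply."""
        if self.organizations is not None and alert.organization not in self.organizations:
            return False
        if self.locations is not None and alert.location not in self.locations:
            return False
        return all(fnmatchcase(str(getattr(alert, fld, "")), pat)
                   for fld, pat in self.match.items())


def is_overly_broad(rule: SuppressionRule) -> bool:
    """True for a tenant-wide rule whose patterns are only wildcards: it would suppress everything."""
    tenant_wide = rule.organizations is None and rule.locations is None
    wildcard_only = all(set(pat) <= {"*", "?"} for pat in rule.match.values())
    return tenant_wide and wildcard_only


class Tenant:
    """Draft rules do nothing until published, mirroring the Save / Publish Suppression Rules flow."""

    def __init__(self) -> None:
        self.draft_rules: list = []
        self.published_rules: list = []
        self.rules_out_of_date = False

    def add_rule(self, rule: SuppressionRule) -> None:
        self.draft_rules.append(rule)
        self.rules_out_of_date = True       # the "published rules are out of date" notice

    def publish(self) -> None:
        self.published_rules = list(self.draft_rules)
        self.rules_out_of_date = False

    def process_alert(self, alert: Alert) -> Optional[str]:
        """Return the name of the suppressing rule, or None if the alert went out normally."""
        hit = next((r for r in self.published_rules if r.applies_to(alert)), None)
        if hit is not None:
            # Suppressed: acknowledged, severity rewritten, no notifications, no automated response
            alert.acknowledged = True
            alert.severity = "Suppressed"
            return hit.name
        alert.sent_to.extend(INTEGRATIONS)
        alert.responses_run.extend(AUTOMATED_RESPONSES.get(alert.name, []))
        return None


def suppressed_view(alerts: list) -> list:
    """Equivalent of the Alerts page filtered by Severity > Suppressed."""
    return [a for a in alerts if a.severity == "Suppressed"]


def make_alert(alert_id: str, org: str, source: str) -> Alert:
    """Constructed sample alert for the demo."""
    return Alert(alert_id, "Suspicious PowerShell", source, org, "HQ")


def demo():
    tenant = Tenant()
    rule = SuppressionRule(
        "Contoso backup agent", "Known-good backup tool scripts at Contoso only",
        match={"name": "Suspicious PowerShell", "source": "C:\\Program Files\\BackupTool\\*"},
        organizations={"Contoso"})
    tenant.add_rule(rule)
    before = make_alert("a0", "Contoso", "C:\\Program Files\\BackupTool\\agent.exe")
    tenant.process_alert(before)            # rule saved but not published: alert still goes out
    tenant.publish()
    alerts = [
        make_alert("a1", "Contoso", "C:\\Program Files\\BackupTool\\agent.exe"),     # suppressed
        make_alert("a2", "Fabrikam", "C:\\Program Files\\BackupTool\\agent.exe"),    # other org
        make_alert("a3", "Contoso", "C:\\Users\\bob\\AppData\\Local\\Temp\\x.ps1"),  # path mismatch
    ]
    results = {a.alert_id: tenant.process_alert(a) for a in alerts}
    return before, alerts, results


if __name__ == "__main__":
    before, alerts, results = demo()
    print(results, [a.alert_id for a in suppressed_view(alerts)])
```

The scope check runs before the pattern check on purpose: a rule limited to one organization can never touch another client's alerts, however loose its wildcards, which is the property you want when one instance serves many clients.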

Managing and publishing suppression rules

You can find your saved rules at Policies > Alert Suppression. As you navigate, you'll see the following features and fields:

IMPORTANT  Publishing alert suppression rules is only available to Administrator-level Datto EDR and Datto AV users.