Suppressing alerts

NAVIGATION Policies > Alert Suppression

SECURITY To create rules: Datto EDR subscription with analyst-level platform access or Datto AV subscription with analyst-level platform access

SECURITY To publish rules: Datto EDR subscription with administrator-level platform access or Datto AV subscription with administrator-level platform access

BEFORE YOU BEGIN The type of subscription you have may define the features available to you on this page. For a comprehensive overview of features available to Datto EDR and Datto AV customers, refer to Datto EDR and Datto AV access control.

You likely support multiple clients from a single Datto EDR or Datto AV instance in your environment, each with unique threats, risks, and requirements. If so, some alerts you receive may be applicable to some clients and inapplicable to others, resulting in false-positives. You can create rules that suppress alerts based on specific match criteria.

This article describes the process to do so.

IMPORTANT When an alert is suppressed, alert notifications will not be sent. For example, the alert will not go out to your third party integrators or ticketing systems. In addition, automated responses associated with the policy for which the alert was suppressed, are not executed.

For more information about working with alerts, refer to Working with the Alerts page, Configuring email alerts, Responding to alerts, and Datto EDR and Datto AV data retention policies

Overview

Creating suppression rules

You can create suppression rules from existing alerts or from the Policies page. Select a topic to continue.

From the Alerts page

To access the Alerts page, perform the following steps:

In the top navigation menu, click Alerts.
The page will load. You'll see a list of the threats that Datto EDR or Datto AV has detected during audits of your endpoints, with the most recent suspected malicious content displayed first.

Click the name of any alert to open its Alert Detail page.
Click Create Suppression Rule. You'll see a prompt notifying you that creating a rule will acknowledge the alert. Click Okay to continue.
Proceed to the Add rule details section of this article.

From the Policies page

To access the Policies page, perform the following steps:

To access the Policies page, in the top navigation menu, click Policies.
The page will load, with the Policy List view selected by default.

In the left navigation pane, click the Alert Suppression link.
The Alert Suppression page will open. Click Add Rule.
Proceed to the Add rule details section of this article.

Add rule details

The Add Suppression Rule page will open. Complete the following details.

Field	Definition
Name	Enter a title that describes this rule.
Description	Provide a description of the rule's purpose.
Match criteria	Select the criteria that will cause this rule to apply to an alert. You can select multiple options. You can also enable the rule for your entire tenant, specific organizations or locations, or define additional conditions based on the alert source. Wildcards are supported.

When you finish customizing the rule, click Save. You'll be redirected to the Suppression Rules page. You'll see a notification indicating that your published rules are out of date.
Click Publish Suppression Rules to deploy your newly-created rule.
Future alerts that align with the match criteria in the new rule will automatically become acknowledged and assigned a severity level of Suppressed. They will not go out to your third party integrators, such as your webhooks, external syslog collectors, or integrate with your BMS or Autotask ticketing systems. To view them, from the Alerts page, select the Severity > Suppressed filter.

Managing and publishing suppression rules

You can find your saved rules at Policies > Alert Suppression. As you navigate, you'll see the following features and fields:

IMPORTANT Publishing alert suppression rules is only available to Administrator-level Datto EDR and Datto AV users.

Page features

Feature	Definition
Search	Enter a partial or whole value to filter current view to matching records
Add Suppression Rule	Click to create a new rule; doing so initiates the workflow described in the Creating suppression rules section of this article
Publish Suppression Rules	Publishes all new rules and pending updates to existing rules; this button will be disabled if no new changes have been made since the last publish action
	Actions menu; enables you to delete or review previous versions of rules

Rules view

When you visit the Alert Suppression page, the Rules view is selected by default.

Feature	Definition
Rules	Click to switch to the Rules view
Publish History	Click to view a log of rule publication activity for your instance
Search	Enter a partial or whole value to filter current view to matching records
Add Rule	Click to create a new rule; doing so initiates the workflow described in the Creating suppression rules section of this article
Publish Rules	Click to publish new rules and rules with configuration changes since the last publish

Field name	Definition
Name	The name of the rule; clicking it will open the rule editor; for more information, refer to the Suppressing alerts section of this article
Organization	The organization to which the suppression rule applies
Location	The location to which the suppression rule applies
Author	The name of the author who created the rule
Active	Click the icon in this field to activate or deactivate the policy; indicates that the policy is active; indicates that the policy is inactive
Last Modified	The time and date the rule was last updated
Versions	Indicates how many versions of this specific rule have existed in your instance; version number iterates each time the rule is modified
	Click to delete the rule or view its previous versions

Publish History view

The Publish History view displays a log of rule publication activity for your instance.

Feature	Definition
Rules	Click to switch to the Rules view
Publish History	Click to view a log of rule publication activity for your instance
Search	Enter a partial or whole value to filter current view to matching records

Field name	Definition
Published On	The date and time of the rule's publication
Published By	The identity of the user or process that published the rule

Name	Records shown
Suppression Rules	From this view, you can create, view, and publish all alert suppression rules created for your current instance.
Publish History	This view contains a filterable list of all publish actions taken for the current instance, along with details about when the rule was published and the user account that published it.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.