Suppressing alerts
NAVIGATION Policies > Alert Suppression
SECURITY To create rules: Datto EDR subscription with analyst-level platform access or Datto AV subscription with analyst-level platform access
SECURITY To publish rules: Datto EDR subscription with administrator-level platform access or Datto AV subscription with administrator-level platform access
BEFORE YOU BEGIN The type of subscription you have may define the features available to you on this page. For a comprehensive overview of features available to Datto EDR and Datto AV customers, refer to Datto EDR and Datto AV access control.
You likely support multiple clients from a single Datto EDR or Datto AV instance in your environment, each with unique threats, risks, and requirements. If so, some alerts you receive may be applicable to some clients and inapplicable to others, resulting in false-positives. You can create rules that suppress alerts based on specific match criteria.
This article describes the process to do so.
IMPORTANT When an alert is suppressed, alert notifications will not be sent. For example, the alert will not go out to your third party integrators or ticketing systems. In addition, automated responses associated with the policy for which the alert was suppressed, are not executed.
For more information about working with alerts, refer to Working with the Alerts page, Configuring email alerts, Responding to alerts, and Datto EDR and Datto AV data retention policies
Overview
Creating suppression rules
You can create suppression rules from existing alerts or from the Policies page. Select a topic to continue.
From the Alerts page
To access the Alerts page, perform the following steps:
-
In the top navigation menu, click Alerts.
-
The page will load. You'll see a list of the threats that Datto EDR or Datto AV has detected during audits of your endpoints, with the most recent suspected malicious content displayed first.
-
Click the name of any alert to open its Alert Detail page.
-
Click Create Suppression Rule. You'll see a prompt notifying you that creating a rule will acknowledge the alert. Click Okay to continue.
-
Proceed to the Add rule details section of this article.
From the Policies page
To access the Policies page, perform the following steps:
-
To access the Policies page, in the top navigation menu, click Policies.
-
The page will load, with the Policy List view selected by default.
-
In the left navigation pane, click the Alert Suppression link.
-
The Alert Suppression page will open. Click Add Rule.
-
Proceed to the Add rule details section of this article.
Add rule details
-
The Add Suppression Rule page will open. Complete the following details.
Field Definition Name
Enter a title that describes this rule.
Description Provide a description of the rule's purpose.
Select the criteria that will cause this rule to apply to an alert. You can select multiple options. You can also enable the rule for your entire tenant, specific organizations or locations, or define additional conditions based on the alert source. Wildcards are supported.
-
When you finish customizing the rule, click Save. You'll be redirected to the Suppression Rules page. You'll see a notification indicating that your published rules are out of date.
-
Click Publish Suppression Rules to deploy your newly-created rule.
-
Future alerts that align with the match criteria in the new rule will automatically become acknowledged and assigned a severity level of Suppressed. They will not go out to your third party integrators, such as your webhooks, external syslog collectors, or integrate with your BMS or Autotask ticketing systems. To view them, from the Alerts page, select the Severity > Suppressed filter.
Managing and publishing suppression rules
You can find your saved rules at Policies > Alert Suppression. As you navigate, you'll see the following features and fields:
IMPORTANT Publishing alert suppression rules is only available to Administrator-level Datto EDR and Datto AV users.
Name | Records shown |
Suppression Rules |
From this view, you can create, view, and publish all alert suppression rules created for your current instance. |
Publish History |
This view contains a filterable list of all publish actions taken for the current instance, along with details about when the rule was published and the user account that published it. |
Feature | Definition |
Search |
Enter a partial or whole value to filter current view to matching records |
Add Suppression Rule |
Click to create a new rule; doing so initiates the workflow described in the Creating suppression rules section of this article |
Publish Suppression Rules |
Publishes all new rules and pending updates to existing rules; this button will be disabled if no new changes have been made since the last publish action |
Actions menu; enables you to delete or review previous versions of rules |
When you visit the Alert Suppression page, the Rules view is selected by default.
Feature | Definition |
Rules |
Click to switch to the Rules view |
Publish History |
Click to view a log of rule publication activity for your instance |
Search |
Enter a partial or whole value to filter current view to matching records |
Add Rule |
Click to create a new rule; doing so initiates the workflow described in the Creating suppression rules section of this article |
Publish Rules | Click to publish new rules and rules with configuration changes since the last publish |
Field name | Definition |
Name |
The name of the rule; clicking it will open the rule editor; for more information, refer to the Suppressing alerts section of this article |
Organization |
The organization to which the suppression rule applies |
Location |
The location to which the suppression rule applies |
Author |
The name of the author who created the rule |
Active |
Click the icon in this field to activate or deactivate the policy; indicates that the policy is active; indicates that the policy is inactive |
Last Modified |
The time and date the rule was last updated |
Versions |
Indicates how many versions of this specific rule have existed in your instance; version number iterates each time the rule is modified |
Click to delete the rule or view its previous versions |
The Publish History view displays a log of rule publication activity for your instance.
Feature | Definition |
Rules |
Click to switch to the Rules view |
Publish History |
Click to view a log of rule publication activity for your instance |
Search |
Enter a partial or whole value to filter current view to matching records |
Field name | Definition |
Published On |
The date and time of the rule's publication |
Published By |
The identity of the user or process that published the rule |