I would like to get some clarification on two things about suppression via options which are not clear based on the official documentation (Options section syntax | Google Security Operations | Google Cloud Documentation).
1.) For single-event queries, is it possible to use more than one variable for the suppression key? For example, $suppression_key = $hostname, $cmd does not work (the editor throws an error), but using strings.concat on the two variables does not throw an error:
outcome:
    // outcome variables derived from the single event $e
    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid
    $cmd = $e.target.process.command_line
    // two values folded into one string so they can be used as the suppression key
    $suppression_key = strings.concat($hostname, $cmd)
2.) This statement from the doc: "If you don't specify a suppression_key, all query instances are suppressed globally during the window." What exactly does this mean? Is the entire rule suppressed during the specified window, regardless of which events are matched?
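For context, here is a complete single-event rule built around the outcome snippet from the post. This is an added example, not code from the post or from the Google documentation: the rule name, the event-type filter and the 10m window are assumptions, and the options section assumes the suppression_window option documented on the page the post links. One caveat a practitioner would want: concatenating two fields with no separator makes the key ambiguous (hostname "web1" with command "ls" collides with hostname "web" with command "1ls"), so the example inserts a delimiter via nested two-argument strings.concat calls, which avoids assuming anything about a variadic form of the function.

```yaral
rule process_launch_suppressed_per_host_and_cmd {
  meta:
    author = "added example, not from the original post"
    description = "Single-event rule whose repeat alerts are suppressed per (hostname, command line) pair"
    severity = "Medium"

  events:
    // Assumed filter; the field paths mirror those used in the post.
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname != ""
    $e.target.process.command_line != ""

  outcome:
    $hostname = $e.principal.hostname
    $user = $e.principal.user.userid
    $cmd = $e.target.process.command_line
    // Delimited key: "<hostname>|<command_line>". The "|" separator keeps the
    // key unambiguous; nested two-argument calls are used so the example does
    // not depend on strings.concat accepting more than two arguments.
    $suppression_key = strings.concat(strings.concat($hostname, "|"), $cmd)

  condition:
    $e

  options:
    // Assumed value. With $suppression_key set above, suppression applies per
    // distinct key value for this window rather than to the rule as a whole.
    suppression_window = 10m
}
```

If the user field should also scope suppression, extend the key the same way (another nested strings.concat with a delimiter) rather than relying on implicit ordering of multiple variables, since the editor rejects the comma-separated form noted in the post.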
