Question

How to suppress alerts in SecOps

  • January 9, 2025
  • 6 replies
  • 440 views


Hello All,

I'm working on setting up alerting rules in SecOps, and I’m encountering an issue where some alerts are critical but tend to trigger frequently, creating unnecessary noise in the alert stream.

I’m thinking of implementing a rule where, once an alert is triggered, subsequent alerts of the same type (or related) would be suppressed until a specified time window has passed. The goal is to avoid alert fatigue and ensure that we’re not overwhelmed with redundant notifications while still tracking important events.

Has anyone implemented a similar mechanism? If so, could you share some insights on how you went about this or any best practices you’d recommend? I’m particularly interested in solutions where the suppression is time-based (e.g., 30 minutes after an alert is triggered, suppress any similar alerts during that period).

Thanks,
Suraj Kadav

6 replies

  • Bronze 1
  • January 9, 2025

If your goal is to close/group alerts [1-10] after alert [0] triggers, there are a few things you should try:

  1. If it is a YARA-L rule: you can add exclusions and group alerts in SIEM before it creates the SecOps Case: https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#match_section_syntax
  2. You can define rule/alert-specific alert groupings in the SOAR settings with a time frame of up to 24 hours: https://cloud.google.com/chronicle/docs/soar/investigate/working-with-alerts/alert-grouping-mechanism-admin
  3. You could add logic to your playbook so that one of the first steps is to search for similar alerts in the last x time; if it finds a match on the criteria you define (same alert name, user/host/IP/file, etc.), it closes out the new alert as a "duplicate".

Those are the quicker solutions; a longer and more advanced solution would be to build some sort of suppression/automation system in SecOps using the available integrations from the marketplace and custom SOAR actions.


maxjunker
  • Bronze 4
  • October 8, 2025

YARA-L has a new feature: suppression of alerts.

https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#suppression_window

rule SuppressionWindowExample {
  // Other rule sections

  outcome:
    $suppression_key = $hostname

  options:
    suppression_window = 5m
}


H_infosec
  • New Member
  • October 9, 2025


Hi, we have the following structure of a rule as an example.

rule XXX_failed_Bob_connection_to_ip {

  meta:
    xxxxxxxxxxxxxxxx

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.target.ip = $target
    $target IN %Bob_IP.IP_Address
    $e.security_result.action != "ALLOW"

  outcome:
    $risk_score = 0
    $hostname = array_distinct($e.intermediary.hostname)
    $action = array_distinct($e.security_result.action)
    $source_ip = array_distinct($e.principal.ip)
    $destination_ip = array_distinct($target)
    $source_port = array_distinct($e.principal.port)
    $destination_port = array_distinct($e.target.port)
    $event_type = array_distinct($e.metadata.product_event_type)
    $suppression_key = $source_ip

  options:  // it's showing an error on this portion, perhaps not recognising it
    suppression_window = 12h

  condition:
    $e
}

I understand that this suppression does not work with multi-event rules where a match is involved? Is that right?
This rule above is a single-event rule. We do not have a match block. We do have a condition block. Kindly advise how we should proceed in order to suppress the rule? (Orange is what I tried adding to the existing running rule.)


cmorris
Staff
  • Staff
  • October 9, 2025

Try moving the options section after the condition section.



Hello all,

SecOps recently updated the suppression function within YARA-L. It is now possible to suppress any type of rule.
For single-event rules, add the placeholder $suppression_key with the value that will be used as the basis for suppression. Then, after the condition section, add options: suppression_window = 1d (or the time you want to suppress for).

outcome:
  $suppression_key = $user

condition:
  $e

options:
  suppression_window = 1d // suppress for one day by user


In the case of a multi-event rule, add the options section; the basis for suppression will be the values of your match.

match:
  $user over 1h

condition:
  $e1 and $e2

options:
  suppression_window = 1d // suppress for one day by user

References used:

https://docs.cloud.google.com/chronicle/docs/yara-l/options-syntax#expandable-1
https://docs.cloud.google.com/chronicle/docs/yara-l/options-syntax#expandable-2
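Putting the advice in this thread together (the suppression key lives in outcome, and options comes after condition), here is H_infosec's single-event rule rewritten in that order. This is an added example, not a snippet from the thread or from the Google docs; the reference list %Bob_IP.IP_Address is taken from the original post, and the meta values are placeholders.

```yaral
rule failed_connection_to_watchlisted_ip_suppressed {
  // Added example based on H_infosec's rule above, with the options section
  // moved after condition as cmorris advised. Meta values are placeholders.
  meta:
    author = "placeholder"
    description = "Denied connection to a watchlisted IP, one alert per source IP per 12h"
    severity = "MEDIUM"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.target.ip = $target
    $target IN %Bob_IP.IP_Address
    $e.security_result.action != "ALLOW"
    // Bind the source IP as a placeholder so it can serve as the suppression key.
    $e.principal.ip = $source_ip

  outcome:
    $risk_score = 0
    $hostname = array_distinct($e.intermediary.hostname)
    $action = array_distinct($e.security_result.action)
    $destination_ip = array_distinct($target)
    $destination_port = array_distinct($e.target.port)
    // One alert per source IP; further detections for the same key are
    // suppressed for the length of suppression_window below.
    $suppression_key = $source_ip

  condition:
    $e

  options:
    suppression_window = 12h
}
```

Section order matters here: the rule fails to compile when options precedes condition, which is the error the original post ran into.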

SoarAndy
Staff
  • Staff
  • November 7, 2025

Adding for wider completeness, looking from the ground up:

Converting a single-event rule to use a match window (e.g. 1 hour) will essentially group multiple events under one Alert. However, this might affect the latency from ingest to alert.

Using suppression (mentioned above) can prevent further events firing until

If an Alert is firing out of control, you can combine it with Composite rules to add additional logic (i.e. rule chaining).

If you want the Alerts to reach SOAR, you can then do Alert grouping; with some playbook design you can close the Alert without following any other logic.

HTH