LimaCharlie suppression capability enables users to specify a maximum number of times a select action will trigger within a defined period. When that threshold is reached, LimaCharlie will suppress the action (that action will no longer take place). For example, if the same event occurs on the same machine (or on different machines within the same tenant) again and again, you can suppress the duplicate alert for the user-specified time.

The suppression mechanism is a part of the Response, optionally with each action. The suppression only applies to the specified action, enabling you to say, for example: “generate a LimaCharlie detection every time X happens but only send a PagerDuty alert once per hour”. In other words, you can have one rule that has multiple actions with different suppression.

An example of a D&R rule with suppression is provided below.

Detection:

event: NEW_PROCESS
op: contains
path: event/COMMAND_LINE
value: lc_tracer

Response:

- action: report
name: trace-test
- action: output
name: google-chat
suppression:
is_global: true
keys:
- '{{ .event.FILE_PATH }}'
- '{{ .event.USER_NAME }}'
max_count: 1
period: 60s

In this example, you have two actions:

  • The report means that the Alert / Detection will always be generated for retention and outputs.

  • The output action (in this case we are sending a message to Google Chat) will send a message at most once per 60 seconds per Unique( FILE_PATH + USER_NAME ). The is_global (off by default) means that we want this suppression to work across all sensors within the organization (tenant). If is_global was not set, or set to False, then it would be per-sensor. So you can have the suppression logic deduplicate across multiple rules even.

How is this different from false positive (FP) rules?

False positive (FP) rules are designed to be used for detections (alerts). If there is an action defined in the response part of the rule (i.e., send an output, trigger a PagerDuty alert, etc.), this action will trigger while the detection can be eliminated by the FP rule. This leaves a gap where a user may have a D&R rule that generates a detection and sends a PagerDuty alert, and if they eliminate the alert part of the response with an FP rule, the PagerDuty alert will still fire. The suppression capability gives users greater control over response actions as well as detections (alerts).

Did this answer your question?