I am trying to work with the suppression lists, but the documentation is somewhat incomplete. There is no mention of how a list comes into play with any of the rules. Don't the rules need to query the active list during the condition check? The only described method for adding to these is manually, via the Console, but that would be prohibitive to do. I'm getting hundreds of thousands of hits per hour on some rules, and am trying to keep the generation of correlated events from inundating my DB and stacking up millions of partial matches.
I tried adding the condition check and the event-based Name and Attacked-based Suppression AL update on one rule (Multiple Denies from Same Source), and it caused the correlated event's name to vary between the rule name and the triggering event name, and did not suppress any of the fires.
Any assistance would be appreciated. I'm getting nowhere fast.