Has anyone worked with Activate Base Suppression Lists successfully?

I am trying to work with the suppression lists, but the documentation is somewhat incomplete. There is no mention of how a list comes into play with any of the rules. Don't the rules need to query the active list during condition check? The only described method for adding to these is manually, via the Console, but that would be prohibitive to do. I'm getting hundreds of thousands of hits per hour on some rules, and am trying to keep the generation of correlated events from inundating my DB, and stacking up millions of partial matches.

I tried adding the condition check and the event-based Name and Attacked based Suppression AL update on one rule (Multiple Denies from Same Source) and it caused the correlated event's name to vary between rule name and triggering event name, and did not suppress any of the fires.

Any assistance would be appreciated. I'm getting nowhere fast.

  • Hi all, 

    I haven't had enough time to play with/test the new ACTIVATE packages until now. I just checked them, and I can say I don't see big progress with suppression lists and support for them in the latest L1/L2 packages.

    Because I have no more time to wait until it is implemented, I would like to ask you for suggestions on how to approach this. I need to add/use suppression lists in the L1/L2 packages, mainly ENTITY monitoring, and I would like to do it "your way".


    Can you please suggest a way you prefer? Where to place them, and how to hook them to packages/rules.

    My first idea was to add it to the main hooking filters (entity example: /All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/*)... On the other hand, it will solve the false positives with the L1/L2 packages. But if there are false positives in PRODUCT rules, it will not help me... So maybe there is a better place: some kind of product filter, "all events of product"? Or is the best way a combination of both?