Closed misje closed 5 months ago
Two new settings help configure this: One that ignores a set of rule_ids for incident creation, and one that ignores rule_ids altogether.
I would rather want something more customisable, like a lambda expression that lets you ignore an alert with the whole alert and also the enriched entity as context. I'll leave this issue open until I've found a satisfying solution.
A lot of sightings/incidents are generated because IP addresses with IoCs are spotted in sshd logs. The user needs a way to distinguish sightings/incidents where the IoC is attempting to access a publicly-exposed ssh port, from a very different case where a process etc. is connecting to the observable the other way around.
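One way such a context-aware ignore filter could look, sketched here as an added example and not the project's own code: the predicate receives the whole alert and the enriched IoC, classifies which side of the connection the IoC sits on, and suppresses only inbound sshd noise against an exposed port while still creating incidents when a local process reaches out to the indicator. The alert shape (`rule.id`, `rule.groups`, `data.srcip`, `data.dstip`) and all addresses are constructed assumptions.

```python
from typing import Callable

# Constructed sample alerts in a Wazuh-like shape; field names are assumptions.
SSHD_INBOUND = {  # IoC address hammering a publicly exposed ssh port
    "rule": {"id": "5710", "groups": ["sshd", "authentication_failed"]},
    "data": {"srcip": "203.0.113.10"},
}
OUTBOUND_CONN = {  # a local process connecting out to the same IoC address
    "rule": {"id": "100200", "groups": ["network", "connection"]},
    "data": {"srcip": "10.0.0.5", "dstip": "203.0.113.10"},
}
IOC = {"type": "ipv4-addr", "value": "203.0.113.10"}  # enriched entity (constructed)

# A filter gets (alert, enriched entity) and returns True to ignore the alert.
IgnoreFilter = Callable[[dict, dict], bool]


def ioc_direction(alert: dict, ioc: dict) -> str:
    """Return 'inbound' if the IoC is the source address, 'outbound' if it
    is the destination, else 'unknown'."""
    data = alert.get("data", {})
    if data.get("srcip") == ioc.get("value"):
        return "inbound"
    if data.get("dstip") == ioc.get("value"):
        return "outbound"
    return "unknown"


def ignore_inbound_sshd(alert: dict, ioc: dict) -> bool:
    """Ignore sshd alerts where the IoC is merely knocking on an exposed
    port; keep everything else (including outbound contact to the IoC)."""
    groups = alert.get("rule", {}).get("groups", [])
    return "sshd" in groups and ioc_direction(alert, ioc) == "inbound"


def ignore_rule_ids(ids: set[str]) -> IgnoreFilter:
    """Build the simpler 'ignore this set of rule_ids' filter as a lambda."""
    return lambda alert, ioc: alert.get("rule", {}).get("id") in ids


def should_create_incident(alert: dict, ioc: dict, filters: list[IgnoreFilter]) -> bool:
    """Create an incident unless any configured filter chooses to ignore it."""
    return not any(f(alert, ioc) for f in filters)
```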