Background
In 2024, we added the Accepted Behavior feature, which introduced Suppression Rules, to our XDR products.
Suppression rules help reduce noise by automatically closing detections that are known to be acceptable.
However, to avoid creating blind spots, it’s important to routinely review older rules, confirm they still reflect current business reality, and update or disable them when needed.
This article explains why regular reviews matter, how the portal highlights older rules, and how to maintain an effective and compliant suppression rule set over time.
Why regular review of suppression rules is important
Business and environment changes
What was acceptable to suppress at one point may no longer be acceptable later. For example, if an organization stops using a particular tool that was previously allowed, an old suppression rule could hide genuinely suspicious activity if that tool reappears.
Risk of over-suppression
Suppression rules automatically close BCDs. If they are too broad or no longer well targeted, they can silence meaningful detections and reduce overall security visibility.
Evolving detection behavior
Detection logic and key detections can change over time. A BCD that was previously fully suppressed can become visible again if a new, non-suppressed key detection is added, so existing rules need to stay aligned with current behavior.
Forward-only effect
Suppression rules apply only to future BCDs, not to those created before the rule existed. Reviewing rules helps ensure they are still justified and useful for upcoming detections.
No automatic validation
There is no built-in way to verify that a suppression rule still matches the detections it was intended to cover. Without review, redundant, ineffective, or overlapping rules can remain in place.
Regular reviews keep suppression rules precise, justified, and aligned with current risk and usage, helping prevent blind spots while keeping the rule set manageable.
How the portal notifies users about old rules
The portal helps you identify outdated suppression rules by showing banners when rules have not been updated recently.
Per-rule banner
In the Suppression rule summary, a banner is displayed for each rule that has not been updated for more than 30 days, and a stronger one once it passes 90 days.
Page-level banner
At the top of the Suppression rule page, a banner appears once any rule has passed the 90-day period; it includes a link that lists all outdated suppression rules. You can also open the outdated list via the View dropdown.
Step-by-step guide to reviewing and updating old rules
- List your active rules: Start by reviewing all active suppression rules (use the banners or the outdated-rules view to quickly filter to older rules).
- Confirm the original rationale: Revisit why each rule was created and confirm the suppressed behavior is still expected and acceptable.
- Check alignment with current detections: Detection behavior can evolve over time. Ensure each rule still matches how detections work today.
- Tighten scope for precision: Evaluate each rule’s conditions so it suppresses only the intended behavior. Rules that are too broad can hide meaningful detections and reduce visibility into security-relevant activity.
- Identify overlap and duplicates: Look for rules that duplicate or partially overlap others (especially where wildcards or broad conditions were used).
- Update or disable: If a rule is still required but imprecise, update it. If it’s no longer needed, disable it. Removing unused rules also helps stay within system limits for active suppression rules.
- Monitor after changes: Suppression rules apply only to future detections, so monitor new detections after changes to confirm the rule behaves as expected.
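The portal flags rule age but, as noted above, does not validate whether a rule still matches anything or overlaps another rule. The script below is an added example (not part of this article or the product) that performs those checks offline on an exported rule list: it buckets rules by the same 30/90-day thresholds the banners use, reports rules that matched none of the recent detections, and flags rules whose scope is already covered by a broader wildcard rule. The rule fields, the process-path pattern semantics and all sample data are assumptions constructed for the example.

```python
from datetime import date
from fnmatch import fnmatchcase

# Constructed sample data (not from a real tenant). Assumed rule fields:
# name, pattern (process path the rule suppresses, '*' wildcard allowed),
# updated (date of last edit). Detections are process paths from recent BCDs.
RULES = [
    {"name": "legacy-backup-agent", "pattern": "C:\\Tools\\backup\\*.exe", "updated": date(2024, 3, 1)},
    {"name": "all-tools", "pattern": "C:\\Tools\\*", "updated": date(2024, 11, 20)},
    {"name": "old-vpn-client", "pattern": "C:\\OldVPN\\vpn.exe", "updated": date(2024, 6, 1)},
    {"name": "it-scanner", "pattern": "C:\\IT\\scanner.exe", "updated": date(2025, 1, 15)},
]
RECENT_DETECTIONS = ["C:\\Tools\\backup\\bkp.exe", "C:\\IT\\scanner.exe"]
TODAY = date(2025, 2, 1)  # fixed so the output is reproducible


def age_bucket(rule, today=TODAY):
    """Mirror the portal's per-rule banners: returns 'ok', '30d' or '90d'."""
    age_days = (today - rule["updated"]).days
    return "90d" if age_days > 90 else "30d" if age_days > 30 else "ok"


def covered_by(rule, other):
    """Heuristic overlap test: does `other`'s pattern match `rule`'s pattern as a literal?
    If so, everything `rule` suppresses is already suppressed by the broader `other`."""
    return rule is not other and fnmatchcase(rule["pattern"], other["pattern"])


def review(rules=RULES, detections=RECENT_DETECTIONS, today=TODAY):
    """Return {rule name: [review notes]}; an empty list means nothing to act on."""
    findings = {}
    for rule in rules:
        notes = []
        bucket = age_bucket(rule, today)
        if bucket != "ok":
            notes.append(f"not updated for more than {bucket[:-1]} days")
        # Forward-only check: a rule that matched no recent BCD may be stale.
        if not any(fnmatchcase(d, rule["pattern"]) for d in detections):
            notes.append("matched no recent detections; confirm it is still needed")
        for other in rules:
            if covered_by(rule, other):
                notes.append(f"fully covered by broader rule '{other['name']}'")
        findings[rule["name"]] = notes
    return findings


if __name__ == "__main__":
    for name, notes in review().items():
        print(name, "->", notes or ["ok"])
```

The overlap test is deliberately conservative: it only reports a rule when another pattern subsumes it entirely, so partially overlapping wildcards still need a manual look.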
Best practices for maintaining effective suppression rules
- Keep rules precise: Target only the specific behavior that is known and accepted.
- Avoid over-suppression: Reduce noise without removing meaningful security signals.
- Review regularly: Environments, tools, and acceptable behavior change over time.
- Disable rules that are no longer needed: Keep the rule set manageable and preserve capacity for new rules.
- Watch for overlapping or duplicate rules: Regular reviews help remove redundant coverage.
- Monitor behavior after changes: Confirm that new detections behave as expected after rule updates.
- Use wildcards carefully: Poorly scoped wildcards can suppress unrelated detections and make rules hard to reason about.
- Treat rules as owned configuration: Assign ownership and maintain rules as part of ongoing security hygiene.
Compliance and retention information
Retention of suppression rules
Suppression rules are not deleted. This helps preserve configuration history and the context behind why detections were suppressed, supporting reference and audit needs.
Retention of suppressed incidents
Incidents that are automatically closed due to suppression rules are not deleted. Suppressed incidents are retained the same way as other incidents (for example, those resolved as accepted behavior). Suppression affects visibility and status, not data retention.
Retention period after subscription ends
When a customer subscription ends, data is not removed immediately. There is a short retention period after the last subscription expires during which customer data is still kept. After this period, the data is deleted in line with standard data removal processes described in the Elements privacy policy.
Compliance context
Because suppression rules and related incidents are retained for the duration of the customer relationship, they can support compliance, audit, and traceability requirements. This includes being able to understand why certain detections were suppressed and how incidents were handled over time.