Describe the feature
Introduce new options within the UTMStack platform (either within the tagging rule configuration or as separate settings) to control alert email notifications and the automatic closing of alerts, independent of marking an alert as a "False Positive."
Use Case
Feature Request Title: Options to Suppress Alert Emails and Close Alerts Independently of "False Positive" Tagging
Feature Description:
Introduce new options within the UTMStack platform (either within the tagging rule configuration or as separate settings) to control alert email notifications and the automatic closing of alerts, independent of marking an alert as a "False Positive."
Problem Statement:
Currently, the primary mechanism to prevent alert emails and potentially close alerts seems to be tied to identifying an event as a "False Positive" through tagging rules. However, there are scenarios, particularly in incident response automation (IRA), where an alert might be valid but is being actively managed and resolved by automated systems. In such cases, receiving redundant email notifications for already handled incidents can be noisy and inefficient. Furthermore, marking an alert as a "False Positive" prevents it from being triggered or processed by incident response automation workflows, even if the initial detection was valid and requires automated action. Simply marking an alert as a "False Positive" might not accurately reflect the situation, as the initial alert was indeed valid and required attention.
Proposed Solution
Implement the following distinct options:
Suppress Alert Email Notification: An option (e.g., a checkbox within a tagging rule or a separate rule/policy setting) that, when applied to an alert, prevents the sending of email notifications. Ideally, this suppression could be conditionally triggered based on the outcome of associated Incident Response Automation (IRA) execution. For instance, if the IRA runs successfully and returns an exit status of 0 (indicating no errors), the email notification could be automatically suppressed. This would ensure that human analysts are not flooded with emails for incidents that have been automatically remediated without issues.
Automatically Close Alert: An option (similarly configurable) that, when applied to an alert, automatically closes the alert within the UTMStack interface after a defined condition is met (e.g., a specific tag is applied, a certain timeframe elapses, or an external system signals resolution via API). Similar to email suppression, it would be beneficial if this automatic closure could be linked to the successful execution of an IRA. If the IRA completes with an exit status of 0, the alert could be automatically closed, providing a clear indication that the incident has been handled.
In essence, it would be valuable to have the ability to configure tagging rules or alert policies such that the suppression of email notifications and the automatic closure of alerts are contingent upon the successful (exit status 0) execution of any associated Incident Response Automation workflows triggered by that alert. This would create a more intelligent and automated alert handling process.
Other Information
No response
Acknowledgements
I may be able to implement this feature request
This feature might incur a breaking change
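The policy sketched in the proposed solution above, written out as an added example (not UTMStack code; the type and field names `RuleOptions`, `IRAResult`, `Decide` are assumptions). The point it makes explicit is the failure mode: email suppression and auto-closure take effect only when the IRA actually ran and exited 0, so a failed or skipped remediation still notifies an analyst and leaves the alert open.

```go
package main

import "fmt"

// RuleOptions models the tagging-rule settings the issue proposes next to the
// existing "False Positive" tag. Field names are assumptions, not UTMStack's.
type RuleOptions struct {
	FalsePositive bool // existing tag: no email, no IRA (closure assumed here)
	SuppressEmail bool // proposed: drop the email once IRA succeeds
	AutoClose     bool // proposed: close the alert once IRA succeeds
}

// IRAResult is the outcome of the Incident Response Automation run for the
// alert; Ran is false when no workflow was triggered for it.
type IRAResult struct {
	Ran      bool
	ExitCode int
}

// Decision is what the alert pipeline does after applying the rule.
type Decision struct {
	RunIRA     bool
	SendEmail  bool
	CloseAlert bool
}

// Decide applies the proposed policy: suppression and closure only take effect
// when the IRA actually ran and exited 0; a failed or missing run keeps the
// default behaviour (email sent, alert left open) so nothing is silently lost.
func Decide(opts RuleOptions, ira IRAResult) Decision {
	if opts.FalsePositive {
		return Decision{RunIRA: false, SendEmail: false, CloseAlert: true}
	}
	d := Decision{RunIRA: true, SendEmail: true, CloseAlert: false}
	if ira.Ran && ira.ExitCode == 0 {
		d.SendEmail = !opts.SuppressEmail
		d.CloseAlert = opts.AutoClose
	}
	return d
}

func main() {
	opts := RuleOptions{SuppressEmail: true, AutoClose: true}
	fmt.Printf("IRA ok:     %+v\n", Decide(opts, IRAResult{Ran: true, ExitCode: 0}))
	fmt.Printf("IRA failed: %+v\n", Decide(opts, IRAResult{Ran: true, ExitCode: 1}))
	fmt.Printf("no IRA:     %+v\n", Decide(opts, IRAResult{}))
}
```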