Tune detections

Detection tuning gives you more control over which detections are visible or generated for your network. There are two ways to tune a detection: you can hide a detection throughout the system based on a specific victim, offender, or both, or you can add trusted domains to suppress certain detections that are based on suspicious domain activity.

For example, you might want to hide an expected vulnerability scanner detection that occurs frequently. Or, you might have an internal device that regularly contacts an external licensing server at a trusted domain, which results in a Command-and-Control Beaconing detection.

For most detections, you can hide the detection by creating a detection rule.

However, if the detection involves suspicious activity for a domain, you must choose between suppressing detections for that domain by adding it as a trusted domain, and hiding the detection by offender, victim, or both.

When you hide a detection, a detection rule is created on the Manage Detection Rules page. Detections that match the specified criteria are hidden from view, which affects the following system areas:
  • Triggers and alerts associated with hidden detections do not run while the rule is enabled.
  • Detection markers for hidden detections are not displayed on charts.
  • Hidden detections do not appear on activity maps.
  • Detection counts on related pages, such as the Device Overview page or the Activity page, do not include hidden detections.

When you add a trusted domain, an entry is added to the Network Localities page. Future detections that target malicious domain activity for that trusted domain are suppressed. Note that you can also directly add trusted domains to the Network Localities page.

Tune a detection from a detection card

Before you begin

Users must have limited-write or higher privileges to tune a detection.
  1. Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
  2. At the top of the page, click Detections.
  3. From a detection card, click Tune.
  4. Different options appear depending on the type of detection.
    • If a form appears, complete the fields and click Save. The detection rule is added to the Manage Detection Rules page.
    • If a dialog box appears, select one of the following options:
      • Select Suppress detections that target malicious domain activity for this domain. The domain name from the detection is automatically populated in the field. Click Save. The trusted domain is added to the Network Localities page.
      • Select Hide detections by offender, victim, or both. Then, click Next. Complete the fields for the selected detection, and then click Save. The detection rule is added to the Manage Detection Rules page.

Manage Detection Rules

You can extend the duration of a rule, re-enable a rule, and disable or delete a rule from the Manage Detection Rules page.

Click Manage Detection Rules from the lower-left corner of the Detections page.

  • After you disable or delete a rule, the rule expires immediately and associated triggers and alerts resume.
  • After you disable a rule, previously hidden detections remain hidden; ongoing detections appear.
  • Deleting a rule displays previously hidden detections.
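The following Python model, added here as an illustration and not ExtraHop code or its API, walks through the hiding and suppression behaviour described above: a rule hides matching detections by offender, victim, or both, a trusted domain suppresses domain-based detections, disabling a rule keeps earlier hidden detections hidden while new ones appear, and deleting a rule reveals everything it hid. All host and domain names are constructed, and a rule past its expiry is assumed to behave like a disabled one.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Detection:
    id: int
    offender: str
    victim: str
    domain: Optional[str] = None  # set only for domain-based detections

@dataclass
class HidingRule:
    offender: Optional[str]  # None means "any": hide by offender, victim, or both
    victim: Optional[str]
    expires: datetime
    enabled: bool = True
    hidden_ids: set = field(default_factory=set)  # detections this rule has hidden

    def matches(self, d: Detection) -> bool:
        return self.offender in (None, d.offender) and self.victim in (None, d.victim)

def evaluate(detections, rules, trusted_domains, now):
    """Return (suppressed_ids, hidden_ids). Trusted domain -> suppressed; active rule
    -> matches hidden and remembered; disabled rule -> only what it already hid stays
    hidden; deleted rule -> absent from `rules`, so what it hid is visible again."""
    suppressed, hidden = set(), set()
    for d in detections:
        if d.domain and d.domain in trusted_domains:
            suppressed.add(d.id)
            continue
        for r in rules:
            # Assumption: a rule past its expiry behaves like a disabled one
            if r.enabled and now < r.expires and r.matches(d):
                r.hidden_ids.add(d.id)
            if d.id in r.hidden_ids:
                hidden.add(d.id)
    return suppressed, hidden

def demo():
    # Constructed sample: a noisy scanner hiding rule plus a trusted licensing domain
    now, trusted = datetime(2023, 12, 5), {"license.example.com"}
    dets = [Detection(1, "scanner.lab", "web01"), Detection(2, "scanner.lab", "db01"),
            Detection(3, "host07", "license.example.com", domain="license.example.com")]
    rule = HidingRule("scanner.lab", None, expires=now + timedelta(days=30))
    first = evaluate(dets, [rule], trusted, now)
    rule.enabled = False                               # disable: earlier hides persist
    dets.append(Detection(4, "scanner.lab", "app01"))  # ongoing detection now appears
    second = evaluate(dets, [rule], trusted, now)
    third = evaluate(dets, [], trusted, now)           # rule deleted: all visible again
    return first, second, third
```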

You can temporarily show hidden detections on the Detections page by selecting the Show Hidden Detections checkbox, without disabling the detection rules. Each hidden detection includes a link to the associated detection rule and displays the username of the user who created the rule, similar to the following figure:

Published 2023-12-05