Can we hide detections from all vulnerability scanners defined in a device group?

Unbeknownst to me, our customer recently kicked off some vulnerability scanning. During a review of detections, a number of detections had fired, and I realized these devices were valid vulnerability scanners. So I confirmed the list of known vulnerability scanners used in the environment, built a device group, and expected to be able to disable detections generated by these devices, but found that I’m only able to create a rule based on an actual detection, not based on a known set of devices. This means I need to wait for Reveal to detect the interesting event and fire a detection, then go in and hide that specific detection, unless I’m missing something.

Am I missing this ability to hide ANY and ALL detections detected for the devices in the device group or is this something that can be done another way?

2 Likes

I have the same problem. I asked ExtraHop for this enhancement. Unfortunately, there is currently no way to add detection rules in advance. There is also no published catalog of detections. You can, however, create Device Groups for both the victims and the offenders in advance. When the detections trigger, you can create a rule and assign it to your Device Groups. I recommend you create a trigger and send detections to your SIEM/Syslog system.

1 Like
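The reply above suggests forwarding detections to a SIEM from a trigger. Below is an added example (not code from the thread or from ExtraHop) that models the triage logic such a trigger would carry: given the addresses of the devices in the "known scanners" device group, it tags detections whose offenders are all known scanners as scanner noise and formats a key=value syslog line carrying that tag, so the suppression decision can be made downstream in the SIEM even though Reveal(x) cannot pre-create the tuning rule. Assumptions: the detection objects are constructed here and only mirror the general shape of the trigger API's `Detection` object (`title`, `riskScore`, `participants[].role`, `participants[].object.ipaddr`); the set of scanner addresses and the sample detections are made up; in a real trigger the same helpers would run inside a `DETECTION_UPDATE` event and the line would be sent with `Remote.Syslog.info()`. Verify those names against the trigger API docs for your firmware before deploying.

```javascript
// Added example: offline model of scanner-noise triage for detection forwarding.
// Assumed shape of a detection (mirrors ExtraHop's trigger Detection object only
// loosely): { id, title, riskScore, participants: [{ role, object: { ipaddr } }] }.

// Constructed: IP addresses of the devices in the "Known Vulnerability Scanners" group.
const SCANNER_ADDRS = new Set(['10.0.5.10', '10.0.5.11']);

// Constructed sample detections as a DETECTION_UPDATE handler would see them.
const SAMPLE_DETECTIONS = [
  { id: 101, title: 'Port Scan', riskScore: 30,
    participants: [{ role: 'offender', object: { ipaddr: '10.0.5.10' } },
                   { role: 'victim',   object: { ipaddr: '10.1.2.3' } }] },
  { id: 102, title: 'SQL Injection Attempt', riskScore: 80,
    participants: [{ role: 'offender', object: { ipaddr: '203.0.113.7' } },
                   { role: 'victim',   object: { ipaddr: '10.1.2.3' } }] },
  // Mixed offenders: one scanner plus one unknown host. Must NOT be suppressed.
  { id: 103, title: 'Brute Force', riskScore: 60,
    participants: [{ role: 'offender', object: { ipaddr: '10.0.5.11' } },
                   { role: 'offender', object: { ipaddr: '198.51.100.9' } },
                   { role: 'victim',   object: { ipaddr: '10.1.2.4' } }] },
];

function addrsByRole(det, role) {
  return det.participants
    .filter(p => p.role === role && p.object && p.object.ipaddr)
    .map(p => p.object.ipaddr);
}

// A detection counts as scanner noise only when it has at least one offender and
// every offender is a known scanner. Any non-scanner offender keeps the detection
// live, so an attacker cannot hide behind authorized scanning.
function isKnownScannerNoise(det, scanners) {
  const offenders = addrsByRole(det, 'offender');
  return offenders.length > 0 && offenders.every(a => scanners.has(a));
}

// Key=value line for the SIEM; the known_scanner flag lets the SIEM drop or
// down-rank the event without losing the record that it fired.
function toSyslogLine(det, scanners) {
  const offenders = addrsByRole(det, 'offender').join(',');
  const victims = addrsByRole(det, 'victim').join(',');
  const title = String(det.title).replace(/"/g, '\\"');
  return `extrahop_detection id=${det.id} title="${title}" risk=${det.riskScore} ` +
         `offenders=${offenders} victims=${victims} ` +
         `known_scanner=${isKnownScannerNoise(det, scanners)}`;
}

// Triage a batch: returns one record per detection with the decision and the line.
function triage(dets, scanners) {
  return dets.map(d => ({
    id: d.id,
    suppress: isKnownScannerNoise(d, scanners),
    line: toSyslogLine(d, scanners),
  }));
}

// Stand-alone run over the constructed sample.
for (const r of triage(SAMPLE_DETECTIONS, SCANNER_ADDRS)) {
  console.log((r.suppress ? 'SUPPRESS ' : 'FORWARD  ') + r.line);
}
```

In the real trigger body the loop above is replaced by a single call on the global `Detection` and `Remote.Syslog.info(line)`; the decision logic stays the same. The mixed-offender case (detection 103) is the one to keep an eye on: suppressing on "any offender is a scanner" would let real activity ride along with the scan.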