Hide Detections

I am trying to hide a number of detections where a single offender is reaching out to two or more victims. It seems the only option is to hide “any device” once you have more than one victim. I want to hide the two devices and not any device. I have looked for the unique single combination in detections where the single offender is reaching out to the single victim, but that doesn’t exist. I have also tried to create a device group with the two victim IPs and that doesn’t show as an option either.

Any ideas? Sounds like a feature request?

Thanks,
Erick

If you hover on the victims, do either of them offer you a link to ARIN? If it does, then you’re hitting a case where the system doesn’t know about that IP address as a discovered device, and therefore doesn’t consider the IP a member of your group. There are some solutions to that; let me know if you are seeing those ARIN links and we can go from there.

There are a few things at play here that may be impacting your experience. First, when you click “Hide detections like this”, the system will only allow you to create a rule that will successfully hide the detection you clicked from.

If you were to create two rules that way, it still wouldn’t hide this detection. We don’t support detection rules “teaming up” to hide a detection that neither rule can explain on its own.

Thanks for the reply. I do get the ARIN link for both devices, as these are external to our network. Based on your response about “hide any device”, am I understanding that there is no way to hide that specific detection?

Thanks,
Erick

If it really is just those two IP addresses, then your best bet right now would be to enable remote discovery for those exact IP addresses. That will create device objects in the ExtraHop system, which you can then put into a group and use to hide future detections with that pair. However, I don’t think we retroactively update detections from before the config change to reference the newly-discovered devices, so that wouldn’t help with the detection you already have.

If the detection type isn’t firing frequently in your environment you could use an 8-hour hiding rule to get the old detection out of the feed. After 8 hours the rule would stop hiding new detections, but the one you initially targeted would stay hidden.
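The rule semantics described across the replies above (a single rule must explain the offender and every victim on its own, rules never combine, undiscovered external IPs are not group members, and a timed rule leaves already-hidden detections hidden after it expires) are easy to get wrong when planning rules. The following is an added toy model of those semantics, written for this thread; it is not ExtraHop code and does not use the ExtraHop API. Identifiers, timings, the `group:<name>` selector syntax and the "non-retroactive" handling of newly discovered devices (which the reply above only states as a belief) are assumptions made for the example, and the IPs are constructed documentation addresses.

```python
"""Toy model of the detection-hiding semantics discussed in the thread.
Hypothetical illustration only: not ExtraHop code, not its API."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

HOUR = 3600


@dataclass(frozen=True)
class Detection:
    det_id: str
    offender: str
    victims: FrozenSet[str]
    created: int  # epoch seconds


@dataclass(frozen=True)
class HidingRule:
    offender: str  # a participant, "any", or "group:<name>" (assumed syntax)
    victim: str
    created: int
    duration: Optional[int] = None  # seconds; None means the rule never expires

    def active_at(self, now: int) -> bool:
        if now < self.created:
            return False
        return self.duration is None or now < self.created + self.duration


class Inventory:
    """Discovered devices and device groups. A participant that is not a
    discovered device (the external IPs that show an ARIN link) can appear
    in a detection but is never a member of any group."""

    def __init__(self, discovered: Set[str], groups: Dict[str, Set[str]]):
        self.discovered = set(discovered)
        self.groups = {name: set(members) for name, members in groups.items()}

    def discover(self, participant: str) -> None:  # remote discovery
        self.discovered.add(participant)


def selector_matches(selector: str, participant: str, known: FrozenSet[str],
                     groups: Dict[str, Set[str]]) -> bool:
    if selector == "any":
        return True
    if selector.startswith("group:"):
        # Group membership only counts for participants that were device
        # objects when the detection was recorded (assumed non-retroactive).
        return participant in known and participant in groups.get(selector[6:], set())
    return selector == participant


def rule_explains(rule: HidingRule, det: Detection, known: FrozenSet[str],
                  groups: Dict[str, Set[str]]) -> bool:
    """A single rule must account for the offender and every victim."""
    return (selector_matches(rule.offender, det.offender, known, groups)
            and all(selector_matches(rule.victim, v, known, groups) for v in det.victims))


class Feed:
    def __init__(self, inv: Inventory):
        self.inv = inv
        self.rules: List[HidingRule] = []
        self.detections: Dict[str, Detection] = {}
        self.known: Dict[str, FrozenSet[str]] = {}  # device objects at record time
        self.hidden: Set[str] = set()

    def record(self, det: Detection) -> None:
        self.detections[det.det_id] = det
        self.known[det.det_id] = frozenset((det.victims | {det.offender}) & self.inv.discovered)

    def add_rule(self, rule: HidingRule) -> None:
        self.rules.append(rule)

    def evaluate(self, now: int) -> Set[str]:
        """Hide every visible detection that some single active rule explains.
        Rules never combine; a detection hidden earlier stays hidden after its
        rule expires."""
        for det_id, det in self.detections.items():
            if det_id not in self.hidden and any(
                    r.active_at(now) and rule_explains(r, det, self.known[det_id], self.inv.groups)
                    for r in self.rules):
                self.hidden.add(det_id)
        return set(self.hidden)


def scenario() -> Dict[str, bool]:
    """Walk through the thread's cases with constructed data (documentation IPs)."""
    pair = {"203.0.113.7", "203.0.113.8"}  # constructed external victims
    inv = Inventory(discovered={"scanner"}, groups={"pair": pair})
    feed = Feed(inv)
    feed.record(Detection("d1", "scanner", frozenset(pair), created=0))
    out: Dict[str, bool] = {}
    # 1. A group rule cannot match victims that are not discovered devices.
    feed.add_rule(HidingRule("scanner", "group:pair", created=10))
    out["group_rule_before_discovery"] = "d1" in feed.evaluate(now=10)
    # 2. Two single-victim rules do not team up to hide a two-victim detection.
    for ip in sorted(pair):
        feed.add_rule(HidingRule("scanner", ip, created=20))
    out["two_single_rules"] = "d1" in feed.evaluate(now=20)
    # 3. After remote discovery the group rule explains a new detection with the
    #    pair, while the old detection still references undiscovered participants.
    for ip in pair:
        inv.discover(ip)
    feed.record(Detection("d2", "scanner", frozenset(pair), created=30))
    hidden = feed.evaluate(now=30)
    out["old_detection_after_discovery"] = "d1" in hidden
    out["new_detection_after_discovery"] = "d2" in hidden
    # 4. An 8-hour "scanner -> any" rule clears d1 now; a detection raised after
    #    the rule expires is not hidden, but d1 stays hidden.
    feed.add_rule(HidingRule("scanner", "any", created=40, duration=8 * HOUR))
    out["timed_rule_hides_old"] = "d1" in feed.evaluate(now=40)
    later = 40 + 9 * HOUR
    feed.record(Detection("d3", "scanner", frozenset({"198.51.100.4"}), created=later))
    hidden = feed.evaluate(now=later)
    out["after_expiry_new_hidden"] = "d3" in hidden
    out["after_expiry_old_still_hidden"] = "d1" in hidden
    return out


if __name__ == "__main__":
    for case, is_hidden in scenario().items():
        print(f"{case}: {'hidden' if is_hidden else 'visible'}")
```

Running it prints one line per case; the two cases that come out "hidden" are the new detection after the victims were remotely discovered and the old detection cleared by the 8-hour rule, which is exactly the workaround the last reply proposes. Step 3 encodes the poster's hedged belief that earlier detections are not rewritten to reference newly discovered devices; if that turns out not to hold on a real system, the old detection would be hidden by the group rule as well.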