Tune Detections with Group for Victim

Should we be able to tune/hide detections by using a group for the Victim field?

I’m trying to hide a detection and, while I have group options for the Offender field, the only options I see for the Victim field are the IP address of the detection victim and Any Device.

Hi @cjdavis,

The detection hiding options shown are based on the particular detection you clicked to hide. For the offender and victim dropdowns, this means that only device groups that contain the offender or victim are shown, as these are the groups that directly relate to that detection.

When the offender or victim is an IP address that is not associated with a discovered device (as is typically the case with an external IP address) it is not part of any device groups. In this case, the only options are to hide detections in which the victim is that specific IP address or any device at all.

Is there a specific device group you want to ignore as victims for a certain detection type? If so, you can do this by clicking the Tune button on another one of these detections where the victim is a discovered device in your environment.

I should have been clearer in my original post. The victim for the detection I’m looking at is an IP address associated with a discovered device that is part of a device group, but the group is not shown as an option for the Victim field.

I added the subnet containing the victim IP to remote device discovery, then created a group that included the discovered devices (and IP addresses).

Thanks for the clarification.

If the victim dropdown has only two options (the IP address or “Any Device”), then what has likely happened is that the victim IP address was not associated with a discovered device.

If you configured the remote device discovery after the detection occurred, then that could explain it, as newly discovered devices are not retroactively mapped to existing detections. But you should see your group listed in future detections.

If the remote device discovery was already in place, then the cause is less clear. In that case, could you tell us the detection type in question?
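The two support replies above describe three rules: the hide dialog only lists device groups that actually contain the offender or victim; an IP that maps to no discovered device (an external address, for instance) belongs to no group, so only the raw IP and "Any Device" are offered; and a device discovered after a detection occurred is not retroactively mapped to that detection. The following is an added example that models those rules so the three cases can be checked side by side. It is not the vendor's code or the product's real implementation; the subnet-based group membership, the discovery-timestamp check, and all IPs, group names and timestamps are constructed assumptions.

```python
"""Illustrative model of which options a detection's hide dialog offers for
the offender and victim fields. Added example, not the product's own code.
The membership rule, the timestamp check and all sample data are assumptions
chosen to reproduce the behaviour described in the thread."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY_DEVICE = "Any Device"


@dataclass
class Device:
    ip: str
    discovered_at: datetime  # when the device entered the inventory


@dataclass
class DeviceGroup:
    name: str
    cidrs: List[str]  # constructed rule: membership by subnet

    def contains(self, dev: Device) -> bool:
        addr = ip_address(dev.ip)
        return any(addr in ip_network(c) for c in self.cidrs)


@dataclass
class Detection:
    detection_type: str
    offender_ip: str
    victim_ip: str
    occurred_at: datetime


def resolve_device(ip: str, inventory: List[Device], as_of: datetime) -> Optional[Device]:
    """Map an IP to a discovered device, but only if the device was already
    discovered when the detection occurred. This models the statement that
    newly discovered devices are not retroactively mapped to old detections."""
    for dev in inventory:
        if dev.ip == ip and dev.discovered_at <= as_of:
            return dev
    return None


def tuning_options(ip: str, detection: Detection, inventory: List[Device],
                   groups: List[DeviceGroup]) -> List[str]:
    """Options for one side of the hide dialog: the raw IP, every group that
    contains the resolved device (none if the IP resolves to no device), and
    the catch-all Any Device entry."""
    options = [ip]
    dev = resolve_device(ip, inventory, detection.occurred_at)
    if dev is not None:
        options += [g.name for g in groups if g.contains(dev)]
    options.append(ANY_DEVICE)
    return options


def victim_options(detection, inventory, groups):
    return tuning_options(detection.victim_ip, detection, inventory, groups)


def offender_options(detection, inventory, groups):
    return tuning_options(detection.offender_ip, detection, inventory, groups)


# Constructed sample data (all addresses and times are made up).
T0 = datetime(2024, 1, 10, 9, 0)      # time of the original detections
LATER = datetime(2024, 1, 11, 9, 0)   # remote discovery configured the next day

INVENTORY = [
    Device("10.1.1.20", datetime(2024, 1, 1)),  # local device, long discovered
    Device("10.9.0.5", LATER),                   # remote device discovered after T0
]
GROUPS = [
    DeviceGroup("Local Servers", ["10.1.1.0/24"]),
    DeviceGroup("Remote Site", ["10.9.0.0/24"]),
]
DETECTIONS = [
    Detection("Brute Force", "203.0.113.7", "10.1.1.20", T0),   # external offender
    Detection("Brute Force", "10.1.1.20", "10.9.0.5", T0),      # victim discovered later
    Detection("Brute Force", "10.1.1.20", "10.9.0.5", datetime(2024, 1, 12, 9, 0)),
]

if __name__ == "__main__":
    for d in DETECTIONS:
        print(d.occurred_at, "offender:", offender_options(d, INVENTORY, GROUPS))
        print(d.occurred_at, "victim:  ", victim_options(d, INVENTORY, GROUPS))
```

Running the block reproduces the thread: the first detection offers "Local Servers" for the victim but only the raw IP and "Any Device" for the external offender; the second, whose victim was discovered after the detection, offers only the IP and "Any Device"; the third, occurring after discovery, lists "Remote Site". The practical check this suggests is the one given in the reply above: open a detection that occurred after remote discovery was configured and confirm the group appears before assuming anything else is wrong.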

I did configure the device discovery post-detection, so the above answers my question.
Thanks for the insight.