Muting rules
Muting allows you to ignore authorized and expected behaviors to identify anomalies for the specific host. When a rule is muted, any detection related to it will have a status of Muted. This means a notification will not be generated for the detection. A muted detection will auto-resolve after the specified time frame or can be resolved manually.
Mute all rules for devices
Muting a device for all rules is most commonly used for sandboxes and vulnerability scanners. These hosts will constantly trigger detections while they are doing their job. Muting such devices is typically a first step when getting started with FortiNDR Cloud.
To mute a device for all rules:
- Click the Detections tab.
- In the toolbar, click the gear icon at the right side of the page and select Muted Devices. The Muted Devices dialog opens.
- Click Add New device Range.
- In the Device IP or Range field, enter an IP address or CIDR range.
- Click Add Devices.
Mute a rule
Muting a rule will cause all its future detections to be muted, regardless of the device that triggered the rule. Muting a rule is common for posture-focused rules that detect approved behavior.
To mute a rule:
- Click the Detections tab.
- Click the menu icon in the last column at the right side of the page, and select Mute rule.
- In the Mute Rule dialog that opens:
- (Optional) In the Comments field
- Click Mute Rule.
Mute a detection in a rule
You can mute a specific device for a specific rule. This is commonly used for suspicious behaviors from approved devices, such as remote access from an administrator workstation. Detections that contain a muted rule are appended with Muted in the Status column of the Detections Table.
To mute a rule in a detection:
- Click the Detections tab and open a rule in the list.
- In the Impacted Devices tab, select the detection that contains the device and rule.
- Click the Actions menu at the right side of the page and select Mute device for rule.
- In the Mute Device dialog that opens:
- (Optional) In the Comments field
- Click Mute Rule.
Alternatively, you can go to Detections > Detections Table. In the Action column, click the menu and select Mute device for rule.