Commit
Update risk_guide_searches.md
suggest notable suppression instead of editing macro
7thdrxn authored Oct 1, 2024
1 parent a35b38e commit e1c0aec
Showing 1 changed file with 4 additions and 8 deletions.
12 changes: 4 additions & 8 deletions docs/searches/risk_guide_searches.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,16 +52,12 @@ index=notable eventtype=risk_notables
## Structural Changes
### Notable Macro to Edit for QA Risk Notables
### Notable Suppression for QA Risk Notables
Add `| eval QA=1` to the end of your Risk Incident Rules, editing the macro `get_notable_index` from the default to begin "QA" mode.
```shell title="default"
index=notable
```
Add `| eval QA=1` to the end of your Risk Incident Rules, then go to Configure → Incident Management → Notable Event Suppressions, and create a new suppression for:
```shell title="QA mode"
index=notable NOT QA=1
index=notable QA=1
```
This will keep Risk Notables out of your Incident Review queue while you develop RBA.
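Review bot: the surviving code fence is still labelled `shell title="QA mode"`, a title carried over from the old macro-definition block; now that the fence holds the suppression search rather than a replacement for `get_notable_index`, retitle it (for example `title="suppression search"`) so readers don't paste it into the macro. Two smaller points for the same lines: a short sentence on why suppression is preferred (editing `get_notable_index` changed the notable search for all of ES, not only the QA rules) would help anyone who followed the earlier version of this section, and since ES notable event suppressions carry a start and end time, the text should say the end time must cover the whole RBA development period, or the `QA=1` notables will start landing in Incident Review once it lapses.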
Expand Down Expand Up @@ -194,4 +190,4 @@ For tuning Risk Incident Rules that don't rely on an accretive score to alert, b
<img class="github-avatar" src="https://avatars.githubusercontent.com/u/12771156?v=4){ class="github-avatar"/>
</a>
<span class="zts-tooltip-text">@7thdrxn - Haylee Mills</span>
</div>
</div>
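Review bot: the avatar line `<img class="github-avatar" src="...?v=4){ class="github-avatar"/>` mixes a markdown image's closing `)` and attr_list `{ class=... }` with a raw HTML `<img>` tag, so `class` appears twice and the tag is malformed; use either the markdown image form with the attribute list or a plain `<img class="github-avatar" src="..."/>`, not both.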

0 comments on commit e1c0aec