Resolved: Service Event Rule set to suppress but still alerting team

I set up this Service Event Rule on our AWS: Guard Duty integration. I’m attempting to suppress the alerts coming from Guard Duty that have a severity rating of 1, 2, or 3. This is the severity rating in the Guard Duty alert (in the JSON sent to the integration), not the severity rating PagerDuty assigns (info, warn, error, critical).

However, despite this showing what recent alerts it would have filtered, those events didn’t get filtered and still sent notifications to my team.

“Suppression, as opposed to setting alert severity, allows you to send events to PagerDuty without triggering any notifications. Suppressed alerts are stored in PagerDuty and available for forensics, analysis, and context, but do not create incidents.”

Here is what the service event rule looks like with the highlighted field on the right.

Nothing was set in the customize event fields, and the ‘At these times’ tab is set to always.

Despite having these set, they still created an incident and alerted my team.

Does anyone have any ideas on what I am doing wrong? Thank you!

Just a quick check that your suppression rule is towards the top of your list of rules on the service? You may have another rule that allows those alerts to pass through!

It also looks like you have “detail” and “details” in the conditions. Which one is right?

Thank you Doug, it was that “detail” vs “details” condition. Don’t I feel silly :sweat_smile:

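The "detail" vs "details" mismatch found in this thread, as an added example that is not part of the original posts and is not PagerDuty's rule engine: a small check that resolves each condition path against a sample payload and reports paths that do not exist. The rule model, the function names, the sample event and the "all conditions must match, a missing path never matches" semantics are assumptions made for illustration.

```python
# Constructed sample: a GuardDuty finding in an EventBridge-style envelope,
# trimmed to the fields the conditions below refer to.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"severity": 2, "service": {"serviceName": "guardduty"}},
}

# Hypothetical rule model: (dotted_path, allowed_values) pairs.
# RULE_WITH_TYPO mixes "details" and "detail", as in the thread.
RULE_WITH_TYPO = [
    ("details.service.serviceName", {"guardduty"}),
    ("detail.severity", {1, 2, 3}),
]
RULE_FIXED = [
    ("detail.service.serviceName", {"guardduty"}),
    ("detail.severity", {1, 2, 3}),
]

_MISSING = object()  # sentinel: distinguishes "key absent" from a null value


def resolve(event, dotted_path):
    """Walk a dotted path through nested dicts; _MISSING if any key is absent."""
    node = event
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def unresolved_paths(conditions, event):
    """Condition paths that do not exist in the sample event (likely typos)."""
    return [path for path, _ in conditions if resolve(event, path) is _MISSING]


def would_suppress(conditions, event):
    """Assumed semantics: every condition must match; a missing path never does."""
    return all(resolve(event, path) in allowed for path, allowed in conditions)


if __name__ == "__main__":
    for name, rule in (("typo", RULE_WITH_TYPO), ("fixed", RULE_FIXED)):
        print(name, "unresolved:", unresolved_paths(rule, SAMPLE_EVENT),
              "suppress:", would_suppress(rule, SAMPLE_EVENT))
```

Running the path check against a real payload copied from the integration's alert log catches this kind of typo before the rule is relied on to keep low-severity findings from paging.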