Does the 'Hide Alert' option in Defender remove the data from the corresponding table?

%3CLINGO-SUB%20id%3D%22lingo-sub-2681219%22%20slang%3D%22en-US%22%3EDoes%20the%20'Hide%20Alert'%20option%20in%20Defender%20remove%20the%20data%20from%20the%20corresponding%20table%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2681219%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20trying%20to%20suppress%20an%20alert%20based%20on%20command-line%20containing%20a%20specific%20file%20name%20which%20doesn't%20seem%20to%20currently%20be%20possible.%20We%20were%20planning%20to%20instead%20suppress%20alerts%20based%20on%20the%26nbsp%3B%20Processname%20and%20create%20a%20custom%20detection%20rule%20to%20exclude%20command-lines%20containing%20the%20specific%20file%20name%20and%20alert%20on%20the%20rest.%20My%20question%20is%2C%20will%20the%20alert%20data%20still%20be%20present%20in%20the%20'AlertInfo'%2C%20'%3CSPAN%3EAlertEvidence%3C%2FSPAN%3E'%20tables%20after%20creating%20the%20suppression%20rule%20with%20the%20'Hide%20Alert'%20option%20or%20should%20we%20be%20using%20the%20%22Resolve%20Alert%22%20option%20instead%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

We are trying to suppress an alert based on command-line containing a specific file name which doesn't seem to currently be possible. We were planning to instead suppress alerts based on the  Processname and create a custom detection rule to exclude command-lines containing the specific file name and alert on the rest. My question is, will the alert data still be present in the 'AlertInfo', 'AlertEvidence' tables after creating the suppression rule with the 'Hide Alert' option or should we be using the "Resolve Alert" option instead? 

0 Replies