Reply To: SC-200 Review test Set 3 – question 22 (Manage Security Threats)
Hi Valentin,
Great question! “Generate the alert” does not mean creating a duplicate of the existing alert manually.
Accordingly, when a suppression rule hides a false positive, the system does not ignore that activity permanently. If the Automated Investigation and Response (AIR) engine later detects that the same activity is actually malicious, it will automatically reactivate and generate a new alert.
In other words, suppressing the false positive does not turn off detection; it just filters out the known noise. The security posture stays intact because a new alert will still be raised if the macro activity ever becomes a genuine threat.
Hope that clears it up! Let us know if you have further questions.
Best regards,
Irene @ Tutorials Dojo