Create suppression rules for findings in Splunk Enterprise Security
(Refer to this: https://docs.splunk.com/Documentation/ES/7.3.1/Admin/Customizenotables)
Hide findings from the Mission Control page by creating a suppression. A suppression is a search filter that hides specific findings from display and can be used to stop excessive or unwanted numbers of findings from appearing on the Mission Control page. Findings that meet the search conditions are still created and added to the Findings index. Suppressed findings continue to contribute to the count of findings on the Security Posture and Audit dashboards.
You can create a suppression filter using one of the following methods:
- Create a suppression from the Mission Control page.
- Create a suppression from the Configure menu.
Follow these steps to create a suppression using the Configure menu in the Splunk Enterprise Security app:
- Select Configure > Incident Management > Notable Event Suppressions.
- Click Create New Suppression.
- Enter a Name and Description for the suppression filter.
- Enter a Search to find notable events that you want to be suppressed.
The search goes directly into the eventtype stanza, so the use of pipes is limited. See eventtypes.conf in the Splunk Enterprise Admin Manual.
The macro `get_notable_index` can be used as the starting point for an SPL suppression search filter. On its own, the macro might suppress all notables, so extend it with conditions that match only the notables you want to suppress.
- Set the Expiration Time. This defines a time limit for the suppression filter. The expiration time does not prevent the suppression from working: notable events within the specified time range continue to be suppressed until you disable the suppression, and notable events that fall outside the expiration time are not suppressed.
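As an added illustration (not taken from the Splunk documentation), this is what the saved suppression looks like as an eventtypes.conf stanza, starting from `get_notable_index` and narrowing it to a single correlation search and host. The suppression name, correlation search name, host and epoch values are constructed placeholders, and expressing the expiration window as `_time` bounds inside the search is an assumption.

```ini
# eventtypes.conf (constructed example, not shipped with Splunk Enterprise Security)
# Stanza name follows the notable_suppression-<suppression_name> convention.
[notable_suppression-backup01_scheduled_task]
description = backup01 creates scheduled tasks as part of its normal job; suppress only that host
# Start from the macro, then narrow it: `get_notable_index` alone would match every notable.
# Assumed fields: source = correlation search name, dest = affected host.
# Assumed: the expiration window is carried as _time bounds (epoch seconds) in the search.
search = `get_notable_index` source="Endpoint - Scheduled Task Created - Rule" dest="backup01" _time>=1700000000 _time<=1702592000
disabled = 0

# Counter-example of a filter that is too broad: it would hide every notable.
# [notable_suppression-too_broad]
# search = `get_notable_index`
```

Because the search goes straight into the eventtype stanza, keep it to plain search terms and avoid pipes; check the Suppression Audit dashboard after saving to confirm only the intended notables are affected.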
Edit notable event suppressions
- Select Configure > Incident Management > Notable Event Suppressions.
- Select a notable event suppression to open the Edit Notable Event Suppression page.
- Edit the Description and Search fields used for the suppression filter.
- Click Save.
Disable notable event suppressions
- Select Configure > Incident Management > Notable Event Suppressions.
- Select Disable in the Status column for the notable event suppression.
Remove a notable event suppression
- From the Splunk platform toolbar, select Settings > Event types.
- Search for the suppression event type: notable_suppression-<suppression_name>
- Select Delete in the Actions column for the notable event suppression.
Audit notable event suppressions
Audit notable event suppressions with the Suppression Audit dashboard. See Suppression Audit in Use Splunk Enterprise Security.
See also
- To prevent findings that meet certain conditions from being created, see Throttle the number of response actions generated by a correlation search.
- See Suppress a notable event.
- See Create a suppression from Notable Event Suppressions.
Include or exclude suppressed notables in dashboard metrics
Exclude suppressed notables from the metrics displayed on the Executive dashboard and the SOC Operations dashboard so that you can triage notables faster during an investigation. You also have the option to include suppressed notables in the metrics on the Executive dashboard and the SOC Operations dashboard if you want to verify whether some notables were overlooked.
Follow these steps to include suppressed notables:
- On the Splunk Enterprise Security app, go to Security Posture.
- Select Executive Summary dashboard or SOC Operations dashboard.
- Turn on Include suppressed notables to add suppressed notables on the dashboard metrics.
By default, Include suppressed notables is turned off.
For more information on the Executive Summary dashboard, see Executive Summary dashboard.
For more information on the SOC Operations dashboard, see SOC Operations dashboard.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0