Create suppression rules for findings in Splunk Enterprise Security
Create suppression rules for findings to prevent excessive or unwanted numbers of findings from appearing on the Mission Control page in Splunk Enterprise Security.
A suppression for a finding is a search filter that hides any finding matching the search conditions. For example, you might want to prevent certain types of findings from appearing on the Mission Control page or contributing to defined alert thresholds. Findings that meet the search conditions are still created and added to the notable index. Suppressed findings continue to contribute to finding counts on the Security posture and Suppression audit dashboards.
Suppression is applied to events that are already in the notable index. A suppression filter hides findings so they are not displayed. Throttling is applied to events before they are added to the notable index. Throttling prevents findings from being created.
Create suppressions for findings
Follow these steps to create suppressions and hide findings from displaying on the Mission Control page:
- In Splunk Enterprise Security, select the Configure tab.
- Select Configurations, and then select Findings and investigations.
- Select Suppressions.
- Select +Suppression to create rules to prevent specific findings from displaying on the Mission Control page.
- Enter a Name and Description for the suppression filter.
- Enter a Search to find findings that you want to be suppressed.
The search goes directly into theeventtype
stanza, so the use of pipes is limited. You can use the macro`get_notable_index`
to create an SPL suppression search filter. However, using the macro might suppress all findings. Therefore, you must use the macro as a starting point to create the SPL search filter and modify it based on your specific requirements to suppress findings. - Set the Expiration time. This defines a time limit for the suppression filter. The expiration time does not prevent the suppression from working, so events within the specified time range will continue to be suppressed until you turn off the suppression. Findings that fall outside the expiration time are not suppressed.
Turn on or turn off suppressions for findings
Follow these steps to turn on or turn off the available suppressions in Splunk Enterprise Security:
- In Splunk Enterprise Security, select the Configure tab.
- Select Configurations, and then select Investigations and findings.
- Select Suppressions to view the list of available suppression rules.
Suppressions listings include the following information: Label, Description, Start time, Expiration time,. and Status. - Turn on or turn off specific suppression rules from this page.
Edit suppressions for findings
Follow these steps to edit the available suppressions in Splunk Enterprise Security:
- In Splunk Enterprise Security, select the Configure tab.
- Select Configurations, and then select Investigations and findings.
- Select Suppressions to view the list of available suppression rules.
- Select a suppression to open the Edit suppression page.
- Edit the Description and Search fields used for the suppression filter.
- Select Save.
Remove a suppression
Follow these steps to remove a suppression in Splunk Enterprise Security:
- From the Splunk platform toolbar, select Settings and then select Event types.
- Search for the suppression event. For example,
notable_suppression-<suppression_name>
. - Select Delete in the Actions column for the suppression.
Audit, include, or exclude suppressed findings
Audit suppressions for findings using the Audit dashboard.
Exclude suppressed findings in the metrics displayed on the Executive summary dashboard and the SOC operations dashboard so that you can triage findings faster during an investigation. You also have the option to include findings in the metrics on the Executive summary dashboard and the SOC operations dashboard if you want to verify whether some findings were overlooked.
Follow these steps to include suppressed findings:
- In the Splunk Enterprise Security app, go to Analytics.
- Select the Executive summary dashboard or the SOC operations dashboard.
- Turn on Include suppressed findings to add suppressed findings on the dashboard metrics.
By default, Include suppressed findings is turned off.
See also
For more information on dashboards, see the product documentation:
Add custom fields to add to investigation types in Splunk Enterprise Security | Modify the fields for findings in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!