Suppress specific fields for detections in Splunk Enterprise Security
Suppress specific fields in a detection for a period of time to prevent undesired findings from being added to a specific investigation.
Follow these steps to suppress specific fields in a detection:
- In Splunk Enterprise Security, go to the Analyst queue.
- Select the investigation for which you want to suppress the detection.
- Go to the drop-down menu and select Suppress detection.
Suppressing detections only prevents future findings with those specific fields from being added to the investigation.
- In the Suppress detection dialog box, add the suppression rule. For example, Suppression for user access from unknown location.
- Specify the time for which you want the suppress the fields in the detection. For example, 1 day, 1 week, custom.
- In the Advanced section of the Suppress detection dialog box. add a description of the suppression rule.
- Select the fields that you want to remove from the detection SPL. For example, event_hash, rule_name.
- Select Change fields if you want to change the fields that you want to remove from the detection.
- Go to the Search preview window to review the SPL search for the detection with the suppressed fields.
- Select Save.
Create multiple versions of a detection in Splunk Enterprise Security | Monitor your security operations center with findings in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!