topic Rest API for Notable Suppression in Splunk Enterprise Security

Rest API for Notable Suppression

Vignesh — Fri, 17 Jan 2025 14:51:16 GMT

Is there a rest api available for Notable Suppression ? to get the suppresssion details and modify them via rest api

Re: Rest API for Notable Suppression

tscroggins — Mon, 20 Jan 2025 18:03:58 GMT

There is no documented REST API, but the SA-ThreatIntelligence app exposes the alerts/suppressions service to create, read, and update (including disable and enable) suppressions. To delete suppressions, use the saved/eventtypes/{name} endpoint (see https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTknowledge#saved.2Feventtypes.2F.7Bname.7D).

Search, Start Time, and End Time are joined to create SPL stored as an event type named notable_suppression-{name}, e.g.:

`get_notable_index` _time>1737349200 _time<1737522000

Description and status are stored as separate properties.

You can confirm this in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/eventtypes.conf:

[notable_suppression-foo] description = bar disabled = true search = `get_notable_index` _time>1737349200 _time<1737522000

Add -d output_mode=json to any of the following examples to change the output from XML to JSON.

Create a suppression:

Name: foo
Description (optional): bar
Search: `get_notable_index`
Start Time (optional): 1/20/2025 (en-US locale in this example)
End Time (optional): 1/22/2025 (en-US locale in this example)
Status: Enabled

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions \ --data-urlencode name=notable_suppression-foo \ --data-urlencode description=bar \ --data-urlencode 'search=`get_notable_index` _time>1737349200 _time<1737522000' \ --data-urlencode disabled=false

Read a suppression:

curl -k -u admin -X GET https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo

Modify a suppression:

Description: baz
Search: `get_notable_index`
Start Time (optional): (none)
End Time (optional): (none)
Status: (unchanged)

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \ --data-urlencode description=baz \ --data-urlencode 'search=`get_notable_index`'

Disable a suppression:

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \ --data-urlencode disabled=true

Enable a suppression:

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \ --data-urlencode disabled=false

Delete a suppression:

curl -k -u admin:pass -X DELETE https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/saved/eventtypes/notable_suppression-foo

Re: Rest API for Notable Suppression

Vignesh — Wed, 22 Jan 2025 06:59:43 GMT

Thank you for the detailed answer its really helpful

Re: Rest API for Notable Suppression

Vignesh — Tue, 04 Mar 2025 11:36:53 GMT

Is it possible to change owner

Re: Rest API for Notable Suppression

Vignesh — Tue, 04 Mar 2025 12:00:10 GMT

is it possible to modify the owner

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \
--data-urlencode description=baz \
--data-urlencode 'search=`get_notable_index`'

--data-urlencode owner="test"

Re: Rest API for Notable Suppression

tscroggins — Sat, 15 Mar 2025 19:42:10 GMT

Hi @Vignesh,

The alerts/suppressions endpoint is hard-coded to use 'nobody' as the owner, which the internal saved/eventtypes/_new endpoint interprets as the current user context.

You can change the owner and sharing scope of the event type after it's created using the saved/eventtypes/{name}/acl endpoint (see https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing#Access_Control_List😞

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/saved/eventtypes/notable_suppression-foo/acl \ --data-urlencode owner=jsmith \ --data-urlencode sharing=global

You can create the event type directly using the saved/eventtypes endpoint and an alternate owner; however, you'll need to call the saved/eventtypes/{name}/acl endpoint separately to change sharing from private to global. The owner argument is required by the endpoint, so it's effectively the same number of steps as creating the suppression using the alerts/suppressions endpoint:

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/jsmith/SA-ThreatIntelligence/saved/eventtypes \ --data-urlencode name=notable_suppression-foo \ --data-urlencode description=bar \ --data-urlencode search='`get_notable_index` _time>1737349200 _time<1737522000' \ --data-urlencode disabled=false curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/jsmith/SA-ThreatIntelligence/saved/eventtypes/notable_suppression-foo/acl \ --data-urlencode owner=jsmith \ --data-urlencode sharing=global

Re: Rest API for Notable Suppression

tscroggins — Sat, 15 Mar 2025 19:43:33 GMT

... and the forum injected an unintended emoji. I really wish it wouldn't do that. 🙂