https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-Incident-Review-Suppression/m-p/142807#M509 <P>One associated default correlation search for which I cannot suppress notables is 'threat list activity detected'. thanks.</P> Fri, 18 Jul 2014 13:32:28 GMT some_guy 2014-07-18T13:32:28Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-Incident-Review-Suppression/m-p/142805#M507 <P>Having an issue within Splunk ES Incident Review. </P> <P>The option to suppress events from most correlation searches works fine. A handful of events <BR /> do NOT offer the option to suppress. </P> <P>The offending non-suppressible events are a consequence of the same few correlation searches. No other commonalities exist, as far as I'm able to tell. My user context has full rights to the instance, so I'm stumped. </P> Tue, 15 Jul 2014 13:51:14 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-Incident-Review-Suppression/m-p/142805#M507 some_guy 2014-07-15T13:51:14Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-Incident-Review-Suppression/m-p/142806#M508 <P>Do you happen to know which correlation searches this happens with? It might be that they are missing the workflow actions to allow you to suppress them. I can verify if that is the case.</P> Fri, 18 Jul 2014 05:42:59 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-Incident-Review-Suppression/m-p/142806#M508 LukeMurphey 2014-07-18T05:42:59Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-Incident-Review-Suppression/m-p/142807#M509 <P>One associated default correlation search for which I cannot suppress notables is 'threat list activity detected'. thanks.</P> Fri, 18 Jul 2014 13:32:28 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-Incident-Review-Suppression/m-p/142807#M509 some_guy 2014-07-18T13:32:28Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-Incident-Review-Suppression/m-p/142808#M510 <P>Did you ever figure this issue out?</P> Tue, 22 Dec 2015 19:03:18 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-Incident-Review-Suppression/m-p/142808#M510 AndySplunks 2015-12-22T19:03:18Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-Incident-Review-Suppression/m-p/142809#M511 <P>It appears this article may help you. The section labeled "Suppress notable events from new correlation searches" appears to have the answer to your question.</P> <P><A href="http://docs.splunk.com/Documentation/ES/2.4/Install/NotableEventSuppression">http://docs.splunk.com/Documentation/ES/2.4/Install/NotableEventSuppression</A></P> Tue, 22 Dec 2015 19:12:02 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-Incident-Review-Suppression/m-p/142809#M511 AndySplunks 2015-12-22T19:12:02Z