We utilise Enterprise Security and have a large number of detections that we use. We have recently put in some testing hardware that could trigger any one of these alerts, and I am trying to find out if there is some way that we could suppress or exclude a device if that host potentially triggered these rules. Is there a way to effectively do a global "ignore any alerts from xxxx" without having to edit every single rule?
Hi @willadams,
No, to my knowledge there isn't any exclusion list in ES; the only way is to customize your correlation searches.
It could be a good idea to submit this request to Splunk Ideas as a new feature for ES.
Ciao.
Giuseppe
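One way to do the customization the answer above describes, as an added example that is not part of the original thread: keep the excluded hosts in a single CSV lookup, wrap the exclusion in a search macro, and append that macro to each correlation search. The lookup name `testing_hosts_exclusion.csv`, the macro name `exclude_testing_hosts`, the app location and the rule `Hypothetical - Excessive Failed Logins - Rule` are all assumptions for illustration; the CSV contents are constructed.

```ini
# lookups/testing_hosts_exclusion.csv (constructed sample; one column named "host")
#   host
#   testbox01
#   testbox02

# transforms.conf: register the CSV so `inputlookup` can resolve it by name
[testing_hosts_exclusion]
filename = testing_hosts_exclusion.csv

# macros.conf: a one-argument macro that turns the lookup into
#   NOT ( <field>="testbox01" OR <field>="testbox02" )
# The argument is the field the rule keys on (src, dest, host, ...), so the same
# lookup works whether the test device appears as source or destination.
[exclude_testing_hosts(1)]
args = field
definition = NOT [| inputlookup testing_hosts_exclusion.csv | rename host AS $field$ | fields $field$]

# savedsearches.conf: the macro appended once to a correlation search.
# Hypothetical rule, shown only to demonstrate where the macro goes.
[Hypothetical - Excessive Failed Logins - Rule]
search = | tstats summariesonly=true count from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.dest \
| rename Authentication.* AS * \
| search `exclude_testing_hosts(src)` \
| where count > 20
```

Each correlation search still has to be touched once to add the macro call, but from then on the exclusion list is edited in one place (the CSV, for example through the Lookup File Editor app) rather than in every rule. Two caveats a practitioner will want to check: the macro only filters searches that call it, so it does nothing for notable events that were already created, and because it relies on a subsearch, the lookup must stay small enough to fit within the subsearch result limit (10,000 rows by default).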