Splunk Enterprise Security

Rest API for Notable Suppression

Vignesh
Explorer

Is there a REST API available for Notable Suppression, to get the suppression details and modify them via REST API?


tscroggins
Influencer

Hi @Vignesh,

There is no documented REST API, but the SA-ThreatIntelligence app exposes the alerts/suppressions service to create, read, and update (including disable and enable) suppressions. To delete suppressions, use the saved/eventtypes/{name} endpoint (see https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTknowledge#saved.2Feventtypes.2F.7Bna...).

Search, Start Time, and End Time are joined to create SPL stored as an event type named notable_suppression-{name}, e.g.:

`get_notable_index` _time>1737349200 _time<1737522000

Description and status are stored as separate properties.

You can confirm this in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/eventtypes.conf:

[notable_suppression-foo]
description = bar
disabled = true
search = `get_notable_index` _time>1737349200 _time<1737522000

Add -d output_mode=json to any of the following examples to change the output from XML to JSON.

Create a suppression:

Name: foo
Description (optional): bar
Search: `get_notable_index`
Start Time (optional): 1/20/2025 (en-US locale in this example)
End Time (optional): 1/22/2025 (en-US locale in this example)
Status: Enabled

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions \
    --data-urlencode name=notable_suppression-foo \
    --data-urlencode description=bar \
    --data-urlencode 'search=`get_notable_index` _time>1737349200 _time<1737522000' \
    --data-urlencode disabled=false

Read a suppression:

curl -k -u admin -X GET https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo

Modify a suppression:

Description: baz
Search: `get_notable_index`
Start Time (optional): (none)
End Time (optional): (none)
Status: (unchanged)

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \
    --data-urlencode description=baz \
    --data-urlencode 'search=`get_notable_index`'

Disable a suppression:

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \
    --data-urlencode disabled=true

Enable a suppression:

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \
    --data-urlencode disabled=false

Delete a suppression:

curl -k -u admin:pass -X DELETE https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/saved/eventtypes/notable_suppression-foo

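An added worked example (not from the thread and not Splunk's or SA-ThreatIntelligence's own code) of the encoding tscroggins describes: it composes the stored search from Search, Start Time and End Time, decomposes a stored search back into those parts, and parses eventtypes.conf stanzas so disabled or open-ended suppressions can be reviewed before they are modified over REST. It assumes the epochs quoted in the thread are midnight in US Eastern Standard Time (UTC-5); SAMPLE_CONF is a constructed sample.

```python
import re
from datetime import datetime, timezone, timedelta
# Assumption: the thread's epochs are midnight US Eastern Standard Time (UTC-5);
# a fixed offset keeps the example deterministic without a tz database lookup.
EST = timezone(timedelta(hours=-5))
# Constructed sample in the layout of SA-ThreatIntelligence/local/eventtypes.conf
SAMPLE_CONF = """\
[notable_suppression-foo]
description = bar
disabled = true
search = `get_notable_index` _time>1737349200 _time<1737522000
[notable_suppression-open_ended]
description = constructed stanza with no end time
search = `get_notable_index` src=10.0.0.5 _time>1737349200
"""
# Start Time and End Time are appended to the Search as _time bounds, in that order.
SEARCH_RE = re.compile(r"^(?P<base>.*?)(?:\s+_time>(?P<start>\d+))?(?:\s+_time<(?P<end>\d+))?$")

def local_midnight(year, month, day):
    # Epoch the UI would store for a date picked in the assumed UTC-5 zone.
    return int(datetime(year, month, day, tzinfo=EST).timestamp())

def build_search(base, start=None, end=None):
    # Join Search, Start Time and End Time the way the suppression UI does.
    bounds = [f"_time>{int(start)}"] if start is not None else []
    bounds += [f"_time<{int(end)}"] if end is not None else []
    return " ".join([base, *bounds])

def split_search(search):
    # Inverse of build_search: (base, start, end) from a stored search string.
    m = SEARCH_RE.match(search.strip())
    start, end = (None if v is None else int(v) for v in m.group("start", "end"))
    return m.group("base"), start, end

def parse_eventtypes(text):
    # {stanza: {description, disabled, base, start, end}} for suppression stanzas.
    result, rec = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[notable_suppression-") and line.endswith("]"):
            rec = result.setdefault(line[1:-1], {"disabled": False})
        elif "=" in line and rec is not None:
            key, _, value = (s.strip() for s in line.partition("="))
            if key == "search":
                rec.update(zip(("base", "start", "end"), split_search(value)))
            elif key == "disabled":
                rec["disabled"] = value.lower() in ("1", "true")
            else:
                rec[key] = value
    return result
```

The same split_search logic applies to the search field returned by the alerts/suppressions GET, since it stores the identical string.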

Vignesh
Explorer

Thank you for the detailed answer, it's really helpful.
