Splunk Enterprise Security

Rest API for Notable Suppression

Vignesh
Explorer

Is there a REST API available for Notable Suppression, to get the suppression details and modify them via REST API?


tscroggins
Influencer

Hi @Vignesh,

There is no documented REST API, but the SA-ThreatIntelligence app exposes the alerts/suppressions service to create, read, and update (including disable and enable) suppressions. To delete suppressions, use the saved/eventtypes/{name} endpoint (see https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTknowledge#saved.2Feventtypes.2F.7Bna...).

Search, Start Time, and End Time are joined to create SPL stored as an event type named notable_suppression-{name}, e.g.:

`get_notable_index` _time>1737349200 _time<1737522000

Description and status are stored as separate properties.

You can confirm this in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/eventtypes.conf:

[notable_suppression-foo]
description = bar
disabled = true
search = `get_notable_index` _time>1737349200 _time<1737522000

Add -d output_mode=json to any of the following examples to change the output from XML to JSON.

Create a suppression:

Name: foo
Description (optional): bar
Search: `get_notable_index`
Start Time (optional): 1/20/2025 (en-US locale in this example)
End Time (optional): 1/22/2025 (en-US locale in this example)
Status: Enabled

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions \
    --data-urlencode name=notable_suppression-foo \
    --data-urlencode description=bar \
    --data-urlencode 'search=`get_notable_index` _time>1737349200 _time<1737522000' \
    --data-urlencode disabled=false

Read a suppression:

curl -k -u admin -X GET https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo

Modify a suppression:

Description: baz
Search: `get_notable_index`
Start Time (optional): (none)
End Time (optional): (none)
Status: (unchanged)

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \
    --data-urlencode description=baz \
    --data-urlencode 'search=`get_notable_index`'

Disable a suppression:

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \
    --data-urlencode disabled=true

Enable a suppression:

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \
    --data-urlencode disabled=false

Delete a suppression:

curl -k -u admin:pass -X DELETE https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/saved/eventtypes/notable_suppression-foo

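The accepted answer above explains the storage model (Search, Start Time and End Time joined into one SPL string kept as a `notable_suppression-{name}` event type, with description and disabled as separate properties) and lists one curl call per operation. The Python module below is an added example, not code from the thread or from SA-ThreatIntelligence: it turns UI-style dates into the epoch bounds, builds and parses the eventtypes.conf stanza, and assembles the same create/read/update/enable/disable/delete requests so they can be reviewed before anything is sent. It assumes the management URL from the thread (https://splunk:8089), a fixed UTC-5 offset for the dates (which reproduces the 1737349200 and 1737522000 values in the answer), and that a Splunk authentication token in the SPLUNK_TOKEN environment variable is accepted by the endpoint; the thread only shows basic auth, so that last point is an assumption.

```python
"""Build, store and round-trip Splunk ES notable suppressions via REST.

Added example, not code from the thread or from SA-ThreatIntelligence.
"""
import os
import re
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import quote, urlencode

# Assumptions: the management URL from the thread, and UI dates read as local
# midnight at a fixed UTC-5 offset (the answer's 1/20/2025 -> 1737349200).
# Production code should use the search head's zone (zoneinfo) so DST is right.
BASE_URL = "https://splunk:8089"
APP_NS = "/servicesNS/nobody/SA-ThreatIntelligence"
LOCAL_TZ = timezone(timedelta(hours=-5))


def to_epoch(date_str: str, fmt: str = "%m/%d/%Y") -> int:
    """Turn a UI-style date such as 1/20/2025 into epoch seconds at local midnight."""
    return int(datetime.strptime(date_str, fmt).replace(tzinfo=LOCAL_TZ).timestamp())


@dataclass
class Suppression:
    name: str                    # UI name; stored stanza is notable_suppression-<name>
    search: str                  # the Search field, e.g. `get_notable_index` ...
    description: str = ""
    start: Optional[int] = None  # Start Time as epoch seconds, or None
    end: Optional[int] = None    # End Time as epoch seconds, or None
    disabled: bool = False

    @property
    def stanza_name(self) -> str:
        return f"notable_suppression-{self.name}"

    def spl(self) -> str:
        """Join Search, Start Time and End Time into the SPL the event type stores."""
        parts = [self.search]
        if self.start is not None:
            parts.append(f"_time>{self.start}")
        if self.end is not None:
            parts.append(f"_time<{self.end}")
        return " ".join(parts)

    def to_conf(self) -> str:
        """Render the eventtypes.conf stanza shown in the accepted answer."""
        return "\n".join([f"[{self.stanza_name}]", f"description = {self.description}",
                          f"disabled = {'true' if self.disabled else 'false'}",
                          f"search = {self.spl()}"])


_TIME_RE = re.compile(r"\s*_time([<>])(\d+)")


def from_conf(stanza: str) -> Suppression:
    """Parse one notable_suppression stanza back into its UI fields.

    Caveat: a Search that itself contains a bare _time>N or _time<N clause cannot be
    told apart from the Start/End fields and is pulled out as well.
    """
    lines = [ln.strip() for ln in stanza.strip().splitlines() if ln.strip()]
    m = re.fullmatch(r"\[notable_suppression-(.+)\]", lines[0])
    if not m:
        raise ValueError(f"not a notable_suppression stanza: {lines[0]}")
    kv = dict(ln.partition(" = ")[::2] for ln in lines[1:])
    spl = kv.get("search", "")
    start = end = None
    for op, val in _TIME_RE.findall(spl):
        if op == ">":
            start = int(val)
        else:
            end = int(val)
    return Suppression(m.group(1), _TIME_RE.sub("", spl).strip(), kv.get("description", ""),
                       start, end, kv.get("disabled", "false").lower() in ("1", "true"))


def request_for(action: str, s: Suppression):
    """Return (method, url, form_body) matching the curl calls in the accepted answer."""
    coll = f"{BASE_URL}{APP_NS}/alerts/suppressions"
    item = f"{coll}/{quote(s.stanza_name, safe='')}"
    if action == "create":
        return "POST", coll, urlencode({"name": s.stanza_name, "description": s.description,
                                        "search": s.spl(),
                                        "disabled": "true" if s.disabled else "false"})
    if action == "read":
        return "GET", f"{item}?output_mode=json", ""
    if action == "update":
        return "POST", item, urlencode({"description": s.description, "search": s.spl()})
    if action in ("enable", "disable"):
        return "POST", item, urlencode({"disabled": "false" if action == "enable" else "true"})
    if action == "delete":  # suppressions are event types; deletion goes through that endpoint
        return "DELETE", f"{BASE_URL}{APP_NS}/saved/eventtypes/{quote(s.stanza_name, safe='')}", ""
    raise ValueError(f"unknown action {action!r}")


def send(method: str, url: str, body: str = "", token: Optional[str] = None) -> str:
    """Issue the call with a bearer token (assumed: SPLUNK_TOKEN), TLS verification left on."""
    token = token or os.environ["SPLUNK_TOKEN"]
    req = urllib.request.Request(url, data=body.encode() or None, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    s = Suppression("foo", "`get_notable_index`", "bar", to_epoch("1/20/2025"), to_epoch("1/22/2025"))
    print(s.to_conf())
    for action in ("create", "read", "update", "disable", "delete"):
        print(action, *request_for(action, s))
    if os.environ.get("SPLUNK_TOKEN"):  # only talks to a search head when a token is set
        print(send(*request_for("read", s)))
```

Two practitioner notes on the curl calls above, which this module changes deliberately: `-u admin:pass` leaves the password in shell history and process listings, so prefer a token (or curl's `-n`/.netrc), and `-k` disables TLS verification, which is fine against a lab box but not against a production search head. Because a suppression silently hides notables, anyone who can POST to this endpoint can blind analysts; treat write access to it like write access to correlation searches and review creations and deletions (the management-port calls appear in splunkd_access.log).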

Vignesh
Explorer

Is it possible to modify the owner?

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-... \
    --data-urlencode description=baz \
    --data-urlencode 'search=`get_notable_index`' \
    --data-urlencode owner="test"

Vignesh
Explorer

Is it possible to change the owner?

curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions \
    --data-urlencode name=notable_suppression-foo \
    --data-urlencode description=bar \
    --data-urlencode 'search=`get_notable_index` _time>1737349200 _time<1737522000' \
    --data-urlencode disabled=false \
    --data-urlencode owner="new_user"

Vignesh
Explorer

Thank you for the detailed answer, it's really helpful.

