Is there a REST API available for Notable Suppression, to get the suppression details and modify them via REST API?
Hi @Vignesh,
There is no documented REST API, but the SA-ThreatIntelligence app exposes the alerts/suppressions service to create, read, and update (including disable and enable) suppressions. To delete suppressions, use the saved/eventtypes/{name} endpoint (see https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTknowledge#saved.2Feventtypes.2F.7Bna...).
Search, Start Time, and End Time are joined to create SPL stored as an event type named notable_suppression-{name}, e.g.:
`get_notable_index` _time>1737349200 _time<1737522000
Description and status are stored as separate properties.
You can confirm this in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/eventtypes.conf:
[notable_suppression-foo]
description = bar
disabled = true
search = `get_notable_index` _time>1737349200 _time<1737522000
Add -d output_mode=json to any of the following examples to change the output from XML to JSON.
Create a suppression:
Name: foo
Description (optional): bar
Search: `get_notable_index`
Start Time (optional): 1/20/2025 (en-US locale in this example)
End Time (optional): 1/22/2025 (en-US locale in this example)
Status: Enabled
curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions \
--data-urlencode name=notable_suppression-foo \
--data-urlencode description=bar \
--data-urlencode 'search=`get_notable_index` _time>1737349200 _time<1737522000' \
--data-urlencode disabled=false
Read a suppression:
curl -k -u admin:pass -X GET https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo
Modify a suppression:
Description: baz
Search: `get_notable_index`
Start Time (optional): (none)
End Time (optional): (none)
Status: (unchanged)
curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \
--data-urlencode description=baz \
--data-urlencode 'search=`get_notable_index`'
Disable a suppression:
curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \
--data-urlencode disabled=true
Enable a suppression:
curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \
--data-urlencode disabled=false
Delete a suppression:
curl -k -u admin:pass -X DELETE https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/saved/eventtypes/notable_suppression-foo
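Helpers for the workflow above, added here as an example and not code from the thread or from Splunk: they build the form fields the alerts/suppressions POST expects (including the _time bounds the UI appends for Start Time and End Time) and parse an output_mode=json listing so that expired or open-ended suppressions can be reviewed. The entry/content JSON layout is assumed and the sample response is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

PREFIX = "notable_suppression-"
TIME_RE = re.compile(r"_time([<>])(\d+)")  # the _time>N / _time<N bounds in the stored search

def to_epoch(t):
    return int(t.timestamp()) if hasattr(t, "timestamp") else int(t)  # tz-aware datetime or epoch int

def build_suppression_payload(name, search, description="", start=None, end=None, enabled=True):
    """Form fields for POST .../alerts/suppressions; start/end become _time bounds like the UI's."""
    spl = search
    if start is not None:
        spl += f" _time>{to_epoch(start)}"
    if end is not None:
        spl += f" _time<{to_epoch(end)}"
    return {"name": PREFIX + name, "description": description,
            "search": spl, "disabled": "false" if enabled else "true"}

def parse_suppression(entry):
    """Name, status and _time bounds from one entry of an output_mode=json reply (assumed layout)."""
    content = entry["content"]
    bounds = {op: int(v) for op, v in TIME_RE.findall(content.get("search", ""))}
    name = entry["name"]
    return {"name": name[len(PREFIX):] if name.startswith(PREFIX) else name,
            "disabled": str(content.get("disabled", "0")).lower() in ("1", "true"),
            "start": bounds.get(">"), "end": bounds.get("<")}

def audit_suppressions(response, now):
    """Flag enabled suppressions that never expire or whose end is before `now` (epoch seconds)."""
    findings = []
    for s in (parse_suppression(e) for e in response["entry"]):
        if s["disabled"]:
            continue
        if s["end"] is None:
            findings.append((s["name"], "open-ended"))
        elif s["end"] < now:
            findings.append((s["name"], "expired"))
    return findings

# Constructed sample of GET .../alerts/suppressions?output_mode=json (not real output).
SAMPLE_RESPONSE = {"entry": [
    {"name": PREFIX + "foo", "content": {"description": "bar", "disabled": False,
     "search": "`get_notable_index` _time>1737349200 _time<1737522000"}},
    {"name": PREFIX + "forever", "content": {"description": "", "disabled": False,
     "search": "`get_notable_index` rule_name=ConstructedRule"}}]}

if __name__ == "__main__":
    est = timezone(timedelta(hours=-5))  # 1/20/2025 00:00 US Eastern = 1737349200, as in the thread
    print(build_suppression_payload("foo", "`get_notable_index`", "bar", datetime(2025, 1, 20, tzinfo=est), datetime(2025, 1, 22, tzinfo=est)))
```

Pass the returned dict to your HTTP client as url-encoded form data; a suppression with no end bound stays in force until someone disables it, which is why the audit reports it.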
Is it possible to modify the owner?
--data-urlencode description=baz \
--data-urlencode 'search=`get_notable_index`'
Is it possible to change the owner?
curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions \
--data-urlencode name=notable_suppression-foo \
--data-urlencode description=bar \
--data-urlencode 'search=`get_notable_index` _time>1737349200 _time<1737522000' \
--data-urlencode disabled=false \
--data-urlencode owner="new_user"
Hi @Vignesh,
The alerts/suppressions endpoint is hard-coded to use 'nobody' as the owner, which the internal saved/eventtypes/_new endpoint interprets as the current user context.
You can change the owner and sharing scope of the event type after it's created using the saved/eventtypes/{name}/acl endpoint (see https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing#Access_Control_List):
curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/saved/eventtypes/notable_suppression-foo/acl \
--data-urlencode owner=jsmith \
--data-urlencode sharing=global
You can create the event type directly using the saved/eventtypes endpoint and an alternate owner; however, you'll need to call the saved/eventtypes/{name}/acl endpoint separately to change sharing from private to global. The owner argument is required by the endpoint, so it's effectively the same number of steps as creating the suppression using the alerts/suppressions endpoint:
curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/jsmith/SA-ThreatIntelligence/saved/eventtypes \
--data-urlencode name=notable_suppression-foo \
--data-urlencode description=bar \
--data-urlencode search='`get_notable_index` _time>1737349200 _time<1737522000' \
--data-urlencode disabled=false
curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/jsmith/SA-ThreatIntelligence/saved/eventtypes/notable_suppression-foo/acl \
--data-urlencode owner=jsmith \
--data-urlencode sharing=global
... and the forum injected an unintended emoji. I really wish it wouldn't do that. 🙂
Thank you for the detailed answer, it's really helpful.