Hi @Vignesh,

There is no documented REST API, but the SA-ThreatIntelligence app exposes the alerts/suppressions service to create, read, and update (including disable and enable) suppressions. To delete suppressions, use the saved/eventtypes/{name} endpoint (see https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTknowledge#saved.2Feventtypes.2F.7Bname.7D).

Search, Start Time, and End Time are joined to create SPL stored as an event type named notable_suppression-{name}, e.g.:

    `get_notable_index` _time>1737349200 _time<1737522000

Description and status are stored as separate properties. You can confirm this in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/eventtypes.conf:

    [notable_suppression-foo]
    description = bar
    disabled = true
    search = `get_notable_index` _time>1737349200 _time<1737522000

Add -d output_mode=json to any of the following examples to change the output from XML to JSON.

Create a suppression:

    Name: foo
    Description (optional): bar
    Search: `get_notable_index`
    Start Time (optional): 1/20/2025 (en-US locale in this example)
    End Time (optional): 1/22/2025 (en-US locale in this example)
    Status: Enabled

    curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions \
      --data-urlencode name=notable_suppression-foo \
      --data-urlencode description=bar \
      --data-urlencode 'search=`get_notable_index` _time>1737349200 _time<1737522000' \
      --data-urlencode disabled=false

Read a suppression:

    curl -k -u admin -X GET https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo

Modify a suppression:

    Description: baz
    Search: `get_notable_index`
    Start Time (optional): (none)
    End Time (optional): (none)
    Status: (unchanged)

    curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \
      --data-urlencode description=baz \
      --data-urlencode 'search=`get_notable_index`'

Disable a suppression:

    curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \
      --data-urlencode disabled=true

Enable a suppression:

    curl -k -u admin:pass -X POST https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/alerts/suppressions/notable_suppression-foo \
      --data-urlencode disabled=false

Delete a suppression:

    curl -k -u admin:pass -X DELETE https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence/saved/eventtypes/notable_suppression-foo
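The procedure above, as an added Python example that is not part of the original answer or of the SA-ThreatIntelligence app: it turns the Start/End dates into the `_time` bounds, builds the form bodies for the create/update/disable/enable/delete requests on the same URLs the curl commands use, and decodes a `local/eventtypes.conf` stanza back into its fields so you can confirm what was stored. The host, port, credentials and the UTC-5 offset are assumptions for the example; midnight at UTC-5 on 1/20/2025 and 1/22/2025 reproduces the epoch values shown in the stanza, and the sample stanza below is constructed to match it.

```python
"""Build and decode SA-ThreatIntelligence suppression requests (added example)."""
import base64
import re
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Assumed host/port and app context, matching the curl examples in the answer.
BASE = "https://splunk:8089/servicesNS/nobody/SA-ThreatIntelligence"
SUPPRESSIONS = BASE + "/alerts/suppressions"
EVENTTYPES = BASE + "/saved/eventtypes"
PREFIX = "notable_suppression-"

# Assumption: the stanza's bounds 1737349200 / 1737522000 are local midnight
# on 1/20/2025 and 1/22/2025 at UTC-5, so that offset is used here.
EASTERN = timezone(timedelta(hours=-5))


def to_epoch(date_str, tz):
    """en-US 'M/D/YYYY' date at local midnight in tz -> integer epoch seconds."""
    return int(datetime.strptime(date_str, "%m/%d/%Y").replace(tzinfo=tz).timestamp())


def build_search(search, start=None, end=None, tz=timezone.utc):
    """Join Search, Start Time and End Time into the SPL the app stores."""
    parts = [search]
    if start:
        parts.append(f"_time>{to_epoch(start, tz)}")
    if end:
        parts.append(f"_time<{to_epoch(end, tz)}")
    return " ".join(parts)


def create_request(name, search, description=None, start=None, end=None,
                   enabled=True, tz=timezone.utc):
    """(method, url, urlencoded body) for POST /alerts/suppressions."""
    fields = {"name": PREFIX + name,
              "search": build_search(search, start, end, tz),
              "disabled": "false" if enabled else "true"}
    if description is not None:
        fields["description"] = description
    return "POST", SUPPRESSIONS, urlencode(fields)


def update_request(name, **fields):
    """POST to the named suppression; pass description=, search=, disabled='true'/'false'."""
    return "POST", f"{SUPPRESSIONS}/{PREFIX}{name}", urlencode(fields)


def delete_request(name):
    """Deletion goes through the event type, not the alerts service."""
    return "DELETE", f"{EVENTTYPES}/{PREFIX}{name}", ""


def send(method, url, body, user, password, verify=False):
    """Send one request (the equivalent of curl -k -u user:pass); needs a live host."""
    ctx = ssl.create_default_context()
    if not verify:  # curl -k: no certificate validation, lab use only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=body.encode() or None, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read().decode()


TIME_RE = re.compile(r"\s*_time([<>])(\d+)")

# Constructed sample of the stanza the answer shows in local/eventtypes.conf.
SAMPLE_CONF = """\
[notable_suppression-foo]
description = bar
disabled = true
search = `get_notable_index` _time>1737349200 _time<1737522000
"""


def parse_eventtypes_conf(text):
    """Decode suppression stanzas into name -> {search, start, end, description, enabled}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    result = {}
    for stanza, kv in stanzas.items():
        if not stanza.startswith(PREFIX):
            continue
        search = kv.get("search", "")
        bounds = {op: int(val) for op, val in TIME_RE.findall(search)}
        result[stanza[len(PREFIX):]] = {
            "search": TIME_RE.sub("", search).strip(),  # base SPL without bounds
            "start": bounds.get(">"),
            "end": bounds.get("<"),
            "description": kv.get("description"),
            "enabled": kv.get("disabled", "false").lower() not in ("1", "true"),
        }
    return result
```

`create_request("foo", "`get_notable_index`", "bar", "1/20/2025", "1/22/2025", tz=EASTERN)` yields the same URL and form fields as the first curl command; hand the tuple to `send()` together with the admin credentials to execute it. The `_time<` bound is exclusive, so an End Time of 1/22/2025 suppresses notables up to, but not including, midnight on that day.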