Suppress specific fields for detections in Splunk Enterprise Security

Suppress specific fields in a detection for a period of time to prevent undesired findings from being added to a specific investigation.

Follow these steps to suppress specific fields in a detection:

  1. In Splunk Enterprise Security, go to the Analyst queue.
  2. Select the investigation for which you want to suppress the detection.
  3. Go to the drop-down menu and select Suppress detection.

    Note: Suppressing detections only prevents future findings with those specific fields from being added to the investigation.
  4. In the Suppress detection dialog box, enter a name for the suppression rule. For example, Suppression for user access from unknown location.
  5. Specify the time for which you want to suppress the fields in the detection. For example, 1 day, 1 week, custom.
  6. In the Advanced section of the Suppress detection dialog box, add a description of the suppression rule.
  7. Select the fields that you want to remove from the detection SPL. For example, event_hash, rule_name.
  8. Select Change fields if you want to modify the set of fields to remove from the detection.
  9. Go to the Search preview window to review the SPL search for the detection with the suppressed fields.
  10. Select Save.
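The following is an added, illustrative model of the behaviour described in the steps above; it is not Splunk Enterprise Security code and does not reproduce the SPL that the Search preview window generates. It assumes a hypothetical `SuppressionRule` with a name, a set of field values, a creation time and a duration, and shows the two properties the procedure relies on: a rule only affects findings that arrive while it is active, and only findings whose suppressed fields all match are kept out of the investigation. The findings and the rule are constructed sample data.

```python
"""Illustrative model of time-bounded field suppression for findings.

Constructed example, not Splunk Enterprise Security's implementation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class SuppressionRule:
    """Hypothetical rule: suppress findings whose fields match, for a fixed window."""
    name: str
    fields: dict               # field name -> value that must match to suppress
    created: datetime          # when the analyst saved the rule
    duration: timedelta        # e.g. 1 day, 1 week, or a custom span
    description: str = ""      # free-text note from the Advanced section

    def active_at(self, when: datetime) -> bool:
        # Only findings that arrive after the rule is saved, and before it
        # expires, are affected; earlier findings stay in the investigation.
        return self.created <= when < self.created + self.duration

    def matches(self, finding: dict) -> bool:
        # Every suppressed field must match; a partial match is not enough.
        return all(finding.get(k) == v for k, v in self.fields.items())


def should_add_to_investigation(finding: dict, rules: list) -> bool:
    """Return False when an active rule matches all of its suppressed fields."""
    when = finding["_time"]
    return not any(r.active_at(when) and r.matches(finding) for r in rules)


def filter_findings(findings: list, rules: list) -> list:
    """Keep only the findings that should still be added to the investigation."""
    return [f for f in findings if should_add_to_investigation(f, rules)]


# Constructed sample data: one rule and four findings around its window.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

RULE = SuppressionRule(
    name="Suppression for user access from unknown location",
    fields={"rule_name": "Access from unknown location", "user": "svc_backup"},
    created=T0,
    duration=timedelta(days=1),
    description="Approved travel for this service owner; suppress for one day",
)

SAMPLE_FINDINGS = [
    # f1: matches the fields but arrived before the rule existed -> kept
    {"id": "f1", "_time": T0 - timedelta(hours=2),
     "rule_name": "Access from unknown location", "user": "svc_backup"},
    # f2: matches the fields inside the window -> suppressed
    {"id": "f2", "_time": T0 + timedelta(hours=1),
     "rule_name": "Access from unknown location", "user": "svc_backup"},
    # f3: same rule_name but a different user -> kept (not all fields match)
    {"id": "f3", "_time": T0 + timedelta(hours=1),
     "rule_name": "Access from unknown location", "user": "alice"},
    # f4: matches the fields but the rule has expired -> kept
    {"id": "f4", "_time": T0 + timedelta(days=2),
     "rule_name": "Access from unknown location", "user": "svc_backup"},
]


def kept_ids() -> list:
    """IDs of sample findings that still reach the investigation."""
    return [f["id"] for f in filter_findings(SAMPLE_FINDINGS, [RULE])]


if __name__ == "__main__":
    print("kept:", kept_ids())
```

The model checks the rule window against each finding's own timestamp rather than against wall-clock time, so the same rule applied to a replayed batch of findings gives a deterministic answer; whether a real deployment evaluates suppression at search time or at ingest time is a detail the procedure above leaves to the Search preview window.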