Finding exclusions in Splunk Enterprise Security
Use finding exclusions to remove unwanted intermediate findings from the Risk Data Model, reducing noise and improving the accuracy of UEBA detections.
Use finding exclusion rules in Splunk Enterprise Security to exclude intermediate findings generated by a specific detection, either for a set time range or indefinitely. Finding exclusions can help you suppress known safe or irrelevant activity that might otherwise inflate entity risk scores or create alert fatigue.
Use finding exclusions to:
- Suppress findings triggered by legitimate or low-risk behavior.
- Reduce false positives from recurring patterns or process exemptions.
- Focus UEBA dashboards and risk models on meaningful anomalies.
How finding exclusions work
When you create a finding exclusion rule, the excluded findings are removed from UEBA dashboards and other Splunk Enterprise Security views such as the following:
- UEBA dashboards and entity risk scoring (ERS)
- Detections that use risk data
- Risk-based alerting and MITRE ATT&CK mapping
Excluding findings from these risk features helps reduce noise and ensures that only relevant findings contribute to risk scores and investigations. Each rule is detection-specific, meaning it applies only to one detection that you specify when you create the exclusion.
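The following is an added example, not Splunk's own code, that models the exclusion behavior described above so you can see its effect on entity risk scores: each rule targets exactly one detection, optionally bounded by a start and end time (no end means indefinite), and any intermediate finding a rule matches is dropped before risk scores are summed per entity. The detection names, entity names, scores, and timestamps are constructed sample data, and the scoring is a simple sum used only for illustration, not Splunk's actual risk scoring logic.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Finding:
    """An intermediate finding: one detection firing once on one entity."""
    detection: str     # name of the detection that produced the finding
    entity: str        # risk object (user or host) the finding is attributed to
    risk_score: int    # risk contributed by this finding
    time: datetime     # when the finding was generated


@dataclass(frozen=True)
class ExclusionRule:
    """A finding exclusion rule: detection-specific, time-bounded or indefinite."""
    detection: str                    # the single detection this rule applies to
    start: Optional[datetime] = None  # None = no lower bound
    end: Optional[datetime] = None    # None = no upper bound (indefinite)

    def matches(self, finding: Finding) -> bool:
        # A rule never touches findings from other detections.
        if finding.detection != self.detection:
            return False
        if self.start is not None and finding.time < self.start:
            return False
        if self.end is not None and finding.time > self.end:
            return False
        return True


def apply_exclusions(findings, rules):
    """Return only the findings that no exclusion rule matches."""
    return [f for f in findings if not any(r.matches(f) for r in rules)]


def excluded_findings(findings, rules):
    """Return the findings an exclusion rule removed (useful for auditing a rule)."""
    return [f for f in findings if any(r.matches(f) for r in rules)]


def entity_risk_scores(findings):
    """Illustrative scoring: sum the risk of the remaining findings per entity."""
    scores = {}
    for f in findings:
        scores[f.entity] = scores.get(f.entity, 0) + f.risk_score
    return scores


# Constructed sample findings (hypothetical detection and entity names).
SAMPLE_FINDINGS = [
    Finding("Excessive Failed Logins", "alice", 40, datetime(2024, 5, 1, 9, 0, tzinfo=UTC)),
    Finding("Excessive Failed Logins", "alice", 40, datetime(2024, 5, 10, 9, 0, tzinfo=UTC)),
    Finding("Excessive Failed Logins", "bob", 40, datetime(2024, 5, 3, 14, 0, tzinfo=UTC)),
    Finding("Unusual Process Execution", "web01", 60, datetime(2024, 5, 2, 3, 0, tzinfo=UTC)),
    Finding("Backup Agent Activity", "db01", 30, datetime(2024, 5, 4, 1, 0, tzinfo=UTC)),
]

# Constructed sample rules: one bounded to a known password-rotation window,
# one indefinite for a detection that fires on an approved backup job.
SAMPLE_RULES = [
    ExclusionRule(
        "Excessive Failed Logins",
        start=datetime(2024, 5, 1, tzinfo=UTC),
        end=datetime(2024, 5, 5, tzinfo=UTC),
    ),
    ExclusionRule("Backup Agent Activity"),
]


def scores_before_and_after(findings=SAMPLE_FINDINGS, rules=SAMPLE_RULES):
    """Risk scores with and without the exclusion rules applied."""
    return entity_risk_scores(findings), entity_risk_scores(apply_exclusions(findings, rules))


if __name__ == "__main__":
    before, after = scores_before_and_after()
    print("before:", before)   # alice 80, bob 40, web01 60, db01 30
    print("after: ", after)    # alice 40, web01 60
    for f in excluded_findings(SAMPLE_FINDINGS, SAMPLE_RULES):
        print("excluded:", f.detection, f.entity, f.time.isoformat())
```

Note the two edge cases the sample exercises: alice's finding on May 10 falls outside the bounded rule and still counts toward her score, and the "Unusual Process Execution" finding on web01 is untouched because no rule names that detection.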
Accessing finding exclusions
To manage finding exclusions, navigate to Configure > Findings and investigations > Finding exclusion rules.