Create a finding exclusion rule using asset or user analysis

Use field matching to create a finding exclusion rule from the asset or user analysis page.
  1. In Splunk Enterprise Security, select Analytics, then UEBA.
  2. Select either UEBA user analysis or UEBA asset analysis.
  3. Select a user or an asset to see the analysis dashboard.
  4. In the Detections panel, select the configuration icon for a detection to open the Add finding exclusion rule dialog box.
    Note: Once a finding exclusion rule is created in the context of a detection, you can't change the detection associated with that rule. You can create another exclusion rule for a different detection.
  5. Enter a Name for the finding exclusion rule.
    Note: Each active rule must have a unique name.
  6. Select a Reason for the rule. Choose from the following options:
    • Remediated
    • Accepted
    • Detection accuracy
  7. Enter a Time range in the Conditions section.
  8. Enter a Field and Matching criteria pair. This field is found in the intermediate finding that the exclusion applies to. For example, enter normalized_risk_object as the field and *_ as the matching criteria. One lookup field can map to only one finding field.
  9. (Optional) Select the icons in the Actions column to add or remove field matching pairs. Each additional pair is separated by the AND operator.
  10. (Optional) Select Preview excluded findings to open a new search tab with all intermediate findings that the rule excludes.
  11. Select Add.
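
The following added example is not Splunk code; it is a small stand-alone model of how a field-match exclusion rule of the kind built in steps 5 through 10 is evaluated against intermediate findings, so you can reason about what "Preview excluded findings" will show before you activate a rule. It assumes (the page does not state the exact semantics) that matching criteria use shell-style wildcards, that multiple field/criteria pairs are combined with AND as in step 9, that the time range is applied to the finding's timestamp, and that the rule is bound to the detection it was created for. The findings, detection names, field values and patterns below are constructed sample data.

```python
"""Model of a UEBA finding exclusion rule (added example, not Splunk's code).

Assumptions not stated on the page: wildcard criteria use fnmatch-style
globbing, multiple (field, criteria) pairs are ANDed, the time range is
checked against the finding's _time, and a rule only applies to the
detection it was created for.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Reasons offered in step 6 and the active-rule ceiling from the page.
REASONS = {"Remediated", "Accepted", "Detection accuracy"}
MAX_ACTIVE_RULES = 2000


@dataclass
class ExclusionRule:
    name: str
    reason: str
    detection: str                   # fixed once created (see step 4 note)
    time_start: int                  # epoch seconds, inclusive
    time_end: int                    # epoch seconds, inclusive
    matches: List[Tuple[str, str]]   # (finding field, wildcard criteria), ANDed


def finding_matches(rule: ExclusionRule, finding: Dict) -> bool:
    """True if every condition of the rule holds for this intermediate finding."""
    if finding.get("detection") != rule.detection:
        return False
    if not (rule.time_start <= finding.get("_time", -1) <= rule.time_end):
        return False
    for fld, pattern in rule.matches:
        value = finding.get(fld)
        # A missing field never matches; fnmatchcase is case-sensitive.
        if value is None or not fnmatchcase(str(value), pattern):
            return False
    return True


def preview_excluded(rule: ExclusionRule, findings: List[Dict]) -> List[Dict]:
    """Equivalent of 'Preview excluded findings': findings this rule would suppress."""
    return [f for f in findings if finding_matches(rule, f)]


def activate_rule(active: List[ExclusionRule], rule: ExclusionRule) -> List[ExclusionRule]:
    """Turn a rule on, enforcing the constraints the page states."""
    if rule.reason not in REASONS:
        raise ValueError(f"unknown reason: {rule.reason!r}")
    if any(r.name == rule.name for r in active):
        raise ValueError(f"active rule name must be unique: {rule.name!r}")
    if len(active) >= MAX_ACTIVE_RULES:
        raise ValueError("maximum of 2,000 active field match rules reached")
    active.append(rule)
    return active


# Constructed sample intermediate findings (not real Splunk output).
SAMPLE_FINDINGS = [
    {"_time": 1700000100, "detection": "Anomalous Login Volume",
     "normalized_risk_object": "svc_backup", "src": "10.0.1.5"},
    {"_time": 1700000200, "detection": "Anomalous Login Volume",
     "normalized_risk_object": "svc_backup", "src": "192.168.1.9"},
    {"_time": 1700000300, "detection": "Anomalous Login Volume",
     "normalized_risk_object": "jdoe", "src": "10.0.1.7"},
    {"_time": 1600000000, "detection": "Anomalous Login Volume",      # outside time range
     "normalized_risk_object": "svc_ci", "src": "10.0.2.1"},
    {"_time": 1700000400, "detection": "Rare Process Launch",         # different detection
     "normalized_risk_object": "svc_ci", "src": "10.0.2.1"},
]

# Constructed rule: accepted service-account logins from the internal range only.
EXAMPLE_RULE = ExclusionRule(
    name="accepted-svc-logins-internal",
    reason="Accepted",
    detection="Anomalous Login Volume",
    time_start=1700000000,
    time_end=1700086400,
    matches=[("normalized_risk_object", "svc_*"), ("src", "10.0.*")],
)

if __name__ == "__main__":
    for f in preview_excluded(EXAMPLE_RULE, SAMPLE_FINDINGS):
        print("would exclude:", f["normalized_risk_object"], f["src"])
```

Adding the second pair narrows the rule: with only the `normalized_risk_object` pair, both `svc_backup` findings in the window are excluded; with the `src` pair ANDed in, the one from `192.168.1.9` is kept. Findings outside the time range or from a different detection are never touched, which is the behaviour to confirm in the preview search before selecting Add.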

After you add a finding exclusion rule, you can turn it on or off on the Finding exclusion rules page using the Rule status drop-down menu. You can turn on a maximum of 2,000 field match rules at the same time. It might take up to 30 minutes for the new rule to take effect, or you can manually trigger it with the ERS Refresh button.