Create a finding exclusion rule using UEBA configuration page

Use a lookup file or field matching to create a finding exclusion rule from the UEBA configuration page.
  1. In Splunk Enterprise Security, select Configure then Findings and investigations.
  2. Select Finding exclusion rules.
  3. Select Add rule and then select either Lookup or Field match.
  4. Select a Detection to exclude risk for.
    Note: You can't change the detection associated with the rule after you add a finding exclusion rule.
  5. Enter a Name for the finding exclusion rule.
    Note: Each active rule must have a unique name.
  6. Select a Reason for the rule. Choose from the following options:
    • Remediated
    • Accepted
    • Detection accuracy
  7. For lookup fields, use the drop-down menu to select a Lookup in the Conditions section.
    Note: When creating a lookup-based exclusion, there is a delay of up to 10 minutes to replicate the lookup values to the indexers.
    1. Enter a Lookup field and Finding or intermediate finding field pair. For example, enter workstation as the lookup field and enter normalized_risk_object as the finding field. You can add more than one matching criterion for a lookup field. The OR operator applies when there are multiple criteria for the same field.
  8. For field matching, enter a Time range in the Conditions section.
    1. Enter a Field and Matching criteria pair. This field is found in the intermediate finding that the exclusion applies to. For example, enter normalized_risk_object as the field and *_ as the matching criterion. One lookup field can map to only one finding field.
  9. (Optional) Select the icons in the Actions column to add or remove matching pairs. Each additional pair is separated by the AND operator.
  10. (Optional) Select Preview excluded findings to open a new search tab with all intermediate findings that the rule excludes.
  11. Select Add.

After you add a finding exclusion rule, you can turn it on or off on the Finding exclusion rules page using the Rule status drop-down menu. You can turn on a maximum of 2,000 field match rules at the same time. It might take up to 30 minutes for the new rule to take effect, or you can manually trigger it with the ERS Refresh button.
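The matching semantics described in steps 7 through 9 (values from a lookup column compared against a finding field, OR between multiple criteria on the same lookup field, AND between separate field pairs, and wildcard patterns for field match rules) are easier to reason about with a small model. The following Python script is an added example and is not part of the Splunk Enterprise Security product or its documentation; it does not call any Splunk API. It assumes a `detection` key on each finding stands in for whatever identifies the originating detection, that a rule's lookup is supplied as a list of row dictionaries, and that `*` is the only wildcard character in field match criteria. The findings, lookup rows and rules are all constructed sample data.

```python
import re

# --- Constructed sample data (illustrative only, not from Splunk) ---

# Intermediate findings produced by detections. The "detection" key is an
# assumption standing in for the field that names the originating detection.
FINDINGS = [
    {"id": 1, "detection": "Excessive Failed Logins", "normalized_risk_object": "ws-01", "dest": "ws-01", "user": "alice"},
    {"id": 2, "detection": "Excessive Failed Logins", "normalized_risk_object": "10.0.0.5", "dest": "ws-02", "user": "bob"},
    {"id": 3, "detection": "Excessive Failed Logins", "normalized_risk_object": "srv-db-01", "dest": "srv-db-01", "user": "svc_backup"},
    {"id": 4, "detection": "Rare Process", "normalized_risk_object": "ws-01", "dest": "ws-01", "user": "alice"},
    {"id": 5, "detection": "Excessive Failed Logins", "normalized_risk_object": "srv-web-01", "dest": "srv-web-01", "user": "carol"},
]

# A hypothetical lookup named "approved_workstations" with a "workstation" column.
LOOKUPS = {
    "approved_workstations": [
        {"workstation": "ws-01", "owner": "alice"},
        {"workstation": "ws-02", "owner": "bob"},
    ]
}

# Lookup rule: the lookup field "workstation" is paired with two finding fields.
# Multiple criteria on one lookup field are OR-ed; distinct lookup fields are AND-ed.
LOOKUP_RULE = {
    "type": "lookup",
    "detection": "Excessive Failed Logins",
    "lookup": "approved_workstations",
    "conditions": {"workstation": ["normalized_risk_object", "dest"]},
}

# Field match rule: every (field, pattern) pair must match (AND).
# Treating "*" as the only wildcard is an assumption of this example.
FIELD_RULE = {
    "type": "field_match",
    "detection": "Excessive Failed Logins",
    "conditions": [("normalized_risk_object", "srv-*"), ("user", "svc_*")],
}


def wildcard_match(value, pattern):
    """Match the whole value against a pattern in which only '*' is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, str(value)) is not None


def matches_lookup_rule(finding, rule, lookups):
    """True when the finding came from the rule's detection and, for every lookup
    field, at least one paired finding field holds a value found in that column."""
    if finding.get("detection") != rule["detection"]:
        return False
    rows = lookups[rule["lookup"]]
    for lookup_field, finding_fields in rule["conditions"].items():
        allowed = {row[lookup_field] for row in rows if lookup_field in row}
        # OR across the criteria of one lookup field ...
        if not any(finding.get(ff) in allowed for ff in finding_fields):
            return False  # ... AND across different lookup fields
    return True


def matches_field_rule(finding, rule):
    """True when the finding came from the rule's detection and every pair matches."""
    if finding.get("detection") != rule["detection"]:
        return False
    return all(
        finding.get(field) is not None and wildcard_match(finding[field], pattern)
        for field, pattern in rule["conditions"]
    )


def apply_exclusion_rules(findings, rules, lookups):
    """Return (kept_ids, excluded_ids); a finding is excluded if any rule matches it."""
    kept, excluded = [], []
    for f in findings:
        hit = any(
            matches_lookup_rule(f, r, lookups) if r["type"] == "lookup" else matches_field_rule(f, r)
            for r in rules
        )
        (excluded if hit else kept).append(f["id"])
    return kept, excluded


if __name__ == "__main__":
    # Equivalent of "Preview excluded findings" for the sample data.
    print(apply_exclusion_rules(FINDINGS, [LOOKUP_RULE, FIELD_RULE], LOOKUPS))
```

Running the script lists findings 4 and 5 as kept and 1, 2 and 3 as excluded: finding 2 is excluded only because its `dest` value (the second, OR-ed criterion) appears in the lookup, finding 5 is kept because the field match rule needs both pairs to match, and finding 4 is never considered because it belongs to a different detection. When previewing a real rule, check the same three cases in the search results before turning the rule on.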