Manage data filters in Splunk Asset and Risk Intelligence
With data filters, you can block or allow particular software products or vulnerabilities to customize what Splunk Asset and Risk Intelligence discovers.
For example, if there is a specific product that isn't relevant to your investigation, you can remove that product to make triaging assets easier. To remove the product, you can add a data filter that blocks that software product from discovery. You can also block every product assigned to a particular vendor, such as Microsoft, from being discovered.
The default data filter allows all software and vulnerabilities, and it appears on the data filter table as an asterisk ( * ). Removing the default data filter without adding a custom filter blocks all software and vulnerabilities from being discovered by Splunk Asset and Risk Intelligence.
Add a data filter
To add a data filter, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Inventory data filters.
- Select whether you want to add a filter for Software or Vulnerability.
- Select the add icon ( ).
- Enter a vendor and a product for software and a signature for vulnerabilities. Do not leave a field blank. If you don't want to specify a vendor, product, or signature, enter an asterisk ( * ).
- Select whether you want to Allow or Block the vendor or product.
- Select Add.
After you add a data filter, you can modify it, clone it, or delete it using the action icons in the Data filters table.
When modifying a data filter, you can only change whether or not to block or allow the product or vendor. To edit the product or vendor, you must delete the data filter and add a new one.
Upload a list of data filters
To upload a list of data filters, complete the following steps:
- In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Inventory data filters.
- Select whether you want to add a filter for Software or Vulnerability.
- Select the upload icon ( ).
- Select Upload file and add your CSV file.
- For vulnerability filtering, include the following fields in the CSV file:
ari_allow
,ari_block
, andsignature
whereari_allow
andari_block
have a value of 0 or 1. - For software filtering, include the following fields in the CSV file:
ari_allow
,ari_block
,ari_software_product
, andari_software_vendor
whereari_allow
andari_block
have a value of 0 or 1.
Do not leave fields blank. Instead enter an asterisk ( * ).
- For vulnerability filtering, include the following fields in the CSV file:
- For Upload mode, select whether you want to merge or overwrite the existing data filters.
- Select Upload.
Manage asset inventory retention in Splunk Asset and Risk Intelligence | Customize settings in Splunk Asset and Risk Intelligence |
This documentation applies to the following versions of Splunk® Asset and Risk Intelligence: 1.0.0, 1.0.1, 1.0.2
Feedback submitted, thanks!