Some dashboards in Splunk Enterprise Security include the Advanced Filter option, which can filter items out of dashboard views ("per-panel filtering") making it easier to find those events that require investigation.
- If you determine that an event is a threat, use the Advanced Filter editor to add the item to your blacklist of known threats.
- If you determine that an event is not a threat, you can add it to your whitelist to remove it from the dashboard view.
Note: The Advanced Filter icon won't appear unless the user has permission. To configure this permission, see Configure users and roles in the Installation and Configuration manual.
After you determine that an event is not a threat, you can whitelist the event to hide it from the dashboard view. The summary statistics will continue to calculate whitelisted items, but they will not be displayed in the dashboard.
To whitelist an event
Use the Advanced Filter to whitelist, or filter, events on a dashboard.
For example, to whitelist traffic events on the Traffic Size Analysis dashboard:
- Use the checkboxes to select the items to filter.
- Click Advanced Filter... in the top right corner to display options for events that can be filtered in this dashboard.
- Select the radio button to filter events on this dashboard. For example, on the Traffic Size Analysis dashboard, you can either filter events so that they no longer appear or highlight them so that they are flagged as important.
- Click Save when you are done.
Note: Filtered events are not removed from the calculations for this dashboard, only removed from view.
In this example, after an item is added to the whitelist, it is considered good (not a threat) and will no longer show up on the Traffic Size Analysis dashboard.
To remove an item from the whitelist
- Click Advanced Filter, then View/edit lookup file to see the list of entries currently being filtered.
- Right-click a cell in the table to view the context menu.
- Select Remove row to remove the row containing the whitelisted item.
- Click Save.
An event can also be blacklisted. Blacklisting an item means that you have identified an event that is known to be malicious, or thought to communicate with a command and control server that is known to be malicious. Anytime the event or string shows up in the data, you will want to investigate the system, the user associated with the system, and the web activity to understand the nature and possible proliferation of the threat.
Blacklisting an event or string is similar to whitelisting. Events can only be blacklisted after they have been filtered from the dashboard.
To blacklist an event
To blacklist a traffic event on, for example, the Traffic Size Analysis dashboard, do the following:
- From the Advanced Filter page, click View/edit lookup files to see the list of entries currently being filtered.
- Locate the entry you want to add to the blacklist. Under the filter column, double-click the word whitelist to edit the cell. Delete "whitelist" and type "blacklist".
- Click Save.
Edit the per-panel filter list
To see a current list of per-panel filters by dashboard, navigate to Configure > Data Enrichment > Lists and Lookups. Lists with a description indicating that they are a dashboard filter will show the current per-panel filters for that dashboard. Events added to the whitelist for a dashboard will be listed here.
For example, the Threat Activity Filter list displays the filters for the Threat Activity dashboard.
Edit the per-panel filter list.
- Open the filter list for the relevant dashboard. The name of the filter, for example
ppf_threat_activity, is shown in the upper left-hand corner.
- To edit a field, select a cell and begin typing.
- To insert or remove a row or column in the filter, right-click the field for edit options. Removing a row adds that item back to the dashboard panel view and removes it from the whitelist.
- To "blacklist" an item, use the editor to add a new row to the table and use "blacklist" in the "filter"column.
- Click Save when you are finished.
Audit per-panel filters
Changes made to the per-panel filters are logged in the per-panel filtering audit logs. The lookup editor and the per-panel filter module modify per-panel filters. Use the Per-Panel Filter Audit dashboard to audit per-panel filters.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.6.0 Cloud only
Feedback submitted, thanks!