Splunk® Enterprise Security

Administer Splunk Enterprise Security


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Configure per-panel filtering in Splunk Enterprise Security

Some dashboards in Splunk Enterprise Security include the per-panel filter option, which can filter items out of dashboard views, making it easier to find those events that require investigation.

  • If you determine that an event is a threat, use the per-panel filter to add the item to your blacklist of known threats.
  • If you determine that an event is not a threat, you can add it to your whitelist to remove it from the dashboard view.

The per-panel filter button appears only if the user has permission. To configure this permission, see Configure users and roles in the Installation and Configuration manual.

Whitelist events

After you determine that an event is not a threat, you can whitelist the event to hide it from the dashboard view. After you whitelist an event, the summary statistics still include the whitelisted items, but the items themselves are no longer displayed in the dashboard.

Whitelist an event

Use the per-panel filter to whitelist, or filter, events on a dashboard.

For example, to whitelist traffic events on the Traffic Size Analysis dashboard:

  1. Use the checkboxes to select the items to filter.
  2. Click Per-panel Filter in the top right corner to display options for events that can be filtered in this dashboard.
  3. Select the radio button to filter events on this dashboard.
    For example, on the Traffic Size Analysis dashboard, you can either filter events so that they no longer appear or highlight them so that they are flagged as important.
  4. Click Save when you are done.

In this example, after an item is added to the whitelist, it is no longer considered a threat and no longer appears on the Traffic Size Analysis dashboard.

Remove an item from the whitelist

  1. Click Per-panel Filter, then View/edit lookup file to see the list of entries currently being filtered.
  2. Right-click a cell in the table to view the context menu.
  3. Select Remove row to remove the row containing the whitelisted item.
  4. Click Save.

Blacklist events

An event can also be blacklisted. Blacklisting an item means that you have identified an event that is known to be malicious, or thought to communicate with a command and control server that is known to be malicious. Anytime the event or string shows up in the data, you will want to investigate the system, the user associated with the system, and the web activity to understand the nature and possible proliferation of the threat.

Blacklisting an event or string is similar to whitelisting. Events can only be blacklisted after they have been filtered from the dashboard.

To blacklist a traffic event on, for example, the Traffic Size Analysis dashboard, do the following:

  1. Click Per-panel Filter, then View/edit lookup file to see the list of entries currently being filtered.
  2. Locate the entry you want to add to the blacklist. Under the filter column, double-click the word whitelist to edit the cell. Delete "whitelist" and type "blacklist".
  3. Click Save.

Edit the per-panel filter list

To see a current list of per-panel filters by dashboard, select Configure > Content Management. Lookups with a description indicating that they are a per-panel filter show the current per-panel filters for the dashboard in the lookup name. Events added to the whitelist for a dashboard are listed in that lookup.

For example, the Threat Activity Filter lookup displays the filters for the Threat Activity dashboard.

To edit the per-panel filter lookup:

  1. Open the filter list for the relevant dashboard. The name of the filter, for example ppf_threat_activity, shows in the upper left-hand corner.
  2. To edit a field, select a cell and begin typing.
  3. To insert or remove a row or column in the filter, right-click the field for edit options. Removing a row adds that item back to the dashboard panel view and removes it from the whitelist.
  4. To "blacklist" an item, use the editor to add a new row to the table and use "blacklist" in the "filter" column.
  5. Click Save to save your changes.
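The whitelist, blacklist and lookup-editing procedures above all act on the same thing: a lookup table with a "filter" column whose value is "whitelist" or "blacklist". The following Python model, added here and not part of Splunk Enterprise Security or its documentation, shows the behavior those procedures imply: whitelisted items are dropped from the panel view but still counted in summary statistics, blacklisted items stay visible and are flagged, removing a row puts the item back on the panel, and every change to the list produces an audit record. The lookup name ppf_example, the key columns src and dest, and the sample events are constructed for illustration; the real lookups use dashboard-specific columns.

```python
import csv
import io

# Columns used to match an event against a filter row. These names are assumed
# for illustration; the real lookup's key columns depend on the dashboard.
KEY_FIELDS = ("src", "dest")
FILTER_ACTIONS = ("whitelist", "blacklist")

# Constructed sample lookup, shaped like the per-panel filter lookups described
# above: one row per filtered item plus a "filter" column.
SAMPLE_LOOKUP_CSV = """src,dest,filter
10.0.0.5,backup.example.internal,whitelist
10.0.0.9,203.0.113.40,blacklist
"""

# Constructed sample traffic events for one dashboard panel.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dest": "backup.example.internal", "bytes": 5_000_000},
    {"src": "10.0.0.9", "dest": "203.0.113.40", "bytes": 1_200},
    {"src": "10.0.0.7", "dest": "198.51.100.2", "bytes": 800},
]


def event_key(row):
    """Key an event or lookup row by the fields the filter matches on."""
    return tuple(row[f] for f in KEY_FIELDS)


class PerPanelFilterList:
    """In-memory model of one dashboard's filter lookup plus its audit trail."""

    def __init__(self, csv_text, lookup_name="ppf_example"):
        self.lookup_name = lookup_name  # placeholder name, not a real ES lookup
        self.rows = {}      # key -> "whitelist" | "blacklist"
        self.audit = []     # one record per change, like the audit log
        for row in csv.DictReader(io.StringIO(csv_text)):
            self._validate(row["filter"])
            self.rows[event_key(row)] = row["filter"].strip().lower()

    @staticmethod
    def _validate(action):
        # Only the two values the "filter" column is documented to hold are valid.
        if action.strip().lower() not in FILTER_ACTIONS:
            raise ValueError(f"filter column must be one of {FILTER_ACTIONS}, got {action!r}")

    def set_action(self, key, action, user):
        """Add a row, or change its filter cell (e.g. whitelist -> blacklist)."""
        self._validate(action)
        action = action.strip().lower()
        previous = self.rows.get(key)
        self.rows[key] = action
        self.audit.append({"lookup": self.lookup_name, "user": user, "key": key,
                           "old": previous, "new": action})

    def remove_row(self, key, user):
        """Remove a row; the item then appears on the panel again."""
        previous = self.rows.pop(key, None)
        self.audit.append({"lookup": self.lookup_name, "user": user, "key": key,
                           "old": previous, "new": None})

    def apply(self, events):
        """Return (summary, visible_rows) for a panel.

        Summary statistics count every event, whitelisted ones included; the
        visible rows drop whitelisted items and flag blacklisted ones.
        """
        summary = {"event_count": len(events),
                   "total_bytes": sum(e["bytes"] for e in events)}
        visible = []
        for e in events:
            action = self.rows.get(event_key(e))
            if action == "whitelist":
                continue
            visible.append({**e, "highlight": action == "blacklist"})
        return summary, visible


def demo():
    """Load the sample lookup, render the panel, then un-whitelist one item."""
    filters = PerPanelFilterList(SAMPLE_LOOKUP_CSV)
    summary, visible = filters.apply(SAMPLE_EVENTS)
    filters.remove_row(("10.0.0.5", "backup.example.internal"), user="analyst")
    _, after = filters.apply(SAMPLE_EVENTS)
    return summary, visible, after, filters.audit


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Running the block shows the summary counting all three events while only two rows are visible, the blacklisted row carrying highlight=True, and all three rows returning once the whitelist row is removed; the audit list records that removal with its previous value, which is the information the Per-Panel Filter Audit dashboard exists to surface.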

Audit per-panel filters

Changes made to the per-panel filters are logged in the per-panel filtering audit logs. The lookup editor and the per-panel filter module modify per-panel filters. Use the Per-Panel Filter Audit dashboard to audit per-panel filters.

Last modified on 14 September, 2018

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1
