Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Configure per-panel filtering in Splunk Enterprise Security

Some dashboards in Splunk Enterprise Security include the per-panel filter option, which can filter items out of dashboard views, making it easier to find those events that require investigation.

  • If you determine that an event is a threat, use the per-panel filter to add the item to your deny list of known threats.
  • If you determine that an event is not a threat, you can add it to your allow list to remove it from the dashboard view.

The per-panel filter button appears only if the user has permission. To configure this permission, see Configure users and roles in the Installation and Configuration manual.

Allow events

After you determine that an event is not a threat, you can allow the event in order to hide it from the dashboard view. After you allow an event, the summary statistics continue to calculate allowed items, but these items are not displayed in the dashboard.

Allow an event

Use the per-panel filter to allow, or filter, events on a dashboard.

For example, to allow traffic events on the Traffic Size Analysis dashboard:

  1. Use the checkboxes to select the items to filter.
  2. Click Per-panel Filter in the top right corner to display options for events that can be filtered in this dashboard.
  3. Select the radio button to filter events on this dashboard.
    For example, on the Traffic Size Analysis dashboard, you can either filter events so that they no longer appear or highlight them so that they are flagged as important.
  4. Click Save when you are done.

In this example, after an item is added to the allow list, it is no longer considered a threat and no longer appears on the Traffic Size Analysis dashboard.

Remove an item from the allow list

  1. Click Per-panel Filter, then View/edit lookup file to see the list of entries currently being filtered.
  2. Right-click a cell in the table to view the context menu.
  3. Select Remove row to remove the row containing the allowed item.
  4. Click Save.

Exclude events

An event can also be excluded. Excluding an item means that you have identified an event that is known to be malicious, or thought to communicate with a command and control server that is known to be malicious. Anytime the event or string shows up in the data, you will want to investigate the system, the user associated with the system, and the web activity to understand the nature and possible proliferation of the threat.

Excluding an event or string is similar to allowing it. Events can only be excluded after they have been filtered from the dashboard.

To exclude a traffic event on, for example, the Traffic Size Analysis dashboard, do the following:

  1. Click Per-panel Filter, then View/edit lookup file to see the list of entries currently being filtered.
  2. Locate the entry you want to add to the exclusion list. Under the filter column, double-click the word whitelist to edit the cell. Delete whitelist and type blacklist.
  3. Click Save.

Edit the per-panel filter list

To see a current list of per-panel filters by dashboard, select Configure > Content > Content Management. Lookups with a description indicating that they are a per-panel filter show the current per-panel filters for the dashboard in the lookup name. Events added to the allow list for a dashboard are listed in that lookup.

For example, the Threat Activity Filter lookup displays the filters for the Threat Activity dashboard.

Edit the per-panel filter lookup.

  1. Open the filter list for the relevant dashboard. The name of the filter, for example ppf_threat_activity, shows in the upper left-hand corner.
  2. To edit a field, select a cell and begin typing.
  3. To insert or remove a row or column in the filter, right-click the field for edit options. Removing a row adds that item back to the dashboard panel view and removes it from the allow list.
  4. To exclude an item, use the editor to add a new row to the table and use blacklist in the filter column.
  5. Click Save to save your changes.

Audit per-panel filters

Changes made to the per-panel filters are logged in the per-panel filtering audit logs. The lookup editor and the per-panel filter module modify per-panel filters. Use the Per-Panel Filter Audit dashboard to audit per-panel filters.

Last modified on 19 January, 2022
Customize the menu bar in Splunk Enterprise Security   Create a Splunk Web message in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters