Configure per-panel filtering in Splunk Enterprise Security
Some dashboards in Splunk Enterprise Security include the per-panel filter option, which can filter items out of dashboard views, making it easier to find the events that require investigation. You can use per-panel filtering to do the following:
- If you determine that an event is a threat, use the per-panel filter to add the item to your deny list of known threats.
- If you determine that an event is not a threat, you can add it to your allow list to remove it from the dashboard view.
The per-panel filter button appears only if the user has permission to use the per-panel filter option.
Allow events in the allow list to remove them from the dashboard view
After you determine that an event is not a threat, you can add the event to the allow list to hide it from the dashboard view. After you allow an event, the summary statistics continue to include allowed items, but these items are not displayed in the dashboard.
Allow an event in the allow list
Use the per-panel filter to allow or filter events on a dashboard. Follow these steps to allow an event in the allow list so that it is filtered out of the dashboard view, using traffic events on the Traffic Size Analysis dashboard as an example:
- In the Splunk Enterprise Security app, go to the dashboard on which you want to use the per-panel filter option. For example, if you want to go to the Traffic size analysis dashboard, select Analytics and then select Security intelligence and then select Protocol intelligence.
The per-panel filter button appears only if the user has permission to use the per-panel filter option.
- Go to Traffic size details and select the check boxes for items to filter.
- Select Per-panel Filter option to display options for events that can be filtered in this dashboard.
- Select the radio button for Filter out these results to filter events so that they no longer appear on this dashboard. Alternatively, select the radio button for Highlight these results to highlight them on this dashboard. For example, on the Traffic Size Analysis dashboard, you can either filter events so that they no longer appear or highlight them so that they are flagged as important.
- Select Save.
In this example, after you add an item to the allow list, it is no longer considered a threat and no longer appears on the Traffic size analysis dashboard.
Remove an item from the allow list
Follow these steps to remove an item from the allow list:
- In the Splunk Enterprise Security app, go to the dashboard on which you want to use the per-panel filter option. For example, if you want to go to the Traffic size analysis dashboard, select Analytics and then select Security intelligence and then select Protocol intelligence.
The per-panel filter button appears only if the user has permission to use the per-panel filter option.
- Select the Per-panel filter option, then select View/edit lookup file to see the list of entries currently being filtered.
- Select a cell in the table to view the context menu.
- Select Remove row to remove the row containing the allowed item.
- Select Save.
Exclude events that need a review
You can also exclude an event. Excluding an item means that you have identified an event that is known to be malicious, or that is thought to communicate with a command and control server that is known to be malicious. Any time the event or string shows up in the data, you might want to investigate the system, the user associated with the system, and the web activity to understand the nature and possible proliferation of the threat.
Excluding an event or string is similar to allowing it. You can exclude events only after they have been filtered from the dashboard.
Follow these steps to exclude a traffic event from the Traffic size analysis dashboard as an example:
- In the Splunk Enterprise Security app, go to the dashboard on which you want to use the per-panel filter option. For example, if you want to go to the Traffic size analysis dashboard, select Analytics and then select Security intelligence and then select Protocol intelligence.
The per-panel filter button appears only if the user has permission to use the per-panel filter option.
- Select the Per-panel Filter option, then select View/edit lookup file to see the list of entries currently being filtered.
- Locate the entry you want to add to the exclusion list.
- Under the filter column, double-select the word Allowlist to edit the cell.
- Delete Allowlist and enter Denylist.
- Select Save.
Edit the per-panel filter list
To see a current list of per-panel filters by dashboard, select Security content and then select Content management. Lookups whose description indicates that they hold per-panel filters list the current per-panel filters for the dashboard named in the lookup name. Events added to the allow list for a dashboard are listed in that lookup.
For example, the Threat Activity Filter lookup displays the filters for the Threat findings dashboard.
Follow these steps to edit the per-panel filter lookup:
- In the Splunk Enterprise Security app, go to the dashboard on which you want to use the per-panel filter option. For example, if you want to go to the Traffic size analysis dashboard, select Analytics and then select Security intelligence and then select Protocol intelligence.
The per-panel filter button appears only if the user has permission to use the per-panel filter option.
- Select the Per-panel Filter option, then select View/edit lookup file. This opens the .csv lookup file.
- To edit a field, select a cell and enter a value.
- To insert or remove a row or column, select the field for edit options. Removing a row adds that item back to the dashboard panel view and removes it from the allow list.
- To exclude an item, use the editor to add a new row to the table and use denylist in the filter column.
- Select Save to save your changes.
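The two procedures above (moving an entry from Allowlist to Denylist, and removing a row so the item returns to the dashboard) both amount to edits of the per-panel filter .csv lookup. The following Python script is an added example, not Splunk's own code, that applies the same edits to a copy of such a lookup offline and rejects any filter value other than allowlist or denylist. Only the filter column and its two values come from this documentation; the dest column and the sample rows are assumptions.

```python
import csv
import io

# Constructed sample of a per-panel filter lookup. Only the "filter" column and
# its allowlist/denylist values come from the documentation; the "dest" column
# and these rows are assumptions made for this example.
SAMPLE_LOOKUP = """dest,filter
10.0.0.5,allowlist
10.0.0.9,allowlist
203.0.113.7,denylist
"""

VALID_FILTERS = {"allowlist", "denylist"}


def load_lookup(text):
    """Parse the lookup CSV; reject filter values that are not allowlist/denylist."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        value = (row.get("filter") or "").strip().lower()
        if value not in VALID_FILTERS:
            raise ValueError(f"invalid filter value {row.get('filter')!r} in row {row}")
        row["filter"] = value
    return rows


def set_filter(rows, key_field, key, new_filter):
    """Change the filter of every row whose key_field equals key (e.g. allowlist -> denylist)."""
    if new_filter not in VALID_FILTERS:
        raise ValueError(f"unsupported filter value {new_filter!r}")
    matches = [r for r in rows if r[key_field] == key]
    if not matches:
        raise KeyError(key)
    for r in matches:
        r["filter"] = new_filter
    return rows


def remove_entry(rows, key_field, key):
    """Drop the row; on the dashboard this puts the item back into the panel view."""
    return [r for r in rows if r[key_field] != key]


def dump_lookup(rows, fieldnames):
    """Serialize the edited rows back to CSV text in the same column order."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def denylisted(rows, key_field="dest"):
    """Return the keys currently on the deny list, sorted for stable comparison."""
    return sorted(r[key_field] for r in rows if r["filter"] == "denylist")


if __name__ == "__main__":
    rows = load_lookup(SAMPLE_LOOKUP)
    rows = set_filter(rows, "dest", "10.0.0.9", "denylist")  # Allowlist -> Denylist
    rows = remove_entry(rows, "dest", "10.0.0.5")             # row returns to dashboard
    print(dump_lookup(rows, ["dest", "filter"]))
```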
Audit per-panel filters
Changes made to the per-panel filters, whether through the lookup editor or the per-panel filter module, are logged in the per-panel filtering audit logs.
See also
For more information on configuring user roles and per-panel filtering in Splunk Enterprise Security, see the product documentation:
- Per-Panel Filter Audit in the Use Splunk Enterprise Security manual.
- Configure users and roles in Splunk Enterprise Security in the Install and Upgrade Splunk Enterprise Security manual.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0