Filter indicator records in Splunk Phantom
When you first install Splunk Phantom, industry-standard indicator records are generated for incoming events. This can produce a large volume of indicator records, many of which might not be necessary for your system. You can filter out certain indicators to reduce the number of indicator records that are generated.
Create a filter
To filter out certain indicators, follow these steps:
- From the main menu, select Administration.
- Select Event Settings > Indicators.
- To filter out certain indicator records, uncheck the box by the field name of the record you don't want to generate indicators for. If you have created any custom CEF fields, by default those fields don't have indicator records. If you want to create indicators for these fields, make sure to check the box next to the field name.
- After you have made any changes, click Save Changes.
- (Optional) To sort by data type, click Data Type and choose how you would like to sort the fields. You can also search for indicators by data type in the search bar to add them to the filter.
- (Optional) Click Field Type to sort the fields based on default or custom fields.
- (Optional) Use the search bar to search for specific fields.
- (Optional) Use the Total Count column to see the number of each type of indicator record across the system.
This filter applies only to events coming in after the filter is set and does not apply to indicator records that were previously created.
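As an added illustration, not Phantom's own code or REST API, the following Python models the filter behaviour described above: default CEF fields generate indicator records, custom CEF fields do not until they are checked, and a filter change affects only artifacts ingested afterwards, leaving earlier records in place. The field-to-data-type mapping, the custom field name and the sample artifacts are all constructed for this example.

```python
from collections import Counter

# Constructed subset of Phantom's default CEF fields and the indicator data
# type each maps to (illustrative; the real default list is much longer).
DEFAULT_FIELD_TYPES = {
    "sourceAddress": "ip",
    "destinationAddress": "ip",
    "destinationDnsDomain": "domain",
    "fileHash": "hash",
}
# Constructed custom CEF field, as an administrator might add for a local feed.
CUSTOM_FIELD_TYPES = {"internalTicketId": "string"}

def default_filter():
    """Page default: default fields generate indicators, custom fields do not."""
    enabled = {field: True for field in DEFAULT_FIELD_TYPES}
    enabled.update({field: False for field in CUSTOM_FIELD_TYPES})
    return enabled

def generate_indicators(artifacts, enabled):
    """Emit one indicator record per enabled CEF field value in each artifact."""
    types = {**DEFAULT_FIELD_TYPES, **CUSTOM_FIELD_TYPES}
    return [
        {"field": f, "value": v, "data_type": types.get(f, "unknown")}
        for artifact in artifacts
        for f, v in artifact["cef"].items()
        if enabled.get(f, False)  # unchecked or unknown fields generate nothing
    ]

def total_count(records):
    """Mirror of the Total Count column: indicator records per data type."""
    return Counter(r["data_type"] for r in records)

# Constructed sample artifacts: two ingested before the filter change, one after.
EARLY = [
    {"cef": {"sourceAddress": "10.0.0.5", "destinationAddress": "203.0.113.9",
             "fileHash": "0123456789abcdef" * 2}},  # placeholder hash value
    {"cef": {"sourceAddress": "10.0.0.6", "destinationDnsDomain": "example.net",
             "internalTicketId": "T-1"}},
]
LATER = [
    {"cef": {"sourceAddress": "10.0.0.7", "destinationAddress": "198.51.100.2",
             "internalTicketId": "T-2"}},
]

def apply_filter_change():
    """Unchecking a field affects only later events; earlier records remain."""
    store = generate_indicators(EARLY, default_filter())  # records already created
    before = total_count(store)
    changed = default_filter()
    changed["sourceAddress"] = False     # admin unchecks the noisy internal-IP field
    changed["internalTicketId"] = True   # and opts the custom field in
    store += generate_indicators(LATER, changed)
    return before, total_count(store)
```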
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7