Filter indicator records in Splunk SOAR
When you first install Splunk SOAR, industry-standard indicator records are generated for incoming events. This can produce a large volume of indicator records, many of which might not be necessary for your system.
As of release 6.0.0: To reduce the number of indicator records, Splunk SOAR only generates records that are associated with default and custom fields present in your indicator list, located under Administration > Event Settings > Indicators. Any records associated with fields that are not present in your indicator list are automatically deleted.
Create a filter
To filter out certain indicators, follow these steps:
- From the Home menu, select Administration.
- Select Event Settings > Indicators.
- To filter out certain indicator records, uncheck the box next to the field name of the record you don't want to generate indicators for. If you have created any custom CEF fields, those fields don't have indicator records by default. If you want to create indicators for these fields, check the box next to the field name.
- After you have made any changes, click Save Changes.
- (Optional) To sort by data type, click Data Type and choose how you would like to sort the fields. You can also search for indicators by data type in the search bar to add them to the filter.
- (Optional) Click Field Type to sort the fields based on default or custom fields.
- (Optional) Use the search bar to search for specific fields.
- (Optional) Use the Total Count column to see the number of each type of indicator record across the system.
This filter applies only to events coming in after the filter is set and does not apply to indicator records that were previously created.
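The behaviour described above (default fields checked by default, custom CEF fields unchecked, and the filter applying only to events that arrive after it is saved), modelled as an added Python example that is not Splunk SOAR's own code; the field names, events and the `myTicketId` custom field are constructed for illustration:

```python
# Added example: a small model of the indicator filter, not Splunk SOAR code.
# Assumption: the indicator list maps a CEF field name to a checked/unchecked
# flag, and each event is a dict of CEF field -> value (all values constructed).
from collections import Counter

DEFAULT_FIELDS = {"sourceAddress", "destinationAddress", "fileHash", "requestURL"}
CUSTOM_FIELDS = {"myTicketId"}  # hypothetical custom CEF field


def initial_indicator_list():
    """Default fields start checked; custom CEF fields start unchecked."""
    enabled = {field: True for field in DEFAULT_FIELDS}
    enabled.update({field: False for field in CUSTOM_FIELDS})
    return enabled


def generate_indicators(indicator_list, events):
    """Create indicator records only for fields that are checked in the list."""
    records = []
    for event in events:
        for field, value in event.items():
            if indicator_list.get(field, False):
                records.append({"field": field, "value": value})
    return records


def total_count(records):
    """Mirror the Total Count column: number of records per indicator field."""
    return Counter(record["field"] for record in records)


# Constructed sample events: one ingested before the filter change, one after.
EVENTS_BEFORE = [{"sourceAddress": "10.0.0.5", "requestURL": "http://example.test/a",
                  "myTicketId": "T-1"}]
EVENTS_AFTER = [{"sourceAddress": "10.0.0.6", "requestURL": "http://example.test/b",
                 "myTicketId": "T-2"}]


def apply_filter_scenario():
    """Uncheck requestURL and check myTicketId; only later events are affected."""
    indicator_list = initial_indicator_list()
    existing = generate_indicators(indicator_list, EVENTS_BEFORE)
    indicator_list["requestURL"] = False  # uncheck: stop generating URL indicators
    indicator_list["myTicketId"] = True   # check: start generating for the custom field
    new = generate_indicators(indicator_list, EVENTS_AFTER)
    # Records created before the change are not removed by the new filter.
    return existing, new


if __name__ == "__main__":
    before, after = apply_filter_scenario()
    print(total_count(before + after))
```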
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1