Nitro SIEM dashboard exclusion filter

Hi,

Could anyone clarify if it's possible to do IP block exclusion from filters within dashboards? It seems that setting exclusions for the Target or Source IP fields doesn't work: 10.0.0.0/8 won't exclude the private IP range from our data. It does work on broader filters on the right side, but it didn't affect data on the separate dashboards.

Thanks,

5 Replies

Re: Nitro SIEM dashboard exclusion filter

Moved to SIEM forum for better attention


Re: Nitro SIEM dashboard exclusion filter

I believe when creating a dashboard, one of the options you have in editing the items is the query section, where you can set filters on the dashboard queries in the view itself.

1. Open the dashboard you want to filter IPs out of.
2. Select edit view.
3. Select the first component added to the dashboard; on the right side, you should have edit query.
4. In the edit query section, there should be a place to set filters.
5. Inside the filter, select the ! and place the IP block you wish to exclude.
6. Repeat for each component in the dashboard.
7. Save the dashboard.

**Note** NOT queries used in the SIEM are incredibly intensive due to the nature of how the SQL query processes the data. A large number of queries using NOTs, and baseline averages can cause degraded performance.


Re: Nitro SIEM dashboard exclusion filter

Thanks Ryan,

Yeah, the confusion I had is that I am not always able to use subnet exclusion on the fields which contain IPs. For Source/Destination IP fields this does work, but I have some custom fields such as Domain which sometimes contain IPs and sometimes domain names. And thanks for the additional info on efficiency.


Re: Nitro SIEM dashboard exclusion filter

Jhonny,

You are absolutely right: the fields are indexed as certain types. IP address fields use a specialized index that allows for advanced searches through the interpretation of CIDR notation. Other fields, such as domain, are indexed as strings and do not allow for the use of CIDR notation, because those fields expect strings to be parsed into them.

To overcome the search limitation you can use a regex pattern match, such as regex(10\.10\.10\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)) or regex(10\.10\.10\.\d{1,3}).
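As an added example (not code from this thread or from McAfee ESM), the Python below turns a CIDR block into an anchored regex so that the exclusion described above can be applied to a string-indexed field that holds a mix of host names and raw IPv4 addresses. It also shows why a character class like `[0-255]` is not a numeric range: it is the set of characters {0, 1, 2, 5}. The regex flavor assumed is Python's `re`; the ESM regex() engine may differ, so test a generated pattern in the product before relying on it. The sample rows are constructed for the example.

```python
import ipaddress
import re

# Constructed sample values for a string-indexed "Domain"-style field that
# mixes host names with raw IPv4 addresses. Not data from the original thread.
SAMPLE_ROWS = [
    "10.10.10.7",
    "10.10.10.255",
    "110.10.10.7",                  # contains "10.10.10." but lies outside 10.0.0.0/8
    "10.10.100.7",
    "host.example.com",
    "192.168.1.20",
    "10.10.10.2.attacker.example",  # host name that embeds an IP-looking prefix
]

# Common mistake: [0-255] is the character set {0,1,2,5}, not the range 0-255,
# and the pattern is unanchored, so it also fires inside "110.10.10.1".
NAIVE = re.compile(r"10\.10\.10\.[0-255]")


def naive_matches(value: str) -> bool:
    return NAIVE.search(value) is not None


def octet_range_regex(lo: int, hi: int) -> str:
    """Regex fragment matching the decimal integers lo..hi (0 <= lo <= hi <= 255)."""
    if lo == hi:
        return str(lo)
    if lo == 0 and hi == 255:
        return "(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
    parts = []
    n = lo
    while n <= hi:
        if n >= 100 and n % 100 == 0 and n + 99 <= hi:   # whole hundred, e.g. 1[0-9][0-9]
            parts.append(f"{n // 100}[0-9][0-9]")
            n += 100
        elif n % 10 == 0 and n + 9 <= hi:                # whole decade, e.g. 2[0-9]
            parts.append("[0-9]" if n == 0 else f"{n // 10}[0-9]")
            n += 10
        else:                                            # single value
            parts.append(str(n))
            n += 1
    return "(?:" + "|".join(parts) + ")"


def cidr_to_regex(cidr: str) -> str:
    """Anchored regex matching exactly the IPv4 addresses inside a CIDR block.

    A CIDR block fixes a prefix of bits, so the first and last address differ
    only in a suffix; each octet is therefore an independent contiguous range
    and the block is the product of four per-octet ranges.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only")
    first, last = net.network_address.packed, net.broadcast_address.packed
    return "^" + r"\.".join(octet_range_regex(a, b) for a, b in zip(first, last)) + "$"


def exclude_cidr(rows, cidr: str):
    """Keep rows whose value is not an address in the block (a NOT filter on a string field)."""
    pat = re.compile(cidr_to_regex(cidr))
    return [r for r in rows if pat.search(r) is None]


def regex_agrees_with_ipaddress(cidr: str, rows) -> bool:
    """Cross-check: for each row that parses as an IP, regex membership must equal ipaddress membership."""
    net = ipaddress.ip_network(cidr, strict=False)
    pat = re.compile(cidr_to_regex(cidr))
    for r in rows:
        try:
            ip = ipaddress.ip_address(r)
        except ValueError:
            continue  # host names are never "in" the block
        if (pat.search(r) is not None) != (ip.version == 4 and ip in net):
            return False
    return True


if __name__ == "__main__":
    print(cidr_to_regex("10.0.0.0/8"))
    print(exclude_cidr(SAMPLE_ROWS, "10.0.0.0/8"))
```

The generated pattern is anchored at both ends, so a 10.10.10.0/24 exclusion leaves "110.10.10.7" and "10.10.10.2.attacker.example" in the result set; an unanchored `10\.10\.10\.\d{1,3}` would silently drop both. Because the regex is built from the block's first and last address, the same function handles prefixes that do not fall on an octet boundary (such as /12 or /20) without hand-writing the alternation.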


Re: Nitro SIEM dashboard exclusion filter

Thanks Ryan,

Yes, that's what I did already; I used regex instead. Thanks for the great feedback and comments.
