jhonny
Level 7
Message 1 of 6

Nitro SIEM dashboard exclusion filter

Hi,

Could anyone clarify if it's possible to do IP block exclusion from filters within dashboards? Seems like setting exclusions for Target or Source IP fields doesn't work - 10.0.0.0/8 won't exclude the private IP range from our data. It does work on broader filters on the right side, but it didn't affect data on the separate dashboards.

Thanks,

5 Replies

Re: Nitro SIEM dashboard exclusion filter

Moved to SIEM forum for better attention

Re: Nitro SIEM dashboard exclusion filter

I believe when creating a dashboard, one of the options you have in editing the items is the query section, where you can set filters on the dashboard queries in the view itself.

Open the dashboard you want to filter IPs out of.

Select edit view
Select the first component added to the dashboard; on the right side, you should have edit query.
In the edit query section, there should be a place to set filters.
Inside the filter, select the ! and place the IP block you wish to exclude.
Repeat for each component in the dashboard.
Save the dashboard.

**Note** NOT queries used in the SIEM are incredibly intensive due to the nature of how the SQL query processes the data. A large number of queries using NOTs and baseline averages can cause degraded performance.

jhonny
Level 7
Message 4 of 6

Re: Nitro SIEM dashboard exclusion filter

Thanks Ryan,

Yeah, the confusion I had is that I am not always able to use subnet exclusion on the fields which contain IPs. For Source/Destination IP fields this does work; I have some custom fields such as Domain which sometimes contain IPs, but sometimes domain names. And thanks for the additional info on efficiency.

Re: Nitro SIEM dashboard exclusion filter

Jhonny,

You are absolutely right, the fields are indexed as certain values. IP address fields are a specialized index that can allow for advanced searches through the interpretation of the CIDR notation. Other fields, such as domain, are indexed as strings and do not allow for the utilization of CIDR notation due to expecting strings to be parsed into those particular fields.

To overcome the search limitation you can do regex(10\.10\.10\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)) or regex(10\.10\.10\.\d{1,3}) in a regex pattern match.
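
The difference between a CIDR-aware IP field and a string field that only supports regex, as an added example (not part of the thread or of the SIEM product): it runs a /24 exclusion over a constructed mixed "Domain" field both ways, using Python's `re` semantics rather than the SIEM's regex engine (an assumption), and shows two ways a regex exclusion can silently drift from the intended subnet: a `[0-255]` character class (which matches the single digits 0, 1, 2 and 5, not the range 0-255) and an unanchored match that also swallows longer values containing the IP text.

```python
import ipaddress
import re

# Constructed sample values for a custom "Domain" field that holds either an IP or a hostname.
DOMAIN_FIELD = [
    "10.10.10.3",
    "10.10.10.5",
    "10.10.10.25",
    "10.10.10.255",
    "110.10.10.5",             # different network; contains "10.10.10.5" as a substring
    "10.10.10.1.example.com",  # hostname that merely starts with IP-looking text
    "example.com",
    "192.168.1.7",
]


def in_cidr(value: str, network: str) -> bool:
    """CIDR test as an IP-indexed field performs it; non-IP strings never match."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(network, strict=False)
    except ValueError:
        return False


def exclude_by_cidr(values, network):
    """Emulates a '!' exclusion on an IP-indexed field."""
    return [v for v in values if not in_cidr(v, network)]


def exclude_by_regex(values, pattern):
    """Emulates a regex exclusion on a string field, anchored to the whole value."""
    rx = re.compile(pattern)
    return [v for v in values if not rx.fullmatch(v)]


def exclude_by_regex_unanchored(values, pattern):
    """Same exclusion, but matching anywhere in the value (over-excludes)."""
    rx = re.compile(pattern)
    return [v for v in values if not rx.search(v)]


# Pitfall: [0-255] is a character class of the digits 0, 1, 2, 5, not a numeric range.
BAD_OCTET = r"10\.10\.10\.[0-255]"
# \d{1,3} covers every real last octet; the alternation additionally rejects 256-999.
LOOSE_OCTET = r"10\.10\.10\.\d{1,3}"
STRICT_OCTET = r"10\.10\.10\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"

if __name__ == "__main__":
    print("CIDR       :", exclude_by_cidr(DOMAIN_FIELD, "10.10.10.0/24"))
    print("bad regex  :", exclude_by_regex(DOMAIN_FIELD, BAD_OCTET))
    print("unanchored :", exclude_by_regex_unanchored(DOMAIN_FIELD, LOOSE_OCTET))
```

Compare the three printed lists: the CIDR exclusion and the anchored `\d{1,3}` regex agree, the `[0-255]` form drops only 10.10.10.5, and the unanchored form also hides 110.10.10.5 and the hostname, which is data the dashboard should still show.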

jhonny
Level 7
Message 6 of 6

Re: Nitro SIEM dashboard exclusion filter

Thanks Ryan,

Yes, that's what I did already; I used regex instead. Thanks for the great feedback and comments.