5 Replies Latest reply on Feb 10, 2015 5:17 AM by jhonny

    Nitro SIEM dashboard exclusion filter

    jhonny

      Hi,


      Could anyone clarify if it's possible to do IP block exclusion from filters within dashboards? It seems like setting exclusions for Target or Source IP fields doesn't work - 10.0.0.0/8 won't exclude the private IP range from our data. It does work on the broader filters on the right side, but it didn't affect data on the separate dashboards.


      Thanks,

        • 1. Re: Nitro SIEM dashboard exclusion filter
          Peacekeeper

          Moved to SIEM forum for better attention

          • 2. Re: Nitro SIEM dashboard exclusion filter
            ryan.fitzpatrick

            I believe when creating a dashboard, one of the options you have in editing the items is the query section, where you can set filters on the dashboard queries in the view itself.


            Open the dashboard you want to filter IPs out of.

            Select edit view.
            Select the first component added to the dashboard; on the right side, you should have edit query.
            In the edit query section, there should be a place to set filters.
            Inside the filter, select the ! and place the IP block you wish to exclude.
            Repeat for each component in the dashboard.
            Save the dashboard.


            **Note** NOT queries used in the SIEM are incredibly intensive due to the nature of how the SQL query processes the data. A large number of queries using NOTs, and baseline averages can cause degraded performance.

            • 3. Re: Nitro SIEM dashboard exclusion filter
              jhonny

              Thanks Ryan,


              Yeah, the confusion I had is that I am not always able to use subnet exclusion on the fields which contain IPs; for the Source/Destination IP fields this does work, but I have some custom fields such as Domain which sometimes contain IPs and sometimes domain names. And thanks for the additional info on efficiency.

              • 4. Re: Nitro SIEM dashboard exclusion filter
                ryan.fitzpatrick

                Jhonny,


                 You are absolutely right: the fields are indexed as certain values. IP address fields use a specialized index that allows advanced searches through interpretation of the CIDR notation. Other fields, such as domain, are indexed as strings and do not allow the use of CIDR notation, because those particular fields expect strings to be parsed into them.


                To overcome the search limitation you can do regex(10\.10\.10\.[0-255]) or regex(10\.10\.10\.\d{1,3}) in a regex pattern match.
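
The distinction above, between a CIDR-aware IP index and a string field that needs a regex, as an added Python example that is not from the thread or from the SIEM product: it builds an anchored regex for an octet-aligned CIDR block (generalizing the /24 case in the reply to /8, /16, /24 and /32), applies it as an exclusion over constructed sample field values that mix IPs and hostnames, and includes a parse-based check for comparison. The SIEM's own regex() function is not used; the function names and sample values are assumptions.

```python
import ipaddress
import re

# One IPv4 octet, 0-255, in the usual decimal form without leading zeros.
# (Note that a character class such as [0-255] is NOT a numeric range:
# it matches a single character that is 0, 1, 2 or 5.)
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"

# Constructed sample values for a string-indexed field (like the "Domain"
# custom field in the thread) that holds either an IP or a hostname.
SAMPLE_FIELD_VALUES = [
    "10.10.10.200",
    "10.200.1.1",
    "100.10.10.10",      # starts with "10." but is outside 10.0.0.0/8
    "mail.example.com",
    "192.168.1.10",
]


def cidr_to_regex(cidr: str) -> re.Pattern:
    """Return an anchored regex matching exactly the IPv4 addresses in `cidr`.

    Only octet-aligned prefixes (/0, /8, /16, /24, /32) are supported, which
    covers the private-range exclusions discussed in the thread.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError(f"only octet-aligned IPv4 prefixes supported: {cidr}")
    fixed = net.prefixlen // 8
    octets = str(net.network_address).split(".")
    parts = [re.escape(o) for o in octets[:fixed]] + [OCTET] * (4 - fixed)
    # Anchoring both ends prevents "100.10.10.10" from matching a "^10\." prefix
    # and prevents "10.10.10.2" from matching inside "10.10.10.200".
    return re.compile(r"^" + r"\.".join(parts) + r"$")


def exclude_block(values, cidr: str) -> list:
    """Drop every value that is an IP inside `cidr`; keep hostnames untouched."""
    pattern = cidr_to_regex(cidr)
    return [v for v in values if not pattern.match(v)]


def in_block_by_parsing(value: str, cidr: str) -> bool:
    """Reference check: parse the value as an IP instead of using a regex."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:          # hostnames and malformed strings are not IPs
        return False


if __name__ == "__main__":
    print(cidr_to_regex("10.0.0.0/8").pattern)
    print(exclude_block(SAMPLE_FIELD_VALUES, "10.0.0.0/8"))
```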

                • 5. Re: Nitro SIEM dashboard exclusion filter
                  jhonny

                  Thanks Ryan,


                  Yes, that's what I did already; I used regex instead. Thanks for the great feedback and comments.