Manage data filters in Splunk Asset and Risk Intelligence

Note: Splunk Asset and Risk Intelligence is not compatible with Splunk Enterprise 9.1.2 due to known issues SPL-237796, SPL-248319 where search results in "results" have more rows than expected. Upgrade to Splunk Enterprise 9.1.3 to use Splunk Asset and Risk Intelligence.

With data filters, you can block or allow particular software products or vulnerabilities to customize what Splunk Asset and Risk Intelligence discovers.

For example, if there is a specific product that isn't relevant to your investigation, you can remove that product to make triaging assets easier. To remove the product, you can add a data filter that blocks that software product from discovery. You can also block every product assigned to a particular vendor, such as Microsoft, from being discovered.

Note: The default data filter allows all software and vulnerabilities, and it appears on the data filter table as an asterisk ( * ). Removing the default data filter without adding a custom filter blocks all software and vulnerabilities from being discovered by Splunk Asset and Risk Intelligence.

Add a data filter

To add a data filter, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Inventory data filters.
  2. Select whether you want to add a filter for Software or Vulnerability.
  3. Select the add icon ( add ).
  4. Enter a vendor and a product for software and a signature for vulnerabilities. Do not leave a field blank. If you don't want to specify a vendor, product, or signature, enter an asterisk ( * ).
  5. Select whether you want to Allow or Block the vendor or product.
  6. Select Add.

After you add a data filter, you can modify it, clone it, or delete it using the action icons in the Data filters table.

Note: When modifying a data filter, you can only change whether or not to block or allow the product or vendor. To edit the product or vendor, you must delete the data filter and add a new one.

Upload a list of data filters

To upload a list of data filters, complete the following steps:

  1. In Splunk Asset and Risk Intelligence, select Admin then Data sources and then Inventory data filters.
  2. Select whether you want to add a filter for Software or Vulnerability.
  3. Select the upload icon ( upload ).
  4. Select Upload file and add your CSV file.
    • For vulnerability filtering, include the following fields in the CSV file: ari_allow, ari_block, and signature where ari_allow and ari_block have a value of 0 or 1.
    • For software filtering, include the following fields in the CSV file: ari_allow, ari_block, ari_software_product, and ari_software_vendorwhere ari_allow and ari_block have a value of 0 or 1.
    Note: Do not leave fields blank. Instead enter an asterisk ( * ).
  5. For Upload mode, select whether you want to merge or overwrite the existing data filters.
  6. Select Upload.