Hi, it would be nice if there were a possibility to filter/display additional info for IDS/IPS/Threats on whether this has been blocked or allowed by IDS/IPS/FW, based e.g. on the action field, etc.
Is this possible to add?
Great idea! The next version of the InfoSec app (tentatively scheduled to be released this month) will have the filter/visualization with allowed and blocked events.
The screenshot below is the updated IDS/IPS dashboard where you can click on the Allowed and Blocked numbers to filter results for the rest of the dashboard panels.
Please keep suggestions like this coming.
Version 1.4.0 - great work! Thanks!
Just a quick comment that this is now available in the InfoSec app version 1.4.0 on Splunkbase: https://splunkbase.splunk.com/app/4240/