Filters

Filter resources are used to select events based on user-defined conditions.

This is not true only when filters are used in the collector service, in which the filters select all events that DO NOT satisfy filter conditions.

Filters can be used in collector services, enrichment rule resources, aggregation rule resources, response rule resources, correlation rule resources, and destination resources either as separate filter resources or as built-in filters stored in the service or resource where they were created.

Available settings for filter resources:

• Name (required)—a unique name for this type of resource. Must contain from 1 to 128 Unicode characters. Inline filters are created in other resources or services and do not have names.
• Tenant (required)—name of the tenant that owns the resource.
• Conditions settings block—here you can formulate filtering criteria by creating filter conditions and groups of filters, and by adding existing filter resources.

  You can use the Add group button to add a group of filters. Group operators can be switched between AND, OR, and NOT. Groups, conditions, and existing filter resources can be added to groups of filters.

  You can use the Add filter button to add an existing filter resource, which should be selected in the Select filter drop-down list.

  You can use the Add condition button to add a string containing fields for identifying the condition (see below).

  Conditions, groups, and filters can be deleted by using the button.

Settings of conditions:

• If (required)—in this drop-down list, you can specify whether or not to use the inverted function of the operator.
• Left operand and Right operand (required)—used to specify the values that the operator will process. The available types depend on the selected operator.

  Operands of filters

  • Event field—used to assign an event field value to the operand. Advanced settings:
    • Event field (required)—this drop-down list is used to select the field from which the value for the operand should be extracted.
  • Active list—used to assign an active list record value to the operand. Advanced settings:
    • Active list (required)—this drop-down list is used to select the active list.
    • Key fields (required)—this is the list of event fields used to create the Active list entry and serve as the Active list entry key.
    • Event field (required unless the inActiveList operator is selected)—used to enter the name of the active list field from which the value for the operand should be extracted.
  • Dictionary—used to assign a dictionary resource value to the operand. Advanced settings:
    • Name (required)—this drop-down list is used to select the Dictionary.
    • Key fields (required)—this is the list of the event fields used to form the Dictionary value key.
  • Constant—used to assign a custom value to the operand. Advanced settings:
    • Value (required)—here you enter the constant you want to assign to the operand.
  • List—used to assign multiple custom values to the operand. Advanced settings:
    • Value (required)—here you enter the list of constants you want to assign to the operand. When you type the value in the field and press ENTER, the value is added to the list and you can enter a new value.
  • TI—used to read the CyberTrace threat intelligence (TI) data from the events. Advanced settings:
    • Feed (required)—this field is used to specify the CyberTrace threat category.
    • Key fields (required)—this drop-down list is used to select the event field containing the CyberTrace threat indicators.
    • Field (required)—this field is used to specify the CyberTrace feed field containing the threat indicators.
• Operator (required)—used to select the condition operator.

  In this drop-down list, you can select the Ignore case check box if the operator should ignore the case of values. This check box is ignored if the InSubnet, InActiveList, InCategory, and InActiveDirectoryGroup operators are selected.

  Filter operators

  • = – the left operand equals the right operand.
  • <—the left operand is less than the right operand.
  • <=—the left operand is less than or equal to the right operand.
  • >—the left operand is greater than the right operand.
  • >=—the left operand is greater than or equal to the right operand.
  • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
  • contains—the left operand contains values of the right operand.
  • startsWith—the left operand starts with one of the values of the right operand.
  • endsWith—the left operand ends with one of the values of the right operand.
  • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
  • inActiveList—this filter has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
  • inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
  • inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
  • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.

The available operand kinds depends on whether the operand is left (L) or right (R).

Available operand kinds for left (L) and right (R) operands

Operator	Event field type	Active list type	Dictionary type	Constant type	List type	TI type
=	L,R	L,R	L,R	R	R	L,R
>	L,R	L,R	L,R	R		L,R
>=	L,R	L,R	L,R	R		L,R
<	L,R	L,R	L,R	R		L,R
<=	L,R	L,R	L,R	R		L,R
contains	L,R	L,R	L,R	R	R	L,R
startsWith	L,R	L,R	L,R	R	R	L,R
endsWith	L,R	L,R	L,R	R	R	L,R
match	L	L	L	R	R	L
inSubnet	L,R	L,R	L,R	R	R	L,R
inCategory	L	L	L	R	R
inActiveDirectoryGroup	L	L	L	R	R
inActiveList		L
TIDetect

Page top