Filters

Filters are used to select events based on user-defined conditions.

This is not true only when filters are used in the collector service, in which the filters select all events that DO NOT satisfy filter conditions.

Filters can be used in the following KUMA services and features:

• Collector.
• Correlator.
• Storage.
• KUMA agents.
• Correlation rules.
• Enrichment rules.
• Aggregation rules.
• Destinations.
• Response rules.
• Segmentation rules.

You can use standalone filters or built-in filters that are stored in the service or resource where they were created.

For these resources, you can enable the display of control characters in all input fields except the Description field.

Available settings for filters:

• Name (required)—a unique name for this type of resource. Must contain 1 to 128 Unicode characters. Inline filters are created in other resources or services and do not have names.
• Tenant (required)—name of the tenant that owns the resource.
• The Conditions group of settings lets you formulate filtering criteria by creating filter conditions and groups of filters, or by adding existing filters.

  You can use the Add group button to add a group of filters. Group operators can be switched between AND, OR, and NOT. You can add groups, conditions, and existing filters to groups of filters. Conditions placed in the NOT subgroup are combined with the AND operator.

  You can use the Add filter button to add an existing filter, which you can select in the Select filter drop-down list.

  You can use the Add condition button to add a string containing fields for identifying the condition (see below).

  Conditions, groups, and filters can be deleted by using the button.

Settings of conditions:

• When (required)—in this drop-down list, you can specify whether or not to use the inverted function of the operator.
• Left operand and Right operand (required)—used to specify the values that the operator will process. The available types depend on the selected operator.

  Operands of filters

  • Event field—used to assign an event field value to the operand. Advanced settings:
    • Event field (required)—this drop-down list is used to select the field from which the value for the operand should be extracted.
  • Active list—used to assign an active list record value to the operand. Advanced settings:
    • Active list (required)—this drop-down list is used to select the active list.
    • Key fields (required)—this is the list of event fields used to create the Active list entry and serve as the Active list entry key.
    • Field (required unless the inActiveList operator is selected)—used to enter the Active list field name from which the value for the operand should be extracted.
  • Dictionary—used to assign a dictionary resource value to the operand. Advanced settings:
    • Dictionary (required)—this drop-down list is used to select the dictionary.
    • Key fields (required)—this is the list of the event fields used to form the dictionary value key.
  • Constant—used to assign a custom value to the operand. Advanced settings:
    • Value (required)—here you enter the constant that you want to assign to the operand.
  • Table—used to assign multiple custom values to the operand. Advanced settings:
    • Dictionary (required)—this drop-down list is used to select a Table-type dictionary.
    • Key fields (required)—this is the list of the event fields used to form the dictionary value key.
  • List—used to assign multiple custom values to the operand. Advanced settings:
    • Value (required)—here you enter the list of constants that you want to assign to the operand. When you type the value in the field and press ENTER, the value is added to the list and you can enter a new value.
  • TI—used to read the CyberTrace threat intelligence (TI) data from the events. Advanced settings:
    • Feed (required)—this field is used to specify the CyberTrace threat category.
    • Key fields (required)—this drop-down list is used to select the event field containing the CyberTrace threat indicators.
    • Field (required)—this field is used to specify the CyberTrace feed field containing the threat indicators.
• Operator (required)—used to select the condition operator.

  In this drop-down list, you can select the do not match case check box if the operator should ignore the case of values. This check box is ignored if the inSubnet, inActiveList, inCategory, InActiveDirectoryGroup, hasBit, inDictionary operators are selected. This check box is cleared by default.

  Filter operators

  • =—the left operand equals the right operand.
  • <—the left operand is less than the right operand.
  • <=—the left operand is less than or equal to the right operand.
  • >—the left operand is greater than the right operand.
  • >=—the left operand is greater than or equal to the right operand.
  • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
  • contains—the left operand contains values of the right operand.
  • startsWith—the left operand starts with one of the values of the right operand.
  • endsWith—the left operand ends with one of the values of the right operand.
  • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
  • hasBit—checks whether the left operand (string or number) contains bits whose positions are listed in the right operand (in a constant or in a list).

    The value to be checked is converted to binary and processed right to left. Chars are checked whose index is specified as a constant or a list.

    If the value being checked is a string, then an attempt is made to convert it to integer and process it in the way described above. If the string cannot be converted to a number, the filter returns False.

  • hasVulnerability—checks whether the left operand contains an asset with the vulnerability and vulnerability severity specified in the right operand.

    If you do not specify the ID and severity of the vulnerability, the filter is triggered if the asset in the event being checked has any vulnerability.

  • inActiveList—this operator has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
  • inContextTable checks whether or not an entry exists in the context table. This operator has only one operand. Its values are selected in the Key fields field and are compared with the values of entries in the context table selected from the drop-down list of context tables.
  • inDictionary—checks whether the specified dictionary contains an entry defined by the key composed with the concatenated values of the selected event fields.
  • inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
  • inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
  • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.

The available operand kinds depends on whether the operand is left (L) or right (R).

Available operand kinds for left (L) and right (R) operands

Operator	Event field type	Active list type	Dictionary type	Table type	TI type	Constant type	List type
=	L,R	L,R	L,R	L,R	L,R	R	R
>	L,R	L,R	L,R	L,R	L	R
>=	L,R	L,R	L,R	L,R	L	R
<	L,R	L,R	L,R	L,R	L	R
<=	L,R	L,R	L,R	L,R	L	R
inSubnet	L,R	L,R	L,R	L,R	L,R	R	R
contains	L,R	L,R	L,R	L,R	L,R	R	R
startsWith	L,R	L,R	L,R	L,R	L,R	R	R
endsWith	L,R	L,R	L,R	L,R	L,R	R	R
match	L	L	L	L	L	R	R
hasVulnerability	L	L	L	L
hasBit	L	L	L	L		R	R
inActiveList
inDictionary
inCategory	L	L	L	L		R	R
inActiveDirectoryGroup	L	L	L	L		R	R
TIDetect

The filters listed in the table below are included in the KUMA kit.

Predefined filters

Filter name	Description
[OOTB][AD] A member was added to a security-enabled global group (4728)	Selects events of adding a user to an Active Directory security-enabled global group.
[OOTB][AD] A member was added to a security-enabled universal group (4756)	Selects events of adding a user to an Active Directory security-enabled universal group.
[OOTB][AD] A member was removed from a security-enabled global group (4729)	Selects events of removing a user from an Active Directory security-enabled global group.
[OOTB][AD] A member was removed from a security-enabled universal group (4757)	Selects events of removing a user from an Active Directory security-enabled universal group.
[OOTB][AD] Account Created	Selects Windows user account creation events.
[OOTB][AD] Account Deleted	Selects Windows user account deletion events.
[OOTB][AD] An account failed to log on (4625)	Selects Windows logon failure events.
[OOTB][AD] Successful Kerberos authentication (4624, 4768, 4769, 4770)	Selects successful Windows logon events and events with IDs 4769, 4770 that are logged on domain controllers.
[OOTB][AD][Technical] 4768. TGT Requested	Selects Microsoft Windows events with ID 4768.
[OOTB][Net] Possible port scan	Selects events that may indicate a port scan.
[OOTB][SSH] Accepted Password	Selects events of successful SSH connections with a password.
[OOTB][SSH] Failed Password	Selects attempts to connect over SSH with a password.

Page top