Step 4. Filtering events

This is an optional step of the Installation Wizard. The Event filtering tab of the Installation Wizard allows you to select or create a filter whose settings specify the conditions for selecting events. You can add multiple filters to the collector. You can swap the filters by dragging them by the DragIcon icon as well as delete them. Filters are combined by the AND operator.

When configuring filters, we recommend to adhere to the chosen normalization scheme. In filters, use only KUMA service fields and the fields that you specified in the normalizer in the Mapping and Enrichment sections. For example, if the DeviceAddress field is not used in normalization, avoid using the DeviceAddress field in a filter because such filtering will not work.

To add an existing filter to a collector resource set,

Click the Add filter button and select the required filter from the Filter drop-down menu.

To add a new filter to the collector resource set:

Click the Add filter button and select Create new from the Filter drop-down menu.
If you want to keep the filter as a separate resource, select the Save filter check box. This can be useful if you decide to reuse the same filter across different services. This check box is cleared by default.
If you selected the Save filter check box, enter a name for the created filter in the Name field. The name must contain 1 to 128 Unicode characters.
In the Conditions section, specify the conditions that must be met by the filtered events:
- The Add condition button is used to add filtering conditions. You can select two values (two operands, left and right) and assign the operation you want to perform with the selected values. The result of the operation is either True or False.
  - In the operator drop-down list, select the function to be performed by the filter.
    In this drop-down list, you can select the do not match case check box if the operator should ignore the case of values. This check box is ignored if the InSubnet, InActiveList, InCategory, and InActiveDirectoryGroup operators are selected. This check box is cleared by default.
    
    Filter operators
    - =—the left operand equals the right operand.
    - <—the left operand is less than the right operand.
    - <=—the left operand is less than or equal to the right operand.
    - >—the left operand is greater than the right operand.
    - >=—the left operand is greater than or equal to the right operand.
    - inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
    - contains—the left operand contains values of the right operand.
    - startsWith—the left operand starts with one of the values of the right operand.
    - endsWith—the left operand ends with one of the values of the right operand.
    - match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
    - hasBit—checks whether the left operand (string or number) contains bits whose positions are listed in the right operand (in a constant or in a list).
      The value to be checked is converted to binary and processed right to left. Chars are checked whose index is specified as a constant or a list.
      
      If the value being checked is a string, then an attempt is made to convert it to integer and process it in the way described above. If the string cannot be converted to a number, the filter returns False.
    - hasVulnerability—checks whether the left operand contains an asset with the vulnerability and vulnerability severity specified in the right operand.
      If you do not specify the ID and severity of the vulnerability, the filter is triggered if the asset in the event being checked has any vulnerability.
    - inActiveList—this operator has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
    - inDictionary—checks whether the specified dictionary contains an entry defined by the key composed with the concatenated values of the selected event fields.
    - inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
    - inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
    - TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
    - inContextTable—presence of the entry in the specified context table.
    - intersect—presence in the left operand of the list items specified in the right operand.
  - In the Left operand and Right operand drop-down lists, select where the data to be filtered will come from. As a result of the selection, Advanced settings will appear. Use them to determine the exact value that will be passed to the filter. For example, when choosing active list you will need to specify the name of the active list, the entry key, and the entry key field.
  - You can use the If drop-down list to choose whether you need to create a negative filter condition.
  Conditions can be deleted using the button.
- The Add group button is used to add groups of conditions. Operator AND can be switched between AND, OR, and NOT values.
  A condition group can be deleted using the button.
- By clicking Add filter, you can add existing filters selected in the Select filter drop-down list to the conditions. You can click to navigate to a nested filter.
  A nested filter can be deleted using the button.

The filter has been added.

Proceed to the next step of the Installation Wizard.

Page top