Filters
Filters let you select events based on specified conditions.
The collector service uses filters to filter out events that you do not want to send to KUMA. That is, an event that matches the filter condition is NOT sent to KUMA.
Filters can be used in the following KUMA services and features:
- Collector.
- Correlator.
- Storage.
- KUMA agents.
- Correlation rules.
- Enrichment rules.
- Aggregation rules.
- Destinations.
- Response rules.
- Segmentation rules.
You can use standalone filters or built-in filters that are stored in the service or resource where they were created.
For these resources, you can enable the display of control characters in all input fields except the Description field.
Available settings for filters:
- Name (required)—a unique name for this type of resource. Must contain 1 to 128 Unicode characters. Inline filters are created in other resources or services and do not have names.
- Tenant (required)—name of the tenant that owns the resource.
- Description—up to 4,000 Unicode characters describing the filter.
- The Conditions group of settings lets you formulate filtering criteria by creating filter conditions and groups of filters, or by adding existing filters.
To create filtering criteria, you can use builder mode or source code mode. The builder mode is used by default.
In builder mode, you can create or edit filter criteria by selecting filter conditions and operators from drop-down lists.
In source code mode, you can use text commands to create and edit search queries.
You can freely switch between modes when creating filtering criteria. To switch to source code mode, click the Code button. When switching between modes, the created condition filters are preserved. If the filter code is not displayed on the Code tab after linking the created filter to the resource, go to the Builder tab and then go back to the Code tab. The filter code is displayed.
Creating conditions in builder mode
You can create filtering criteria in builder mode using the following buttons:
- Add condition adds a string with fields for defining a condition.
- Add group adds a group of filters. Group operators can be switched between AND, OR, and NOT. You can add groups, conditions, and existing filters to groups of filters. Conditions placed in the NOT subgroup are combined with the AND operator.
To replace an operator in the created condition, click the operator that you want to replace and select the new operator from the drop-down list.
To delete an operator in the created condition, click the operator that you want to delete and press Backspace.
To alter the sequence of filter conditions, click 
and drag and drop the condition to the new location.
Conditions, groups, and filters can be deleted by using the 
button.
Settings of conditions:
- When (required)—in this drop-down list, you can specify whether or not to use the inverted function of the operator.
- Left operand and Right operand (required)—used to specify the values that the operator will process. The available types depend on the selected operator.
- Operator (required)—used to select the condition operator.
In this drop-down list, you can select the do not match case check box if the operator should ignore the case of values. This check box is ignored if the inSubnet, inActiveList, inCategory, InActiveDirectoryGroup, hasBit, inDictionary operators are selected. This check box is cleared by default.
The available operand kinds depends on whether the operand is left (L) or right (R).
Available operand kinds for left (L) and right (R) operands
Operator | Event field type | Active list type | Dictionary type | Context table type | Table type | TI type | Constant type | List type |
= | L,R | L,R | L,R | L,R | L,R | L,R | R | R |
> | L,R | L,R | L,R | L,R (only when looking up a table value by index) | L,R | L | R |
|
>= | L,R | L,R | L,R | L,R (only when looking up a table value by index) | L,R | L | R |
|
< | L,R | L,R | L,R | L,R (only when looking up a table value by index) | L,R | L | R |
|
<= | L,R | L,R | L,R | L,R (only when looking up a table value by index) | L,R | L | R |
|
inSubnet | L,R | L,R | L,R | L,R | L,R | L,R | R | R |
contains | L,R | L,R | L,R | L,R | L,R | L,R | R | R |
startsWith | L,R | L,R | L,R | L,R | L,R | L,R | R | R |
endsWith | L,R | L,R | L,R | L,R | L,R | L,R | R | R |
match | L | L | L | L | L | L | R | R |
hasVulnerability | L | L | L | L | L |
|
|
|
hasBit | L | L | L | L | L |
| R | R |
inActiveList |
|
|
|
|
|
|
|
|
inDictionary |
|
|
|
|
|
|
|
|
inCategory | L | L | L | L | L |
| R | R |
inContextTable |
|
|
|
|
|
|
|
|
inActiveDirectoryGroup | L | L | L | L | L |
| R | R |
TIDetect |
|
|
|
|
|
|
|
|
.png)
You can use hotkeys when managing filters. Hotkeys are described in the table below.
Hotkeys and their functions
Key | Function |
|---|---|
e | Invokes a filter by the event field |
d | Invokes a filter by the dictionary field |
a | Invokes a filter by the active list field |
c | Invokes a filter by the context table field |
t | Invokes a filter by the table field |
f | Invokes a filter |
t+i | Invokes a filter using TI |
Ctrl+Enter | Finish editing a condition |
The usage of extended event schema fields "string", "number", or "float" types is the same as the usage of fields of the KUMA event schema.
When using filters with extended event schema fields of the "Array of strings", "Array of numbers", and "Array of floats" types, you can use the following operations:
- The "contains" operation returns True if the specified substring is present in the array, otherwise it returns False.
- The "match" operation matches the string against a regular expression.
- The "intersec" operation.
Creating conditions in source code mode
The code editor mode allows you to quickly edit conditions, select and copy blocks of code.
On the right side of the builder, you can find the navigator, which lets you to navigate the filter code.
Line wrapping is performed automatically at AND, OR, NOT logical operators, or at commas that delimit the items in the list of values.
Names of resources used in the filter are automatically specified. Fields containing the names of linked resources cannot be edited. The names of shared resource categories are not displayed in the filter if you do not have the "Access to shared resources" role. To view a list of resources for the selected operand inside an expression, press Ctrl+Space. This displays a list of resources.
The filters listed in the table below are included in the KUMA kit.
Predefined filters
Filter name | Description |
[OOTB][AD] A member was added to a security-enabled global group (4728) | Selects events of adding a user to an Active Directory security-enabled global group. |
[OOTB][AD] A member was added to a security-enabled universal group (4756) | Selects events of adding a user to an Active Directory security-enabled universal group. |
[OOTB][AD] A member was removed from a security-enabled global group (4729) | Selects events of removing a user from an Active Directory security-enabled global group. |
[OOTB][AD] A member was removed from a security-enabled universal group (4757) | Selects events of removing a user from an Active Directory security-enabled universal group. |
[OOTB][AD] Account Created | Selects Windows user account creation events. |
[OOTB][AD] Account Deleted | Selects Windows user account deletion events. |
[OOTB][AD] An account failed to log on (4625) | Selects Windows logon failure events. |
[OOTB][AD] Successful Kerberos authentication (4624, 4768, 4769, 4770) | Selects successful Windows logon events and events with IDs 4769, 4770 that are logged on domain controllers. |
[OOTB][AD][Technical] 4768. TGT Requested | Selects Microsoft Windows events with ID 4768. |
[OOTB][Net] Possible port scan | Selects events that may indicate a port scan. |
[OOTB][SSH] Accepted Password | Selects events of successful SSH connections with a password. |
[OOTB][SSH] Failed Password | Selects attempts to connect over SSH with a password. |
