...
For example, to change the priority of an alert to Very high if the triggering event contains a given username, or when a single source IP scans more than a set number of ports within any 10-minute period.
...
Additionally, you need to have alerts assigned with at least View access (see Assign resources to a role).
Creating a post filter on an alert
...
| Field | Description |
|---|---|
| Name | Enter a descriptive name for the post filter. It is recommended to give it a meaningful name that helps identify its purpose. |
| Basic Data | This area identifies the data flow and its characteristics. Click Add to include a condition (you can add several). Then select a parameter from the drop-down and specify the value. |
| Extra Data | This is where you specify the condition(s) that will activate the post filter. Click Add to include a condition (you can add several). Then select a parameter in the first drop-down, an operator in the second, and write a value in the text field. The available parameters depend on the alert query and the alert triggering method (the eventdate will always be available). The options that appear in the second drop-down depend on the data type of the parameter selected (for example, the contains operator for text strings). The text value is automatically filled in with the value registered in the extradata for the selected parameter, but you can change it as desired. |
| Eventdate | Here you can choose to apply the post filter only to events generated within a specified time range (for example between 8PM and 8AM). Select this checkbox and click Add. Then specify a time range using the time expressions in the different fields. If the alert's query contains other fields with timestamp data, you can use them to define the date range. |
| Action | Select the action you want to perform when the alert meets the criteria (see the list of actions below). |

Available actions:

Mark as read - Marks the alert as Watched.
Change status - Select one from the list of possible statuses (Watched, Unread, Closed, False positive, and Suppressed). Example: you can suppress alerts that do not contain a specific key value, reducing the noise and giving you the opportunity to revisit them after those caused by a key value are dealt with.
Change priority - Select one from the list of possible priority levels (Very low, Low, Normal, High, Very high). Example: you can set alerts to High priority when a key value occurs (see more about priority here).
Change notify method - Select a different sending policy for the alert. Example: you can change the sending policy to one that has 24/7 coverage when an alert based on thresholds exceeds them by a critical amount.
Delete - Do not distribute the alert and remove it from the alert history. Example: you can delete alerts triggered by a specific value that is known to be harmless.
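To make the evaluation order concrete (eventdate window first, then every extradata condition, then the action), here is an added Python model of a post filter. It is example code written for this page, not Devo's own engine: the `Condition`, `TimeRange`, `PostFilter` and `run_filters` names are hypothetical, the numeric operators beyond `contains` are assumed, and the sample alerts and filters are constructed. It also handles the edge case the 8PM-to-8AM example implies: a time window that crosses midnight.

```python
"""Toy model of alert post filters (added example, not Devo code): each
filter has extradata conditions, an optional eventdate time window and one
action that is applied only when everything matches."""
from dataclasses import dataclass, replace
from datetime import datetime, time
from typing import Any, Callable, Dict, List, Optional

# Values taken from the page's Change priority / Change status lists.
PRIORITIES = ["Very low", "Low", "Normal", "High", "Very high"]
STATUSES = ["Watched", "Unread", "Closed", "False positive", "Suppressed"]

# Operators offered per parameter type. The page only names "contains" for
# text strings; the other operators are assumptions for illustration.
OPERATORS: Dict[type, Dict[str, Callable[[Any, Any], bool]]] = {
    str: {"contains": lambda a, b: b in a, "equals": lambda a, b: a == b},
    int: {"equals": lambda a, b: a == b,
          "greater than": lambda a, b: a > b,
          "less than": lambda a, b: a < b},
}


@dataclass
class Condition:
    parameter: str      # name of a field in the alert's extradata
    operator: str
    value: Any

    def matches(self, extradata: Dict[str, Any]) -> bool:
        if self.parameter not in extradata:
            return False                       # a missing field never matches
        actual = extradata[self.parameter]
        ops = OPERATORS.get(type(actual), {})  # operator set depends on data type
        if self.operator not in ops:
            raise ValueError(f"{self.operator!r} not valid for {type(actual).__name__}")
        return ops[self.operator](actual, self.value)


@dataclass
class TimeRange:
    start: time
    end: time

    def contains(self, ts: datetime) -> bool:
        t = ts.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end  # window crosses midnight (20:00-08:00)


@dataclass
class Alert:
    eventdate: datetime
    extradata: Dict[str, Any]
    priority: str = "Normal"
    status: str = "Unread"
    sending_policy: str = "default"
    deleted: bool = False


@dataclass
class PostFilter:
    name: str
    conditions: List[Condition]
    action: str            # change_priority | change_status | change_notify | delete
    action_value: Any = None
    time_range: Optional[TimeRange] = None

    def applies_to(self, alert: Alert) -> bool:
        if self.time_range is not None and not self.time_range.contains(alert.eventdate):
            return False
        return all(c.matches(alert.extradata) for c in self.conditions)

    def apply(self, alert: Alert) -> Alert:
        if not self.applies_to(alert):
            return alert
        if self.action == "change_priority":
            if self.action_value not in PRIORITIES:
                raise ValueError(f"unknown priority {self.action_value!r}")
            return replace(alert, priority=self.action_value)
        if self.action == "change_status":
            if self.action_value not in STATUSES:
                raise ValueError(f"unknown status {self.action_value!r}")
            return replace(alert, status=self.action_value)
        if self.action == "change_notify":
            return replace(alert, sending_policy=self.action_value)
        if self.action == "delete":
            return replace(alert, deleted=True)
        raise ValueError(f"unknown action {self.action!r}")


def run_filters(alert: Alert, filters: List[PostFilter]) -> Alert:
    """Apply filters in order; a deleted alert is not processed any further."""
    for f in filters:
        alert = f.apply(alert)
        if alert.deleted:
            break
    return alert


# Constructed sample filters mirroring the situations the page describes.
KNOWN_HARMLESS = PostFilter("drop known-harmless source",
                            [Condition("src_ip", "equals", "10.0.0.5")], "delete")
NIGHT_ADMIN = PostFilter("admin activity out of hours",
                         [Condition("username", "contains", "admin")],
                         "change_priority", "Very high",
                         time_range=TimeRange(time(20, 0), time(8, 0)))
PORT_SCAN = PostFilter("wide port scan",
                       [Condition("ports_scanned", "greater than", 100)],
                       "change_priority", "Very high")
FILTERS = [KNOWN_HARMLESS, NIGHT_ADMIN, PORT_SCAN]


def example_alert(hour: int, **extradata: Any) -> Alert:
    """Constructed alert fired at hh:30 on a fixed day with the given extradata."""
    return Alert(datetime(2024, 1, 15, hour, 30), extradata)


if __name__ == "__main__":
    a = run_filters(example_alert(23, username="admin-jdoe"), FILTERS)
    print(a.priority, a.status, a.deleted)
```

Filters run in a fixed order and a Delete action short-circuits the rest, which is the behaviour to keep in mind when a suppression filter and an escalation filter could both match the same alert.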
From the alert details window
...
Click the ellipsis menu that appears at the end of the row and select:
Stop: when the filter is active, the menu shows this option to deactivate it.
Delete: this option removes the filter permanently.
...
Related articles: see the child pages of Manage triggered alerts.