About post filters

Post filters are actions to be carried out on triggered alerts when they meet specified conditions. These are processing rules to be applied after an alert is triggered.

For example, a post filter can change the priority of an alert to Urgent if the triggering event contains a given username, or when a single source IP scans more than a set number of ports within any 10-minute period.

A single alert may have one or several post filters.

What permissions do I need?

To access the Alerts overview area to create post filters, as well as the Post filters tab to manage them, you need at least the View level of the Triggered alerts permission (see a detailed description of the alerts permissions here).

Additionally, you need to have alerts assigned with at least View access (see Assign resources to a role).

Creating a post filter on an alert

Post filters are created in the Overview tab of the Alerts area.

  1. Find the desired alert in the list.

  2. Click the ellipsis menu and select New post filter.

  3. Enter the required information in the Filter list window (see the table below for the field descriptions).

  4. Click Save.

Name

Enter a descriptive name for the post filter.

Basic Data

Use this area to identify the data flow and its characteristics.

Click Add to include a condition (you can add several). Then select a parameter from the drop-down and specify the value.

Extra Data

This is where you specify the condition(s) that will activate the post filter.

Click Add to include a condition (you can add several). Then select a parameter from the drop-down and specify the rule. The options that appear in the drop-down depend on the alert query.

Eventdate

Here you can choose to apply the post filter only to events generated within a specified time range (for example between 8PM and 8AM).

Select this checkbox and click Add. Then specify a time range using the time expressions in the different fields. If the alert's query contains other fields with timestamp data, you can use them to define the date range.

Action

Select the action you want to perform when the alert meets the criteria:

  • Mark as read - Marks the alert as Watched.

  • Change priority - Select from the possible priority levels.

  • False positive - Marks the alert as a false positive.

  • Change notify method - Select a different delivery method for the alert.

  • Delete - Do not distribute the alert and remove it from the alert history.
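To make the matching semantics concrete, here is an added Python example (not Devo's code) that models a post filter as a list of conditions, an optional eventdate window and one action, using the page's own cases: raising the priority to Urgent for a given username or for a source IP that hits more than a set number of ports, and deleting low-value alerts in a window that wraps midnight (8 PM to 8 AM). All field names, thresholds and sample alerts are assumptions.

```python
from datetime import datetime, time
# Constructed, simplified model of a post filter (names are assumptions, not
# Devo's API): a list of "Extra Data" conditions, an optional "Eventdate"
# window and one action that returns the alert, or None for the Delete action.
def in_window(ts, window):
    """Eventdate check; a range such as 20:00-08:00 wraps past midnight."""
    if window is None:
        return True
    start, end = window
    t = ts.time()
    return start <= t < end if start <= end else (t >= start or t < end)

def change_priority(level):
    def act(alert):
        alert["priority"] = level
        return alert
    return act
def delete(alert):
    return None  # not distributed and removed from the alert history

def apply_post_filters(alerts, filters):
    """Apply every matching filter to each triggered alert, in filter order."""
    kept = []
    for alert in alerts:
        for conditions, action, window in filters:
            if alert is None:
                break  # an earlier filter deleted this alert
            if in_window(alert["eventdate"], window) and all(c(alert) for c in conditions):
                alert = action(alert)
        if alert is not None:
            kept.append(alert)
    return kept

# Constructed sample alerts; distinctPorts is assumed to come from an alert
# query that already counts ports per source IP over a 10-minute window.
ALERTS = [
    {"id": 1, "priority": "Normal", "eventdate": datetime(2024, 5, 1, 23, 30),
     "username": "svc_backup", "srcIp": "10.0.0.5", "distinctPorts": 3},
    {"id": 2, "priority": "Normal", "eventdate": datetime(2024, 5, 1, 14, 0),
     "username": "jdoe", "srcIp": "10.0.0.9", "distinctPorts": 120},
    {"id": 3, "priority": "Normal", "eventdate": datetime(2024, 5, 1, 2, 15),
     "username": "jdoe", "srcIp": "10.0.0.7", "distinctPorts": 1},
]
# Each filter: (conditions, action, eventdate window or None)
FILTERS = [
    ([lambda a: a["username"] == "svc_backup"], change_priority("Urgent"), None),
    ([lambda a: a["distinctPorts"] > 50], change_priority("Urgent"), None),
    ([lambda a: a["distinctPorts"] <= 1], delete, (time(20, 0), time(8, 0))),
]
```

Running apply_post_filters over copies of ALERTS keeps alerts 1 and 2 with priority Urgent and drops alert 3, because it fell inside the overnight window with a single port.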

Managing post filters

In the Overview tab

When an alert already has a post filter applied, the ellipsis menu shows the edit filter option instead of the new filter option. In this window, you can see all the filters applied to that specific alert and delete them, or add more filters.

(Screenshot: Apply a filter for post-processing)

In the post filters tab

All post filters created are listed in the Post filters tab of the Alerts area. Here you can review them, stop them temporarily, restart them, or permanently delete them. However, you cannot modify them; to change a filter, delete it and create it again with different settings.

Click the ellipsis menu that appears at the end of the row and select:

  • Stop: when the filter is active, the menu shows this option to deactivate it.

  • Run: when the filter is inactive, the menu shows this option to activate it again.

  • Delete: this option removes the filter permanently.
