
Apply a filter for post-processing

Post filters are actions carried out on triggered alerts when they meet specified conditions: processing rules applied after an alert has been triggered. For example, a post filter can change the priority of an alert to Urgent if the triggering event contains a given username. A single alert may have one or several post filters.

Let's take the example of a threat-detection alert that triggers when a single source IP address scans a large number of ports within any 10-minute period. We can create a post filter that sets the alert priority to High when the number of ports tried in a 10-minute period is greater than or equal to 1000.

Creating a post-filter on an alert

To create a post-filter, find the desired alert in the Alerts Dashboard, click the ellipsis menu, and select New Filter (visit Managing triggered alerts for more information).

Enter the required information in the Filter List window and click Save. The fields are described below.

Name

Enter a descriptive name for the post filter.

Basic Data

This field identifies the data flow and its characteristics for preconfigured alerts.

Extra Data

This is where you specify the condition(s) that will activate the post filter. The available options that appear in the drop-down depend on the alert query. Don't forget to click the add button to save each condition statement.

Eventdate

Select this checkbox to apply the post filter only to events whose eventdate value falls within a specified time range, for example if you only want to apply post-processing to events generated between 8 PM and 8 AM.

When selected, fields appear that allow you to specify a time range. If the alert's query contains other fields with timestamp data, they also appear in this form so that you can define the range based on that field's values instead of the eventdate values. Don't forget to click the add button to save each time statement.

Action

Select the action you want to perform when the alert meets the criteria. Choose from:

  • Mark as read - Marks the alert as Watched.

  • Change priority - Select from the possible priority levels.

  • False positive - Marks the alert as a false positive.

  • Change notify method - Select a different delivery method for the alert.

  • Delete - Do not distribute the alert and remove it from the alert history. Because a deleted alert leaves no record, prefer False positive when you want to suppress notifications but keep the alert available for later review.

Managing post-filters

All established post-filters are listed in the Post filters tab of the Alerts area. Here you can review the list of established filters, stop a filter temporarily, restart it, or permanently delete it. However, post-filters cannot be modified: to change one, delete it and create it again.

Click the ellipsis menu that appears at the end of the row and select:

  • Select Stop to stop the post-filter from running. When it is stopped, the menu will show Run instead so you can activate it again. 

  • Select Delete to remove it permanently.
