Apply a filter for post-processing
Post-filters are actions carried out on triggered alerts when those alerts meet specified conditions. They are processing rules applied after an alert is triggered, for example to change the priority of an alert to Urgent if the triggering event contains a given username. A single alert may have one or several post-filters.
Creating a post-filter on an alert
Let's take the example of a threat-detection alert that triggers when a single source IP address scans a large number of ports within any 10-minute period. We create a post-filter that sets the alert priority to High when the number of ports tried in a 10-minute period is greater than or equal to 1000.
To create a post-filter, find the desired alert in the Alerts Dashboard, click the ellipsis menu, and select New Filter (visit Managing triggered alerts for more information).
Enter the required information in the Filter List window and click Save (the different fields are described in the table below).
Field | Description
---|---
Name | Enter a descriptive name for the post-filter.
Basic Data | This field is only for preconfigured alerts, so no information needs to be added.
Extra Data | This is where you specify the condition(s) that will activate the post-filter. Don't forget to click the add button to save each condition statement.
Eventdate | Select this checkbox to apply the post-filter only to events whose eventdate value is within a specified time range, for example if you only want to apply post-processing to events generated between 8PM and 8AM. When selected, fields appear that allow you to specify a time range. If the alert's query contains other fields with timestamp data, they will also appear in this form so that you can define the date range based on that field's values instead of the eventdate values.
Action | Select the action you want to perform when the alert meets the criteria. Choose from the available actions. In our case, we are changing the priority to High.
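To make the post-filter semantics concrete, the following Python model is an added illustration, not the product's own code. It reproduces the three parts of the form above: conditions evaluated against the alert's extra data, an optional eventdate window (including the 8PM-to-8AM case, which wraps past midnight), and an action that runs only when everything matches. The field names (`port_count`, `srcip`), the starting priority `Medium`, and the alert payloads are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Any, Callable, Dict, List, Optional


@dataclass
class TriggeredAlert:
    """A triggered alert as seen by post-processing (constructed shape)."""
    name: str
    priority: str
    eventdate: datetime
    extra_data: Dict[str, Any] = field(default_factory=dict)


@dataclass
class PostFilter:
    """Conditions on extra data, an optional eventdate window, and an action."""
    name: str
    conditions: List[Callable[[Dict[str, Any]], bool]]
    action: Callable[[TriggeredAlert], None]
    window_start: Optional[time] = None  # inclusive
    window_end: Optional[time] = None    # exclusive
    enabled: bool = True                 # Stop/Run state from the Post Filters tab

    def in_window(self, when: datetime) -> bool:
        """True when no window is set or the event time falls inside it."""
        if self.window_start is None or self.window_end is None:
            return True
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        # Window wraps past midnight, e.g. 20:00 -> 08:00.
        return t >= self.window_start or t < self.window_end

    def matches(self, alert: TriggeredAlert) -> bool:
        return (
            self.enabled
            and self.in_window(alert.eventdate)
            and all(cond(alert.extra_data) for cond in self.conditions)
        )


def set_priority(level: str) -> Callable[[TriggeredAlert], None]:
    """Action factory: overwrite the alert priority with the given level."""
    def _apply(alert: TriggeredAlert) -> None:
        alert.priority = level
    return _apply


def run_post_filters(alert: TriggeredAlert, filters: List[PostFilter]) -> List[str]:
    """Apply every matching post-filter to the alert; return the names applied."""
    applied = []
    for pf in filters:
        if pf.matches(alert):
            pf.action(alert)
            applied.append(pf.name)
    return applied


def port_scan_night_filter() -> PostFilter:
    """Hypothetical filter: >= 1000 ports tried and event between 20:00 and 08:00."""
    return PostFilter(
        name="port-scan-high-at-night",
        conditions=[lambda d: d.get("port_count", 0) >= 1000],
        action=set_priority("High"),
        window_start=time(20, 0),
        window_end=time(8, 0),
    )


def sample_alerts() -> List[TriggeredAlert]:
    """Constructed alerts; timestamps, counts and 'Medium' are made up."""
    base = dict(name="port-scan-detection", priority="Medium")
    return [
        TriggeredAlert(eventdate=datetime(2024, 1, 1, 22, 30),
                       extra_data={"srcip": "10.0.0.5", "port_count": 1200}, **base),
        TriggeredAlert(eventdate=datetime(2024, 1, 2, 7, 59),
                       extra_data={"srcip": "10.0.0.6", "port_count": 1000}, **base),
        TriggeredAlert(eventdate=datetime(2024, 1, 2, 12, 0),
                       extra_data={"srcip": "10.0.0.7", "port_count": 5000}, **base),
        TriggeredAlert(eventdate=datetime(2024, 1, 2, 23, 0),
                       extra_data={"srcip": "10.0.0.8", "port_count": 40}, **base),
    ]


if __name__ == "__main__":
    pf = port_scan_night_filter()
    for a in sample_alerts():
        applied = run_post_filters(a, [pf])
        print(a.eventdate, a.extra_data["port_count"], "->", a.priority, applied)
```

Only the first two sample alerts are raised to High: the third has a large port count but falls outside the night window, and the fourth is inside the window but below the 1000-port threshold. Setting `enabled` to False mirrors stopping the filter from the Post Filters tab.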
Managing post-filters
All established post-filters are listed in the Post Filters tab of the Alerts area. Here you can review the list of established filters, stop a filter temporarily, restart it, or permanently delete it. However, post-filters cannot be modified: to change one, delete it and create it again.
Click the ellipsis menu that appears at the end of the row and select:
Select Stop to stop the post-filter from running. When it is stopped, the menu will show Run instead so you can activate it again.
Select Delete to remove it permanently.