Apply filters for post-processing

[ 1 About post filters ] [ 2 Data table registry for post-filters ] [ 3 What permissions do I need? ] [ 4 Creating a post filter on an alert ] [ 4.1 From the alert list ] [ 4.2 From the alert details window ] [ 5 Managing post filters ] [ 5.1 From the alert list ] [ 5.2 From the alert details window ] [ 5.3 In the post filters tab ]

About post filters

Post filters are actions to be carried out on triggered alerts when they meet specified conditions. These are processing rules to be applied after an alert is triggered.

For example, to change the priority of an alert to Very high if the triggering event contains a given username or when a single source IP scans more than a set number of ports within any 10-minute period.

A single alert may have one or several post-filters.

Data table registry for post-filters

All post-filters are registered in the devo.audit.alert.definition table at the time of creation, providing a comprehensive record of their settings. This table also registers post-filter deletion to cover their complete lifecycle for auditing purposes. Learn more about this here.

What permissions do I need?

To work with post-filters, you need one of the following permissions:

Triggered alerts (View): allows you to see existing post-filters, both in the list of triggered alerts and the post-filters tab, but you cannot create or delete them.
Triggered alerts (View) + Update status / priority: allows you to create and delete post-filters, but you cannot configure them to delete triggered alerts.
Triggered alerts (View): allows you to manage post-filters entirely (create, delete, and configure them to perform any action).

Additionally, you need to have alerts assigned with at least View access (see Assign resources to a role).

Creating a post filter on an alert

From the alert list

Post filters are created in the Overview tab of the Alerts area.

Find the desired alert on the list
Click the ellipsis menu and select New post filter.
Enter the required information in the Filter list window (see the table below for the field descriptions)
Click Save.

Name	Enter a descriptive name for the post filter. It is recommended to give it a meaningful name that helps identifying its purpose.
Extra Data	This is where you specify the condition(s) that will activate the post filter. Click Add to include a condition (you can add several). Then select a parameter in the first drop-down, an operator in the second, and write a value in the text field.
Extra Data	The options that appear in the first drop-down are those registered in the alert extradata, which depend on the query and the alert triggering method (the eventdate will always be available). The options that appear in the second drop-down depend on the data type of the parameter selected (for example, the contains operator for text strings). The text value will be automatically filled in with the value registered in the extradata for the selected parameter, but you can change it as desired. When eventdate is used in the first field, this field will show a date picker when clicking it, making it easier for you to select a date and time. This date will be shown in local time here and in all the menus it appears afterwards, such as those to manage existing post-filters.
Action	Select the action you want to perform when the alert meets the criteria: Change status - Select one from the list of possible statuses (Watched, Unread, Closed, False positive, and Suppressed). Example: you can suppress alerts that do not contain a specific key value, reducing the noise and giving you the opportunity to revisit them after those caused by a key value are dealt with. Change priority - Select one from the list of possible priority levels (Very low, Low, Normal, High, Very high). Example: you can set alerts to High priority when a key value occurs (see more about priority here). Change delivery method - Select a different delivery method for the alert. This will suppress the assigned sending policy and notify the alert through the selected method immediately after being triggered. The options available in the dropdown are all existing delivery methods of any type. Example: you can change the delivery method for a more synchronous one (such as slack) when an alert’s threshold is exceeded by a critical amount. Delete - Do not distribute the alert and remove it from the alert history. Example: you can delete alerts triggered by a specific value that is known to be harmless.

From the alert details window

You can also create a post filter from the alert details window, which is accesible by clicking an alert’s ID on the list (more info about the details window here). Simply click on the New post filter button at the top right and configure it as shown above.

Managing post filters

From the alert list

When an alert has already a post filter applied, the ellipsis menu will show the edit filter option instead of new filter. In this window, you can see all the filters applied to that specific alert and delete them, or add more filters.

From the alert details window

When an alert has already a post filter applied, the button at the top right of the alert details window becomes edit post filter (the number indicates the filters already applied). The window that opens is the same as the one shown above, where you can see all the filters applied to that specific alert and delete them, or add more filters.

In the post filters tab

All post filters created are listed in the Post filters tab of the Alerts area. Here you can review them, stop them temporarily, restart them, or permanently delete them. However, you cannot modify them, only delete them and create them again with different settings.

Click the ellipsis menu that appears at the end of the row and select:

Stop: when the filter is active, the menu shows this option to deactivate it.
- Run: when the filter is inactive, the menu shows this option to activate it again.
Delete: this option removes the filter permanently.

Related articles: