Events Filtering

Filters

This system allows you to filter some network security monitoring events based on specific criteria. The objective is to lower the amount of generated data by applying specific filters.

DNS events filter

There are two filters available here: the domains filter and the servers filter.

The domains filter suppresses all events about DNS queries to any of the domains specified in the list. All DNS names under a listed domain are dropped as well. For instance, if example.com is specified, a DNS query to example.com or to my.example.com will not be logged.

The servers filter lets you specify a list of DNS servers to ignore. DNS queries to any of the specified servers will not be logged.

Flow filters

Flow events can create a huge amount of data. These filters limit the number of events by not logging a flow event when the age of the flow is below a certain limit.

TCP flow events min age filter

Don’t log flow events for the TCP protocol if their age is below the specified limit.

UDP flow events min age filter

Don’t log flow events for the UDP protocol if their age is below the specified limit.

Flow events min age filter

Don’t log flow events for the specified list of IP protocols if their age is below the specified limit.

Enrichment options

These filters will add information to the generated events.

Create FQDN like fields from network definitions

When network definitions are used, they create fields containing the path of an IP address in the hierarchical tree, stored as a list. For example, we can have

['Servers', 'Paris', 'my Company']

This filter adds fields whose value is a string representing that path. Our previous example will trigger the creation of fields with the value

servers.paris.my-company

Depending on the original events, generated fields are among:

  • net_info.src_agg: aggregated path of the source IP address

  • net_info.dest_agg: aggregated path of the destination IP address

  • alert.source.net_info_agg: aggregated path of the attacker IP address

  • alert.target.net_info_agg: aggregated path of the target IP address

Add field with lateral movement information

If network definitions are used, this filter adds a field named alert.lateral to alert events whenever the source and destination IPs share a network in the network definitions. Its value is the longest common aggregated path.

For instance if we have an event with:

  • net_info.src_agg: servers.paris.my-company

  • net_info.dest_agg: wifi.paris.my-company

Then the following field is added to the alert event:

alert.lateral: paris.my-company
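The two enrichments above (FQDN-like aggregated paths and the alert.lateral field) are worked through in this added example, which is illustrative code and not the product's own implementation. It assumes the path list is ordered most-specific first as in the example above, that labels are lowercased with whitespace replaced by "-", and uses net_info.src / net_info.dest as the names of the list-valued input fields; the sample event is constructed.

```python
import copy
import re
from typing import List, Optional

# Constructed sample alert event. The path lists follow the order shown
# above (most specific element first); the "net_info.src" and
# "net_info.dest" key names are an assumption made for this example.
SAMPLE_ALERT = {
    "src_ip": "10.1.2.3",
    "dest_ip": "10.1.9.7",
    "net_info": {
        "src": ["Servers", "Paris", "my Company"],
        "dest": ["Wifi", "Paris", "my Company"],
    },
    "alert": {"signature": "constructed test alert"},
}

def slugify(label: str) -> str:
    # Assumed normalisation rule, matching "my Company" -> "my-company".
    return re.sub(r"\s+", "-", label.strip().lower())

def aggregate(path: List[str]) -> str:
    """Hierarchical path list -> dotted FQDN-like string."""
    return ".".join(slugify(label) for label in path)

def longest_common_agg(src_agg: str, dest_agg: str) -> Optional[str]:
    """Longest common aggregated path: the shared suffix, compared label by label."""
    common = []
    for s, d in zip(reversed(src_agg.split(".")), reversed(dest_agg.split("."))):
        if s != d:
            break
        common.append(s)
    return ".".join(reversed(common)) if common else None

def enrich(event: dict) -> dict:
    """Return a copy of the event with src_agg/dest_agg added and, when both IPs share a network, alert.lateral."""
    out = copy.deepcopy(event)
    net = out.get("net_info", {})
    if "src" in net:
        net["src_agg"] = aggregate(net["src"])
    if "dest" in net:
        net["dest_agg"] = aggregate(net["dest"])
    if "alert" in out and "src_agg" in net and "dest_agg" in net:
        lateral = longest_common_agg(net["src_agg"], net["dest_agg"])
        if lateral:  # no shared network -> no alert.lateral field
            out["alert"]["lateral"] = lateral
    return out
```

Running enrich(SAMPLE_ALERT) yields net_info.src_agg "servers.paris.my-company", net_info.dest_agg "wifi.paris.my-company" and alert.lateral "paris.my-company".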

Add some signature information in alerts

This filter adds a sig object to alert events. It contains the creation and update dates of the signature.