Events Filtering
Filters
This system lets you filter some network security monitoring events according to specific criteria. The objective is to lower the amount of generated data by applying targeted filters.
DNS events filter
Two filters are available here: the domain filter and the server filter.
The domain filter suppresses all events about DNS queries to any of the domains specified in the list. All DNS names under a listed domain are dropped: for instance, if example.com is specified, a DNS query to example.com or to my.example.com will not be logged.
The server filter lets you control the list of DNS servers to ignore. DNS queries to the specified servers will not be logged.
Flow filters
Flow events can produce a huge amount of data. These filters limit the number of events by not logging a flow event when the age of the flow is below a certain limit.
TCP flow events min age filter
Do not log flow events for the TCP protocol whose age is below the specified limit.
UDP flow events min age filter
Do not log flow events for the UDP protocol whose age is below the specified limit.
Flow events min age filter
Do not log flow events for the specified list of IP protocols whose age is below the specified limit.
Enrichment options
These filters add information to the generated events.
Create FQDN like fields from network definitions
When Network definitions are used, they create fields containing the path of an IP address in the hierarchical tree, stored as a list. For example, we can have
['Servers', 'Paris', 'my Company']
This filter adds fields whose value is a string representing that path, written like a fully qualified domain name. Our previous example triggers the creation of fields with the value
servers.paris.my-company
Depending on the original event, the generated fields are among:
net_info.src_agg: aggregated path of the source IP address
net_info.dest_agg: aggregated path of the destination IP address
alert.source.net_info_agg: aggregated path of the attacker IP address
alert.target.net_info_agg: aggregated path of the target IP address
Add field with lateral movement information
If network definitions are used, this filter adds to alert events a tag named alert.lateral whenever the source and destination IPs share a network in the network definitions. Its value is the longest common aggregated path of the two addresses.
For instance, if we have an event with:
net_info.src_agg: servers.paris.my-company
net_info.dest_agg: wifi.paris.my-company
then the following field is added to the alert event:
alert.lateral: paris.my-company
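The two enrichment steps above (building the FQDN-like aggregated path from a network-definition list, then deriving alert.lateral as the longest common path shared by source and destination) can be reproduced as follows. This is an added illustration, not the product's own code; the lower-casing and space-to-hyphen rules, the function names and the sample event are assumptions chosen to match the documented example.

```python
# Added example (not the product's own code): derive the aggregated-path
# fields and the alert.lateral tag from network-definition paths.

import re


def aggregate_path(path):
    """Turn a hierarchical path list such as ['Servers', 'Paris', 'my Company']
    into the dotted, FQDN-like string 'servers.paris.my-company'.
    Assumption: each element is lower-cased and runs of whitespace become '-'."""
    return ".".join(re.sub(r"\s+", "-", part.strip().lower()) for part in path)


def lateral_path(src_agg, dest_agg):
    """Longest common aggregated path of two dotted paths, compared from the
    root (rightmost label) inward. Returns None when no network is shared."""
    src = src_agg.split(".")[::-1]
    dest = dest_agg.split(".")[::-1]
    common = []
    for a, b in zip(src, dest):
        if a != b:
            break
        common.append(a)
    if not common:
        return None
    return ".".join(reversed(common))


def enrich_alert(event):
    """Return a copy of an alert event with alert.lateral added when the source
    and destination aggregated paths share a network; the input is left as-is."""
    enriched = dict(event)
    src = event.get("net_info", {}).get("src_agg")
    dest = event.get("net_info", {}).get("dest_agg")
    if src and dest:
        shared = lateral_path(src, dest)
        if shared:
            enriched["alert"] = dict(event.get("alert", {}), lateral=shared)
    return enriched


# Constructed sample event mirroring the documentation's example.
SAMPLE_EVENT = {
    "event_type": "alert",
    "net_info": {
        "src_agg": aggregate_path(["Servers", "Paris", "my Company"]),
        "dest_agg": aggregate_path(["Wifi", "Paris", "my Company"]),
    },
    "alert": {"signature": "constructed test signature"},
}

if __name__ == "__main__":
    print(enrich_alert(SAMPLE_EVENT)["alert"].get("lateral"))  # paris.my-company
```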
Add some signature information in alerts
This filter adds a sig object to the alert events. It contains the creation and update dates of the signature.