Create a post-filter

Post-filters are actions to be taken after an alert has been triggered and meets specified conditions. For example, a post-filter can change the priority of an alert to Urgent when the event contains a specific username.

Once a post-filter is configured, do not edit the alert: editing the alert automatically discards its post-filter.

Here we use the example of an alert called ISPResponseTime, which is based on the siem.logtrust.web.activity table. It triggers an alert when the response time by ISP is greater than 4000 milliseconds. We will create a post-filter that changes the priority of the alert when the username value is mbollado.

  1. Go to Alerts → Alerts Dashboard → Alerts History.
  2. Locate the alert for which you want to create a post-filter. In the Actions column, open the ellipsis menu, then select New Filter.

  3. The Filter List window appears. Enter the required information.

    The fields in the window are:

    • Name: Enter a descriptive name for the post-filter.
    • Basic Data: This field is only for pre-configured alerts, so no information needs to be added.
    • Extra Data: Specify the condition(s) that activate the post-filter. To specify multiple conditions, add rows using the + button.
    • Eventdate: Select this check box to apply the post-filter only to events whose eventdate value falls within a specified schedule, for example to disregard events generated on Saturdays and Sundays.
    • Action: Select the action to perform: mark as read, change priority, false positive, change notify method, or delete. In this case, we are changing the priority to Very High.
  4. Click the Save button to start applying the post-filter to new alerts.  
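To make the matching behaviour concrete, here is a small added example (not Devo code, and not the product's actual alert schema) that models the post-filter described above: a filter with one or more Extra Data conditions, an optional eventdate weekday schedule, and one of the page's actions. The alert records, the field names responseTime, read, falsePositive and appliedFilters, and the "delete drops the alert" semantics are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Constructed sample alerts modelled on the ISPResponseTime example.
# Only "username", "eventdate" and "priority" come from the page; the other
# field names are assumptions for this example.
SAMPLE_ALERTS = [
    {"id": 1, "alert": "ISPResponseTime", "username": "mbollado", "responseTime": 4500,
     "eventdate": datetime(2024, 3, 4, 10, 0), "priority": "Normal"},   # Monday
    {"id": 2, "alert": "ISPResponseTime", "username": "mbollado", "responseTime": 5200,
     "eventdate": datetime(2024, 3, 9, 11, 0), "priority": "Normal"},   # Saturday
    {"id": 3, "alert": "ISPResponseTime", "username": "jdoe", "responseTime": 4100,
     "eventdate": datetime(2024, 3, 5, 9, 0), "priority": "Normal"},    # Tuesday
]


@dataclass
class PostFilter:
    name: str
    # Each condition is (field, expected value); every row must match, like the
    # rows added with the + button under Extra Data.
    conditions: List[Tuple[str, object]]
    action: str
    new_priority: Optional[str] = None
    # Optional eventdate schedule: weekdays (0=Mon .. 6=Sun) the filter applies to.
    weekdays: Optional[Set[int]] = None

    def matches(self, alert: dict) -> bool:
        # Eventdate schedule is checked first; outside the schedule the filter is skipped.
        if self.weekdays is not None and alert["eventdate"].weekday() not in self.weekdays:
            return False
        return all(alert.get(field) == value for field, value in self.conditions)


def apply_post_filters(alerts: list, filters: List[PostFilter]) -> list:
    """Return copies of the alerts after every matching post-filter action.
    Filters are applied in order; a 'delete' action removes the alert."""
    result = []
    for original in alerts:
        alert = dict(original)
        alert.setdefault("read", False)
        alert.setdefault("falsePositive", False)
        alert["appliedFilters"] = []
        deleted = False
        for pf in filters:
            if not pf.matches(alert):
                continue
            alert["appliedFilters"].append(pf.name)
            if pf.action == "change priority":
                alert["priority"] = pf.new_priority
            elif pf.action == "mark as read":
                alert["read"] = True
            elif pf.action == "false positive":
                alert["falsePositive"] = True
            elif pf.action == "delete":
                deleted = True
                break
            else:
                raise ValueError(f"unsupported action: {pf.action}")
        if not deleted:
            result.append(alert)
    return result


# The filter from the walkthrough: username == mbollado -> priority Very High,
# applied only Monday to Friday (the eventdate example from the field list).
MBOLLADO_FILTER = PostFilter(
    name="mbollado-very-high",
    conditions=[("username", "mbollado")],
    action="change priority",
    new_priority="Very High",
    weekdays={0, 1, 2, 3, 4},
)

if __name__ == "__main__":
    for a in apply_post_filters(SAMPLE_ALERTS, [MBOLLADO_FILTER]):
        print(a["id"], a["username"], a["eventdate"].strftime("%a"),
              a["priority"], a["appliedFilters"])
```

Running it shows alert 1 raised to Very High, alert 2 left at Normal because its eventdate is a Saturday, and alert 3 untouched because the username does not match.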

Below we can see several instances of an alert with different characteristics.

  • The first two alerts met the post-filter criteria, and their priority was changed to Very High.
  • The third alert is a false positive.
  • The last alert has no post-filters.

Managing post-filters

Once a post-filter is running, you can Stop it temporarily or you can delete it permanently.

  1. Go to Alerts → Post Filters.  
  2. In the Actions column, open the ellipsis menu. 
    • Select Stop to stop the post-filter from running. You can use the same menu later to Start it again. 
    • Select Delete to remove it from the system permanently. 
