Apply a filter for post-processing
Post filters are actions to be carried out on triggered alerts when they meet specified conditions. They are processing rules applied after an alert has been triggered. For example, a post filter could change the priority of an alert to Urgent if the triggering event contains a given username. A single alert may have one or several post filters.
Creating a post filter on an alert
Let's take the example of a threat-detection alert that triggers when a single source IP address scans a large number of ports within any 10-minute period. We create a post filter that sets the alert priority to High when the number of ports tried in a 10-minute period is greater than or equal to 1000.
- Go to Alerts → Alerts Dashboard. Find an occurrence of the alert for which you want to create the post filter in the Alerts History.
- In the Actions column, open the ellipsis menu, then select New Filter.
The Filter List window appears. Enter the required information.
- Name: Enter a descriptive name for the post filter.
- Basic Data: This field is only for preconfigured alerts, so no information needs to be added.
- Extra Data: This is where you specify the condition(s) that will activate the post filter. Don't forget to click the add button to save each condition statement.
- Eventdate: Select this checkbox to apply the post filter only to events whose eventdate value is within a specified time range, for example if you only want to apply post-processing to the events generated between 8PM and 8AM. When selected, fields appear that allow you to specify a time range. If the alert's query contains other fields with timestamp data, they will also appear in this form so that you can define the date range based on that field's values instead of the eventdate values.
- Action: Select the action you want to perform when the alert meets the criteria. Choose from:
  - Mark as read - Marks the alert as Watched.
  - Change priority - Select from the possible priority levels.
  - False positive - Marks the alert as a false positive.
  - Change notify method - Select a different delivery method for the alert.
  - Delete - Do not distribute the alert and remove it from the alert history.
Click the Save button. The filter will be active from this moment on.
Here we can see that the filter has been applied to a triggered alert because the number of ports tried exceeds 1000.
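To make the semantics of the filter configured above concrete, here is an added Python model of post-filter evaluation (example code, not the product's own implementation): condition statements on the alert's extra data, the optional eventdate window (including the 8PM-8AM case that wraps past midnight), and the five actions listed above. The Alert record, the field name ports_tried and the helper names are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class Alert:  # assumed, simplified triggered-alert record, not the product's own schema
    eventdate: datetime
    extra: dict                  # extra data from the triggering event, e.g. ports tried
    priority: str = "Normal"
    watched: bool = False
    false_positive: bool = False
    notify_method: str = "email"
    deleted: bool = False

def in_time_range(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end); a range such as 20:00-08:00 wraps past midnight."""
    return start <= t < end if start <= end else (t >= start or t < end)
# operators allowed in a condition statement on the extra data
OPS = {">=": lambda a, b: a >= b, "==": lambda a, b: a == b, "contains": lambda a, b: b in a}
@dataclass
class PostFilter:
    conditions: list             # (field, operator, value) statements on the extra data
    action: str                  # one of the actions listed above
    action_value: str = None     # new priority or notify method, where the action needs one
    time_range: tuple = None     # optional (start, end) window applied to eventdate

    def matches(self, alert: Alert) -> bool:
        if self.time_range and not in_time_range(alert.eventdate.time(), *self.time_range):
            return False
        # every condition statement must hold; a field missing from extra data never matches
        return all(f in alert.extra and OPS[op](alert.extra[f], v) for f, op, v in self.conditions)
def apply_post_filter(alert: Alert, pf: PostFilter) -> bool:
    """Carry out pf's action on alert when it matches; return whether the action fired."""
    if not pf.matches(alert):
        return False
    updates = {"Mark as read": ("watched", True), "Change priority": ("priority", pf.action_value),
               "False positive": ("false_positive", True), "Delete": ("deleted", True),
               "Change notify method": ("notify_method", pf.action_value)}
    if pf.action not in updates:
        raise ValueError(f"unknown action: {pf.action}")
    setattr(alert, *updates[pf.action])
    return True

def port_scan_alert(hour: int, ports_tried: int) -> Alert:
    """Constructed sample occurrence of the port-scan alert (the date is arbitrary)."""
    return Alert(datetime(2024, 1, 1, hour, 0), {"ports_tried": ports_tried})
# the filter built above: priority High when >= 1000 ports were tried, for 8PM-8AM events only
NIGHT_SCAN_FILTER = PostFilter([("ports_tried", ">=", 1000)], "Change priority", "High",
                               time_range=(time(20, 0), time(8, 0)))
```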
Managing post filters
All established post filters are listed in the Post Filters tab of the Alerts area. Here you can review the list of filters, stop a filter temporarily, restart it, or delete it permanently.
You cannot modify post filters. Instead, you need to delete the filter and recreate it.
- Go to Alerts, then select the Post Filters tab.
- In the Actions column, open the ellipsis menu of an alert.
- Select Stop to stop the post filter from running. You will use the same menu later to Start it again.
- Select Delete to remove it permanently.