
Filters

Adding extra conditions to code before deployment with Filters | Setting up and managing Filters

Written by Sergey Bayrachny

Overview


Filters are extra conditions you can add to the detection logic before deployment. Use them to exclude or include certain factors, such as specific users or hosts.

Filters are set up for specific platforms and their available content types. You can apply Filters:

  • On a rule's page before downloading or launching/deploying the code

  • As part of Presets. Link a Filter to the corresponding Preset so that content deployed via Jobs is customized automatically. See Automation to learn where Presets can be applied together with Filters

  • In Uncoder AI when translating a Sigma rule

On the Filters page, you can see all Filters that are available to you.

The Filters page has three tabs:

  • Global: created by the SOC Prime Team and shared with all companies. Users without Admin privileges can only view or copy these Filters.

  • My: created by you and not shared across your company. Filters listed on this tab are available only to you.

  • Company: company-wide Filters shared across all company users.

All Filters are displayed as a table with the following columns:

  • Name: the name defined during Filter configuration

  • Platform: the platform and content type associated with the Filter

  • Type: the native content type, which depends on the platform for which the Filter is intended

  • Created By: the user who created the Filter

  • Last Updated By: the user who made the last update to the Filter

  • Created: the date of the Filter creation

  • Updated: the date of the last update to the Filter

You can look for existing filters using the Search bar.

Filter Settings


The settings used to create or edit a Filter are as follows:

  • Filter Name (required): fill in the Filter name

  • Share it with my team (optional): set this checkmark to make the Filter available to other people from your organization

  • Platform (required): select the platform from the available options:

    • Microsoft Sentinel

    • Elastic (Detection Rule (Lucene))

    • Elastic (Watcher Alert)

    • Elastic (Detection Rule (EQL))

    • Falcon LogScale

    • Sumo Logic

    • Google SecOps

    • Splunk

    • AWS Athena

    • Graylog

    • Hunters

  • Filter Condition (required): use the predefined pattern to write the specific filter condition for the detection in the language format of the selected platform

Note:

  1. Multiple filters will be combined into a single condition with elements joined by the OR operator:

    • Filters are combined with an OR operator

    • Each Filter is put in parentheses

    • All Filters combined with OR are put in parentheses

    This combined condition is then added to the detection condition with the AND operator. So, if a Preset contains two Filters, the first being dst_ip = "1.1.1.1" and the second dst_user = "john" AND src_user = "mary", the detection condition after applying the Filters will look like this:

    ((dst_ip = "1.1.1.1") OR (dst_user = "john" AND src_user = "mary")) AND DETECTION_CONDITION

  2. If you want to exclude something, create an appropriate Filter condition with negation.

How To


Here you can find instructions on how to work with Filters:

Create Filter


You can create Filters for specific platforms and their available content types. There are three ways to create a Filter.

From the Filters page

On the Account icon > Platform Settings > Filters page:

  1. Click the Add Filter button in the upper right-hand corner.

  2. Specify the Filter details.

  3. Click the Create button.

After you create a Filter, it is automatically listed in the Filters setup menu for the corresponding platform in the Presets pop-up.

To access this menu, click the Filters button on the Presets pop-up.

Note:

Filters listed in the Filters setup menu in the Presets pop-up are not automatically linked to the preset selected in this pop-up. To link a filter to your preset, use the drop-down of the Filters field in the Presets pop-up.

From the Presets modal

  1. When configuring a Preset in the Presets modal, click the Filters button, and select Create Filter.

  2. Fill in the filter Name and Filter Condition.

  3. Click the Save Changes button.

This way, you can add multiple filters for the selected platform.

Note:

Filters listed in the Filters setup menu in the Presets pop-up are not automatically linked to the preset selected in this pop-up. To link a filter to your preset, use the drop-down of the Filters field in the Presets pop-up.

From a rule's page

  1. When on a rule's page, open the Filter dropdown and select the Create New Filter option.

  2. Fill in the filter Name and Condition.

  3. Click the Save Changes button.

Link Filter


To link a Filter to a Preset:

  1. Open or create a Preset in the Presets pop-up.

  2. Select one or multiple Filters in the Filters field on the tab of the selected platform and content type.

  3. Click the Save Changes button.

If you need to create a new filter, just click the Filters button in the same pop-up and proceed to adding a new Filter. After adding a new Filter, go back to the Presets pop-up and select the newly created filter in the Filters field.

Manage Filter


You can edit or delete Filters created by you:

  • On the My and Company tabs of the Filters page. Filters on the Global tab can only be copied.

    Select the corresponding icon on the right of the desired Filter name.

  • In the Presets pop-up:

    1. Click the Filters button.

    2. Select the option you need. You can delete the Filter or edit its condition directly in the Filter Condition field.
