About SEM filters
Network activity generates events and alerts, some of which are of interest or use at any particular time. SEM filters capture and display the events and alerts that meet your specific requirements.
You can turn filters on and off, pause filters to sort or investigate events, perform actions to respond to events, and configure filters to notify you when they capture an event. Filters can also be used with dashboard widgets that display charts and graphs to visually represent the event data.
Filter conditions can be broad or specific. For example:
- The default "All" filter captures all events, regardless of the source or event type
- The filter "User Account Changes" in the Change Management group of filters, only captures one event: Auditable User Events Occurred
- The filter "FTP Traffic" in the group of filter, captures any of the following events:
- Network Audit Alerts.EventInfo is equal to *FTP*
- Network Audit Alerts.SourcePort is equal to 20
- Network Audit Alerts.SourcePort is equal to 21
- Network Audit Alerts.DestinationPort is equal to 20
- Network Audit Alerts.DestinationPort is equal to 21
Filters and rules
Create filters when you want to group a type of event. For example, you can create filters to collect all events from your domain controllers, or all events for a specific type of user.
Create rules when you want SEM to act in response to one or more events. See Create rules that respond to security events for more information.
Use filters to group a type of event or to monitor specific events
You can create filters to collect all events from your firewalls, domain controllers, specific user types, and recurring, expected events.
You can also create custom filters to specific events. The following table lists the filter types you can create in SEM.
| Filter type | Use |
|---|---|
| Change management filter | Monitors configuration changes users implement in your network |
| High volume event filter | Monitors traffic spikes or unexpected off-peak traffic. |
| General interest filter |
Monitors logs in failures and failed authentications. A failed authentication is an event triggered by three logon failures by the same account within an extremely short period of time.
|
| Rule scenario event filter | Determines if you have the appropriate events to create a rule for a specific scenario. |
| Daily problem event filter | Monitors basic operational problems (such as account lockouts) in real time. |
Default filters included with SEM
SEM includes filters that support best practices in the security industry. You can modify these filters to meet your needs, or you can create an unlimited number of custom filters. A single set of filters can monitor data collected across multiple SEM Managers.
Locate and view filters
Click the Live Events tab on the toolbar to locate a filter. Expand a category (such as Overview or IT Operations) to view its filters. The number of events that match the filter's criteria is displayed on-screen. Click a filter to display the filtered events in the log viewer table. Initially, all events are displayed.
SEM filter categories
By default, filters in the Filters pane are grouped into the following categories:
- Overview
- Security
- IT Operations
- Change Management
- Authentication
- Endpoint Monitoring
- Compliance
Learn about creating filters here.
Default filters included with SEM
The following default filters are included with SEM.
Overview filters
| Name | Description | Default Status |
|---|---|---|
| All Events | Displays all events from all sources. | On |
Security filters
| Name | Description | Default Status |
|---|---|---|
| Incidents | Filters all events categorized as Incidents. | On |
| Security Events |
Filters events categorized as attack activity or potentially suspicious. |
On |
| Network Event Threats | Filters events with source or destination detected in the threat intelligence feed as potentially bad actors. | On |
| All Firewall Events | Filters events from firewall devices that match the targeted name. | On |
| All Threat Events | Filters all events with the source or destination detected in the threat intelligence feed as potentially bad actors. | On |
| Denied ACL Traffic | Filters events from network devices that indicate denied ACL activity. | Off |
| Unusual Network Traffic | Filters unusual network traffic and scans. | On |
| Blocked Web Traffic | Filters events from proxy servers or other web servers that blocked an attempt to access a URL. | On |
| Proxy Bypassers | Filters web traffic users who are bypassing your proxy server. | Off |
| Web Traffic - Spyware | Filters web traffic events to potential spyware sites. | Off |
| Virus Attacks | Filters events that indicate potential virus detection. | On |
| IDS Scan / Attack Activity | Filters security events detected by IDS tools (such as Snort). | On |
| Security Processes | Filters security-related process activities. | On |
| File Audit Failures | Filters events that indicate failed attempts to access files. | On |
IT Operations filters
| Name | Description | Default Status |
|---|---|---|
| All Domain Controller Events | Displays all traffic from machines in the Domain Controllers tool profile. | Off |
| All Web Traffic |
Filters all web traffic-related events from network devices, proxy servers, and web servers. |
On |
| Software Installation/Update | Filters events related to software installation and updates. | On |
| Service Events | Filters events related to starting and stopping services, as well as service warnings and information. | On |
| System Events | Filters events related to system availability and status information. | On |
| Error Events | Filters events from all sources that contain "error". | On |
| Warning Events | Filters events from all sources that contain "warning". | On |
| Windows Error Events | Filters events from Microsoft Windows event logs that contain "error". | On |
| Error Events for Device | Filters events from a specific device that contain "error". | Off |
| Web Traffic for Source Machine | Filters web traffic emanating from a certain source machine. | Off |
| All Network Traffic | Filters all network traffic-related events from all devices and systems. | On |
| FTP Traffic | Filters TCP traffic events between one or more FTP ports reported by any device or system. | On |
| SNMP Traffic | Filters UDP traffic events between one or more SNMP ports reported by any device or system. |
On |
| SMTP Traffic | Filters UDP traffic events between one or more SMTP ports reported by any device or system. | On |
Change Management filters
| Name | Description | Default Status |
|---|---|---|
| General Change Management | Filters all events that indicate changes to devices, systems, users, groups, and domains. | On |
| User Account Changes |
Filters changes to existing user accounts. |
On |
| Machine Account Changes | Filters changes to existing machine accounts. | On |
| Group Changes | Filters creation, deletion, and changes to groups. | On |
| Domain & Membership Changes | Filters new and deleted domain accounts (including users/groups) and domain changes. | On |
| Device/System Policy Changes | Filters events related to policy changes on devices and systems. | On |
| All File Audit Activity | Filters events related to all types of audited file access. | On |
| USB File Auditing | Filters file-related alerts from Agents running USB Defender | On |
Authentication filters
| Name | Description | Default Status |
|---|---|---|
| User Logons | Filters all types of user logons. | On |
| Interactive User Logons |
Filters background network logon types. |
On |
| Remote User Logons | Filters events that indicate remote Windows system logons. | On |
| Failed Logons | Filters events that indicate failed logon attempts to devices and systems. | On |
| Account Lockouts | Filters events that indicate an account was locked out. | On |
| Authentication Event Threats | Filters authentication events with a source or destination detected in the threat intelligence feed as potentially bad actors. | On |
| Admin Account Authentication | Filters authentication events related to specified administrative accounts. | Off |
Endpoint Monitoring filters
| Name | Description | Default Status |
|---|---|---|
| Workstation Logon/Logon Failure Activity | Filters non-network workstation logon/logon failure to a domain or local account. | On |
| Local Account Authentication/Changes |
Filters any user-related audit events that are not to or from the corporate domain. |
On |
| Software Installed on Workstations | Filters software installations on workstation systems. | On |
| USB-Defender Events | Filters USB Defender events. | On |
| Workstation Events with Threats | Filters all events detected on endpoints with a source or destination detected in the threat intelligence feed as potentially bad actors. | On |
Compliance filters
| Name | Description | Default Status |
|---|---|---|
| Top PCI Events | Filters the most common PCI events of interest, which include change management, unexpected file access, incidents, and attacks. | Off |
| Top HIPAA Events |
Filters file activity, changes, and incidents related to HIPAA events. |
Off |
| Top Banking Compliance Events | Filters common banking compliance events, including change management, users and groups, and potentially suspicious attack activity. | Off |