Get started building custom filter expressions in LEM
This section provides information to help you write custom filter expressions in LEM.
About custom filter expressions
The Filter Creation screen is similar to the Rule Creation screen, but creating filters is more forgiving. Filters only report when matching events occur, so there is no harm in creating an unusual filter with logic issues. Use the Filter Creation screen to familiarize yourself with the logic and tools required to create well-crafted rules.
When creating filter expressions, your conditions can be broad or specific. For example, the All Events filter does not include specific conditions. As a result, it captures all events, regardless of the source or event type. Conversely, the User Logons filter includes one condition: UserLogon Exists. This filter only captures events with the UserLogon event type.
To create a custom filter, click Monitor, click the menu icon in the Filters toolbar, and then select Create. The Filter Creation screen appears, providing the tools you need to create a custom filter.
Event filters are based on specific events or event groups listed in the left window pane. You configure your new filter by dragging and dropping the event attributes into the Conditions and Notifications configuration boxes. When a LEM Agent or Manager reports an event that matches the filter conditions, the event message appears in the events grid while the filter is active.
Each new filter is added to the Filters pane. Selecting a filter activates the filter in the events grid. The events grid only displays event messages that meet your filter requirements.
Examine the default filters included with LEM
The LEM console includes a variety of filters that support security industry best practices. The following steps describe how to open a filter and view the filter expression.
On the LEM toolbar, click Monitor.
In the Filters pane, select the filter you want to examine.
Click the filter's menu icon, and then select Edit.
The filter expression opens in the Filter Creation pane.
The Conditions box appears in the Monitor view when you click the menu icon in the Filters toolbar and select Create. Use the Conditions box in conjunction with the Filters pane to configure the conditions that determine which events a filter reports. Conditions are the rules that state when the filter displays an event message.
To define conditions, drag event variables from the events, event groups, and fields lists into the conditions box. Use the Conditions connectors to configure how these variables compare to other items, such as time of day sets, connector profiles, user-defined groups, constants, and other event fields.
You can also combine groups with AND/OR connectors. An AND connector states that all of its conditions must be met before the filter shows an event. An OR connector states that if any one of its conditions is met, the filter shows the event. The combined conditions dictate when the event filter displays an event. The filter ignores (and does not display) any event that does not meet these conditions.
The Conditions connectors enable you to configure relationships between events in the Conditions box and to establish conditions when the event filter displays the event message.
Below is an example of the Conditions box.
The following table describes each feature of the Conditions box.
|#||Feature||Description|
|1||Group||Configures groups based on the fields you drag from the Filters pane. Click ▼ to collapse an expanded group.|
|2||Nested group||Adds a nested group inside the selected group. Click the icon to create the nested group.|
|3||Delete||Deletes a condition or group, as well as any nested groups. Click the icon to delete the group.|
|4||Event variable||Stores event variables (such as events, event groups, and fields) dragged from the Filters pane. As event messages stream into the console, the filter analyzes the values associated with each event variable to determine if the event message meets the filter conditions.|
|5||Operator||Describes how the filter compares the event variable to another item to determine if the event meets the filter conditions. Click the operator icon to cycle through and select an operator. Press Ctrl and click the operator icon to select an operator from a drop-down list.|
|6||List item||Displays the non-event items from the Filters pane. Drag and drop a list item into this field to define conditions based on your selected filter. Some event variables automatically add a blank constant as the list item. You can overwrite the constant with another list item or click the constant to add a specific value for the constant. For example, clicking a text Constant turns the field into an editable text box so you can type specific text. The text field also accepts wildcard characters. Each list item has an icon that corresponds to the list it came from. These icons let you quickly identify what kinds of items are defining your filter's conditions.|
|7||Nested group box||Refines your conditions by comparing one group of conditions to another. You can drag event variables and other items from the list pane into the nested group boxes to create the logic for highly complex and exact conditions. The example above shows one nested group.|
|8||Boolean AND operator||Combines or excludes keywords or fields in a search using the Boolean AND operator.|
|9||Boolean OR operator||Combines or excludes keywords or fields in a search using the Boolean OR operator.|
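The AND/OR semantics described above and the nested group box in the table are easiest to reason about as a small expression tree. The following Python script is an added example written for this page; it is not LEM code and does not use any LEM API. It models a filter as conditions (event variable, operator, list item or constant) inside groups joined by a Boolean connector, with groups nestable inside groups, and runs three filters over a handful of constructed sample events. The field names, the "UserLogonEvents" event group, and the operator names are assumptions for illustration; the empty-conditions filter behaves like the All Events filter and the single-condition filter like User Logons.

```python
"""Toy evaluator for LEM-style filter expressions (added example, not LEM code)."""
import fnmatch
from dataclasses import dataclass
from typing import Any, List, Union

# Constructed sample events and event group. Field names mimic LEM's but are assumptions.
EVENTS = [
    {"EventType": "UserLogon", "SourceAccount": "alice", "DestinationMachine": "DC01", "Severity": 2},
    {"EventType": "UserLogonFailure", "SourceAccount": "bob", "DestinationMachine": "FS01", "Severity": 5},
    {"EventType": "FileAuditFailure", "SourceAccount": "svc_backup", "DestinationMachine": "FS01", "Severity": 6},
    {"EventType": "UserLogon", "SourceAccount": "admin-joe", "DestinationMachine": "WEB02", "Severity": 2},
]
EVENT_GROUPS = {"UserLogonEvents": {"UserLogon", "UserLogonFailure"}}  # hypothetical event group


@dataclass
class Condition:
    """One row in the Conditions box: event variable, operator, list item or constant."""
    field: str
    op: str            # "exists", "equals", "matches" (wildcard text constant), "gte", "in_group"
    value: Any = None

    def evaluate(self, event: dict) -> bool:
        if self.op == "exists":
            return self.field in event
        if self.field not in event:
            return False  # a field the event does not carry never satisfies a comparison
        actual = event[self.field]
        if self.op == "equals":
            return actual == self.value
        if self.op == "matches":  # text constant with * and ? wildcards
            return fnmatch.fnmatchcase(str(actual), str(self.value))
        if self.op == "gte":
            return actual >= self.value
        if self.op == "in_group":  # event type belongs to a user-defined event group
            return actual in EVENT_GROUPS.get(self.value, set())
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class Group:
    """A group or nested group: members joined by a single Boolean connector."""
    connector: str                              # "AND" or "OR"
    members: List[Union[Condition, "Group"]]    # conditions and nested groups

    def evaluate(self, event: dict) -> bool:
        if not self.members:
            return True  # no conditions at all: every event matches, like All Events
        results = [m.evaluate(event) for m in self.members]
        return all(results) if self.connector == "AND" else any(results)


def apply_filter(filter_expr: Group, events: List[dict]) -> List[dict]:
    """Return the events the filter would show in the events grid."""
    return [e for e in events if filter_expr.evaluate(e)]


ALL_EVENTS = Group("AND", [])
USER_LOGONS = Group("AND", [Condition("EventType", "equals", "UserLogon")])
# Two nested groups under an OR: (admin account logged on) OR (logon-family event with Severity >= 5)
ADMIN_OR_SEVERE_LOGONS = Group("OR", [
    Group("AND", [Condition("EventType", "equals", "UserLogon"),
                  Condition("SourceAccount", "matches", "admin*")]),
    Group("AND", [Condition("EventType", "in_group", "UserLogonEvents"),
                  Condition("Severity", "gte", 5)]),
])

if __name__ == "__main__":
    for name, expr in [("All Events", ALL_EVENTS), ("User Logons", USER_LOGONS),
                       ("Admin or severe logons", ADMIN_OR_SEVERE_LOGONS)]:
        shown = apply_filter(expr, EVENTS)
        print(f"{name}: {[e['SourceAccount'] for e in shown]}")
```

Note how the nested groups change the result: the FileAuditFailure event has Severity 6 but is not in the logon event group, so the second AND group rejects it, and the OR only admits it if the first group matches, which it does not. Flattening both groups into one OR of four conditions would instead show that event, which is the kind of logic issue the page suggests trying out in a filter before committing it to a rule.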