Get started building custom filter expressions in SEM
This section provides information to help you write custom filter expressions in SEM.
See also: Create filters with the SEM Console for step-by-step instructions.
About custom filter expressions
The Filter Creation screen is similar to the Rule Creation screen, but creating filters is more forgiving. Filters only report when events occur, so there is no harm in creating an unusual filter with logic issues. Use the Filter Creation screen to familiarize yourself with the logic and tools required to create well-crafted rules.
When creating filter expressions, your conditions can be broad or specific. For example, the All Events filter does not include specific conditions. As a result, it captures all events, regardless of the source or event type. Conversely, the User Logons filter includes one condition: UserLogon Exists. This filter only captures events with the UserLogon event type.
To create a custom filter, see Create filters in the SEM Console.
Event filters are based on specific events or event groups listed in the left window pane. You can configure your new filter by dragging and dropping the event attributes into the Conditions and Notifications configuration boxes. When a SEM Agent or Manager reports an event that matches the event filter conditions, the event message appears in the events grid while the filter is active.
Each new filter is added to the Filters pane. Selecting a filter activates the filter in the events grid. The events grid only displays event messages that meet your filter requirements.
Examine the default filters included with SEM
The SEM console includes a variety of filters that support security industry best practices. The following steps describe how to open a filter and view the filter expression.
- In the SEM console, click the Live Events tab.
- In the Filters pane, scroll down to locate your filter, move the pointer over the filter to expose the vertical ellipsis, click it, and then select Edit.
Conditions are the various rules that state when the filter is to display an event message.
To define conditions, drag event variables from the events, event groups, and fields lists into the filter builder. Use the conditions connectors to configure how these variables compare to other items, such as time of day sets, connector profiles, user-defined groups, constants, and other event fields.
You can also combine groups with AND/OR conditions. The AND conditions state which events must occur together before the filter shows an event. The OR conditions state that if any one of several conditions occurs, the filter shows the event. The combined conditions dictate when the event filter displays an event. The filter ignores (and does not display) any events that do not meet these conditions.
The conditions connectors enable you to configure relationships between events and establish the conditions under which the event filter displays the event message.
The following table describes each element of the conditions connectors.
| # | Element | Description |
|---|---------|-------------|
| 1 | Group | Configures groups based on the fields you drag from the Filters pane. |
| 2 | Nested group | Refines your conditions by comparing one group of conditions to another. You can drag event variables and other items from the list pane into the nested group boxes to create the logic for highly complex and exact conditions. The example above shows one nested group. |
| 3 | Delete | Deletes a condition or group, as well as any nested groups. |
| 4 | Event variable | Stores event variables (such as events, event groups, and fields) dragged from the Filters pane. As event messages stream into the console, the filter analyzes the values associated with each event variable to determine whether the event message meets the filter conditions. |
| 5 | Operator | Describes how the filter compares the event variable to another item to determine whether the event meets the filter conditions. Click the operator icon to cycle through and select an operator. |
| 8 | Boolean AND operator | Combines or excludes keywords or fields in a search using the Boolean AND operator. |
| 9 | Boolean OR operator | Combines or excludes keywords or fields in a search using the Boolean OR operator. |
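As an added illustration, not SEM's own code or filter syntax, the following Python models the group, nested group, operator and AND/OR logic described above and applies three filters (the All Events filter, the User Logons filter, and one with a nested group) to constructed events. The event field names, the `EventType` key, the operator set and the `SERVICE_ACCOUNTS` user-defined group are assumptions made for the example.

```python
# Constructed toy evaluator for the group / nested-group / AND-OR filter logic.
from dataclasses import dataclass, field

# Constructed sample events (field names are assumptions, not an export from SEM).
EVENTS = [
    {"EventType": "UserLogon", "DestinationAccount": "alice", "SourceMachine": "ws01"},
    {"EventType": "UserLogon", "DestinationAccount": "svc_backup", "SourceMachine": "db02"},
    {"EventType": "UserLogoff", "DestinationAccount": "alice", "SourceMachine": "ws01"},
    {"EventType": "TCPTrafficAudit", "SourceMachine": "fw01"},
]
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}   # stands in for a user-defined group

@dataclass
class Condition:
    """One row of the filter builder: event variable, operator, compared item."""
    variable: str
    operator: str          # "Exists", "=", "!=" or "in" (membership in a group)
    value: object = None

    def matches(self, event: dict) -> bool:
        if self.operator == "Exists":      # e.g. "UserLogon Exists"
            return event.get("EventType") == self.variable
        if self.variable not in event:     # field absent: the condition cannot match
            return False
        actual = event[self.variable]
        if self.operator == "=":
            return actual == self.value
        if self.operator == "!=":
            return actual != self.value
        if self.operator == "in":
            return actual in self.value
        raise ValueError(f"unknown operator {self.operator!r}")

@dataclass
class Group:
    """A group or nested group; its connector joins conditions and sub-groups."""
    connector: str                               # "AND" or "OR"
    items: list = field(default_factory=list)    # Condition or Group instances

    def matches(self, event: dict) -> bool:
        results = [item.matches(event) for item in self.items]
        return all(results) if self.connector == "AND" else any(results)

ALL_EVENTS = Group("AND")   # no conditions: matches every event (all() of [] is True)
USER_LOGONS = Group("AND", [Condition("UserLogon", "Exists")])
# Nested group: UserLogon Exists AND (account in a user-defined group OR machine = fw01)
SERVICE_LOGONS = Group("AND", [
    Condition("UserLogon", "Exists"),
    Group("OR", [Condition("DestinationAccount", "in", SERVICE_ACCOUNTS),
                 Condition("SourceMachine", "=", "fw01")]),
])

def apply_filter(flt: Group, events=EVENTS) -> list:
    """Return the events the filter would display; all others are ignored."""
    return [e for e in events if flt.matches(e)]
```

Note that an empty AND group displays everything, which is exactly the behaviour of the All Events filter described above, while an empty OR group would display nothing.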