Documentation forSecurity Event Manager

Capture traffic from a specific device

Use the ToolAlias field in SEM rules and filters to capture traffic from a specific device.

The ToolAlias field allows you to create filters, rules, and searches that target traffic from a specific device. Every device that sends events to SEM includes an Alias property you can customize with a device-specific name. Use the ToolAlias field to examine the Alias property and find events that match your filter criteria.

You can also use the DetectionIP event to monitor events from a device that has a specific IP address, for example AnyAlert.DetectionIP=

Create a filter to capture events from a specific device

  1. On the SEM Console, click the Live Events tab.
  2. To create a filter at the group level in the Filter Values pane, move the mouse pointer over a group heading to expose the vertical ellipsis, and then select Add New Filter.


    To create a filter at the root level, click the add icon, and then select Add New Filter.

  3. Enter a descriptive name for your new filter.
  4. In the first column on the left, expand Event Groups and select one of the following:
    • To view all traffic from your device, select Any Alert.
    • To view all network events from your device, select Network Audit Alerts.
    • To view web traffic from your device, select WebTrafficAudit from the Event groups.
  5. From the second column list, drag ToolAlias into the filter builder.

    When you drag a value into the filter builder, the correct drop location is illuminated with a blue line.

  6. Click the or add it hyperlink.

  1. Enter a filter value to match the alias property of the device that you want to track. Use asterisks (*) as wildcard characters if required.

    For example, consider the default Firewall filter. Its condition is Any Alert.ToolAlias = *firewall*. This assumes that the firewall connector was configured with a Tool Alias that includes "firewall" in the name.

  2. Click Save.

Verify that the correct Alias value is associated with the connector

The following procedure applies to devices configured to send logs to SEM. To verify agent connectors, use this same procedure, but apply it to the agent associated with the connector instead.

  1. Log in to the SEM Console.
  2. On the toolbar, click Configure > Manager connectors.
  3. Under Configured connectors, select the connector instance you want to verify.

  4. On the connector toolbar, click Edit.
  5. Verify the connector name (alias) is correct (change the name, if not), and click Save.
  6. On the connector toolbar, click Start.