Documentation forSecurity Event Manager

About SEM filters

Network activity generates events and alerts, some of which are of interest or use at any particular time. SEM filters capture and display the events and alerts that meet your specific requirements.

You can turn filters on and off, pause filters to sort or investigate events, perform actions to respond to events, and configure filters to notify you when they capture an event. Filters can also be used with dashboard widgets that display charts and graphs to visually represent the event data.

Filter conditions can be broad or specific. For example:

  • The default "All" filter captures all events, regardless of the source or event type
  • The filter "User Account Changes" in the Change Management group of filters, only captures one event: Auditable User Events Occurred
  • The filter "FTP Traffic" in the group of filter, captures any of the following events:
    • Network Audit Alerts.EventInfo is equal to *FTP*
    • Network Audit Alerts.SourcePort is equal to 20
    • Network Audit Alerts.SourcePort is equal to 21
    • Network Audit Alerts.DestinationPort is equal to 20
    • Network Audit Alerts.DestinationPort is equal to 21

Filters and rules

Create filters when you want to group a type of event. For example, you can create filters to collect all events from your domain controllers, or all events for a specific type of user.

Create rules when you want SEM to act in response to one or more events. See Create rules that respond to security events for more information.

Rules can be quickly created from filters as described in Create a rule from a filter.

Use filters to group a type of event or to monitor specific events

You can create filters to collect all events from your firewalls, domain controllers, specific user types, and recurring, expected events.

You can also create custom filters to specific events. The following table lists the filter types you can create in SEM.

Filter type Use
Change management filter Monitors configuration changes users implement in your network
High volume event filter Monitors traffic spikes or unexpected off-peak traffic.
General interest filter

Monitors logs in failures and failed authentications.

A failed authentication is an event triggered by three logon failures by the same account within an extremely short period of time.
Rule scenario event filter Determines if you have the appropriate events to create a rule for a specific scenario.
Daily problem event filter Monitors basic operational problems (such as account lockouts) in real time.

Default filters included with SEM

SEM includes filters that support best practices in the security industry. You can modify these filters to meet your needs, or you can create an unlimited number of custom filters. A single set of filters can monitor data collected across multiple SEM Managers.

Locate and view filters

Click the Live Events tab on the toolbar to locate a filter. Expand a category (such as Overview or IT Operations) to view its filters. The number of events that match the filter's criteria is displayed on-screen. Click a filter to display the filtered events in the log viewer table. Initially, all events are displayed.

SEM filter categories

By default, filters in the Filters pane are grouped into the following categories:

  • Overview
  • Security
  • IT Operations
  • Change Management
  • Authentication
  • Endpoint Monitoring
  • Compliance

Learn about creating filters here.

Default filters included with SEM

The following default filters are included with SEM.

Overview filters

Name Description Default Status
All Events Displays all events from all sources. On

Security filters

Name Description Default Status
Incidents Filters all events categorized as Incidents. On
Security Events

Filters events categorized as attack activity or potentially suspicious.

On
Network Event Threats Filters events with source or destination detected in the threat intelligence feed as potentially bad actors. On
All Firewall Events Filters events from firewall devices that match the targeted name. On
All Threat Events Filters all events with the source or destination detected in the threat intelligence feed as potentially bad actors. On
Denied ACL Traffic Filters events from network devices that indicate denied ACL activity. Off
Unusual Network Traffic Filters unusual network traffic and scans. On
Blocked Web Traffic Filters events from proxy servers or other web servers that blocked an attempt to access a URL. On
Proxy Bypassers Filters web traffic users who are bypassing your proxy server. Off
Web Traffic - Spyware Filters web traffic events to potential spyware sites. Off
Virus Attacks Filters events that indicate potential virus detection. On
IDS Scan / Attack Activity Filters security events detected by IDS tools (such as Snort). On
Security Processes Filters security-related process activities. On
File Audit Failures Filters events that indicate failed attempts to access files. On

IT Operations filters

Name Description Default Status
All Domain Controller Events Displays all traffic from machines in the Domain Controllers tool profile. Off
All Web Traffic

Filters all web traffic-related events from network devices, proxy servers, and web servers.

On
Software Installation/Update Filters events related to software installation and updates. On
Service Events Filters events related to starting and stopping services, as well as service warnings and information. On
System Events Filters events related to system availability and status information. On
Error Events Filters events from all sources that contain "error". On
Warning Events Filters events from all sources that contain "warning". On
Windows Error Events Filters events from Microsoft Windows event logs that contain "error". On
Error Events for Device Filters events from a specific device that contain "error". Off
Web Traffic for Source Machine Filters web traffic emanating from a certain source machine. Off
All Network Traffic Filters all network traffic-related events from all devices and systems. On
FTP Traffic Filters TCP traffic events between one or more FTP ports reported by any device or system. On
SNMP Traffic Filters UDP traffic events between one or more SNMP ports reported by any device or system.

On

SMTP Traffic Filters UDP traffic events between one or more SMTP ports reported by any device or system. On

Change Management filters

Name Description Default Status
General Change Management Filters all events that indicate changes to devices, systems, users, groups, and domains. On
User Account Changes

Filters changes to existing user accounts.

On
Machine Account Changes Filters changes to existing machine accounts. On
Group Changes Filters creation, deletion, and changes to groups. On
Domain & Membership Changes Filters new and deleted domain accounts (including users/groups) and domain changes. On
Device/System Policy Changes Filters events related to policy changes on devices and systems. On
All File Audit Activity Filters events related to all types of audited file access. On
USB File Auditing Filters file-related alerts from Agents running USB Defender On

Authentication filters

Name Description Default Status
User Logons Filters all types of user logons. On
Interactive User Logons

Filters background network logon types.

On
Remote User Logons Filters events that indicate remote Windows system logons. On
Failed Logons Filters events that indicate failed logon attempts to devices and systems. On
Account Lockouts Filters events that indicate an account was locked out. On
Authentication Event Threats Filters authentication events with a source or destination detected in the threat intelligence feed as potentially bad actors. On
Admin Account Authentication Filters authentication events related to specified administrative accounts. Off

Endpoint Monitoring filters

Name Description Default Status
Workstation Logon/Logon Failure Activity Filters non-network workstation logon/logon failure to a domain or local account. On
Local Account Authentication/Changes

Filters any user-related audit events that are not to or from the corporate domain.

On
Software Installed on Workstations Filters software installations on workstation systems. On
USB-Defender Events Filters USB Defender events. On
Workstation Events with Threats Filters all events detected on endpoints with a source or destination detected in the threat intelligence feed as potentially bad actors. On

Compliance filters

Name Description Default Status
Top PCI Events Filters the most common PCI events of interest, which include change management, unexpected file access, incidents, and attacks. Off
Top HIPAA Events

Filters file activity, changes, and incidents related to HIPAA events.

Off
Top Banking Compliance Events Filters common banking compliance events, including change management, users and groups, and potentially suspicious attack activity. Off