Filters
Filters are used to select events based on user-defined conditions.
The one exception is the collector service: there, a filter keeps all events that DO NOT satisfy its conditions, so events that match the conditions are discarded.
Filters can be used in the following KUMA services and features:
- Collector.
- Correlator.
- Storage.
- KUMA agents.
- Correlation rules.
- Enrichment rules.
- Aggregation rules.
- Destinations.
- Response rules.
- Segmentation rules.
You can use standalone filters or built-in filters that are stored in the service or resource where they were created.
For filters, you can enable the display of control characters in all input fields except the Description field.
Available settings for filters:
- Name (required)—a unique name for this type of resource. Must contain 1 to 128 Unicode characters. Inline filters are created in other resources or services and do not have names.
- Tenant (required)—name of the tenant that owns the resource.
- The Conditions group of settings lets you formulate filtering criteria by creating filter conditions and groups of filters, or by adding existing filters.
You can use the Add group button to add a group of filters. Group operators can be switched between AND, OR, and NOT. You can add groups, conditions, and existing filters to groups of filters. Conditions placed in the NOT subgroup are combined with the AND operator.
You can use the Add filter button to add an existing filter, which you can select in the Select filter drop-down list.
You can use the Add condition button to add a string containing fields for identifying the condition (see below).
Conditions, groups, and filters can be deleted by using the delete button next to them.
Settings of conditions:
- When (required)—in this drop-down list, you specify whether the operator is applied as is or inverted (negated), so that the condition is satisfied when the operator does not match.
- Left operand and Right operand (required)—used to specify the values that the operator will process. The available types depend on the selected operator.
- Operator (required)—used to select the condition operator.
In this drop-down list, you can select the do not match case check box if the operator should ignore the case of values. This check box is ignored if the inSubnet, inActiveList, inCategory, inActiveDirectoryGroup, hasBit, or inDictionary operator is selected. This check box is cleared by default.
The available operand kinds depend on whether the operand is left (L) or right (R). An empty cell in the table below means that operand kind is not available for the operator.
Available operand kinds for left (L) and right (R) operands
Operator | Event field type | Active list type | Dictionary type | Table type | TI type | Constant type | List type |
= | L,R | L,R | L,R | L,R | L,R | R | R |
> | L,R | L,R | L,R | L,R | L | R | |
>= | L,R | L,R | L,R | L,R | L | R | |
< | L,R | L,R | L,R | L,R | L | R | |
<= | L,R | L,R | L,R | L,R | L | R | |
inSubnet | L,R | L,R | L,R | L,R | L,R | R | R |
contains | L,R | L,R | L,R | L,R | L,R | R | R |
startsWith | L,R | L,R | L,R | L,R | L,R | R | R |
endsWith | L,R | L,R | L,R | L,R | L,R | R | R |
match | L | L | L | L | L | R | R |
hasVulnerability | L | L | L | L | | | |
hasBit | L | L | L | L | | R | R |
inActiveList | | | | | | | |
inDictionary | | | | | | | |
inCategory | L | L | L | L | | R | R |
inActiveDirectoryGroup | L | L | L | L | | R | R |
TIDetect | | | | | | | |
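The following Python program is an added example, not KUMA's own code, that models how a filter tree built from the settings above is evaluated: conditions with an event-field left operand and a constant right operand, the inverted "When" setting, the "do not match case" check box (and the operators for which it is ignored), AND/OR/NOT groups with the NOT members combined by AND, and the collector's inverted selection described at the top of the page. The operator semantics (numeric comparison for >, >=, <, <=; partial regular-expression search for match; CIDR membership for inSubnet) and the event field names are assumptions; active list, dictionary, table, TI and list operands are not modelled, and the sample events are constructed.

```python
"""Toy evaluator for KUMA-style filter trees (added example, not KUMA code)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Any, Callable, Union


def _fold(value: Any, ignore_case: bool) -> Any:
    """Lower-case strings when the 'do not match case' check box is set."""
    return value.lower() if ignore_case and isinstance(value, str) else value


# Assumed semantics for the operators that take a constant right operand.
OPERATORS: dict[str, Callable[[Any, Any, bool], bool]] = {
    "=":          lambda l, r, ic: _fold(l, ic) == _fold(r, ic),
    ">":          lambda l, r, ic: float(l) > float(r),
    ">=":         lambda l, r, ic: float(l) >= float(r),
    "<":          lambda l, r, ic: float(l) < float(r),
    "<=":         lambda l, r, ic: float(l) <= float(r),
    "contains":   lambda l, r, ic: _fold(r, ic) in _fold(l, ic),
    "startsWith": lambda l, r, ic: _fold(l, ic).startswith(_fold(r, ic)),
    "endsWith":   lambda l, r, ic: _fold(l, ic).endswith(_fold(r, ic)),
    "match":      lambda l, r, ic: re.search(r, l, re.IGNORECASE if ic else 0) is not None,
    "inSubnet":   lambda l, r, ic: ipaddress.ip_address(l) in ipaddress.ip_network(r, strict=False),
}

# Operators for which the page says the 'do not match case' check box is ignored.
CASE_FLAG_IGNORED = {"inSubnet", "inActiveList", "inCategory",
                     "inActiveDirectoryGroup", "hasBit", "inDictionary"}


@dataclass
class Condition:
    operator: str
    left: str                  # event field name (left operand)
    right: Any                 # constant (right operand)
    invert: bool = False       # the 'When' setting: True applies the inverted operator
    ignore_case: bool = False  # the 'do not match case' check box

    def test(self, event: dict[str, Any]) -> bool:
        value = event.get(self.left)
        ic = self.ignore_case and self.operator not in CASE_FLAG_IGNORED
        try:
            result = value is not None and OPERATORS[self.operator](value, self.right, ic)
        except (ValueError, TypeError, AttributeError):
            result = False  # e.g. a non-IP value under inSubnet never matches
        return (not result) if self.invert else result


@dataclass
class Group:
    operator: str                               # "AND", "OR" or "NOT"
    members: list[Union[Condition, "Group"]]    # conditions, nested groups, existing filters

    def test(self, event: dict[str, Any]) -> bool:
        results = [m.test(event) for m in self.members]
        if self.operator == "AND":
            return all(results)
        if self.operator == "OR":
            return any(results)
        if self.operator == "NOT":
            # Members of a NOT group are combined with AND, then the result is negated.
            return not all(results)
        raise ValueError(f"unknown group operator {self.operator!r}")


def select(flt: Group, events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Default semantics: keep the events that satisfy the filter."""
    return [e for e in events if flt.test(e)]


def collector_select(flt: Group, events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Collector semantics: keep the events that do NOT satisfy the filter."""
    return [e for e in events if not flt.test(e)]


# Constructed sample events using assumed CEF-style field names (not real data).
EVENTS = [
    {"id": 1, "DeviceEventClassID": "4625", "SourceAddress": "10.0.0.15",
     "DestinationUserName": "Admin", "Message": "password expired"},
    {"id": 2, "DeviceEventClassID": "4625", "SourceAddress": "10.0.0.15",
     "DestinationUserName": "Admin", "Message": "bad password"},
    {"id": 3, "DeviceEventClassID": "4625", "SourceAddress": "203.0.113.9",
     "DestinationUserName": "administrator", "Message": "bad password"},
    {"id": 4, "DeviceEventClassID": "4624", "SourceAddress": "192.168.1.7",
     "DestinationUserName": "svc_backup", "Message": "logon success"},
]

# Failed logons on admin-like accounts, minus password-expiry noise from 10.0.0.0/8.
# The NOT group reads NOT(inSubnet AND contains), not NOT(inSubnet) AND NOT(contains).
FAILED_ADMIN_LOGON = Group("AND", [
    Condition("=", "DeviceEventClassID", "4625"),
    Condition("startsWith", "DestinationUserName", "admin", ignore_case=True),
    Group("NOT", [
        Condition("inSubnet", "SourceAddress", "10.0.0.0/8"),
        Condition("contains", "Message", "expired"),
    ]),
])


def matching_ids(flt: Group, events: list[dict[str, Any]], collector: bool = False) -> list[int]:
    chosen = collector_select(flt, events) if collector else select(flt, events)
    return [e["id"] for e in chosen]


if __name__ == "__main__":
    print("selected:", matching_ids(FAILED_ADMIN_LOGON, EVENTS))               # [2, 3]
    print("collector keeps:", matching_ids(FAILED_ADMIN_LOGON, EVENTS, True))  # [1, 4]
```

Event 1 is dropped only because both conditions inside the NOT group hold at once; event 2, from the same subnet, is kept because the NOT group negates the AND of its members rather than each member separately. Running the same tree under the collector semantics keeps exactly the complement, which is why a filter copied from a correlator into a collector without re-reading the conditions silently inverts its meaning.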
The filters listed in the table below are included in the KUMA kit.
Predefined filters
Filter name | Description |
[OOTB][AD] A member was added to a security-enabled global group (4728) | Selects events of adding a user to an Active Directory security-enabled global group. |
[OOTB][AD] A member was added to a security-enabled universal group (4756) | Selects events of adding a user to an Active Directory security-enabled universal group. |
[OOTB][AD] A member was removed from a security-enabled global group (4729) | Selects events of removing a user from an Active Directory security-enabled global group. |
[OOTB][AD] A member was removed from a security-enabled universal group (4757) | Selects events of removing a user from an Active Directory security-enabled universal group. |
[OOTB][AD] Account Created | Selects Windows user account creation events. |
[OOTB][AD] Account Deleted | Selects Windows user account deletion events. |
[OOTB][AD] An account failed to log on (4625) | Selects Windows logon failure events. |
[OOTB][AD] Successful Kerberos authentication (4624, 4768, 4769, 4770) | Selects successful Windows logon events and events with IDs 4769, 4770 that are logged on domain controllers. |
[OOTB][AD][Technical] 4768. TGT Requested | Selects Microsoft Windows events with ID 4768. |
[OOTB][Net] Possible port scan | Selects events that may indicate a port scan. |
[OOTB][SSH] Accepted Password | Selects events of successful SSH connections with a password. |
[OOTB][SSH] Failed Password | Selects attempts to connect over SSH with a password. |