Kaspersky Next XDR Expert

Filters

Filters let you select events based on specified conditions. The collector service uses filters to select events that you want to send to KUMA. Events that satisfy the filter conditions are sent to KUMA for further processing.

You can use filters in the following KUMA services and features:

You can use standalone filters or built-in filters that are stored in the service or resource in which they were created. In the input fields of a resource, except the Description field, you can enable the display of control characters. Available filter settings are listed in the table below.

Setting      Description
Name         Unique name of the resource. The maximum length of the name is 128 Unicode characters. Required setting.
             Inline filters are created in other resources or services and do not have names.
Tenant       The name of the tenant that owns the resource. Required setting.
Tags         Tags for resource search. Optional setting.
Description  Description of the resource. The maximum length of the description is 4000 Unicode characters.

You can create filter conditions and filter groups, or add existing filters to a filter.

To create filtering criteria, you can use builder mode or source code mode. In builder mode, you can create or edit filter criteria by selecting filter conditions and operators from drop-down lists. In source code mode, you can use text commands to create and edit search queries. The builder mode is used by default.

You can freely switch between modes when creating filtering criteria. To switch to source code mode, select the Code tab. When switching between modes, the created condition filters are preserved. If the filter code is not displayed on the Code tab after linking the created filter to the resource, go to the Builder tab and then go back to the Code tab to display the filter code.

Creating filtering criteria in builder mode

To create filtering criteria in builder mode, you need to select one of the following operators from the drop-down list:

  • AND: The filter selects events that match all of the specified conditions.
  • OR: The filter selects events that match one of the specified conditions.
  • NOT: The filter selects events that match none of the specified conditions.

You can add filtering criteria in one of the following ways:

  • To add a condition, click the + Add condition button.
  • To add a group of conditions, click the + Add group button. When adding groups of conditions, you can also select the AND, OR, and NOT operators. In turn, you can add conditions and condition groups to a condition group.

You can add multiple filtering criteria, reorder them, or remove them. To reorder filtering criteria, use the reorder icons. To remove a filtering criterion, click the delete icon next to it.

Available condition settings are listed in the table below.

Setting

Description

<Condition type>

Condition type. The default is If. You can click the default value and select If not from the displayed drop-down list.

Required setting.

<Left operand> and <Right operand>

Values to be processed by the operator. The available types of values of the right operand depend on the selected operator.

Operands of filters

  • In the Event fields section, you can specify the event field that you want to use as a filter operand.
  • In the Active lists section, you can specify an active list or field of an active list that you want to use as an operand of the filter. When selecting an active list, you must specify one or more event fields that are used to create an active list entry and act as the key of the active list entry. To finish specifying event fields, press Ctrl/Command+F1.

    If you have not specified the inActiveList operator, you need to specify the name of the active list field that you want to use as a filter operand.

  • In the Context tables section, you can specify the value of the context table that you want to use as the filter operand. When selecting a context table, you must specify an event field:
    • context table name (required) is the context table that you want to use.
    • key fields (required) are event fields or local variables that are used to create a context table record and serve as the key for the context table record.
    • field is the name of the context table field from which you want to get the value of the operand.
    • index is the index of the list field of the table from which you want to get the value of the operand.
  • Dictionary is a value from the dictionary resource that you want to assign to the operand. Advanced settings:
    • dictionary (required) is the dictionary that you want to use.
    • key fields (required) are event fields that are used to generate the key of the dictionary value.
  • Constant is a user-defined value that you want to assign to the operand. Advanced settings:
    • value (required) is the constant that you want to assign to the operand.
  • Table specifies user-defined values that you want to assign to the operand. Advanced settings:
    • dictionary (required) is the type of the dictionary. You need to select the Table dictionary type.
    • key fields (required) are event fields that are used to generate the key of the dictionary value.
  • List specifies user-defined values that you want to assign to the operand. Advanced settings:
    • value (required) specifies the constants that you want to assign to the operand. When you type a value in the field and press ENTER, the value is added to the list and you can enter the next value.
  • TI specifies the settings for reading CyberTrace threat intelligence (TI) data from the events. Advanced settings:
    • stream (required) is the CyberTrace threat category.
    • key fields (required) is the event field with CyberTrace threat indicators.
    • field (required) is the field of the CyberTrace feed with threat indicators.

Required settings.

<Operator>

Condition operator. When selecting a condition operator in the drop-down list, you can select the do not match case check box if you want the operator to ignore the case of values. This check box is ignored if one of the inSubnet, inActiveList, inCategory, inActiveDirectoryGroup, hasBit, or inDictionary operators is selected. By default, this check box is cleared.

Filter operators

  • =—the left operand equals the right operand.
  • <—the left operand is less than the right operand.
  • <=—the left operand is less than or equal to the right operand.
  • >—the left operand is greater than the right operand.
  • >=—the left operand is greater than or equal to the right operand.
  • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
  • contains—the left operand contains values of the right operand.
  • startsWith—the left operand starts with one of the values of the right operand.
  • endsWith—the left operand ends with one of the values of the right operand.
  • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.
  • hasBit—checks whether the left operand (string or number) contains bits whose positions are listed in the right operand (in a constant or in a list).

    The value to be checked is converted to binary and read right to left, so position 0 is the least significant bit. The bits at the positions specified in the constant or list are checked.

    If the value being checked is a string, an attempt is made to convert it to an integer and process it as described above. If the string cannot be converted to a number, the filter returns False.

  • hasVulnerability—checks whether the left operand contains an asset with the vulnerability and vulnerability severity specified in the right operand.

    If you do not specify the ID and severity of the vulnerability, the filter is triggered if the asset in the event being checked has any vulnerability.

  • inActiveList—this operator has only one operand. Its values are selected in the Key fields field and are compared with the entries in the active list selected from the Active List drop-down list.
  • inDictionary—checks whether the specified dictionary contains an entry defined by the key composed with the concatenated values of the selected event fields.
  • inCategory—the asset in the left operand is assigned at least one of the asset categories of the right operand.
  • inActiveDirectoryGroup—the Active Directory account in the left operand belongs to one of the Active Directory groups in the right operand.
  • TIDetect—this operator is used to find events using CyberTrace Threat Intelligence (TI) data. This operator can be used only on events that have completed enrichment with data from CyberTrace Threat Intelligence. In other words, it can only be used in collectors at the destination selection stage and in correlators.
  • inContextTable—checks whether the specified context table contains the entry.
  • intersect—checks whether the left operand contains the list items specified in the right operand.
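The hasBit semantics described above, as an added example in Go (not KUMA's own code): the left operand is converted to an integer, its binary form is read right to left, and a string that cannot be converted yields false. The example assumes that every listed bit position must be set, which the page does not state.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// hasBit mirrors the documented hasBit operator as an added illustration (not
// KUMA's own code): the left operand is converted to an integer and its binary
// form is read right to left, so position 0 is the least significant bit.
// Assumption: every position listed in the right operand must be set.
func hasBit(left interface{}, positions []uint) bool {
	var n uint64
	switch v := left.(type) {
	case int:
		if v < 0 {
			return false // assumption: negative values are not treated as masks
		}
		n = uint64(v)
	case uint64:
		n = v
	case string:
		// Documented: strings are converted to an integer first; on failure the filter returns False.
		parsed, err := strconv.ParseUint(strings.TrimSpace(v), 10, 64)
		if err != nil {
			return false
		}
		n = parsed
	default:
		return false
	}
	if len(positions) == 0 {
		return false // assumption: an empty position list matches nothing
	}
	for _, p := range positions {
		if p >= 64 || n&(uint64(1)<<p) == 0 {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample values, not taken from a real event.
	fmt.Println(hasBit(6, []uint{1, 2}))  // true: 6 = 0b110, bits 1 and 2 are set
	fmt.Println(hasBit("6", []uint{0}))   // false: bit 0 of 0b110 is clear
	fmt.Println(hasBit("abc", []uint{0})) // false: not convertible to a number
}
```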

You can change or delete the specified operator. To change the operator, click it and specify a new operator. To delete the operator, click it, then press Backspace.

The available operand kinds depend on whether the operand is left (L) or right (R).

Available operand kinds for left (L) and right (R) operands

Operator                Event field  Active list  Dictionary  Context table  Table  TI    Constant  List
=                       L,R          L,R          L,R         L,R            L,R    L,R   R         R
>                       L,R          L,R          L,R         L,R*           L,R    L     R         none
>=                      L,R          L,R          L,R         L,R*           L,R    L     R         none
<                       L,R          L,R          L,R         L,R*           L,R    L     R         none
<=                      L,R          L,R          L,R         L,R*           L,R    L     R         none
inSubnet                L,R          L,R          L,R         L,R            L,R    L,R   R         R
contains                L,R          L,R          L,R         L,R            L,R    L,R   R         R
startsWith              L,R          L,R          L,R         L,R            L,R    L,R   R         R
endsWith                L,R          L,R          L,R         L,R            L,R    L,R   R         R
match                   L            L            L           L              L      L     R         R
hasVulnerability        L            L            L           L              L      none  none      none
hasBit                  L            L            L           L              L      none  R         R
inActiveList            none         none         none        none           none   none  none      none
inDictionary            none         none         none        none           none   none  none      none
inCategory              L            L            L           L              L      none  R         R
inContextTable          none         none         none        none           none   none  none      none
inActiveDirectoryGroup  L            L            L           L              L      none  R         R
TIDetect                none         none         none        none           none   none  none      none

* Only when looking up a table value by index.
"none" means that the operand kind is not available for this operator.

You can use hotkeys when managing filters. Hotkeys are described in the table below.

Hotkeys and their functions

Key         Function
e           Invokes a filter by the event field
d           Invokes a filter by the dictionary field
a           Invokes a filter by the active list field
c           Invokes a filter by the context table field
t           Invokes a filter by the table field
f           Invokes a filter
t+i         Invokes a filter using TI
Ctrl+Enter  Finishes editing a condition

The usage of extended event schema fields of the "String", "Number", or "Float" types is the same as the usage of fields of the KUMA event schema.

When using filters with extended event schema fields of the "Array of strings", "Array of numbers", and "Array of floats" types, you can use the following operations:

  • The contains operation returns True if the specified substring is present in the array, otherwise it returns False.
  • The match operation matches the strings in the array against a regular expression.
  • The intersect operation.
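The array-field operations above, as an added example in Go (not KUMA's own code). The exact semantics are assumptions: contains is true if any element contains the substring, match is true if any element matches the pattern (Go's regexp package implements RE2, as the page states, so a pattern with a backreference is rejected at compile time), and intersect is true if the array shares at least one item with the right-operand list.

```go
package main

import (
	"regexp"
	"strings"
)

// Operations on extended event schema "Array of strings" fields, as an added
// illustration (not KUMA's own code). Assumed semantics: contains is true if
// some element contains the substring, match is true if some element matches
// the RE2 regular expression, intersect is true if the array shares at least
// one item with the right-operand list.

func arrayContains(arr []string, substr string) bool {
	for _, s := range arr {
		if strings.Contains(s, substr) {
			return true
		}
	}
	return false
}

// arrayMatch reports an error for patterns RE2 rejects (e.g. backreferences);
// such a filter can never match. Go's regexp package implements RE2.
func arrayMatch(arr []string, pattern string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	for _, s := range arr {
		if re.MatchString(s) {
			return true, nil
		}
	}
	return false, nil
}

func arrayIntersect(left, right []string) bool {
	seen := make(map[string]struct{}, len(left))
	for _, s := range left {
		seen[s] = struct{}{}
	}
	for _, s := range right {
		if _, ok := seen[s]; ok {
			return true
		}
	}
	return false
}
```

A pattern that RE2 cannot compile, such as one with a backreference, makes arrayMatch return an error rather than silently matching nothing, which is the case to watch for when porting PCRE-style patterns into a filter.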

Creating filtering criteria in source code mode

Source code mode lets you quickly edit conditions and select and copy blocks of code. In the right part of the builder, a navigator lets you move through the filter code. Lines are wrapped automatically at the AND, OR, and NOT logical operators, or at the commas that separate the items in a list of values.

Names of resources used in the filter are filled in automatically. Fields containing the names of linked resources cannot be edited. The names of shared resource categories are not displayed in the filter if you do not have the "Access to shared resources" role. To view the list of resources available for the selected operand inside the expression, press Ctrl+Space.

The filters listed in the table below are included in the KUMA kit.

Predefined filters

[OOTB][AD] A member was added to a security-enabled global group (4728)
    Selects events of adding a user to an Active Directory security-enabled global group.

[OOTB][AD] A member was added to a security-enabled universal group (4756)
    Selects events of adding a user to an Active Directory security-enabled universal group.

[OOTB][AD] A member was removed from a security-enabled global group (4729)
    Selects events of removing a user from an Active Directory security-enabled global group.

[OOTB][AD] A member was removed from a security-enabled universal group (4757)
    Selects events of removing a user from an Active Directory security-enabled universal group.

[OOTB][AD] Account Created
    Selects Windows user account creation events.

[OOTB][AD] Account Deleted
    Selects Windows user account deletion events.

[OOTB][AD] An account failed to log on (4625)
    Selects Windows logon failure events.

[OOTB][AD] Successful Kerberos authentication (4624, 4768, 4769, 4770)
    Selects successful Windows logon events and events with IDs 4769, 4770 that are logged on domain controllers.

[OOTB][AD][Technical] 4768. TGT Requested
    Selects Microsoft Windows events with ID 4768.

[OOTB][Net] Possible port scan
    Selects events that may indicate a port scan.

[OOTB][SSH] Accepted Password
    Selects events of successful SSH connections with a password.

[OOTB][SSH] Failed Password
    Selects attempts to connect over SSH with a password.

[Topic 217880]