11.5 Filters

Filters allow you to process data based on specific criteria for events in real-time and for users of the system. Filters enable you to manage data seen in the Sentinel Control Center. The Filter Engine drives the Real Time Event windows by maintaining the data structure for each security filter. Filters prevent users from viewing unauthorized events and drop events that users don’t want to see. Filters are created in the Admin tab of the Sentinel Control Center.

NOTE: The following characters are not allowed in filter names: $ # . * & : < >.

There are three types of filters:

11.5.1 Public Filters

Public filters are system-owned. Public filters can be used as security filters or display filters. Security filters are based on user permissions. Display filters determine which events are depicted in the real time event tables, charts and graphs.

Figure 11-3 Filter Manager window

11.5.2 Private Filters

Private filters are user-owned. Private filters are display filters and are shareable if you have the View Private Filters permission.

11.5.3 Global Filters

Global filters are classified as Public filters. Global filters are sequentially processed at the Collector Manager for each event. Once the global filter criteria are met, the evaluation stops for that event and the associated global filter action is taken for the event.

The order of evaluation of global filters is top to bottom, as shown in the console. They can be enabled or disabled as required. Global Filters enable routing actions and JavaScript actions on events. Routing actions include dropping events or routing events to database, database and GUI (SCC), or only to GUI (SCC).

This section includes the following topics:

  • Creating a Global Filter

  • Rearranging Global Filters

  • Deleting a Global Filter

Figure 11-4 Global Filter Configuration

Creating a Global Filter

To create a Global Filter:

  1. Click the Admin tab.

  2. Click Admin > Global Filter Configuration or select Global Filter Configuration in the navigation tree.

  3. In the Global Configuration window, click Add.

  4. In the new blank row, click the Filter Name column.

  5. In the Filter Selection Window, highlight a relevant filter and click Select, or click Add if you need to create a filter.

    The Expression column displays the selected filter in the RuleLg language.

  6. In the Active column, select the checkbox to associate the filter with options specified in the Route and Action columns.

    NOTE: If the Active checkbox is not selected, the options specified in the Default Route and Default Action are associated with the filter. If the Default Action is set to None, no action is associated with the filter.

  7. In the Route column, select the routing action that the global filter will have on events that pass this global filter. If an event does not meet any of the active global filters, then the Default > Routing determines how the event is handled.

    The following are the options available in the Route drop-down list:

    • drop: Events are dropped and are not sent to Sentinel Control Center or the Sentinel Server database.

    • database: Events are sent directly to the Sentinel Server database, bypassing the Sentinel Control Center.

    • database and gui: Events are sent to the Sentinel Control Center and Sentinel Server database.

    • gui only: Events are sent to the Sentinel Control Center.

  8. In the Action column, select the action that needs to be performed once the filter criteria are met.

    NOTE: To create new actions for the filter, click Action Manager or select Tools > Action > Manager from the menu bar. For more information on creating actions, see Actions. You can associate single or multiple actions with a filter. By default, the Action and Default Action are set to None. Global Filters execute only JavaScript actions. Actions that are associated with global filters cannot be deleted from the Action Manager.

    NOTE: The Action column and the Action Manager button are available only on systems that have Sentinel 6.1 SP1 Hotfix 2 or later installed.

  9. Continue adding filters until you have completed adding all the required filters.

  10. Click Save.

Rearranging Global Filters

To Rearrange Global Filters:

  1. In the Global Configuration window, select a filter and click Up or Down to move it to a different location on the list.

  2. Click Save.

Deleting a Global Filter

NOTE: When you delete a Global Filter, no confirmation message is displayed.

To delete a global filter:

  1. In the Global Configuration window, select a filter from the list and click Delete.

  2. Click Save.

11.5.4 Configuring Public and Private Filters

Configuring Public and Private filters allows you to:

  • Add a filter

  • Clone a filter

  • Modify a filter

  • View the details of a filter

  • Delete a filter

Figure 11-5 Filter Manager window

Adding a Filter

To add a public and private filter:

  1. Click Admin > Filter Manager or select Filter Manager under the Filter Configuration folder in the Navigator; click Add.

  2. Select an Owner ID (public or private [user owned]).

  3. Specify a Filter Name.

  4. The table editor is the default selection for editing the contents.

    NOTE: Optionally, you can click Use free form editor to display a free form editor. The free form editor allows you to create complex expressions not possible with the table editor. However, after the expression is modified with the free form editor, the table editor cannot be used with the expression.

  5. Select the criteria for the following columns:

    • Property

    • Operator

    • Value columns

      NOTE: To include a special character in the Value column, enter the hexadecimal value (character code) of the special character. For example, if the Value is “10.1.1.1” including the double quotes, enter \x2210.1.1.1\x22 to embed the double quotes in the string value.

    The Expression string box displays the filters that you created in RuleLg language.

  6. In the Match if box, click either:

    • All conditions are met (and)

    • One or more conditions are met (or)

  7. To create another filter expression, click Create a New Filter Expression (+) to add another row to the filter expression table.

  8. To remove a filter expression, select a filter expression from the table and click Remove the Selected Expression (-).

  9. Click Save.
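The two input rules stated in this section, the characters that are not allowed in a filter name and the \xHH character-code form for special characters in a Value cell, can be checked before a filter is saved. The following is an added example and not Sentinel code; the name-character set and the guide's \x2210.1.1.1\x22 example come from this chapter, while the set of characters that are escaped besides the double quote (ESCAPE_CHARS) is an assumption.

```python
r"""Input checks for Sentinel filter definitions (added example, not Sentinel
code). Two rules from the guide are applied: filter names may not contain
$ # . * & : < >, and a special character inside a Value cell is written as
its hexadecimal character code, \xHH, so that "10.1.1.1" with embedded double
quotes is entered as \x2210.1.1.1\x22. Which characters besides the double
quote need escaping is not stated in the guide; ESCAPE_CHARS is an assumption.
"""
import re

# Characters the guide lists as invalid in a filter name.
INVALID_NAME_CHARS = frozenset("$#.*&:<>")
# Assumption: characters that RuleLg would otherwise read as syntax.
ESCAPE_CHARS = frozenset('"\\')
_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def validate_filter_name(name: str) -> str:
    """Return the name unchanged, or raise ValueError naming the bad characters."""
    if not name.strip():
        raise ValueError("filter name must not be empty")
    bad = sorted(set(name) & INVALID_NAME_CHARS)
    if bad:
        raise ValueError("invalid characters in filter name: " + " ".join(bad))
    return name


def is_valid_filter_name(name: str) -> bool:
    """Boolean form of validate_filter_name for use in a form check."""
    try:
        validate_filter_name(name)
    except ValueError:
        return False
    return True


def escape_value(value: str) -> str:
    r"""Encode special and control characters of a Value cell as \xHH."""
    out = []
    for ch in value:
        code = ord(ch)
        # Double quote, backslash and control characters are encoded;
        # everything else is passed through unchanged.
        if ch in ESCAPE_CHARS or code < 0x20 or code == 0x7F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    return "".join(out)


def unescape_value(text: str) -> str:
    """Reverse escape_value; useful to confirm the round trip before saving."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


if __name__ == "__main__":
    print(escape_value('"10.1.1.1"'))            # the guide's example
    print(is_valid_filter_name("Web servers"), is_valid_filter_name("sev>3"))
```

Run escape_value on the exact text you want the filter to match and paste its output into the Value cell; unescape_value lets you confirm that the stored expression decodes back to the intended string.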

Cloning a Public and Private Filter

Cloning is a convenient way to duplicate a filter to assure consistency of criteria among a group of filters or users.

To clone a public and private filter:

  1. Open the Filter Manager window.

  2. Click Clone.

  3. Provide a new filter name.

  4. Change any of the original filter’s criteria as needed.

  5. Click Save.

Modifying a Public and Private Filter

To modify a Public and Private filter:

  1. Open the Filter Manager window.

  2. Select a filter and click Details.

  3. Change any of the criteria as desired. You will not be able to change the Owner ID and the Filter Name.

  4. Click Save.

Viewing the Details of a Public and Private Filter

To view a public or private filter:

  1. Open the Filter Manager window.

  2. Select a filter and click Details.

Deleting a Public and Private Filter

To delete a Public and Private filter:

  1. Open the Filter Manager window.

  2. Select a filter and click Delete.

    A confirmation window displays. Click Yes in the delete confirmation dialog.

11.5.5 Color Filter Configuration

The Color Filter Configuration allows you to assign background and text colors to events in the Sentinel Control Center based on filter criteria. The background and text colors assigned to a filter apply to all Sentinel tables, including active views, event tables associated with Incidents, offline queries and historical event queries.

On applying a color filter, all the event tables are updated.

Figure 11-6 Color Filter Configuration

The Color Filter Configuration GUI displays a listing of all the color filters that are defined in the order in which they should be applied. If an event meets the criteria for more than one of the color filters, the topmost color filter configuration will be applied. For example, the following filter configurations are created and attached to color filter configuration:

  • Color filter configuration 1: sev=2 (with background color red and text color yellow)

  • Color filter configuration 2: sev>1 (with background color white and text color black)

Any event with severity=2 will meet the criteria for both color filters, but since the sev=2 color filter configuration is at the top, all the events with sev=2 will be coded as per color filter configuration 1. All the other events with sev>1 (For example, sev=3, 4, 5 and so on) will follow color filter configuration 2.
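Global filters (Section 11.5.3) and color filters follow the same evaluation rule: rows are processed top to bottom, the first matching row wins, and evaluation stops. The following model is an added example, not Sentinel code, covering both tables. The predicates stand in for RuleLg expressions, the event dictionaries and row names are constructed, the four route values are the ones listed in the Route drop-down, and the color rows are the sev=2 / sev>1 pair from the text. Treating a row whose Active checkbox is cleared as skipped, so that its events fall through to the Default Route and Default Action, is a modelling assumption.

```python
"""Ordered, first-match filter evaluation as used by Sentinel global filters
and color filters (added example, not Sentinel code).

Assumptions: predicates stand in for RuleLg expressions, events and row
names are constructed, and an inactive global filter row is skipped so the
event falls through to the Default Route / Default Action.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Event = Dict[str, object]
Predicate = Callable[[Event], bool]

# The four entries of the Route drop-down list.
ROUTES = ("drop", "database", "database and gui", "gui only")


@dataclass(frozen=True)
class GlobalFilterRow:
    name: str
    expression: Predicate          # stands in for the RuleLg expression
    route: str = "database and gui"
    actions: Tuple[str, ...] = ()  # JavaScript action names (constructed)
    active: bool = True            # the Active checkbox


@dataclass(frozen=True)
class ColorFilterRow:
    name: str
    expression: Predicate
    background: str
    text: str
    active: bool = True


@dataclass(frozen=True)
class Defaults:
    route: str = "database and gui"   # Default > Routing
    action: Optional[str] = None      # Default Action; None means no action


def first_match(rows, event: Event):
    """Return the topmost active row whose expression matches, else None."""
    for row in rows:
        if row.active and row.expression(event):
            return row
    return None


def route_event(event: Event, rows, defaults: Defaults) -> Tuple[str, Tuple[str, ...]]:
    """Decide (route, actions) for one event at the Collector Manager."""
    row = first_match(rows, event)
    if row is None:
        # No active global filter matched: the defaults decide.
        actions = (defaults.action,) if defaults.action else ()
        return defaults.route, actions
    if row.route not in ROUTES:
        raise ValueError(f"{row.name}: unknown route {row.route!r}")
    return row.route, row.actions


def color_for(event: Event, rows) -> Optional[Tuple[str, str]]:
    """Return (background, text) of the topmost matching color filter, or None."""
    row = first_match(rows, event)
    return None if row is None else (row.background, row.text)


# Constructed global filter table; list order is evaluation order.
GLOBAL_FILTERS = (
    GlobalFilterRow("Drop informational", lambda e: e["sev"] == 0, route="drop"),
    GlobalFilterRow("Archive scanner traffic", lambda e: e.get("src") == "10.1.1.1",
                    route="database", active=False),   # cleared Active box
    GlobalFilterRow("Page on critical", lambda e: e["sev"] >= 4,
                    actions=("PageOnCall",)),
)
DEFAULTS = Defaults()

# The color example from the guide: sev=2 placed above sev>1.
COLOR_FILTERS = (
    ColorFilterRow("Color filter configuration 1", lambda e: e["sev"] == 2, "red", "yellow"),
    ColorFilterRow("Color filter configuration 2", lambda e: e["sev"] > 1, "white", "black"),
)


if __name__ == "__main__":
    for ev in ({"sev": 0, "src": "10.1.1.1"}, {"sev": 2, "src": "10.1.1.1"}, {"sev": 5}):
        print(ev, "->", route_event(ev, GLOBAL_FILTERS, DEFAULTS), color_for(ev, COLOR_FILTERS))
```

Moving a row with Up or Down is the same as reordering the GLOBAL_FILTERS or COLOR_FILTERS tuple: swapping the two color rows would make every event with sev=2 take the white/black scheme, because the sev>1 row would then be reached first.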

Adding Color Filter

To add a color filter:

  1. Click Color Filter Configuration in the navigation pane or click the Color Filter Configuration button.

  2. Click Add. A new Color Filter Configuration row is created as shown below.

  3. Click the Filter Name drop-down list. The Filter Selection window displays.

  4. From the list, select the filter to which you want to apply the color filter configuration and click Select, or click Add to create a new filter. For more information on configuring filters, see Section 11.5.4, Configuring Public and Private Filters.

  5. In the Color Filter Configuration window, click Text Color. The Pick a Color window displays. Select a color from the Swatches tab. Alternatively, click the HSB or RGB tab and specify the HSB or RGB color value in the respective tab. Click OK.

  6. In the Color Filter Configuration window, click Background Color. The Pick a Color window displays. Select a color from the Swatches tab. Alternatively, click the HSB or RGB tab and specify the HSB or RGB color value in the respective tab. Click OK.

  7. Click Save.

NOTE: The order of the color filter configuration rows in the Color Filter Configuration window matters. Where more than one color filter definition applies to an event, the formatting of the topmost color filter takes precedence.

Deleting Color Filter

To delete a color filter:

  1. Click Color Filter Configuration in the navigation pane.

  2. Select a Color Filter Configuration row and click Delete.

Setting Color Filter Priorities

To set priority for a color filter:

  1. Click Color Filter Configuration in the navigation pane or click the Color Filter Configuration button.

  2. Select a Color Filter Configuration row.

  3. Click Up or Down button to set the priority.

NOTE: The Up and Down buttons are active only when more than one color filter configuration row is available in the Color Filter Configuration window.