3.3 Creating a Filter

A filter expression is a search query that evaluates to either TRUE or FALSE for each event. Filters work on selection sets by matching events against the specified criteria. If the match is TRUE, the event is displayed in Active Views or search results, or passed to other functions. If the match is FALSE, the event is blocked.

For example, consider a search query that is written as follows:

(sip:"10.0.0.1")

Events whose source IP address is 10.0.0.1 are included in the filter.

In a filter expression you must refer to an event field by its field ID (for example, sip), not by its display name. Click the Tips link on the top right of the Sentinel Web interface for a list of event field names and their IDs.

For more information on building search queries, see Section A.0, Search Query Syntax.
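The matching behavior described above, as an added worked example (not code from the Sentinel product or its documentation): a small evaluator that parses a filter expression and splits a set of events into the ones it passes and the ones it blocks. It assumes the field:"value" term shape shown in the query (sip:"10.0.0.1"), plus AND, OR, NOT and parentheses, which is an assumption about the syntax beyond what this page shows; the real syntax is defined in Section A.0. Field IDs such as sip, dip and evt are used only as dictionary keys, and the sample events are constructed for the example.

```python
"""Minimal evaluator for Sentinel-style filter expressions (added example,
not Sentinel code). Assumes field:"value" terms joined by AND / OR / NOT with
parentheses; term matching is exact string comparison (an assumption)."""
import re

# One token per match: "(", ")", a boolean operator, or field:"value".
TOKEN_RE = re.compile(
    r'\s*(?:(\()|(\))|(AND|OR|NOT)\b|([A-Za-z_][A-Za-z0-9_]*):"([^"]*)")'
)


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {expr[pos:]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("LPAREN", None))
        elif m.group(2):
            tokens.append(("RPAREN", None))
        elif m.group(3):
            tokens.append(("OP", m.group(3)))
        else:
            tokens.append(("TERM", (m.group(4), m.group(5))))
    return tokens


class Parser:
    """Recursive-descent parser: NOT binds tightest, then AND, then OR."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek()[0] is not None:
            raise ValueError("trailing tokens after expression")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("OP", "OR"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == ("OP", "AND"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == ("OP", "NOT"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        kind, val = self.take()
        if kind == "LPAREN":
            node = self.parse_or()
            if self.take()[0] != "RPAREN":
                raise ValueError("missing closing parenthesis")
            return node
        if kind == "TERM":
            return ("term",) + val
        raise ValueError(f"unexpected token {kind}")  # e.g. dangling AND


def matches(node, event):
    """TRUE means the event is displayed / passed on, FALSE means blocked."""
    kind = node[0]
    if kind == "term":
        return str(event.get(node[1], "")) == node[2]
    if kind == "not":
        return not matches(node[1], event)
    if kind == "and":
        return matches(node[1], event) and matches(node[2], event)
    return matches(node[1], event) or matches(node[2], event)


def apply_filter(expr, events):
    """Return (passed, blocked) for a filter expression over a selection set."""
    tree = Parser(tokenize(expr)).parse()
    passed = [e for e in events if matches(tree, e)]
    return passed, [e for e in events if e not in passed]


# Constructed sample events; field IDs are the usual Sentinel short names.
SAMPLE_EVENTS = [
    {"id": 1, "sip": "10.0.0.1", "dip": "10.0.0.50", "evt": "Login"},
    {"id": 2, "sip": "10.0.0.2", "dip": "10.0.0.50", "evt": "Login"},
    {"id": 3, "sip": "10.0.0.1", "dip": "192.0.2.10", "evt": "Logout"},
    {"id": 4, "sip": "10.0.0.3", "dip": "192.0.2.10", "evt": "Login"},
]


def ids_passing(expr, events=SAMPLE_EVENTS):
    return [e["id"] for e in apply_filter(expr, events)[0]]


if __name__ == "__main__":
    for q in ['(sip:"10.0.0.1")', 'sip:"10.0.0.1" AND NOT evt:"Logout"']:
        print(q, "->", ids_passing(q))
```

Running the page's own query (sip:"10.0.0.1") passes events 1 and 3 and blocks the rest; a malformed expression such as a dangling AND is rejected at parse time rather than silently matching nothing, which is the check you want before saving a filter that other users will rely on.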

While creating a filter, you can specify whether you want to share a filter with other users. You must have the Share Search Filters permission to share filters with everyone or with users in the same role as yours. If you are a user in the administrator role, you can share filters with users in a different role.

You can create filters either by using the Filter Builder or by using the Save icon in the Search panel.

3.3.1 Creating a Filter by Using the Filter Builder

  1. Log in to the Sentinel Web interface.

    https://<IP_Address/DNS_Sentinel_server>:8443

    IP_Address/DNS_Sentinel_server is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.

  2. In the navigation panel, click Filters > Create.

  3. Select one of the following methods to create a search query:

    • To build the search query by selecting parameters, make sure that Structured is selected, select the parameters, then continue with Step 4.

      For information on these parameters, see Table 3-1, Filter Builder Elements.

    • To manually specify the search query rather than selecting the listed parameters, select Free-form. In the Query field, specify the search query, then continue with Step 4.

      For information on creating a search query, see Section A.0, Search Query Syntax.

  4. (Conditional) If you do not want to include Sentinel internal events in the search, select Exclude system events.

  5. Click Search to search events according to the specified filter criteria.

    By default, the search is performed on events that were generated within the last hour.

  6. Review the search results to verify that the filter is retrieving the expected events.

  7. (Optional) You can modify the search query by selecting one or more event field values from the search results, or you can click Edit search filter, then make the necessary changes.

  8. When you are satisfied with the search results, click the Save icon, then click Save as new filter.

  9. Specify a name for the filter and an optional description.

  10. In the drop-down list, select one of the following options to specify the access for this filter:

    • Private filter: Allows you to make this filter private. Other users cannot view or access this filter.

    • Share with everyone: Allows you to share this filter with all users. You must have the Share Search Filters permission.

    • Share with other users in my role: Allows you to share this filter with users who have the same role as yours. You must have the Share Search Filters permission.

    • Share with roles: Allows you to share this filter with users of specific roles. When you select this option, a blank field is displayed where you can specify the roles. As you type the role name, a list of roles is displayed.

      Select one or more roles. This option to share with roles is available only for users in the administrator role.

  11. Click Save.

3.3.2 Creating a Filter by Using a Search Query

You can save a search query as a filter and use this filter to perform searches when required rather than specifying the search query again. For more information on creating a filter by using a search query, see Section 2.4.1, Saving a Search Query as a Filter.