3.2 Introducing the Filters Interface

3.2.1 Filters Panel

To access the Filters panel, click Filters in the navigation panel on the left of the Sentinel Web interface. The Filters panel lists the default filters, filters you create, and the filters that other users have shared with you.

The Filters panel includes the following:

  • Find Filters: Allows you to search for a filter. Specify the filter name, a word from the filter description, or keywords to locate the filter.

  • Create: Opens the filter creation dialog, which is similar to the search interface and allows you to specify the filter criteria.

  • My Filters: Lists the default filters and the filters you created.

  • Shared Filters: Lists the filters that other users have shared with you.

To view events based on filters, select the desired filter. The associated events are displayed in the search results panel.

3.2.2 Filter Criteria

You can specify the filter criteria by using either the Add Criteria or Edit Criteria dialog.

Add Criteria

Creating a filter is similar to performing a search. For more information, see Section 2.1, Running an Event Search.

The Add Criteria dialog provides a list of predefined criteria from which you can select the criteria you need. You can narrow the list to recent criteria, tags, or filters.

  • Show only recent criteria: Select a search criterion from the recent search history. The search history displays a maximum of 15 search expressions. Select the criteria, click Show only recent criteria, and then click Add.

  • Show only tags: You can search events that have a particular tag. Click Show only tags to list the tags in the system. Select the tags, and then click Add.

  • Show only filters: You can reuse existing filters to perform a new search. Click Show only filters to list the existing filters. Select the filter on which you want to perform the search, and then click Add.

You can combine multiple criteria, tags, or filters by using the And or Or condition. After adding the criteria, you can test the filter by clicking Test Filter.

Edit Criteria

The Edit Criteria dialog provides a list of parameters for building search criteria that range from simple to complex. You can either select the parameters or manually specify the search criteria.

For information on building search queries, see Section A.0, Search Query Syntax.

The Edit Criteria dialog box includes the following elements:

Table 3-1 Edit Criteria Dialog Box Elements (each element is listed by name, followed by its description)

Criteria

If you select Structured, this field displays the criteria formed from the parameters you select. You cannot edit the criteria in this field directly.

If you select Free-form, you can manually specify the filter criteria.

Structured

Allows you to select the various parameters to build the filter criteria.

Free-form

Allows you to manually specify the filter criteria rather than selecting from the available parameters.

The search criteria are based on standard Lucene syntax with some Sentinel extensions. For information on creating filter criteria (search queries), see Section A.0, Search Query Syntax.

If this option is selected, the following elements are not displayed:

  • Event fields

  • Criteria fields

  • Field details

Exclude system events

Select this option to exclude Sentinel internal events such as audit events and performance events from the search results.

Event fields

Displays a categorized list of possible event fields you can add to the filter criteria. You can expand each category to display the set of fields in that category. If you know the name of the field you want, specify the name in the Search field. The event category list will adjust to present only matching fields.

For more information on event fields, click Tips located at the top right of the Sentinel Web interface.

Criteria fields

Lists a set of overlay criteria that you can use on top of per-field searches. The following fields are displayed by default:

  • All data: Performs a search across all event fields.

    For more information, see Section A.1.4, The Default Search Field in Section A.0, Search Query Syntax.

  • Tags: Events can be tagged in various ways to help identify relationships between events. Queries that include a “Tags” search will look at the event tags (rv145) for matches.

  • Taxonomy: Events are also classified using a number of taxonomic categories for the action, outcome, and so on. Queries that include a “Taxonomy” search will search for specific classes of events.

    For more information on taxonomy, see Sentinel Taxonomy.

Field details

The fields in this section vary depending on the event or criteria fields you select. For example:

  • For tokenized fields, you can specify the words that you want to include or exclude in the filter criteria. For information on the tokenized and non-tokenized fields, click Tips located at the top right of the Sentinel Web interface.

  • For non-tokenized fields, you can specify a value or a range of values.

  • For taxonomy fields, specific taxonomy options are displayed.

  • For date attributes, a date-time calendar is displayed as you type the date. You can select a date.

  • For fields that contain internal Sentinel UUIDs, such as the CollectorID field, the corresponding Sentinel object names are displayed and can be selected.

Condition (AND / OR)

Allows you to specify the AND or OR condition between the criteria fields. These options are available when you add additional event criteria to the criteria fields.

Cancel

Allows you to cancel the filter creation process.

Search

Runs a search to test the filter before saving it.