Views:

Create a custom filter using a query string to detect events in your environment and enable custom models to trigger Workbench alerts.

  • Custom filters are composed of basic information, event type, event ID or vendor, and a query string used to detect events in your environment. You can create a maximum of 50 custom filters.
  • The event type and event ID or vendor define the type of data queried by the filter. For example, ENDPOINT_ACTIVITY queries endpoint data from endpoint-based data sources such as XDR Endpoint Sensor. By selecting TELEMETRY_FILE, you further refine your query to only apply to file events within the endpoint activity data.
  • For more information about event types and data sources, see Search method data sources.

Procedure

  1. Go to XDR Threat InvestigationDetection Model ManagementCustom Filters.
  2. Click Add.
  3. Specify the Filter name.
  4. Provide a Description of the filter.
  5. Specify the Severity associated with the event that this filter detects.
    A severity of Medium, High, or Critical affects the Risk Index on the Executive Dashboard and Operations Dashboard. When testing or tuning a model, select Low to avoid affecting indexes.
  6. Select the Event type.
    • For THIRD_PARTY_LOG, provide the Vendor associated with the event you want to match.
    • For all other event types, select Event ID.
  7. Specify a Query to locate the target events in the activity data.
    For more information about formatting filter queries, see Filter query format and Using regex in custom filters.
  8. Click Validate Query to validate your query string. If the query string is valid, you can click Preview Search Results to view a preview of what a search using your query returns.
  9. Specify up to 10 Custom tags to help you identify events detected by your custom filters in Trend Vision One apps, such as Workbench, Observed Attack Techniques, and Search.
    Tag length cannot exceed 64 characters.
  10. Click Save.