Create a custom filter using a query string to detect events in your environment and enable custom models to trigger Workbench alerts.

Custom filters are composed of basic information, event type and ID, and a query string used to detect events in your environment.
You can create a maximum of 50 custom filters.


  1. From XDR Threat InvestigationDetection Model Management, click the Custom Filters tab and then click Add.
  2. Specify the Filter name.
  3. Write a Description. (Optional)
  4. Specify the Risk level associated with the event that this filter detects.
  5. Select the Event type and Event ID.
    The event type and event ID define the type of data queried by the filter. For example, the "ENDPOINT_ACTIVITY" event type queries endpoint data from endpoint-based data sources, such as XDR Endpoint Sensor. By selecting the "TELEMETRY_FILE" event ID, you further refine your query to only apply to file events within the endpoint activity data.
    The "ALL" event ID is not supported for the following event types:
    For more information about event types and data sources, see Search method data sources.
  6. Specify a Query to locate the target events in the activity data.
    Format your query string using the same Kibana-like query language that is used in the Search app.
    To learn more about formatting search queries, see Search syntax.
    Custom filter queries have a few limitations compared to Search app queries.
    • All queries must have a field name and value.
      • endpoint-123: Invalid query
      • endpointHostName:endpoint-123: Valid query
    • Your query string must contain at least one defined value. You can use the asterisk wildcard (*) in compound queries, but only if at least one of the values is defined.
      • endpointHostName:*: Invalid query
      • endpointHostName:endpoint-123 AND FileName:*: Valid query
    To avoid extended execution time with the custom filter, consider the following tips:
    • Put simple search criteria in the front of the query string.
    • Put the fields with a large volume of data such as objectRawDataStr or rawDataStr at the end of the query string.
    • Try to avoid too many wildcards or put the wildcard at the end of the query string.
  7. Click Validate Query to validate your query string. If the query string is valid, you can click Preview Search Results to view a preview of what a search using your query returns.
  8. Specify Custom tags to help you identify events detected by your custom filters in Trend Vision One apps, such as Workbench, Observed Attack Techniques, and Search.
    You can specify up to 10 custom tags. Specified values cannot exceed 64 characters.
  9. Click Save.