Event filters
editEvent filters
editEvent filters allow admins to filter endpoint events that you do not need or want stored in Elasticsearch — for example, those with high volumes. By creating event filters, you can optimize your storage in Elasticsearch. All endpoint events have the endpoint.events.network
field.
Since an event filter blocks an event from streaming to Elasticsearch, be conscious of event filter conditions you set and any existing rule conditions. If there is too much overlap, the rule may run less frequently than specified and, therefore, will not trigger the corresponding alert for that rule. This is the expected behavior of event filters.
Create event filters from the Hosts page or the Event filters page.
-
To create an event filter from the Hosts page:
- Go to Explore → Hosts.
- Select the Events tab to view the Events table.
-
Find the event to create a filter, click the More actions button (…), then click Add Endpoint event filter.
Since you can only create filters for endpoint events, be sure to filter the Events table to display events generated by the Elastic Endpoint.
In the KQL search bar, enter the following query:event.dataset : endpoint.events.network
. - Proceed to step 3.
-
To create an event filter via the Event filters page:
- Go to Manage → Event filters.
-
Click Add Event Filter. The Add event filter flyout opens.
- Enter a name for the event filter.
-
Depending on which page you add the filter, either modify the pre-populated conditions or add new conditions that define when Elastic Security filters events. You can define multiple conditions with
AND
relationships. You can also add nested conditions. In the image above, the event filter excludes events whoseevent.category
field isnetwork
, and whoseprocess.executable
field is the same as the specified path. - Add a new comment that describes or identifies the filter (optional).
- Click Add event filter. The new filter is added to the Event filters list.
View and manage event filters
editThe Event filters list allows you to view and manage all endpoint event filters that have been added. To view the Event filters list, go to Manage → Event filters. Event filters appear in reverse chronological order, with the most recently created filter at the top. Each filter has its own entry, which displays details such as the filter name, operating system, date created, and the filter conditions.
To refine the Event filters list, enter a query in the search bar. You can search the by name, comments, or the value of a field.
Edit an event filter
editTo edit an event filter:
- Click the actions button (…) for the event filter you want to edit, then select Edit event filter.
- Modify details or conditions as needed.
- Click Update event filter.
Delete an event filter
editTo delete an event filter:
- Click the actions button (…) for the event filter you want to delete, then select Delete event filter.
- On the dialog that opens, verify that you are removing the correct event filter, then click Remove event filter. A confirmation message is displayed.