Event filters

edit

Event filters allow admins to filter endpoint events that you do not need or want stored in Elasticsearch — for example, those with high volumes. By creating event filters, you can optimize your storage in Elasticsearch. All endpoint events have the endpoint.events.network field.

You must have the built-in superuser role to access this feature. For more information, refer to Built-in users.

Since an event filter blocks an event from streaming to Elasticsearch, be conscious of event filter conditions you set and any existing rule conditions. If there is too much overlap, the rule may run less frequently than specified and, therefore, will not trigger the corresponding alert for that rule. This is the expected behavior of event filters.

By default, an event filter is recognized globally across all hosts running Endpoint Security. If you have a Platinum or Enterprise subscription, you can also assign an event filter to a specific Endpoint Security integration policy, which would filter endpoint events from the hosts assigned to that policy.

Create event filters from the Hosts page or the Event filters page.

  1. To create an event filter from the Hosts page:

    1. Go to ExploreHosts.
    2. Select the Events tab to view the Events table.
    3. Find the event to create a filter, click the More actions button (…​), then click Add Endpoint event filter.

      Since you can only create filters for endpoint events, be sure to filter the Events table to display events generated by the Elastic Endpoint.
      In the KQL search bar, enter the following query: event.dataset : endpoint.events.network.

    4. Proceed to step 3.
  2. To create an event filter via the Event filters page:

    1. Go to ManageEvent filters.
    2. Click Add Event Filter. The Add event filter flyout opens.

      event filter
  3. Enter a name for the event filter.
  4. Enter a filter description (optional).
  5. Depending which page you are using to create the filter, either modify the pre-populated conditions or add new conditions to define when Elastic Security filters events. You can define multiple conditions with AND relationships. You can also add nested conditions. For example, the event filter pictured above excludes events whose event.category field is network, and whose process.executable field is as specified.
  6. Select an option in the Assignment section to assign the event filter to a specific integration policy:

    • Global: Assign the event filter to all integration policies for Endpoint Security.
    • Per Policy (Platinum or Enterprise subscription only): Assign the event filter to one or more specific Endpoint Security integration policies. Select each policy in which you want the events to be filtered.

      You can also select the Per Policy option without immediately assigning a policy to the event filter. For example, you could do this to create and review your event filter configurations before putting them into action with a policy.

  7. Add a comment if you want to provide more information about the event filter (optional).
  8. Click Add event filter. The new filter is added to the Event filters list.

View and manage event filters

edit

The Event filters list allows you to view and manage your endpoint event filters. To view the Event filters list, go to ManageEvent filters. Event filters appear in reverse chronological order, with the most recently created at the top. Each filter has its own entry, which displays details such as the filter’s name, operating system, date created, and conditions.

To refine the Event filters list, use the search bar to search by filter names, comments, and field values.

event filters list

Edit an event filter

edit

You can individually configure each event filter. With a Platinum or Enterprise subscription, you can also change the policies applied to each filter.

To edit an event filter:

  1. Click the actions button (…​) for the event filter you want to edit, then select Edit event filter.
  2. Modify details or conditions as needed.
  3. Click Update event filter.

Delete an event filter

edit

You can delete an event filter, which removes it entirely from all Endpoint Security policies.

To delete an event filter:

  1. Click the actions button (…​) for the event filter you want to delete, then select Delete event filter.
  2. On the dialog that opens, verify that you are removing the correct event filter, then click Remove event filter. A confirmation message is displayed.