Use a query string to create a custom filter that detects events in your environment, then use the filter in custom models to trigger Workbench alerts.
Custom filters consist of basic information, event type, event ID or vendor, and a
query string for detecting events in your environment. You can create a maximum of
50 custom filters. The event type and event ID or vendor define the type of data queried
by the filter. For example, ENDPOINT_ACTIVITY queries endpoint data from endpoint-based
data sources such as Endpoint Sensor. Selecting TELEMETRY_FILE further refines the query to only file events within endpoint
activity data. For more information about event types and data sources, see Search method data sources.
Procedure
- Go to .
- Click Add.
- Specify the Filter name.
- Type a Description of the filter.
- Specify the Severity associated with the event that this filter detects. A severity of Medium, High, or Critical affects the Risk Index on the Executive Dashboard and Operations Dashboard. When testing or tuning a model, select Low to avoid affecting those indexes.
- Select the Event type.
- For THIRD_PARTY_LOG, provide the Vendor associated with the event you want to match.
- For all other event types, select Event ID.
- Specify a Query to locate the target events in the
activity data. For more information about formatting filter queries, see Filter query format and Use regex in custom filters.
- Click Validate Query to validate your query string. If the query string is valid, you can click Preview Search Results to view a preview of what a search using your query returns.
- Specify up to 10 Custom tags to help you identify events detected by custom filters in Workbench, Observed Attack
Techniques, and Search. Tag length cannot exceed 64 characters.
- Click Save.