12.3 Filtering Events

The Filters feature in Change Guardian allows you to customize the event search and prevent data overload. You can save a search query as a filter and reuse it as required, so that you can perform a search by selecting the filter rather than specifying the query manually every time.

The following sections provide information about configuring filters.

You can reuse filters while using or configuring Change Guardian features, such as:

  • Configuring Data Synchronization.

  • Configuring a Data Retention policy.

  • Configuring the data visibility settings for a role.

  • Creating dashboards.

  • Configuring event routing rules.

  • Viewing real-time events in Event Views.

Change Guardian provides a list of filters by default. You can also create your own filters. To view the Filters available in Change Guardian, click Filters on the left navigation panel.

  • My Filters: Lists the default filters and the filters you created.

  • Shared Filters: Lists the filters that other users have shared with you.

12.3.1 Creating Filters

Filter criteria are simple expressions and comparisons. A filter works on a set of events by matching each event against the specified criteria: if the match is TRUE, the event is displayed in real-time views or search results, or passed on to other functions; if the match is FALSE, the event is blocked. The filter criteria are the same expression you would enter as a search query.

For example, consider a search query that is written as follows:

(sip:"10.0.0.1")

Events whose source IP address is 10.0.0.1 are included in the filter.

In the criteria you must refer to an event field by its field ID, not by its display name (for example, sip for the source IP address). Click Tips for a list of event field names and their IDs.

The following sections provide information about creating filters.

Building a New Criteria

The Build criteria interface provides a list of parameters required to build filter criteria ranging from simple to complex. You can either select the parameters, or you can manually specify the filter criteria.

The Build Criteria dialog box includes the following elements:

Table 12-1 Build Criteria Dialog Box Elements

Element

Description

Criteria

If you select Structured, this field displays the criteria formed by the parameters you select. You cannot edit the criteria directly in this field.

If you select Free-form, you can manually specify the filter criteria.

Structured

Allows you to select the various parameters to build the filter criteria.

Free-form

Allows you to manually specify the filter criteria rather than selecting from the available parameters.

The search criteria are based on the standard Lucene syntax with some Change Guardian extensions.

If this option is selected, the following elements are not displayed:

  • Event fields

  • Criteria fields

  • Field details

Exclude system events

Select this option to exclude Change Guardian internal events such as audit events and performance events from the search results.

Event fields

Displays a categorized list of possible event fields you can add to the filter criteria. You can expand each category to display the set of fields in that category. If you know the name of the field you want, specify the name in the Search field. The event category list will adjust to present only matching fields.

For more information on event fields, click Tips.

Criteria fields

Lists a set of overlay criteria that you can use on top of per-field searches. The following fields are displayed by default:

  • All data: Performs a search across all event fields.

  • Tags: Events can be tagged in various ways to help identify relationships between events. Queries that include a “Tags” search will look at the event tags (rv145) for matches.

  • Taxonomy: Events are also classified using a number of taxonomic categories for the action, outcome, and so on. Queries that include a “Taxonomy” search will search for specific classes of events.

Field details

The fields in this section vary depending on the event or criteria fields you select. For example:

  • For tokenized fields, you can specify the words that you want to include or exclude in the filter criteria. For information on the tokenized and non-tokenized fields, click Tips.

  • For non-tokenized fields, you can specify a value or a range of values.

  • For taxonomy fields, specific taxonomy options are displayed.

  • For date attributes, a date-time calendar is displayed as you type the date. You can select a date.

  • For fields that contain internal Change Guardian UUIDs, such as the CollectorID field, the corresponding Change Guardian object names are displayed and can be selected.

Condition: AND OR

Allows you to specify the AND or OR condition between the criteria fields. These options are available when you add additional event criteria to the criteria fields.

Selecting an Existing Criteria

You can create a filter by using existing criteria from the predefined criteria list. The filter can be based on recent criteria, tags, or existing filters.

  • Show only recent criteria: Select a search criterion from the recent search history, which holds a maximum of 15 search expressions. Click Show only recent criteria, select the criterion, and then click Add.

  • Show only tags: You can search events that have a particular tag. Click Show only tags to list the tags in the system. Select the tags, and then click Add.

  • Show only filters: You can reuse existing filters to perform a new search. Click Show only filters to list the existing filters. Select the filter on which you want to perform the search, and then click Add.

You can combine multiple criteria, tags, or filters by using the And or Or condition. After adding the criteria, you can test the filter by clicking Test Filter.

Creating a Filter

You can create filters either by building a new filter criteria or by saving a search query as a filter.

While creating a filter, you can specify whether you want to share a filter with other users. You must have the Share Search Filters permission to share filters with everyone or with users in the same role as yours. If you are a user in the administrator role, you can share filters with users in a different role.

Creating a Filter by Using the Build Criteria Dialog

  1. In the navigation panel, click Filters > Create a filter.

  2. Select one of the following methods to create a filter criteria:

    • To build the filter criteria by selecting parameters, make sure that Structured is selected, select the parameters, then continue with Step 3.

      For information on these parameters, see Table 12-1, Build Criteria Dialog Box Elements.

    • To manually specify the filter criteria rather than selecting the listed parameters, select Free-form. In the Criteria field, specify the filter criteria, then continue with Step 3.

      For information about the syntax for the criteria, see Building a New Criteria.

  3. (Conditional) If you do not want to include Change Guardian internal events in the search, select Exclude system events.

  4. Click Search to search events according to the specified filter criteria.

    By default, the search is performed on events that were generated within the last hour.

  5. Review the search results to verify that the filter is retrieving the expected events.

  6. (Optional) You can modify the search query by selecting one or more event field values from the search results, or you can click Edit search filter, then make necessary changes.

  7. When you are satisfied with the search results, click , then click Save as Filter.

  8. Specify a name for the filter and an optional description.

  9. In the Sharing drop-down list, select one of the following options to specify the access for this filter:

    • Private: Allows you to make this filter private. Other users cannot view or access this filter.

    • Public: Allows you to share this filter with all users.

    • Users in same role: Allows you to share this filter with users who have the same role as yours.

    • Users in selected roles: Allows you to share this filter with users in specific roles. If you select this option, a blank field is displayed where you can specify the roles. As you type the role name, a list of roles is displayed.

      Select one or more roles.

      NOTE: This option is available only for users in the administrator role or users with the Share search filters permission.

  10. Click Save.

Creating a Filter by Using a Search Query

You can save a search query as a filter and use this filter to perform searches when required rather than specifying the search query again. For more information about creating a filter by using a search query, see Saving a Search Query as a Filter.

12.3.2 Sample Filters

This section lists a few examples of how you can create filters.

View Events of Severity 3 to 5 from a System in China

  • Click Build Criteria > Event fields, select SourceHostCountry.

  • The country name should match any value that begins with “China,” for example, “ChinaBeijing.” Specify china* in the Value field; the trailing * is a wildcard, so china* does not match values that merely contain “China” elsewhere in the string.

  • The severity of the events must be 3 to 5:

    • In Event fields, select Severity.

    • In the Values that range from field, specify 3 TO 5.

NOTE: If you are familiar with the search query syntax, you can directly specify the query in the Criteria field as follows:

(rv29:china*) AND (sev:[3 TO 5])

Click Search to view events that match the specified criteria.

Determine if User “Bob Smith” Tried to Log In after His Account was Disabled

  • Click Build Criteria > Event fields, select the following:

    • InitiatorUserName

    • TargetUserName

    • EffectiveUserName

  • Select the OR condition.

  • Specify "Bob Smith" in the Value field.

  • To determine if the user has logged in, or tried to log in, select Taxonomy in Criteria fields.

    NOTE: You can also select the appropriate event fields if you are familiar with the values to be specified for them. Taxonomy is a classification of events in which events of a similar type are grouped together, so you can search by classification rather than by specific event names and their values.

  • In the Field details, select the following:

    • From the Class drop-down list, select User Session Events.

    • From the Identifier drop-down list, select Create.

    • For Outcome, select both Success and Failure.

NOTE: If you are familiar with the search query syntax, you can directly specify the query in the Criteria field as follows:

(xdasclass:2 AND xdasid:0 AND (xdasoutcome:0 OR xdasoutcome:1)) AND (iufname:"Bob Smith")

This free-form query checks only InitiatorUserName (iufname). The structured criteria above also match TargetUserName and EffectiveUserName; if you need that coverage in the free-form query, add the corresponding field IDs from Tips with OR conditions.

Click Search to view the events that match the specified criteria.

View Events from Two Subnets and Share the Filter with Network Administrators

  • Select subnets:

    • Click Build Criteria > Event fields, select SourceIP.

    • In Field details > Value, specify the subnet, for example, 172.17.0.0/16.

    • Repeat the above two steps to specify another subnet.

  • The events must be from either of the subnets. Therefore, select OR as the condition.

  • Click Search to view events that match the specified criteria.

  • The filter must be shared with network administrators:

    • In the search results panel, click , then click Save as new filter.

    • Specify an intuitive name and an optional description.

    • From the Sharing drop-down list, select Users in selected roles, then select Network Administrator.

  • Click Save.

Find all Events that Include the Words “database” and “service,” and exclude “test”

  • Click Build Criteria > Criteria fields, select All data.

  • You want to find events that include words “database” and “service,” and exclude “test.” Therefore, in Field details, specify the following:

    • In the All of these words field, specify database service.

    • In the Exclude these words field, specify test.

NOTE: If you are familiar with the search query syntax, you can directly specify the query in the Criteria field as follows:

_data:(database AND service) NOT _data:test

The _data field allows you to search for words that might appear in any event field.

Click Search to view the events that match the specified criteria.
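The free-form criteria shown in this section, and the sip example under Creating Filters, can be tried offline with the following evaluator. It is an added example written for this section, not Change Guardian's own query engine: it implements the documented syntax (field IDs such as sip, sev, rv29 and iufname, quoted phrases, a trailing * wildcard, [low TO high] ranges, AND/OR/NOT with parentheses, field-scoped groups, and the _data pseudo-field) over a handful of constructed events. Its assumptions beyond the page, also stated in the module docstring, are that NOT binds tighter than AND, which binds tighter than OR; that a NOT b reads as a AND NOT b; and that a CIDR block such as 172.17.0.0/16 is accepted in a free-form sip term, which the page shows only for the structured Value field. The msg field of the sample events is an illustrative free-text field, not a documented field ID.

```python
"""Offline evaluator for the free-form filter criteria syntax shown on this page.
Added example for this section, not Change Guardian code. Assumed beyond the page:
precedence NOT > AND > OR, "a NOT b" read as "a AND NOT b", and CIDR blocks on IP
fields in free-form queries (the page shows them only in the structured Value field)."""
import ipaddress
import re
from fnmatch import fnmatchcase

# Tokens: parens, a scoped-group opener such as "_data:(", or a term whose value is
# a quoted phrase, a [x TO y] range or a bare word (a trailing * is a wildcard).
TOKEN_RE = re.compile(r'\(|\)|\w+:\(|(?:\w+:)?(?:"[^"]*"|\[[^\]]*\]|[^\s()"\[]+)')

# Constructed sample events keyed by the field IDs used on this page; "msg" is an
# illustrative free-text field, not a documented Change Guardian field ID.
SAMPLE_EVENTS = [
    {"id": 1, "sip": "10.0.0.1", "sev": 4, "rv29": "ChinaBeijing", "iufname": "alice",
     "msg": "database service started"},
    {"id": 2, "sip": "172.17.5.9", "sev": 2, "rv29": "China", "iufname": "Bob Smith",
     "xdasclass": 2, "xdasid": 0, "xdasoutcome": 1, "msg": "logon failure"},
    {"id": 3, "sip": "192.168.1.20", "sev": 5, "rv29": "Chile", "iufname": "Bob Smith",
     "xdasclass": 2, "xdasid": 1, "xdasoutcome": 0, "msg": "session terminated"},
    {"id": 4, "sip": "172.17.200.3", "sev": 3, "rv29": "Germany", "iufname": "carol",
     "msg": "database service test run"},
]


def _match_value(value, spec):
    """One value against one term: [a TO b] range, CIDR block for IP strings, or a
    case-insensitive phrase/wildcard match against the whole value or any word of
    it (the tokenized-field behaviour described under Field details)."""
    if spec.startswith("[") and spec.endswith("]"):
        low, high = (s.strip() for s in spec[1:-1].split(" TO "))
        try:
            return float(low) <= float(value) <= float(high)
        except ValueError:
            return low <= str(value) <= high
    if "/" in spec and isinstance(value, str):
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(spec, strict=False)
        except ValueError:
            pass  # not an address/CIDR pair, fall through to text matching
    pattern, text = spec.strip('"').lower(), str(value).lower()
    return any(fnmatchcase(c, pattern) for c in [text, *text.split()])


class Criteria:
    """Recursive-descent compiler from a criteria string to an event predicate."""

    def __init__(self, query):
        self.tokens, self.pos = TOKEN_RE.findall(query), 0
        self.matches = self._or(None)
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        if self._peek() is None:
            raise ValueError("unexpected end of criteria")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def _or(self, scope):
        left = self._and(scope)
        while self._peek() == "OR":
            self._next()
            right = self._and(scope)
            left = lambda e, l=left, r=right: l(e) or r(e)
        return left

    def _and(self, scope):
        left = self._primary(scope)
        while self._peek() in ("AND", "NOT"):
            negate = self._next() == "NOT"  # "a NOT b" means a AND NOT b
            right = self._primary(scope)
            left = lambda e, l=left, r=right, n=negate: l(e) and (not r(e) if n else r(e))
        return left

    def _primary(self, scope):
        tok = self._next()
        if tok == "NOT":  # unary NOT
            inner = self._primary(scope)
            return lambda e: not inner(e)
        if tok == "(" or tok.endswith(":("):  # group, optionally scoped to one field
            inner = self._or(scope if tok == "(" else tok[:-2])
            if self._next() != ")":
                raise ValueError("expected ')'")
            return inner
        field, sep, spec = tok.partition(":")
        if not sep:  # bare word inside a scoped group such as _data:(a AND b)
            field, spec = scope, tok
        if field is None:
            raise ValueError(f"term {tok!r} needs a field ID, for example sip:{tok}")
        return lambda e: any(_match_value(v, spec) for v in
                             (e.values() if field == "_data" else [e[field]] if field in e else []))


def search(query, events=SAMPLE_EVENTS):
    crit = Criteria(query)
    return [e["id"] for e in events if crit.matches(e)]
```

Call search() with any of the criteria strings from this section; for example, search('(rv29:china*) AND (sev:[3 TO 5])') returns [1], and search('_data:(database AND service) NOT _data:test') also returns [1] because event 4 contains the excluded word. Checking a filter against known events in this way is worth doing before you share it or attach it to a role's data visibility settings: a criteria string that is broader than intended exposes events to every user the filter is shared with.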

12.3.3 Viewing Events by Using Filters

You can use filters to view events either by selecting the desired filter in the Filters panel or by using the Filter icon in the search results panel. For more information, see Searching Events.

12.3.4 Managing Filters

You can edit and delete only the filters that you created. The default filters and the filters that other users have shared with you cannot be edited or deleted.