
Behavior Filters

Page Layout

This page displays a table listing the behavior filters currently configured on the interface. Behavior filters let you set parameters that filter results out of behavior timeline events. With them you can lower the risk score of a particular timeline hit when certain criteria are met, or filter out certain hits completely. To the left is a toggle that enables or disables the behavior filter. To the right are two action buttons: the left button edits the filter, and the right button deletes it. The hyperlink under "Behavior" navigates to the EventWatch Rules page.

Adding a Behavior Filter

Behavior filters can be added by clicking the "+ WILDCARD FILTER" button in the upper right corner.

To help explain the information required in the pop-up window, we introduce the other way to add a behavior filter: from the Behavior Timeline page.

To do so, navigate to the Behavior Timeline page and expand any event on the timeline. This displays all the attributes associated with the event. To the right of each row is a "..." symbol. Clicking it opens a menu with three options: "Search", "Suppress Alert", and "Add to Entity List". To create a behavior filter, select "Suppress Alert".

This opens a window to create a behavior filter for this behavior model. The name is autofilled with the attribute and value that was selected, but this can be changed. Optionally, a description can also be added.

There are two options for actions. The first is "Mask Risks Only". This lets you select specific risks to suppress when the search criteria are matched, lowering the risk score when the conditions are met. The second is "Discard Matching Event". This discards the hit from the timeline entirely, so that it is not displayed when the search criteria are matched.

The next step is to select the Search Criteria. This will be autofilled with the key of the behavior event and the field and value of the selected attribute. These criteria can be edited and deleted, and new ones can be added as well.

The last step applies to "Mask Risks Only" filter types. If this action was selected, this field is used to select which risks should be suppressed by this filter. Once the filter is complete, click "Save" to add it to the behavior filters list. It should now appear in the Behavior Filters table.

Page last updated: 2023 Aug 01 17:23:14 EDT