Elastic - Event Filtering

Hi,

Please assist. I have tried to apply event filtering on multiple process names and applied it globally, but I'm still seeing the events triggering, and I can't apply process names on Trusted Applications because there's no feature for that.

How does Event Filtering work, or am I doing something wrong?

Harmony

Hello @Charles_Nkuna,

Here's the Event Filters documentation:

If you are unable to resolve the issue, would you be able to share the process.name filter settings so we can ensure it is set correctly?

Hi Sergi,

Based on the document you shared, I have followed the correct steps.

Please see attached

Hi @Charles_Nkuna

Event filters will cause matching events to not be written to Elasticsearch, but they won't prevent alerts from being generated for any suspicious activity that matches the filter. Event filters are processed on the host, not in Elasticsearch, so they don't affect prior event documents.

Some things to look at to see why this isn't working for you:

  1. Is the event filter being applied to the Endpoint? You've said the filter is global, so just make sure after saving the filter that Agent/Endpoint remains HEALTHY.
  2. It can take a few minutes for the filter to apply to the Agent/Endpoint. So don't expect matching activity to be filtered immediately.
  3. Is there a casing comparison difference between the filter and the actual event?
  4. Are all event filters not working for you or just the IS ONE OF filter you shared? Maybe try different filter operators and fields to see if anything does work.

Hopefully those things will help you narrow down what's causing trouble. If not, I can try to replicate your setup. So that I can do that, can you let me know what versions of Kibana and Agent you are running, and then also DM me a full event that you think should have been filtered (make sure the event was generated after the filter was applied) and also a non-masked screenshot of the event filter that should have suppressed it? (Feel free to create a new filter and/or redact the event document you share, but just clearly mark which fields you've redacted so I know.)

We have a way to verify this on the target machine. When you generate Agent diagnostics, there's a file components\endpoint-[ guid ]\metrics.json.

Example of the relevant section of the JSON:

```json
{
    "documents_volume": {
        "file_events": {
            "sent_bytes": 215270403,
            "sent_count": 124413,
            "suppressed_bytes": 0,
            "suppressed_count": 0
        },
        "network_events": {
            "sent_bytes": 86352717,
            "sent_count": 48202,
            "suppressed_bytes": 0,
            "suppressed_count": 0
        },
        "overall": {
            "sent_bytes": 3482753908,
            "sent_count": 1366588,
            "suppressed_bytes": 0,
            "suppressed_count": 0
        },
        "process_events": {
            "sent_bytes": 3181130788,
            "sent_count": 1193973,
            "suppressed_bytes": 0,
            "suppressed_count": 0
        }
    },
    "event_filter": {
        "active_global_count": 0,
        "active_user_count": 0
    }
}
```

All the event filters you've added should be counted by active_user_count; if it's 0, then no event filter has been applied on the Endpoint yet. All documents not sent to the stack due to an event filter increase the relevant suppressed_count.
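The troubleshooting checklist earlier in the thread and the metrics.json excerpt above both come down to the same two questions: has the filter actually reached the Endpoint (active_user_count), and is it suppressing anything (suppressed_count)? The following script is an added example, not part of the thread or of Elastic's tooling. It parses a metrics.json-shaped document and answers those two questions; the two sample documents are constructed here with invented numbers, and the status labels (NOT_APPLIED, APPLIED_NO_MATCHES, APPLIED_SUPPRESSING) are this example's own naming, not anything the Endpoint emits.

```python
import json

# Constructed sample: no filter has reached the Endpoint yet, nothing suppressed.
# Shape mirrors the components/endpoint-<guid>/metrics.json excerpt from the thread.
NOT_APPLIED_METRICS = """
{
  "documents_volume": {
    "file_events":    {"sent_bytes": 1000, "sent_count": 10, "suppressed_bytes": 0, "suppressed_count": 0},
    "network_events": {"sent_bytes": 2000, "sent_count": 20, "suppressed_bytes": 0, "suppressed_count": 0},
    "overall":        {"sent_bytes": 6000, "sent_count": 60, "suppressed_bytes": 0, "suppressed_count": 0},
    "process_events": {"sent_bytes": 3000, "sent_count": 30, "suppressed_bytes": 0, "suppressed_count": 0}
  },
  "event_filter": {"active_global_count": 0, "active_user_count": 0}
}
"""

# Constructed sample: one user-defined filter is active and has dropped four process events.
SUPPRESSING_METRICS = """
{
  "documents_volume": {
    "file_events":    {"sent_bytes": 1000, "sent_count": 10, "suppressed_bytes": 0,   "suppressed_count": 0},
    "network_events": {"sent_bytes": 2000, "sent_count": 20, "suppressed_bytes": 0,   "suppressed_count": 0},
    "overall":        {"sent_bytes": 6000, "sent_count": 60, "suppressed_bytes": 512, "suppressed_count": 4},
    "process_events": {"sent_bytes": 3000, "sent_count": 30, "suppressed_bytes": 512, "suppressed_count": 4}
  },
  "event_filter": {"active_global_count": 1, "active_user_count": 1}
}
"""


def check_event_filters(metrics_text):
    """Pull the filter-related counters out of a metrics.json document.

    Missing keys default to 0 so a partial or older-format file still yields a result.
    """
    metrics = json.loads(metrics_text)
    event_filter = metrics.get("event_filter", {})
    volume = metrics.get("documents_volume", {})
    return {
        # User-added filters are counted here, per the thread.
        "active_user_count": int(event_filter.get("active_user_count", 0)),
        "active_global_count": int(event_filter.get("active_global_count", 0)),
        # Per-category suppressed counts, excluding the "overall" rollup.
        "suppressed": {
            category: int(stats.get("suppressed_count", 0))
            for category, stats in volume.items()
            if category != "overall"
        },
        "overall_suppressed": int(volume.get("overall", {}).get("suppressed_count", 0)),
    }


def diagnose(metrics_text):
    """Return (status, explanation) following the thread's troubleshooting logic."""
    result = check_event_filters(metrics_text)
    if result["active_user_count"] == 0:
        return (
            "NOT_APPLIED",
            "No user event filter is active on this Endpoint yet: confirm the Agent is "
            "HEALTHY and allow a few minutes for the policy to reach the host.",
        )
    if result["overall_suppressed"] == 0:
        return (
            "APPLIED_NO_MATCHES",
            f"{result['active_user_count']} user filter(s) active but nothing suppressed: "
            "check field casing and the operator, and generate new events after the "
            "filter was applied (older documents are never affected).",
        )
    detail = ", ".join(
        f"{category}={count}" for category, count in sorted(result["suppressed"].items()) if count
    )
    return (
        "APPLIED_SUPPRESSING",
        f"{result['active_user_count']} user filter(s) active; suppressed so far: {detail}",
    )


if __name__ == "__main__":
    for label, doc in (("not applied", NOT_APPLIED_METRICS), ("suppressing", SUPPRESSING_METRICS)):
        status, message = diagnose(doc)
        print(f"{label}: {status}: {message}")
```

Point it at the real file by reading components\endpoint-[ guid ]\metrics.json from an Agent diagnostics bundle and passing its text to diagnose(); the per-category breakdown tells you which event type the filter is actually matching, which is useful when a process.name filter is expected to reduce process_events but the counters only move under another category.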

Hi Ferullo

Sent details via DM
