Alerts Filter Examples

The Alert Filter Examples section demonstrates how users can efficiently search and filter alerts using various criteria within the Alerts module. This functionality helps in narrowing down relevant alerts, improving threat analysis, and enhancing response efficiency.

Date and Time Range Selection

  • Users can define a Start Date and End Date to filter alerts within a specific time frame.
  • Quick filters allow selecting predefined periods such as Last 6 hours or Last Day for rapid analysis.

Search Query Input

  • Users can enter search strings in the Search Box to apply specific filtering criteria.
  • Queries can be based on various alert attributes, such as Alert Name, Alert ID, Severity, Attack Stage, Impact, and more.

Combining Multiple Filters

  • Users can customize their search by combining multiple filtering parameters, resulting in more granular and precise outcomes.
  • Logical operators can be used to create complex search conditions.

1. Alerts with Machine Learning Score higher than 50 example

ML_score:>50

2. Alerts that are not Connections example

NOT Alert_IDS:"962a05b2-5045-4211-92a4-a5de6262aab6"

3. Alerts that are not Connections example

  • In the previous example, the Alert_IDS field was used for filtering. In this example, the AlertName field is used instead. According to the table in the Alerts Definition section, the two fields are interchangeable:

AlertName:"InvalidSSL"

  • This is equivalent to searching Alert_IDS:"75f382c5-463b-430d-84ab-da3bf1aaa779".

4. Alerts that are Connections OR BruteForce attack types example

By combining these two Alert IDs with an OR operator, it becomes easier to identify both connection-related anomalies and brute-force attack attempts within the same query. This approach is particularly useful when monitoring for unauthorized access or suspicious connection patterns in the network.

Alert_IDS:"962a05b2-5045-4211-92a4-a5de6262aab6" OR Alert_IDS:"a55f31af-9577-48d9-83d9-7c92777042c8"

5. Alerts of the BruteForce attack type with a Machine Learning Score higher than 50 example

Alert_IDS:"a55f31af-9577-48d9-83d9-7c92777042c8" AND ML_score:>50

6. Composed query for Connections OR BruteForce alert types with a Machine Learning Score higher than 50 example

(Alert_IDS:"962a05b2-5045-4211-92a4-a5de6262aab6" AND ML_score:>50) OR (Alert_IDS:"a55f31af-9577-48d9-83d9-7c92777042c8" AND ML_score:>50)

7. Filter by alert severity

This filter retrieves alerts with a Severity level below 4 or above 6, helping to distinguish low-severity events from high-severity ones.

Severity:<4 OR Severity:>6

8. Connections alerts

This filter retrieves alerts categorized under Connections.

AlertName:"Connections"

9. PortScan alerts

This filter retrieves alerts categorized as PortScan, indicating scanning activities aimed at identifying open ports or vulnerabilities within the network. Port scans often precede intrusion attempts, making these alerts a critical indicator of potential malicious behavior.

AlertName:"PortScan"

10. Filter by Multiple Alert Names (OR Condition)

Displays alerts labeled BruteForce or PortScan, useful for investigating brute-force attempts and port scanning activities together.

AlertName:"BruteForce" OR AlertName:"PortScan"

11. Filter by DNS-Related Alerts

Retrieves alerts involving DNS anomalies, failed DNS requests, or domains outside the whitelist.

AlertName:"DNSRequests" OR AlertName:"DNS not in WhiteList"

12. Filter by File Transfer-Related Alerts

Focuses on large file transfers or potentially suspicious file movements.

AlertName:"Large HTTP File Transfer" OR AlertName:"Large File Upload from internal network" OR AlertName:"FileTransfer"

13. Filter by New Device Detection (Internal or External)

Retrieves alerts related to newly discovered devices, highlighting potential security risks.

AlertName:"New Internal Device Detected" OR AlertName:"New External Device Detected"

14. Filter by DNS Tunneling Alerts

Focuses on alerts indicating possible DNS tunneling, which may suggest covert data exfiltration.

AlertName:"DNSTunnelingStatistically" OR AlertName:"DNSTunnelingPossible"

15. Filter by High Volume Traffic

Identifies alerts tied to unusually large amounts of network traffic, potentially flagging DDoS attempts or data exfiltration.

AlertName:"Volume alert" OR AlertName:"High volume connections"

16. Filter by Potential APT Activity

Searches for alerts indicating advanced persistent threat behavior.

AlertName:"Possible APTAlert -"

17. Filter by IOC Alerts (IP or Domain)

Displays alerts related to known malicious IPs or domains.

AlertName:"IOCIP" OR AlertName:"IOCDomains" OR AlertName:"Historical IOC IP" OR AlertName:"Historical IOC Domain"

18. Filter by Network Scanning Alerts

Groups various scan alerts, including slow scans, vulnerability scans, and address scans.

AlertName:"AddressScan" OR AlertName:"Network Vulnerability Scan" OR AlertName:"Slow Network Scan"

19. Filter by Tor Communications

Shows alerts for current Tor activity and historical Tor exit node communications.

AlertName:"TOR" OR AlertName:"Historical Tor Exit Node"

20. Filter by Proxy Traffic or Non-Standard Ports

Identifies alerts where traffic is using unusual ports, which may bypass standard security measures.

AlertName:"Communication over non standard port" OR AlertName:"TLS over non standard port"

21. Filter by MITRE ATT&CK Stage

Searches alerts mapped to the CredentialAccess phase, useful for correlating with known attack techniques (e.g., T1110 for BruteForce).

AttackStage:"CredentialAccess"

Note: You can filter on several properties/attributes, which you can find in the Alert View panel on the right (sometimes shown in parentheses).
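The query syntax used in the examples above, as an added example that is not part of this page or of the product's own code: a small Python evaluator for field:"value", field:>N, field:<N, AND, OR, NOT and parentheses. It assumes the product treats these filters like a Lucene-style query string with precedence NOT, then AND, then OR, and the alert records are constructed sample data that reuse the field names and alert IDs from this page.

```python
# Added example (not the product's code): an evaluator for this page's filter syntax
# (field:"value", field:>N, field:<N, AND, OR, NOT, parentheses), assumed Lucene-like.
import operator, re

TOKEN = re.compile(r'\(|\)|AND\b|OR\b|NOT\b|(\w+):(?:"([^"]*)"|([<>]?)([^\s()]+))')
CMP = {">": operator.gt, "<": operator.lt}

def tokenize(query):
    # Tokens: '(', ')', 'AND', 'OR', 'NOT' or (field, op, value); other text is ignored.
    return [(f, op, bare if q is None else q) if f else m.group(0)
            for m in TOKEN.finditer(query) for f, q, op, bare in [m.groups()]]

def parse(tokens):
    # Recursive descent with precedence NOT > AND > OR; returns a predicate alert -> bool.
    def term():
        tok = tokens.pop(0)
        if tok == "(":
            node = expr()
            if tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok == "NOT":
            return (lambda inner: lambda a: not inner(a))(term())
        field, op, value = tok  # an alert lacking the field never matches
        if op:  # numeric range term such as ML_score:>50
            return lambda a: field in a and CMP[op](float(a[field]), float(value))
        return lambda a: str(a.get(field)) == value
    def chain(sub, kw, combine):  # left-associative chain of `sub` joined by `kw`
        node = sub()
        while tokens and tokens[0] == kw:
            tokens.pop(0)
            node = (lambda l, r: lambda a: combine(l(a), r(a)))(node, sub())
        return node
    conj = lambda: chain(term, "AND", lambda x, y: x and y)
    expr = lambda: chain(conj, "OR", lambda x, y: x or y)
    node = expr()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return node

# Constructed sample alerts reusing the alert IDs and field names from this page.
ALERTS = [
    {"Alert_IDS": "962a05b2-5045-4211-92a4-a5de6262aab6", "AlertName": "Connections", "ML_score": 72, "Severity": 3},
    {"Alert_IDS": "a55f31af-9577-48d9-83d9-7c92777042c8", "AlertName": "BruteForce", "ML_score": 41, "Severity": 7},
    {"Alert_IDS": "75f382c5-463b-430d-84ab-da3bf1aaa779", "AlertName": "InvalidSSL", "ML_score": 55, "Severity": 5},
]

def filter_alerts(query, alerts=ALERTS):
    # Indices of the alerts that match `query`, e.g. example 6 above -> [0].
    match = parse(tokenize(query))
    return [i for i, a in enumerate(alerts) if match(a)]
```

Running examples 2 and 3 from this page through filter_alerts shows that the AlertName and Alert_IDS forms select the same records, and example 6 returns only the Connections alert because the BruteForce record's score is below 50.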