EDR: Ingress Filtering Fields
search cancel

EDR: Ingress Filtering Fields

book

Article ID: 287757

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • What are the available fields present for ingress filtering?

Environment

  • EDR Server: 6.x - 7.x

Resolution

NameTypeRequirementDefaultDescription
idstringRequired (read only after POST) Unique filter identifier, in order to allow future updates. Can be any string, but should contain only alphanumeric digits and dashes (e.g. uuid). This is read-only field and accepted only during initial POST.  { Example: "id": "testfilter" }
descriptionstringOptionalBlankDescription of filter.  { Example: "description": "This is a test" }
enabledbooleanOptionalTrueThe filter is enabled    { Example: "enabled": true }
priorityintegerOptional0

 

 

Priority of the filter. Higher priority filters are guaranteed to be used first. Negative priorities are an option.    { Example: "priority": 1 }

globalbooleanOptionalTrueApply to all sensor groups.   { Example: "global": true }
group_idsarray of long integersOptionalBlank (All groups)List of sensor group Ids where this filter applies to if global is set to false.
 { Example: "group_ids": ["1"]  }
sensor_idsarray of long integersOptionalBlank (All groups)Array of sensor ids where filter applies (applies to all sensors in selected groups if empty).   
 { Example: "sensor_ids": ["2"]  }
os_maskintegerOptional7 (All OS's)Which OS should this filter apply to. 1:windows, 2:osx, 4:linux. Add digits to combine multiple os's.  { Example: "os_mask": 3 }

path_filters

array of stringsOptionalBlankArray of process path filters to use. Supports globbing patterns. Use escape character \ for windows paths See Ingress Filter Details - Carbon Black Developer Network for more information. Linux systems should not require an escape character for paths.
 { Example: "path_filters": ["C:\\Windows\\"]  }
md5_filtersarray of stringsOptionalBlankArray of md5s to use   { Example: "md5_filters": [ "<md5>", "<md5>" ]  }
descendant_filtering_levelintegerOptional0 (matched process only)

0 = filter only matched process,1 = matched process and immediate children, etc.

-1 = matches all descendants.  { Example: "descendant_filtering_level": 3 }

filter_all_events booleanOptionalTrueIf true, all events will be excluded for a given process (respecting descendant levels). If false, filters (below) will be applied to each event type.   { Example: "filter_all_events": true }
hit_ratedecimalRead Only Measured 15-min hit rate for a given filter as a rate (e.g. 0.01 equals to 1% hit rate).
Calculation is Matched / Total Events processed by this filter (Earlier filters may have already dropped events).  Intended to indicate the filter is working, not necessarily accuracy.
crate_timestampstringRead Only Date of creation of this filter
modify_timestampstringRead Only Date of last modification of this filter
create_user_idintegerRead Only Id of user that created this filter
modify_user_idintegerRead Only Id of user that had last modified this filter

Additional Information

  • Entries in the same field are interpreted as OR. Entries in different fields are interpreted as AND.
  • Note some values require quotes and others do not.  Some values expect to be enclosed in brackets.  Examples working in EDR 7.7