Name | Type | Requirement | Default | Description |
---|---|---|---|---|
id | string | Required (read only after POST) | | Unique filter identifier that allows future updates. Can be any string, but should contain only alphanumeric characters and dashes (e.g. a UUID). This is a read-only field, accepted only during the initial POST. { Example: "id": "testfilter" } |
description | string | Optional | Blank | Description of filter. { Example: "description": "This is a test" } |
enabled | boolean | Optional | True | The filter is enabled { Example: "enabled": true } |
priority | integer | Optional | 0 | Priority of the filter. Higher priority filters are guaranteed to be used first. Negative priorities are an option. { Example: "priority": 1 } |
global | boolean | Optional | True | Apply to all sensor groups. { Example: "global": true } |
group_ids | array of long integers | Optional | Blank (All groups) | List of sensor group IDs to which this filter applies if global is set to false. { Example: "group_ids": ["1"] } |
sensor_ids | array of long integers | Optional | Blank (All groups) | Array of sensor IDs to which the filter applies (applies to all sensors in the selected groups if empty). { Example: "sensor_ids": ["2"] } |
os_mask | integer | Optional | 7 (All OSes) | Which OS this filter applies to. 1: windows, 2: osx, 4: linux. Add the values to combine multiple OSes. { Example: "os_mask": 3 } |
path_filters | array of strings | Optional | Blank | Array of process path filters to use. Supports globbing patterns. Use the escape character \ for Windows paths. See Ingress Filter Details - Carbon Black Developer Network for more information. Linux systems should not require an escape character for paths. { Example: "path_filters": ["C:\\Windows\\"] } |
md5_filters | array of strings | Optional | Blank | Array of md5s to use { Example: "md5_filters": [ "<md5>", "<md5>" ] } |
descendant_filtering_level | integer | Optional | 0 (matched process only) | 0 = filter only the matched process, 1 = matched process and immediate children, etc. -1 = matches all descendants. { Example: "descendant_filtering_level": 3 } |
filter_all_events | boolean | Optional | True | If true, all events will be excluded for a given process (respecting descendant levels). If false, filters (below) will be applied to each event type. { Example: "filter_all_events": true } |
hit_rate | decimal | Read Only | | Measured 15-min hit rate for a given filter as a rate (e.g. 0.01 equals a 1% hit rate). Calculation is Matched / Total Events processed by this filter (earlier filters may have already dropped events). Intended to indicate that the filter is working, not necessarily its accuracy. |
crate_timestamp | string | Read Only | | Date of creation of this filter |
modify_timestamp | string | Read Only | | Date of last modification of this filter |
create_user_id | integer | Read Only | | Id of user that created this filter |
modify_user_id | integer | Read Only | | Id of user that last modified this filter |
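
A pre-submission check built from the table above, as an added example that is not Carbon Black's own code: it validates a filter definition client-side and decodes `os_mask` into OS names. The function names and the constructed sample are assumptions; field names, including `crate_timestamp`, are used as the table spells them, and rejecting `os_mask` values outside 1 to 7 is an assumption drawn from the three documented bits.

```python
import json
import re

# Rules transcribed from the field table; nothing here contacts a server.
READ_ONLY = {"hit_rate", "crate_timestamp", "modify_timestamp",
             "create_user_id", "modify_user_id"}
TYPES = {"id": str, "description": str, "enabled": bool, "priority": int,
         "global": bool, "group_ids": list, "sensor_ids": list, "os_mask": int,
         "path_filters": list, "md5_filters": list,
         "descendant_filtering_level": int, "filter_all_events": bool}
OS_BITS = {1: "windows", 2: "osx", 4: "linux"}

def decode_os_mask(mask):
    """OS names selected by an os_mask value (1, 2 and 4 combine by addition)."""
    return [name for bit, name in OS_BITS.items() if mask & bit]

def check_filter(f, creating=True):
    """Return the problems in filter definition f; an empty list means none."""
    problems = []
    for key, value in f.items():
        want = TYPES.get(key)
        if key in READ_ONLY:
            problems.append(f"{key}: read-only, set by the server")
        elif want is None:
            problems.append(f"{key}: not a field in the table")
        elif type(value) is not want:  # exact match, so True is not an int
            problems.append(f"{key}: expected {want.__name__}")
    if creating and not re.fullmatch(r"[A-Za-z0-9-]+", str(f.get("id", ""))):
        problems.append("id: required on POST, alphanumerics and dashes only")
    if not creating and "id" in f:
        problems.append("id: accepted only during the initial POST")
    mask = f.get("os_mask", 7)
    if type(mask) is int and not 1 <= mask <= 7:  # assumption: 3 bits only
        problems.append("os_mask: must be a sum of 1, 2 and 4")
    level = f.get("descendant_filtering_level", 0)
    if type(level) is int and level < -1:
        problems.append("descendant_filtering_level: lowest value is -1")
    if f.get("global", True) and f.get("group_ids"):
        problems.append("group_ids: only applies when global is false")
    return problems

# Constructed sample built from the table's own example values.
SAMPLE = {"id": "testfilter", "description": "This is a test", "priority": 1,
          "global": False, "group_ids": ["1"], "os_mask": 3,
          "path_filters": ["C:\\Windows\\"], "descendant_filtering_level": 3}

if __name__ == "__main__":
    problems = check_filter(SAMPLE)
    print(problems or json.dumps(SAMPLE))
```

Printing the sample as JSON shows the Windows path with doubled backslashes, the escaped form the `path_filters` example uses.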