Creating Alert Exclusion Filters
Alert filters ignore events that you are not interested in. Filtered alerts do not appear in the Alert index. You can create filters from the System | Machine Learning | Exclusions menu or from the Event details.
Creating an Alert Filter from the System Menu
To create an Alert Filter from the System menu:
- Click System | Machine Learning | Exclusions. The Alert Filters table appears.
- Click the Create button. The Add an Alert Filter screen appears.
- Enter a Name. The name cannot be changed after you submit.
- Select a Tenant.
- Define your condition. Click Add Condition. You can add as many conditions as you like. If an event meets any condition, it is ignored. In our example, we are ignoring all events generated by the destination IP address 192.168.229.153.
- (Optional) Add a Note.
- Click Submit. The filter is immediately added.
Creating an Alert Filter from the Event Display
To create an Alert Filter from the event display:
- Click More Info for an event.
- Click the Actions tab.
- Click the Add an Alert Filter button. The Add an Alert Filter screen appears with fields pre-populated based on the selected event.
- Enter a Name. The name cannot be changed after you submit.
- Select a Tenant.
- Define your condition. Click Add Condition. You can add as many conditions as you like. If an event meets any condition, it is ignored. In our example, we are ignoring all bad_process alerts from 192.168.100.92. These fields were pre-populated from the event display's data.
- (Optional) Add a Note.
- Click Submit. The filter is immediately added.
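Because an event that meets any condition is ignored, it helps to replay a proposed filter against known events and review what it would hide before clicking Submit. The following Python model is an added example, not the product's code: the field names (event_name, srcip, dstip), the sample events, and the assumption that one condition can test several fields at once are all hypothetical.

```python
# Added example: a local model of the exclusion rule, not the product's code.
# Assumed: field names (event_name, srcip, dstip) and that one condition may
# test several fields, all of which must match.

# Constructed sample events.
EVENTS = [
    {"id": 1, "event_name": "bad_process", "srcip": "192.168.100.92", "dstip": "10.0.0.5"},
    {"id": 2, "event_name": "bad_process", "srcip": "192.168.100.40", "dstip": "10.0.0.5"},
    {"id": 3, "event_name": "port_scan", "srcip": "192.168.100.92", "dstip": "192.168.229.153"},
    {"id": 4, "event_name": "port_scan", "srcip": "10.1.1.1", "dstip": "192.168.229.153"},
    {"id": 5, "event_name": "dns_tunnel", "srcip": "10.1.1.1", "dstip": "10.0.0.9"},
]


def condition_matches(condition, event):
    """True when every field in the condition equals the event's value."""
    if not condition:
        # An empty condition would match every event; refuse it outright.
        raise ValueError("empty condition would exclude all events")
    return all(event.get(field) == value for field, value in condition.items())


def is_ignored(conditions, event):
    """The page's rule: an event meeting ANY condition is ignored."""
    return any(condition_matches(c, event) for c in conditions)


def dry_run(conditions, events):
    """Return (ignored_ids, kept_ids) so the filter's reach can be reviewed."""
    ignored = [e["id"] for e in events if is_ignored(conditions, e)]
    kept = [e["id"] for e in events if e["id"] not in ignored]
    return ignored, kept


# First procedure's example: everything to destination 192.168.229.153.
BY_DEST = [{"dstip": "192.168.229.153"}]
# Second procedure's example as ONE condition testing two fields.
COMBINED = [{"event_name": "bad_process", "srcip": "192.168.100.92"}]
# The same two tests entered as TWO conditions: either one now suffices.
SPLIT = [{"event_name": "bad_process"}, {"srcip": "192.168.100.92"}]

if __name__ == "__main__":
    for name, flt in (("by_dest", BY_DEST), ("combined", COMBINED), ("split", SPLIT)):
        ignored, kept = dry_run(flt, EVENTS)
        print(f"{name:9} ignored={ignored} kept={kept}")
```

In this model the split form hides three events where the combined form hides one, so each added condition widens the exclusion rather than narrowing it.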
Adding a Boolean Filter
You can add a condition that contains a Boolean field.