Tell me about filters

You'd like to know what filters are, how to set them, and what they mean.

Ordinarily, devices will send thousands of events in a short amount of time. It can be almost impossible for a human to keep up with the number of events.

All of the events are important in their own context and when correlated with other things, but some are more important than others. For instance, you may get an event stating that someone has logged into the system, which on its own seems innocuous; however, if that event is preceded by 100 failed login attempts, it may mean that someone has successfully compromised your account or guessed your password.

In larger enterprises, there can be millions of these types of events, so finding an attack among them can be like finding a needle in a haystack.

Filters are like introducing a strong magnet to said haystack.

In the search bar on your dashboards you can free-type. For example, you can search for "NL" to find events from the Netherlands, or you can type a more specific query such as "is_alert=true". That query will only show you alerts and ignore anything the system has not flagged as malicious.

Ordinarily, though, the best way to filter in CyberEasy is to click (or touch if you have a touch screen or tablet) the part of the dashboard that interests you most. If you select a section of a pie chart, for instance, it will only show you events related to what you clicked.

You can remove the filter from the search bar if you wish to start again from a broad search.