Adding custom filters to a detector query
You can customize a detector authored by FortiGuard Labs by adding an additional layer of logic to a query. Filters extend the detection logic to account for differences specific to your network that muting and excluding do not account for.
To add a custom filter to a query:
- Go to Detections > Triage detections and open the detector.
- Click the query tab.
- Click Add a Customer Filter.
- In the Custom Filter pane, enter a valid IQL string.
The query string needs to be true in addition to FortiGuard Labs's logic for a detection to be created. Similar to excluding, no detection will be created if an event is filtered by your custom logic.
The example below excludes traffic using a custom, internally defined
UserAgent
string. - Click Test Filter.
- Click Save Filter to apply your logic to the detector.
To modify a custom query, click Update Custom Filter or click the delete icon above the Custom Filter pane. |
Search for a device hostname in detections
A detector query does not allow for the inclusion of a device hostname in the detector logic. However, you can use a custom filter to search for a device by its hostname. For example, if there is a particular device hostname of interest in can be incorporated into a detector by creating a custom filter as shown below.
http:uri.path matches ". *W/[wN][iT][nN][nN][tT]V[ss][y~][ss][t T][eE](mM]32W/.(1,6}\. [eE][XX][eE].** and uri.path matches ". {0,4 0}?[\/]([ss][cC][rR][it][pP][tT][sS]|[cc][gG][iTI\-(bIiI1ГпN]| [mM][s5] [aA] [dD][cC]|_[W][tT][iI]_[bB][it][nN]|\.(2})[\V/]L.[2.*
Only the |
The current Entity Tracking System only analyzes DHCP records. A custom filter leveraging a device hostname will only be as accurate as the available DHCP information. |