Fortinet white logo
Fortinet white logo

User Guide

Adding custom filters to a detector query

Adding custom filters to a detector query

You can customize a detector authored by FortiGuard Labs by adding an additional layer of logic to a query. Filters extend the detection logic to account for differences specific to your network that muting and excluding do not account for.

To add a custom filter to a query:
  1. Go to Detections > Triage detections and open the detector.
  2. Click the query tab.
  3. Click Add a Customer Filter.
  4. In the Custom Filter pane, enter a valid IQL string.
    Note

    The query string needs to be true in addition to FortiGuard Labs's logic for a detection to be created. Similar to excluding, no detection will be created if an event is filtered by your custom logic.

    The example below excludes traffic using a custom, internally defined UserAgent string.

  5. Click Test Filter.
  6. Click Save Filter to apply your logic to the detector.
Tooltip

To modify a custom query, click Update Custom Filter or click the delete icon above the Custom Filter pane.

Search for a device hostname in detections

A detector query does not allow for the inclusion of a device hostname in the detector logic. However, you can use a custom filter to search for a device by its hostname. For example, if there is a particular device hostname of interest in can be incorporated into a detector by creating a custom filter as shown below.

http:uri.path matches ". *W/[wN][iT][nN][nN][tT]V[ss][y~][ss][t T][eE](mM]32W/.(1,6}\. [eE][XX][eE].** and uri.path matches ". {0,4 0}?[\/]([ss][cC][rR][it][pP][tT][sS]|[cc][gG][iTI\-(bIiI1ГпN]| [mM][s5] [aA] [dD][cC]|_[W][tT][iI]_[bB][it][nN]|\.(2})[\V/]L.[2.*

Note

Only the "=", "!=", and "IN" filter conditions are supported for device hostname filters. Filter conditions such as "LIKE" and "MATCH" are unsupported.

Note

The current Entity Tracking System only analyzes DHCP records. A custom filter leveraging a device hostname will only be as accurate as the available DHCP information.

Adding custom filters to a detector query

Adding custom filters to a detector query

You can customize a detector authored by FortiGuard Labs by adding an additional layer of logic to a query. Filters extend the detection logic to account for differences specific to your network that muting and excluding do not account for.

To add a custom filter to a query:
  1. Go to Detections > Triage detections and open the detector.
  2. Click the query tab.
  3. Click Add a Customer Filter.
  4. In the Custom Filter pane, enter a valid IQL string.
    Note

    The query string needs to be true in addition to FortiGuard Labs's logic for a detection to be created. Similar to excluding, no detection will be created if an event is filtered by your custom logic.

    The example below excludes traffic using a custom, internally defined UserAgent string.

  5. Click Test Filter.
  6. Click Save Filter to apply your logic to the detector.
Tooltip

To modify a custom query, click Update Custom Filter or click the delete icon above the Custom Filter pane.

Search for a device hostname in detections

A detector query does not allow for the inclusion of a device hostname in the detector logic. However, you can use a custom filter to search for a device by its hostname. For example, if there is a particular device hostname of interest in can be incorporated into a detector by creating a custom filter as shown below.

http:uri.path matches ". *W/[wN][iT][nN][nN][tT]V[ss][y~][ss][t T][eE](mM]32W/.(1,6}\. [eE][XX][eE].** and uri.path matches ". {0,4 0}?[\/]([ss][cC][rR][it][pP][tT][sS]|[cc][gG][iTI\-(bIiI1ГпN]| [mM][s5] [aA] [dD][cC]|_[W][tT][iI]_[bB][it][nN]|\.(2})[\V/]L.[2.*

Note

Only the "=", "!=", and "IN" filter conditions are supported for device hostname filters. Filter conditions such as "LIKE" and "MATCH" are unsupported.

Note

The current Entity Tracking System only analyzes DHCP records. A custom filter leveraging a device hostname will only be as accurate as the available DHCP information.