Overview
You can customize detections for your organization using Detection Filters, which let you define conditions that exclude matching events from a detection. A detection filter does not disable the detection rule, so Blumira continues to generate findings for activity that does not match the filter conditions. By surfacing only the alerts that need your attention, Detection Filters help reduce alert fatigue.
When onboarding with Blumira, you or your customers may already have an allowlist that needs to be added to detections, and you can tune our detection rules with detection filters even before enabling them in the app. Then, when new activity generates a finding that you conclude is safe, and you want to allow it in the future without receiving further findings, you can add a filter directly from the finding.
Although Blumira does not generate findings when activity matches a detection filter, it still logs the activity, and you can access the data in Report Builder. You cannot retroactively generate a finding from that logged activity.
Adding and managing detection filters
Tip: Read Best practices for using detection filters to stop unwanted findings for our recommendations on creating the most secure and effective filters, including some popular use cases.
Reach out via the Support form if you need help ensuring you are building the most effective filter.
Users can manage detection filters as follows:
- From Detection Rules, users can add filters to any supported rule, even if the rule is disabled when adding the filter. Responders, who cannot edit rule settings, do have access to edit filters from this section of the app.
  Note: Some rules do not support detection filters or specific conditions, depending on the field types available or if a rule has been deprecated.
- From Findings, users can add filters to a detection rule after a finding has been generated, whether the finding is still open or has been resolved.
- Users can edit or delete existing detection filters from either the Findings or the Detection Rules page.
Adding a detection filter in Detection Rules
To add a new detection filter in Detection Rules, do the following:
- Navigate to Settings > Detection Rules.
- Click the detection rule you need to customize, and then click Filters in the options menu that appears.
- In the Detection Rule window, click Add Filter.
- In the Name box, type a filter name to help identify what is being excluded from detection.
  Note: Naming the filter can help explain the intention of the filter to others in the account who will be able to see the filter after it is added.
- From the Field list, select the field type that the value is related to.
- From the Operator list, select how the value you will filter relates to your chosen field. The operator you select determines if you can add multiple values.
  - Select IN to provide more than one value. Press Enter after each value to add several.
  - Select Contains to provide part of a broader value or string, such as part of a name or a set of IP addresses.
  - Select Regex to provide a regular expression using re2 syntax.
    Note: Lookbehind and backreferences are not supported.
  - Select Between to provide an IP address range in the form address_1 - address_2, in either IPv4 or IPv6.
  Important: Be cautious when using the “Not” operators, such as "Not Equal" or "Not Contains," especially in a filter with a single condition. A lone condition such as user Not Equal svc_scanner matches every event whose user is anything else, which excludes almost all activity from detection and leaves the rule producing no findings. “Not” operators are rarely needed because most filtering needs can be met with standard operators such as “Equal.”
- In the Value box, type the value(s) that you want to filter.
- (Optional) Click Add (+) at the end of a condition row to include another condition that will combine with the previous to narrow the impact of the filter.
- Click Save.
- (Optional) Click Add Filter again to create another filter with a separate set of conditions for the detection rule. This creates two separate filters for two distinct values, thereby increasing the amount of filtered activity. There is no limit to the number of filters you can add.
Conditions within one filter are combined with AND, so each condition you add narrows that filter. Separate, individually named filters are combined with OR: each filter's conditions are evaluated on their own, and activity that matches any one filter is excluded from detection. Adding filters therefore widens what is excluded, and fewer findings are likely to be generated.
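To make the operator list and the AND-within-a-filter, OR-across-filters behaviour concrete, the following Go program is an added example written for this article; it is not Blumira's code, and how Blumira evaluates filters on its platform is not described on this page. It assumes a flattened event whose fields are named src_ip, user and hostname (names chosen for the example), models each operator from the steps above on string values, treats a field that is absent from an event as an empty string (an assumption the page does not make), and uses Go's regexp package because it implements RE2 syntax, so lookbehind and backreferences fail to compile just as the Regex note says. The sample events are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// Event is a flattened log event (field name -> value), constructed for this example.
type Event map[string]string

// Condition is one row of a filter: a field, an operator, and one or more values.
type Condition struct {
	Field    string
	Operator string   // Equal, Not Equal, IN, Contains, Regex, Between
	Values   []string // a single value, or several for IN
}

type Filter struct {
	Name       string
	Conditions []Condition
}

// matchCondition evaluates one condition row against one event.
func matchCondition(c Condition, ev Event) (bool, error) {
	v := ev[c.Field] // an absent field reads as "" (assumption; the page does not define this)
	switch c.Operator {
	case "Equal":
		return v == c.Values[0], nil
	case "Not Equal":
		return v != c.Values[0], nil
	case "IN":
		for _, want := range c.Values {
			if v == want {
				return true, nil
			}
		}
		return false, nil
	case "Contains":
		return strings.Contains(v, c.Values[0]), nil
	case "Regex":
		// Go's regexp is RE2 syntax: lookbehind and backreferences are compile errors here.
		re, err := regexp.Compile(c.Values[0])
		if err != nil {
			return false, fmt.Errorf("filter regex %q: %w", c.Values[0], err)
		}
		return re.MatchString(v), nil
	case "Between":
		// "address_1 - address_2", IPv4 or IPv6, inclusive at both ends.
		loS, hiS, found := strings.Cut(c.Values[0], "-")
		lo, errLo := netip.ParseAddr(strings.TrimSpace(loS))
		hi, errHi := netip.ParseAddr(strings.TrimSpace(hiS))
		if !found || errLo != nil || errHi != nil || lo.Is4() != hi.Is4() || lo.Compare(hi) > 0 {
			return false, fmt.Errorf("range %q must be address_1 - address_2", c.Values[0])
		}
		addr, err := netip.ParseAddr(v)
		return err == nil && addr.Compare(lo) >= 0 && addr.Compare(hi) <= 0, nil
	}
	return false, fmt.Errorf("unknown operator %q", c.Operator)
}

// matchFilter is the AND within one filter: every row must match, so each row added with (+) narrows it.
func matchFilter(f Filter, ev Event) (bool, error) {
	for _, c := range f.Conditions {
		if ok, err := matchCondition(c, ev); !ok || err != nil {
			return false, err
		}
	}
	return len(f.Conditions) > 0, nil
}

// Suppressed is the OR across filters: the first filter that fully matches excludes the event, and its name says which.
func Suppressed(filters []Filter, ev Event) (string, bool, error) {
	for _, f := range filters {
		ok, err := matchFilter(f, ev)
		if err != nil {
			return "", false, err
		}
		if ok {
			return f.Name, true, nil
		}
	}
	return "", false, nil
}

func main() {
	filters := []Filter{{Name: "Authorized scanner", Conditions: []Condition{
		{Field: "src_ip", Operator: "Between", Values: []string{"10.0.5.10 - 10.0.5.20"}},
		{Field: "user", Operator: "Equal", Values: []string{"svc_scanner"}},
	}}}
	for _, ev := range []Event{ // constructed sample events: one allowlisted, one not
		{"src_ip": "10.0.5.15", "user": "svc_scanner"},
		{"src_ip": "10.0.5.15", "user": "mallory"},
	} {
		name, ok, err := Suppressed(filters, ev)
		fmt.Printf("%v suppressed=%v by=%q err=%v\n", ev, ok, name, err)
	}
}
```

Running it with go run shows the first constructed event suppressed by the scanner filter while the second, which matches only the IP range row, still produces a finding: the second condition narrows the filter rather than widening it. Swapping the Equal row for a lone Not Equal row reproduces the caveat in the Important note, since every user other than svc_scanner is then excluded.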
Adding a detection filter from Findings
To add a new detection filter from Findings, do the following:
- Navigate to Reporting > Findings.
- Click a finding row, and then click View Finding Details.
- In the Detection Filters section, click Add Filter.
- Follow Steps 4 - 10 in Adding a detection filter in Detection Rules.
Managing existing detection filters
To update existing detection filters, do the following:
- On a detection filter, click Edit Filter (pencil icon).
- Update the conditions and then click Save (the check icon).
  Tip: Editing the operator will clear the value. Copy the value first so you can easily paste it back into the Value box.
- (Optional) If you need to delete the filter, click Delete (the trash icon) and then click Yes, delete filter.