Using detection filters in paid Blumira editions

Overview

Blumira monitors the logged event data from your environment to determine whether any activity meets the conditions of Blumira's detection rules. When your environment's activity matches the conditions of our detection rules, we generate findings and then provide you with a workflow to respond to and resolve those findings.

There might be times when the activity that generates a finding includes safe sources you want to allow and stop receiving findings about. For example, if an employee recently relocated or is working internationally, receiving and resolving findings about the activity can be unnecessary and noisy. In these cases, you can create detection filters to exclude specific IP addresses, users, and other values from a detection rule.

Reference: Learn about potential use cases and best practices in Best practices for using detection filters to stop unwanted findings.

After you apply a detection filter to a finding, Blumira ignores future activity that matches those conditions and does not generate findings for it. However, the detection filter does not disable the detection rule itself, so Blumira continues to generate findings for detection rule activity that does not match the filtered condition.

Although Blumira does not generate findings when activity matches a detection filter, Blumira still logs the activity, and you can access it in Report Builder. You cannot retroactively generate a finding using log activity.

Note: Detection filters are also commonly referred to as allowlists or customized detection rules, but these are not the same as the firewall allowlists in Blumira’s dynamic blocklists.

Adding new detection filters

Detection filters can be viewed from both the Findings and Detection Rules sections of the app, but they can only be added and edited from a finding's detail view in the Findings section. See Understanding and managing detection rules for more information about seeing filters in the Detection Rules section.

To add a new detection filter:

1. Navigate to Reporting > Findings.
2. Click a finding row, and then click View Finding Details.
3. Under Detection Filters, click Add Filter.
4. In the Name box, type a name for the filtering condition.
5. From the Field list, select the field of matched evidence that the value is related to.
6. From the Operator list, select how the value relates to the field.
   Important: Be cautious when using the “Not” operators, such as "Not Equal," especially when only one field is being filtered. This could exclude all activity from triggering the detection except for the specific value entered. “Not” operators are rarely used because most filtering needs can be solved by using standard operators such as “Equal.”
7. In the Value box, type the value(s) that you want to be filtered.
   Tip: The operator you select determines if you can add or filter multiple values.
   • Select the IN operator to provide more than one value. Press Enter to add multiple values.
   • Select Contains to provide part of a value that may be more broad, like a set of IP addresses.
8. (Optional) Click + at the end of a condition row to include another condition that will combine with the previous to narrow the impact of the filter.
   Note: All conditions of the filter must be met to not generate a finding. Because the conditions can be very specific, you may notice less findings are filtered than if you used fewer conditions or separate filters (Step 10).
   
9. Click Save.
10. (Optional) Click Add Filter again to create another filter with a separate set of conditions for the detection rule. This creates two different filters for two different values to increase the amount of filtered activity. There is no limit to the number of filters you can add.
    Note: Individual filters are handled with an OR operation, meaning that either one or the other filter can be met. This may prevent a higher number of findings from being generated since more conditions are being filtered out.
    

Managing existing detection filters

To view and manage the existing detection filters for a finding:

1. Navigate to Reporting > Findings.
2. Click a finding row for the relevant detection rule, and then select View Finding Details.
3. Click Detection Filters.
4. Click Edit Filter (pencil icon) to enter edit mode.
5. Change and then save the conditions or delete the filter.
   Note: Editing the operator requires re-entering the value in the Value box. Ensure that you copy the value before confirming that you are sure you want to edit the operator so that you can easily paste it back into the Value box.