Blumira monitors the logged event data from your environment to determine whether any activity meets the conditions of Blumira's detection rules. When your environment's activity matches the conditions of our detection rules, we generate findings and then provide you with a workflow to respond to and resolve those findings.
There might be times when activity that generates a finding includes safe sources that you want to allow and stop receiving findings about. For example, if an employee recently relocated, an employee is working internationally, or a penetration tester is temporarily accessing your systems, receiving and resolving findings about certain activity can be unnecessary and noisy. In these cases, if you have Blumira’s Advanced edition, you can create detection filters to exclude specific IP addresses, users, and other values from a detection rule.
Reference: Learn about potential use cases and best practices in Best practices for using detection filters to stop unwanted findings.
After you apply a detection filter to a finding, Blumira ignores future activity that matches those conditions and does not generate findings for it. However, the detection filter does not disable the detection rule itself, so Blumira continues to generate findings for detection rule activity that does not match the filtered condition.
Although Blumira does not generate findings when activity matches a detection filter, Blumira still logs the activity, and you can access it in Report Builder. You cannot retroactively generate a finding using log activity.
Note: Detection filters are also commonly referred to as allowlisted values or custom detection rules, but these are not the same as allowlists in Blumira’s dynamic blocklists.
Adding new detection filters
Detection filters can be viewed from both the Findings and Detection Rules sections of the app, but they can only be added and edited from a finding's detail view in the Findings section. See Understanding and managing detection rules for more information about seeing filters in the Detection Rules section.
To add a new detection filter:
- Navigate to Reporting > Findings.
- Click a finding row, and then click View Finding Details.
- Under Detection Filters, click Add Filter.
- In the Name box, type a name for the filtering condition.
- From the Field list, select the field of matched evidence that the value is related to.
- From the Operator list, select how the value relates to the field.
- In the Value box, type the value or values that you want filtered.
Tip: The operator you select determines if you can add or filter multiple values. Select the IN operator to provide more than one value. Select Contains to provide part of a value that may be more broad, like a set of IP addresses.
- (Optional) Click + at the end of a condition row to include another condition that will combine with the previous to narrow the impact of the filter.
Note: All conditions of the filter must be met to not generate a finding. Because the conditions can be very specific, you may notice less findings are filtered than if you used fewer conditions or separate filters (Step 10).
- Click Save.
- (Optional) Click Add Filter again to create another filter with a separate set of conditions for the detection rule. This creates two different filters for two different values to increase the amount of filtered activity. There is no limit to the number of filters you can add.
Note: Individual filters are handled with an OR operation, meaning that either one or the other filter can be met. This may prevent a higher number of findings from being generated, since more conditions are being filtered out.
Managing existing detection filters
To view and manage the existing detection filters for a finding:
- Navigate to Reporting > Findings.
- Click a finding row for the relevant detection rule, and then select View Finding Details.
- Click Detection Filters.
- Click Edit Filter (pencil icon) to enter edit mode.
- Change and then save the conditions or delete the filter.