You can specify data filters on Endpoint event data forwarders to control precisely what data is forwarded.

Important: Data Filtering is only available for endpoint event Data Forwarders.

There are two types of data filters:

  • Basic Filters
    Basic filters do not require Lucene scripting knowledge. Instead:
    • They use drop-down lists to specify how to filter the data, the data requirements, and the data values.
    • They are additive only.
    • If you create a Basic filter and then decide to add or use Custom Query filters, the Basic filter is converted to a Lucene syntax query.
      Note: You can return to Basic filters as long as you do not edit the converted query and you do not create any custom queries. Otherwise, the Basic query button is unavailable.

      In the example that follows, all Netconns from the EDR data stream are forwarded.

      [Image: The filter data page]
  • Custom Query Filters
    Custom Query filters use Lucene syntax queries.
    • You can organize and label queries into separate Include and Exclude statements or write as one statement.
    • Any Basic filters created before selecting Custom Query are converted to Custom Query filters using Lucene syntax.
    • Custom Query filters cannot be converted to a Basic filter. If you decide to use a Basic query after creating a custom query:
      • You must delete any custom queries to enable the Basic filter option.
      • If a Basic filter was converted to a Custom Query filter, the Basic filter option remains available as long as the query is unaltered. If you altered the converted query, the Basic filter option is not available until you undo the change.
    • See the Data Forwarder Data Guide on the Carbon Black Developer Network for details regarding data types and fields.
    • For more information regarding Lucene syntax, see: https://lucene.apache.org/core/2_9_4/queryparsersyntax.html
      Note: Although custom queries use Lucene syntax, we do not support all Lucene features.

      In the example that follows, all procstart events as well as all netconn events to port 443 are forwarded, except when the process path is path\to\noisy\process.exe.

      [Image: The filter label fields]
    Note: For additional details regarding custom filters, see the Tech Zone article: Getting Started: Custom Filters for the Data Forwarder.
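The following is an added example, not code from Carbon Black or this guide. It writes the procstart/netconn example above as separate Include and Exclude statements and checks them against constructed sample events with a small evaluator for the Lucene subset the page describes (field:value terms, AND, OR, NOT, parentheses). The field names `type`, `netconn_port` and `process_path` are assumptions; confirm them in the Data Forwarder Data Guide before using such a filter.

```python
import re

# Constructed Include/Exclude queries for the example above. Field names (type,
# netconn_port, process_path) are assumed; confirm them in the Data Forwarder Data Guide.
INCLUDE = "type:endpoint.event.procstart OR (type:endpoint.event.netconn AND netconn_port:443)"
EXCLUDE = r"process_path:path\\to\\noisy\\process.exe"

def parse(query):
    """Compile a Lucene-like subset (field:value, AND, OR, NOT, parentheses) to a predicate."""
    toks = re.findall(r"\(|\)|[^\s()]+", query)   # tokens are consumed from the front
    def term():
        tok = toks.pop(0)
        if tok == "(":
            node = or_expr()
            assert toks.pop(0) == ")", "missing ')'"
            return node
        if tok == "NOT":
            inner = term()
            return lambda ev: not inner(ev)
        field, _, value = tok.partition(":")
        value = value.replace("\\\\", "\\")          # undo Lucene backslash escaping
        return lambda ev: str(ev.get(field, "")) == value
    def and_expr():                                  # AND binds tighter than OR
        node = term()
        while toks and toks[0] == "AND":
            toks.pop(0)
            node = (lambda l, r: lambda ev: l(ev) and r(ev))(node, term())
        return node
    def or_expr():
        node = and_expr()
        while toks and toks[0] == "OR":
            toks.pop(0)
            node = (lambda l, r: lambda ev: l(ev) or r(ev))(node, and_expr())
        return node
    node = or_expr()
    assert not toks, "unexpected token %r" % toks[0]
    return node

def should_forward(event, include=INCLUDE, exclude=EXCLUDE):
    """An event is forwarded only if it matches Include and does not match Exclude."""
    return parse(include)(event) and not parse(exclude)(event)

# Constructed sample events (not real telemetry); only the fields the filter reads are shown.
SAMPLE_EVENTS = [
    {"type": "endpoint.event.procstart", "process_path": r"c:\windows\system32\cmd.exe"},
    {"type": "endpoint.event.netconn", "netconn_port": 443, "process_path": r"c:\app\agent.exe"},
    {"type": "endpoint.event.netconn", "netconn_port": 443, "process_path": r"path\to\noisy\process.exe"},
    {"type": "endpoint.event.netconn", "netconn_port": 80, "process_path": r"c:\app\agent.exe"},
]
```

Running `[should_forward(e) for e in SAMPLE_EVENTS]` yields `[True, True, False, False]`: the procstart and the port-443 netconn are forwarded, the noisy process is dropped by the Exclude statement, and the port-80 netconn never matches Include.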