Use this procedure to create a custom query for a data forwarder filter.

Prerequisites

This procedure assumes:
  • you have already created and configured your AWS S3 bucket.
  • you have already created your data forwarder.
  • you have a basic understanding of how to construct Lucene syntax queries.

Procedure

  1. Make sure you are in the Data Forwarder to which you intend to add the filter. If necessary:
    1. Click Settings > Data Forwarders on the left navigation pane.
    2. Select the Data Forwarder you want to add the filter to, select Right caret, and then select Edit to edit the Data Forwarder.
  2. Under Filter Data, select Custom Query.
  3. Under Include:
    1. Add a Filter label.
    2. Add a Lucene syntax query.
  4. Under Exclude (AND NOT):
    1. Add a Filter label.
    2. Add a Lucene syntax query.
  5. Save your changes.

Example: Custom Query Filters

Forward all procstart events as well as all netconn events to port 443, except when the process path is path\to\noisy\process.exe.

The custom query filter fields
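
The following is an added example, not part of the original procedure or the product's own code. It models the Include / Exclude (AND NOT) logic of the example filter so you can check which events it would forward before saving it. The field names (type, remote_port, process_path), the event type values, the filter labels, and the treatment of multiple Include filters as alternatives are assumptions; confirm them against your forwarded data.

```python
# Added example: models the example filter's Include / Exclude (AND NOT) logic.
# Field names, event type values and labels below are assumptions, not taken
# from the page; verify them against the events your forwarder emits.

# Each filter: (label, Lucene query as typed in the UI, equivalent constraints).
# Backslashes are escaped in the Lucene strings, as Lucene syntax requires.
INCLUDE = [
    ("procstart", "type:endpoint.event.procstart",
     {"type": "endpoint.event.procstart"}),
    ("netconn-443", "type:endpoint.event.netconn AND remote_port:443",
     {"type": "endpoint.event.netconn", "remote_port": 443}),
]
EXCLUDE = [
    ("noisy-process", r"process_path:path\\to\\noisy\\process.exe",
     {"process_path": r"path\to\noisy\process.exe"}),
]

def matches(event, constraints):
    """True when every field constraint (joined by AND) holds for the event."""
    return all(event.get(field) == value for field, value in constraints.items())

def forwarded(event):
    """(any Include filter matches) AND NOT (any Exclude filter matches)."""
    included = any(matches(event, c) for _, _, c in INCLUDE)
    excluded = any(matches(event, c) for _, _, c in EXCLUDE)
    return included and not excluded

NOISY = r"path\to\noisy\process.exe"
OTHER = r"c:\windows\system32\cmd.exe"

# Constructed sample events covering each branch of the filter.
SAMPLES = [
    {"type": "endpoint.event.procstart", "process_path": OTHER},
    {"type": "endpoint.event.netconn", "remote_port": 443, "process_path": OTHER},
    {"type": "endpoint.event.netconn", "remote_port": 80, "process_path": OTHER},
    {"type": "endpoint.event.procstart", "process_path": NOISY},
    {"type": "endpoint.event.netconn", "remote_port": 443, "process_path": NOISY},
    {"type": "endpoint.event.filemod", "process_path": OTHER},
]

def run_samples():
    """Return the forwarding decision for each constructed sample, in order."""
    return [forwarded(e) for e in SAMPLES]

if __name__ == "__main__":
    for event, decision in zip(SAMPLES, run_samples()):
        print("FORWARD" if decision else "DROP   ", event)
```

The Exclude filter applies to every event, so a netconn event to port 443 from the noisy process is dropped even though it matches an Include filter.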