This topic describes how to view and configure ingress filters.

  • To access the Ingress Filters page, click Username > Settings and then click Ingress Filters.

The ingress filtering page

The Ingress Filters page shows the following fields:

  • Filter Name – A unique name for this ingress filter.

  • Filters – The ingress filter type and definition.

  • Sensor Scope – Defines whether the ingress filter applies to specific sensor groups, individual sensors, or to all sensors.

  • OS Scope – Defines the operating systems to which the ingress filter applies.

  • Descendant Level – When a process is filtered, you can also filter its children, their children, etc., up to the set number of levels. For example, you can filter by:

    • -1: All descendants

    • 0: Matched process only

    • 1: Matched process and children

    • 2: Matched process, children, and next layer of descendants

      ... and so on

  • Added by – The user who added the ingress filter.

  • Actions – Provides a dropdown menu that lets you modify and delete ingress filters.

Regex Filters

A filter can match a portion of a field. This is useful when you filter programs that are frequently executed with different command lines, such as powershell.exe or bash. To specify a regex pattern, prefix the path, command line, or MD5 value with rx| (or rxi| to specify a case-insensitive match). Regex patterns must be compatible with the Java 8 Pattern class. See https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html.

For example, the following ingress filter blocks processes where the command line contains "powershell.exe Noisy-Cmd", matched case-insensitively because of the rxi| prefix. Other invocations of powershell.exe are not blocked.

Command lines:

rxi|powershell.exe Noisy-Cmd
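
To check which command lines a regex filter would catch before saving it, the pattern can be run through java.util.regex.Pattern directly. The following is an added example, not code from the product: the class name IngressFilterCheck and the sample command lines are constructed, and portion matching is assumed to behave like Matcher.find(). It also shows that the unescaped "." in the pattern above matches any character, so a variant with "\." is tighter.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class IngressFilterCheck {
    // Compile a filter value that uses the rx| or rxi| prefix described above.
    static Pattern compile(String filterValue) {
        if (filterValue.startsWith("rxi|")) {
            return Pattern.compile(filterValue.substring(4), Pattern.CASE_INSENSITIVE);
        }
        if (filterValue.startsWith("rx|")) {
            return Pattern.compile(filterValue.substring(3));
        }
        throw new IllegalArgumentException("not a regex filter: " + filterValue);
    }

    // Assumption: "match a portion of a field" is modelled with Matcher.find().
    static boolean wouldFilter(Pattern p, String commandLine) {
        return p.matcher(commandLine).find();
    }

    public static void main(String[] args) {
        // Constructed sample command lines, not taken from a real sensor.
        String[] samples = {
            "powershell.exe Noisy-Cmd -Interval 5",
            "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\POWERSHELL.EXE noisy-cmd",
            "powershell.exe -NoProfile -File C:\\scripts\\audit.ps1",
            "powershell_exe Noisy-Cmd",   // matches only while '.' is left unescaped
        };
        String[] filters = {
            "rxi|powershell.exe Noisy-Cmd",      // pattern from the page
            "rxi|powershell\\.exe Noisy-Cmd\\b", // tighter variant (added here)
            "rx|powershell.exe Noisy-Cmd",       // case-sensitive form
        };
        for (String f : filters) {
            Pattern p;
            try { p = compile(f); }
            catch (PatternSyntaxException e) {
                System.out.println("INVALID " + f + ": " + e.getDescription());
                continue;
            }
            System.out.println(f);
            for (String s : samples) {
                System.out.printf("  %-8s %s%n", wouldFilter(p, s) ? "FILTERED" : "kept", s);
            }
        }
    }
}
```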