Feature
Customizable Threat Alert Filters
Fine-tune threat alerts with advanced filtering options for more precise and actionable notifications.
January 4, 2025
New Year; New Feature. Enjoy our Customizable Threat Alert Filters ('CTAF')!
What’s New?
The Customizable Threat Alert Filters feature allows users to create highly specific alert criteria, reducing noise and ensuring you only receive the most relevant notifications. Here’s what’s included:
- Advanced Filter Parameters:
- Filter alerts by additional metadata fields, such as:
- Threat Origin IP Range (
source_ip_start,source_ip_end) - Payload Type (e.g.,
malware,phishing,ransomware). - Threat Severity (
severity_level, ranging fromLowtoCritical). - Time to Detection (TTD) thresholds.
- Threat Origin IP Range (
- Define compound conditions using Boolean logic (
AND,OR,NOT).
- Filter alerts by additional metadata fields, such as:
- Dynamic Risk Scores Integration:
- Combine filters with dynamic risk scoring from
security/risk_engine_v3.py. - Automatically suppress alerts below a user-defined risk threshold (e.g., risk score < 40).
- Combine filters with dynamic risk scoring from
- Alert Grouping Options:
- Consolidate similar alerts using hash-based clustering (
alerts/cluster_engine.dll). - Group by shared characteristics such as threat vector, impacted endpoints, or detection timestamp.
- Consolidate similar alerts using hash-based clustering (
- Geo-Specific Filters:
- Filter alerts by geographical data (
geo_filter_processor.js), including:- Country of origin.
- Region-specific threats (e.g., APAC-focused phishing campaigns).
- Filter alerts by geographical data (
- Custom Tagging System:
- Automatically tag filtered alerts with custom labels (
custom_tag_handler.py). - Example: Tag all alerts from a specific subnet (
192.168.1.0/24) as Internal Traffic Risks.
- Automatically tag filtered alerts with custom labels (
How to Use It
- Configuring Filters:
- Navigate to Settings > Alert Preferences in the Velocty dashboard.
- Select Create New Filter and define your criteria:
- Example:
source_ip_start=10.0.0.1 AND severity_level=Critical.
- Example:
- Enabling Suppression Rules:
- Go to Alert Suppression under Advanced Settings.
- Set a suppression rule, such as suppressing all alerts with
risk_score < 30.
- Setting Up Geo-Filters:
- Use the Geo Filter Wizard in Threat Management.
- Example: Only receive alerts originating from outside the United States.
Impact
This feature empowers users to:
- Reduce Alert Fatigue: Focus on high-priority threats by filtering out low-risk or irrelevant alerts.
- Enhance Response Efficiency: Receive alerts tailored to your specific operational context.
- Improve Incident Management: Automatically categorize and prioritize alerts for faster triage.
Use Cases
- High-Security Environments:
- Suppress all low-severity alerts except those with
payload_type=malware.
- Suppress all low-severity alerts except those with
- Regional Threat Monitoring:
- Filter alerts to only notify about attacks originating from certain regions.
- Targeted Campaign Detection:
- Tag all alerts with
risk_score > 70 AND payload_type=phishingas Critical Campaign Risks.
- Tag all alerts with
Next Steps
- Add predictive analytics to suggest optimal filter configurations based on past alert patterns.
- Expand filtering capabilities to include machine learning-driven anomaly detection.
With Customizable Threat Alert Filters, you gain unparalleled control over your notifications, ensuring your attention is always focused on what matters most. For assistance setting up filters, contact Swyft Support.