Filter chaining allows for an action to be triggered when two or more events occur within a configurable time period on the same host. All include filters which are part of the package will participate in the filter chaining. When all filters matched, the EventSentry agent will log event 10650 to the event log with relevant details.
Event log filters in a filter chaining package do not have actions associated with them; consequently a separate event log filter (in a different package) will have to be created in order to trigger an action. |
Require Sequence
By default, filters can match events in any sequence in order to complete the filter chain. Enabling the "Require Sequence" option requires that events match the filters in the same order shown in the event log package.
When using a sequence, it's recommended to either not have any exclude filters in the package, or to position any exclude filters BELOW all of the include filters. Otherwise, the behavior of the filter chaining feature is undefined.
Timeout
The time period in which all filters of the event log package need to match an event.
Linking events through insertion strings
To ensure that events from unrelated activity do not complete the same filter chaining object, filters of a filter chaining package can be set to require one or more insertion strings to match. Similar functionality is also available for threshold filters.
Insertion strings are configured through the "Chain Settings" button which is displayed on the filter dialog in place of the "Advanced" button. When two or more filters have at least one insertion string configured, EventSentry will extract the run-time value of the insertion string(s) from the event and store them for the duration of the filter chaining time period.
Values of the extracted insertion strings need to match for all filters which have at least one insertion string configured. Not all filters in the package need to have an insertion string configured, those filters will always be considered a match as long as they satisfy the filter criteria.