Classifiers are used to manipulate, or preprocess, events before they get to the UI. For example, you can raise or lower the severity of an event, choose to ignore specific events from ThreatMatch, PatternScout, asset detection, or even drop an event before it reaches the GRID. To be safe and not miss critical data, we recommend sending all data to the GRID.
Classifiers allow you to modify events or change how they're treated by the GRID.
- Exclude: No alerts. Data is still saved and searchable.
- Change attributes: Alter how data is displayed, to make data more useful.
- Drop Events: Discarded before they get to the GRID. Be careful, it is not searchable or logged. WARNING: Dropping events means that the event is not logged within the GRID. It is not searchable and does not trigger alerts.
Patterns and Rules
When creating a Key / Value pair the field to apply an attribute to an event, the values in those fields are considered text. However, there are exceptions which are governed by the rules in the table below:
|Match Type||Event Field||Event Type||Notes|
|geo_*||don't use this (reserved for custom geo-ip objects)|
|Exact Match||praesidio_skip_ad||boolean||Use this to skip anomaly detection|
Creating a classifier
Classifiers have a large impact on the functionality and efficiency of the GRID. Follow the instructions below to ensure your classifiers are syntactically correct and function properly.
- Events > enter search query. All events matching the query display.
- Select the Classifier icon to create a classifier of your query.
- Fill in Classifier fields.
- Tag Name: Classifiers should have meaningful, easily identifiable names.
- Query String: [Auto-populated from the event search] Conditions the classifier is set to search on.
- Drop Event: Warning: If drop event is checked, it does not log the event. Events that match this classifier are not searchable and do not trigger alerts. (Be careful using this!)
- Exclude from ThreatMatch, PatternScout, or Asset Detection: Stop the system from using the event for threat intelligence, anomaly detection, or asset detection, respectively.
- Attributes to Apply: Select the key (data) you'd like to update, and then add the value you want the key to have. For multiple changes, click the plus sign.
For example, a group of events have a category of ‘None’ and the organization wants to categorize these events based on information contained within the event. Key = Category and the Value = Research
- Select Save to complete and enable your classifier.
- After setting up the classifier, you can search for _exists_:tag_queries to display events that have matched one or more classifiers.
Specifications for Classifiers
- You must select to either drop, exclude, or apply an attribute to create a classifier.
- If you create a classifier for ‘WDAP’, it matches all events that contain ‘WDAP’. If you create a classifier NOT ‘WDAP’, it matches events that do not contain ‘WDAP’. This is the opposite of writing NOT or - within command line text.
Pausing or deleting a classifier
Once the classifier is created, you have the option to pause, edit, or delete it.
To edit a classifier
- Go to Events > Classifiers
- Select the classifier you want to edit
- Make desired changes
- Click Save.
To pause a classifier
- Click the power icon and it will toggle from blue to gray.
- Blue - active
- Grey - paused
- Note: Pausing classifiers may take a short time to take effect.
To delete a classifier
- Go to Events > Classifiers
- Select the classifier you want to delete
- Click Delete. Note: Deleting classifiers may take a short time to take effect.