User-Defined Filters
Overview
User-defined filters let you save frequently used search conditions as a single filter object. Under Policies > User-Defined Filters, security analysts can organize commonly used IP, port, and string condition expressions and reuse the same conditions across multiple detection scenarios and queries without rewriting them each time.
Registered user-defined filters can be used with stream rules, batch rules, and the matchfilter() function. All users, including administrators, can view user-defined filters, but only administrators can add, edit, or delete them.
View/search user-defined filters
You can view or search the user-defined filter list under Policies > User-Defined Filters.
- Name: Name of the user-defined filter.
- Description: Description of the user-defined filter.
- Created At: Date the user-defined filter was created.
- Modified At: Date the user-defined filter was last modified.
To find a specific entry in the list, use the search tool in the toolbar. If you enter multiple words, the search tool finds user-defined filters where every word appears in either Name or Description.
Download list
To save the user-defined filter list to your local PC, click the download icon in the toolbar.
Refresh list
To reload the user-defined filter list with the latest data, click the refresh icon in the toolbar.
Add a user-defined filter
To create a new user-defined filter for reuse in detection scenarios and queries, follow these steps.
- Under Policies > User-Defined Filters, click Add in the toolbar.
- On the Add User-Defined Filter screen, enter the general settings.
  - Name: Name of the user-defined filter (required, up to 50 characters).
  - Description: Description of the user-defined filter (up to 2,000 characters).
- Under Type, select how to build the filter (default: Tree; options: Tree, Expression).
- Enter the Filter Expression according to the selected type.
  - Tree:
    - At the top of the condition group, select AND or OR to set the group operator.
    - Use the Add menu to add a single filter or a sub-group.
    - Sub-groups can be nested up to three levels deep.
    - Each filter row accepts an Expression and a Description.
    - At least one filter must be added before you can save.
  - Expression:
    - Enter a Logpresso boolean expression, written in the same syntax as the search command, directly in the text box.
    - The entered expression is validated before saving.
- Review the information and click Save.
Edit a user-defined filter
To change the information or condition expression of an existing user-defined filter, follow these steps.
- Click the row of the user-defined filter you want to edit in the list.
- On the Edit User-Defined Filter screen, update the information and click Save.
Use user-defined filters
Registered user-defined filters can be used in the following ways.
Stream rules and batch rules
If there are common repeated conditions when writing queries in stream rules or batch rules, separate them into user-defined filters for centralized management. For example, creating filters for specific network ranges, reputation conditions, or frequently used exception conditions eliminates the need to re-enter the same expressions across multiple scenarios.
Queries
In queries, you can call a user-defined filter using the matchfilter() function. You can use the GUID or the unique name of the user-defined filter.
| search matchfilter("user-defined filter GUID")
| search matchfilter("user-defined filter name")
To use the GUID, check the value in your browser's address bar.
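As an added illustration that is not part of this documentation, the query below shows a registered filter used inside a detection pipeline instead of repeating its conditions inline; the table name syslog, the filter name internal-admin-ranges, and the field src_ip are assumptions:

```logpresso
table duration=1h syslog
| search matchfilter("internal-admin-ranges")
| stats count by src_ip
```

If the network ranges change later, only the user-defined filter needs updating; every stream rule, batch rule, and query that calls it by name picks up the new conditions.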
Delete a user-defined filter
To clean up user-defined filters that are no longer in use, follow these steps.
- Select the checkbox on the row of the user-defined filter to delete in the list.
- Click Delete in the toolbar.
- In the Delete User-Defined Filter dialog, confirm the targets to delete and click Delete.