Notification Filters

You can reduce notification fatigue for end-users by configuring which notifications they see, using notification filters built from regular expressions. Notification filters are configured on the server through the management console to provide a unified approach. Currently, notification filters are available for Windows agents only; Mac agents have local notification filtering. The configuration of notification filters is very similar to the one used for centralized log filtering.

To configure notification filters:

  1. In the management console, on the Tools menu, click Notification Filters.
    The Notification Filters dialog appears, showing the current configuration.
  2. To edit or remove a rule, select it in the list, then click Edit or Remove.
    To add a new rule, click Add.
    The Add Rule dialog appears, which enables you to Add, Edit or Remove conditions.
  3. Type a Name for the rule, then click Add.
    The Add Condition dialog appears.
    The dialog has three fields: a drop-down list labeled Field; option buttons labeled Aim, with the options Matches and Differs; and a text field labeled Regular Expression.
  4. Select the Field and Aim, then enter the Regular Expression and click Save.
    The condition is added to the rule.
  5. Repeat as required.

Examples

Consider the event:

SndAuditEvent: 2022-09-21 07:36:32.1190000 -0700 | READ-DENIED || S-1-5-21-3517963100-1758087512-1975737623-1001 | CD | Msft Virtual CD/ROM ATA Device, CD-ROM Drive, (Standard CD-ROM drives) | CPBA_X64FRE_ENUS_DV9 | 561e35dcb3a5c26b90f5a2b9b4a8722c8409eb50 | D:\text.txt | cmd.exe | IDE\CdRomMsft_Virtual_CD/ROM_____________________1.0_____ | NOPERMISSIONS || ebd0052797a48d5eb383e8ab84055e96abb91c87 | Custom Test Message || 00000000000000000000000000000000||

To filter on the process name (cmd.exe in our example) and the file name (D:\text.txt in our example), set:

Field             Aim      Regular Expression
Process Name      Matches  cmd.exe
File Name (Full)  Differs  (D:\\)(.*)

To filter on the Device Class (CD in our example) and the Model Id (ebd0052797a48d5eb383e8ab84055e96abb91c87 in our example), set:

Field             Aim      Regular Expression
Device Class      Matches  ^CD$|^Removable$
Model Id          Matches  (ebd)(.*)

To filter on the Type (READ-DENIED in our example) and the Device Model (Msft Virtual CD/ROM ATA Device, CD-ROM Drive, (Standard CD-ROM drives) in our example), set:

Field             Aim      Regular Expression
Type              Matches  (.*)(DENIED)$
Device Model      Matches  (.*)(CD-ROM Drive)(.*)
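The following script is an added example, not code from the product or this page: it applies the three rules listed above to the page's example event and to one constructed event, so you can check what a regular expression will and will not match before committing it to a rule. It assumes field positions inferred by counting "|" separators in the example event (an assumption, not a documented format), that Matches means an unanchored, case-sensitive regex search succeeds and Differs means it does not, and that a rule applies only when all of its conditions hold. Under those assumptions the first rule does not apply to the page's own event, because D:\text.txt matches (D:\\)(.*) and the condition asks for Differs; it applies to the constructed cmd.exe event on E:\ instead. The helper at the end shows why an unescaped dot in cmd.exe is a wildcard.

```python
import re
from typing import Dict, List, Tuple

# Positions of the fields used by the documented rules in a pipe-delimited
# SndAuditEvent line. ASSUMPTION: inferred by counting "|" separators in the
# single example event on this page (empty fields between "||" count), not
# taken from any product specification.
FIELD_INDEX = {
    "Type": 1,
    "Device Class": 4,
    "Device Model": 5,
    "File Name (Full)": 8,
    "Process Name": 9,
    "Model Id": 13,
}

Condition = Tuple[str, str, str]  # (Field, Aim, Regular Expression)

# The three rules from the Examples section, as written on the page.
RULES: Dict[str, List[Condition]] = {
    "process-and-file": [
        ("Process Name", "Matches", r"cmd.exe"),
        ("File Name (Full)", "Differs", r"(D:\\)(.*)"),
    ],
    "class-and-model-id": [
        ("Device Class", "Matches", r"^CD$|^Removable$"),
        ("Model Id", "Matches", r"(ebd)(.*)"),
    ],
    "type-and-device-model": [
        ("Type", "Matches", r"(.*)(DENIED)$"),
        ("Device Model", "Matches", r"(.*)(CD-ROM Drive)(.*)"),
    ],
}

# The event from this page's example.
PAGE_EVENT = (
    r"SndAuditEvent: 2022-09-21 07:36:32.1190000 -0700 | READ-DENIED || "
    r"S-1-5-21-3517963100-1758087512-1975737623-1001 | CD | "
    r"Msft Virtual CD/ROM ATA Device, CD-ROM Drive, (Standard CD-ROM drives) | "
    r"CPBA_X64FRE_ENUS_DV9 | 561e35dcb3a5c26b90f5a2b9b4a8722c8409eb50 | "
    r"D:\text.txt | cmd.exe | IDE\CdRomMsft_Virtual_CD/ROM_____________________1.0_____ | "
    r"NOPERMISSIONS || ebd0052797a48d5eb383e8ab84055e96abb91c87 | Custom Test Message || "
    r"00000000000000000000000000000000||"
)

# Constructed sample event (not real data): cmd.exe denied on a removable
# drive, file outside D:\, device model and model id that the rules do not name.
CONSTRUCTED_EVENT = (
    r"SndAuditEvent: 2022-09-21 08:02:11.0000000 -0700 | READ-DENIED || "
    r"S-1-5-21-3517963100-1758087512-1975737623-1001 | Removable | "
    r"Generic USB Flash Disk USB Device | LABEL | "
    r"0000000000000000000000000000000000000000 | "
    r"E:\notes.txt | cmd.exe | USBSTOR\Disk&Ven_Generic | "
    r"NOPERMISSIONS || 9f4e2a1c0b7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f | Custom Test Message || "
    r"00000000000000000000000000000000||"
)


def parse_event(line: str) -> Dict[str, str]:
    """Split an event line on "|" and pick out the fields the rules use."""
    parts = [p.strip() for p in line.split("|")]
    return {name: parts[i] for name, i in FIELD_INDEX.items()}


def condition_holds(event: Dict[str, str], field: str, aim: str, pattern: str) -> bool:
    """Matches: the regex is found in the field value; Differs: it is not.
    ASSUMPTION: unanchored, case-sensitive search, which is why the page's
    patterns carry their own ^ and $ where they need them."""
    found = re.search(pattern, event.get(field, "")) is not None
    if aim == "Matches":
        return found
    if aim == "Differs":
        return not found
    raise ValueError(f"unknown aim: {aim}")


def rule_holds(event: Dict[str, str], conditions: List[Condition]) -> bool:
    """ASSUMPTION: a rule applies only when every one of its conditions holds."""
    return all(condition_holds(event, *c) for c in conditions)


def evaluate(line: str) -> Dict[str, bool]:
    """Return, per rule name, whether the rule applies to the event line."""
    event = parse_event(line)
    return {name: rule_holds(event, conds) for name, conds in RULES.items()}


def unescaped_dot_is_wildcard() -> bool:
    """"cmd.exe" also matches a process named "cmdXexe"; "cmd\\.exe" does not.
    Escape the dot when a literal file extension is meant."""
    return (re.search(r"cmd.exe", "cmdXexe") is not None
            and re.search(r"cmd\.exe", "cmdXexe") is None)


if __name__ == "__main__":
    for label, line in (("page event", PAGE_EVENT), ("constructed event", CONSTRUCTED_EVENT)):
        print(label, evaluate(line))
    print("unescaped dot is a wildcard:", unescaped_dot_is_wildcard())
```

Paste a real event line from your own agent log in place of PAGE_EVENT and adjust FIELD_INDEX if your build orders the fields differently; the point of the script is to see each condition's true/false value before the rule goes live on every Windows agent.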