Version: Spectra Detect 5.3.0

Filter management

In addition to regular file filtering on egress integrations, you can set up an advanced filter. Advanced filters offer more conditions and therefore finer-grained control over which files are written to the destination.

note

Advanced filters are currently available only for the AWS S3 egress integration (Central Configuration > Egress Integrations > AWS S3 > File Storage > Enable Advanced Filter).

Types of filters

Filters can be either inclusive or exclusive. If a filter is inclusive, every file that matches your criteria is saved to the S3 bucket and everything else is dropped. If it's exclusive, everything is saved except the files that match your criteria.

When creating a filter, you can also specify that it should apply only to top-level parent files: Filter Applies Only to Container. In this case, only the top-level file is evaluated against the filter, and extracted (child) files are not saved.

Conditions

Conditions allow you to specify rules based on various attributes such as file type, file size, classification, and more.

Conditions are grouped into categories:

  • File: filters on the recognized file type and on file size
  • Classification: filters on the classification assigned to the file
  • Identification: filters on file format identification
  • Behavior: filters on network calls made by a file (see the report schema)
  • Document: if a file is identified as a document, these filters let you narrow down what you save based on document attributes, such as number of pages or word count
  • Unpacking: the counterpart of the "Identification" category for file unpacking; these filters operate on unpacking results
  • File statistics: filters operating on statistics produced by an analysis (for example, the count of files of a particular type found inside an analyzed file)
  • Capabilities: capabilities detected in the analyzed file
  • YARA matches: see the description of these filters in the report schema
  • Indicators: see the report schema
  • Mitre: one of the MITRE ATT&CK techniques attributed to the file
  • Tags: the full list is available in the report schema appendix
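The interaction between the inclusive/exclusive mode, the container-only option and the conditions above is easy to get wrong, so here is a small model of the evaluation, added as an illustration. It is not Spectra Detect's own code: the report attribute names (`classification`, `file_type`, `size`, `mitre`, `yara_matches`, `parent`), the operator set and the AND-across-conditions semantics are assumptions of this example, and the analysis records are constructed sample data.

```python
"""Toy model of advanced-filter evaluation: inclusive vs exclusive mode,
the container-only option, and a few condition categories.
Added illustration, not product code; field names and semantics are assumed."""
from dataclasses import dataclass, field
from typing import Any, Callable

# Constructed sample analysis records (not real Spectra Detect output).
# "parent" is None for top-level (container) files, otherwise the parent's hash.
SAMPLE_FILES = [
    {"sha1": "a1", "parent": None, "file_type": "PE", "size": 1_200_000,
     "classification": "malicious", "mitre": ["T1055"], "yara_matches": ["Win_Injector"]},
    {"sha1": "b2", "parent": "a1", "file_type": "PE", "size": 40_000,
     "classification": "suspicious", "mitre": [], "yara_matches": []},
    {"sha1": "c3", "parent": None, "file_type": "Document", "size": 9_000,
     "classification": "goodware", "mitre": [], "yara_matches": []},
    {"sha1": "d4", "parent": "c3", "file_type": "Binary", "size": 600,
     "classification": "malicious", "mitre": ["T1059"], "yara_matches": ["Macro_Dropper"]},
]

# Assumed comparison operators; the real UI exposes its own per-category options.
OPS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda actual, expected: actual == expected,
    "gt": lambda actual, expected: actual is not None and actual > expected,
    "lt": lambda actual, expected: actual is not None and actual < expected,
    "contains": lambda actual, expected: expected in (actual or []),
}


@dataclass
class Condition:
    attribute: str   # assumed report attribute, e.g. "classification" or "mitre"
    op: str          # key into OPS
    value: Any

    def matches(self, record: dict) -> bool:
        return OPS[self.op](record.get(self.attribute), self.value)


@dataclass
class AdvancedFilter:
    mode: str                                   # "inclusive" or "exclusive"
    conditions: list[Condition] = field(default_factory=list)
    container_only: bool = False                # "Filter Applies Only to Container"

    def _criteria_match(self, record: dict) -> bool:
        # All conditions must hold (AND semantics is an assumption of this model).
        return all(c.matches(record) for c in self.conditions)

    def should_save(self, record: dict) -> bool:
        """Decide whether one analysed file is written to the S3 bucket."""
        is_top_level = record.get("parent") is None
        if self.container_only and not is_top_level:
            # Extracted files are never saved when the filter applies only to containers.
            return False
        hit = self._criteria_match(record)
        # Inclusive: save on match. Exclusive: save everything except matches.
        return hit if self.mode == "inclusive" else not hit


def select_for_s3(files: list[dict], flt: AdvancedFilter) -> list[str]:
    """Return the hashes of the files the filter would send to the bucket."""
    return [f["sha1"] for f in files if flt.should_save(f)]


if __name__ == "__main__":
    keep_malicious = AdvancedFilter("inclusive", [Condition("classification", "eq", "malicious")])
    drop_goodware = AdvancedFilter("exclusive", [Condition("classification", "eq", "goodware")])
    injector_containers = AdvancedFilter(
        "inclusive", [Condition("mitre", "contains", "T1055")], container_only=True)
    print(select_for_s3(SAMPLE_FILES, keep_malicious))        # a1 and d4
    print(select_for_s3(SAMPLE_FILES, drop_goodware))         # a1, b2, d4
    print(select_for_s3(SAMPLE_FILES, injector_containers))   # a1 only
```

Two properties of this model are worth checking against your own configuration before relying on a filter: an exclusive filter that matches a child file still saves the child unless container-only is set, and an inclusive filter with no conditions saves every file while an exclusive one with no conditions saves nothing.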