How to filter a consolidate job?

Hi,

I'd like to filter events by ID while running a consolidate job. Is this possible? I can only find machine type filtering.

Thank you.

  • Hi,

    Such filtering is not supported. Consolidation is just copying entire repository files. I'll pass your request to the product manager.

  • Thank you Igor.

    With this option not available, I'd like to create a search filter in Repository Viewer instead. I want to create a filter to show several events in Windows Security log and Windows System log.

    E.g., Security log 4624, 4625; System log 20001, 20002.

    Can you tell me how to create a filter like this? The samples in https://support.quest.com/zh-cn/technical-documents/intrust/11.3/searching-for-events-in-repository-viewer/3#Advanced are not very comprehensive. Thank you.

  • Hi Sean,

    If you have the latest InTrust version 11.4.1, you can find a set of new searches under Predefined Search Folders | Threat Hunting | Windows | Native OS Logs Telemetry. These searches can be used as a sample for a request like yours because some of them have a custom query similar to yours. For example, the search named Authentication has a custom search filter like (striequ(Log, "Application") and (EventID = 1511)) or (striequ(Log, "Security") and in_range(EventID, "4624,4625,4648,4776,4634,4672")). You can copy this search and change the query to (striequ(Log, "System") and in_range(EventID, "20001, 20002")) or (striequ(Log, "Security") and in_range(EventID, "4624,4625")), and that's it.

    If your version is lower than 11.4.1, then please do the following:

    1. Under Custom Search Folders (or your favorite folder inside Custom Search Folders) create a new search.
    2. At the bottom of the right pane click Add or Remove Parameters.
    3. Choose Primary instead of Normalized Strings.
    4. Check Custom.
    5. Close the Select Filter Parameters dialog.
    6. In Search Filter scroll down so that Custom is visible.
    7. Change true to (striequ(Log, "System") and in_range(EventID, "20001, 20002")) or (striequ(Log, "Security") and in_range(EventID, "4624,4625")).
    8. Make some changes in the grid layout (add/remove columns, add sorting or grouping, etc.), and that's it.
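    Added example (not from the original thread or from Quest): a small evaluator for the filter expressions quoted in the answer above, run over constructed sample events, so you can check which Security/System events a custom filter selects before pasting it into Repository Viewer. The semantics of striequ (case-insensitive string equality) and in_range (membership in the comma-separated list) are assumed from the examples, not taken from Quest documentation.

```python
import re

# Added evaluator for the filter subset used in the answer: striequ(Field, "text"),
# in_range(Field, "v1,v2,..."), Field = n, and/or, parentheses, default "true".
# Semantics are assumed (striequ = case-insensitive equality, in_range = membership
# in the comma-separated list), not taken from Quest documentation.
TOKEN = re.compile(r'[(),=]|"[^"]*"|\w+')

def compile_filter(expr):
    toks, i = TOKEN.findall(expr), 0
    if re.sub(r"\s", "", "".join(toks)) != re.sub(r"\s", "", expr):
        raise ValueError("filter contains characters this evaluator does not handle")
    def take(expected=None):          # consume one token, optionally checking it
        nonlocal i
        i, t = i + 1, (toks[i] if i < len(toks) else None)
        if expected is not None and t != expected:
            raise ValueError(f"expected {expected!r}, got {t!r}")
        return t
    def parse_chain(op, sub, combine):  # left-associative chain of "and" or "or"
        left = sub()
        while i < len(toks) and toks[i] == op:
            take()
            left = (lambda l, r: lambda e: combine(l(e), r(e)))(left, sub())
        return left
    def parse_or(): return parse_chain("or", parse_and, lambda a, b: a or b)
    def parse_and(): return parse_chain("and", parse_atom, lambda a, b: a and b)
    def parse_atom():
        t = take()
        if t == "(":
            node = parse_or(); take(")"); return node
        if t == "true":                               # Repository Viewer default
            return lambda e: True
        if t in ("striequ", "in_range"):
            take("("); field = take(); take(","); arg = take()[1:-1]; take(")")
            if t == "striequ":
                return lambda e: str(e.get(field, "")).lower() == arg.lower()
            ids = {int(v) for v in arg.split(",")}    # "20001, 20002" -> {20001, 20002}
            return lambda e: e.get(field) in ids
        take("="); num = int(take())                  # bare "Field = number"
        return lambda e: e.get(t) == num
    pred = parse_or()
    if i != len(toks):
        raise ValueError("unexpected trailing tokens")
    return pred

# Constructed sample events (not real log data) to run a filter over.
EVENTS = [{"Log": "Security", "EventID": 4624}, {"Log": "Security", "EventID": 4672},
          {"Log": "System", "EventID": 20001}, {"Log": "application", "EventID": 1511}]
def matching_events(expr, events=EVENTS):
    return [(e["Log"], e["EventID"]) for e in events if compile_filter(expr)(e)]
```

Call matching_events with the System/Security filter from step 7 to see the 4624 and 20001 sample events selected and the 4672 and 1511 ones dropped.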