What is a Filter and Why Are They Needed?
There are two types of data that is collected by Faddom - nodes (i.e. Servers) and connections. By default, Faddom will show all connections related to a specific server - this ensures that you don't miss anything. The Filters are a set of rules to enable the filtering out of anything that you do not want to see in the context of a specific application map to make it easier to read and fathom.
There are two main types of filters - connection filters and node/server filters.
Additionally, no filter is permanent and can easily be modified or Deleted
Basic Filters
These are the filters that can be accessed quickly and effortlessly from the Maps themselves. These are accessed by right-clicking on the connection/server you wish to filter by and selecting one of the options.
For a server, you have Filter out which will remove the server itself from the particular map, and Filter outgoing which will remove all outgoing connections from the server while leaving the server in the map. When you create a filter that filters outgoing traffic for a server, that server will not be "expanded" when you add another layer to the map.
For a connection, you can either click on Filter connection to remove the connection itself, or filter out the port will remove ALL connections on that port from the map.
You can filter multiple servers and/or connections at once by holding down the Ctrl button or by using the Area selection tool. Then right click and use the Filter out or Filter outgoing buttons in the menu.
Once done you can save the results as the new baseline for the map so that all changes to that map from now on will be against the updated map. If you are filtering out from the edit mode (by clicking the edit map icon on the upper right hand side), the baseline will automatically be updated for you when you click on Save Map.
Advanced Filters
Advanced Filters provide more functionality and more customizability than the Basic Filters. They allow defining filters using wildcards or even creating filters that will apply to all application maps.
To access these filters
Click on Map > Application Maps
If you wish to edit an existing map, you can right-click on the name and select Edit Map
On the left hand side you select Applied Filters to expand it where you will see Global Filters and Local Filters
To view/edit the existing filters you can either click on Global Filters or Local Filters or alternatively select the pencil
You will then be presented with the Edit Filters screen. Here you can use the drop-down to change between Global, & Local, Global, or Local filters to see a list of the filters that are affecting the current map. From here, you can also delete a filter or create a new one.
If you wish to create a new filter you can either click on the plus symbol or select the Add New Filter button from the Edit Filters screen
You will then be presented with the Create Discovery Filter window where you can choose what you wish to filter
By Connection
From - this is the source of the connection and can be a server IP or hostname, IP Group, or partial hostname. This can also be left empty to filter out any source.
To - this is the target of the connection and can be a server IP or hostname, IP Group, or partial hostname. This can also be left empty to filter out any target.
On Port(s) - here you can specify the port number of the connection you wish to filter out. You can specify a specific port number or a port range (i.e. 135-139). This can also be left blank to filter out any port.
Set As - you can choose here whether the filter applies to all maps (Global Filter) or specifically to the map you chose to edit (Local Filter)
Description - this is free text that you can use to describe the filter to help you identify it later
By Server
Server - this allows you to choose an object to filter out - Server, Application Map, IP Group, Server by Pattern (partial hostname), or Service Dependency. Filtering out a server will remove the server from the map along with any connections to or from it.
Set As - you can choose here whether the filter applies to all maps (Global Filter) or specifically to the map you chose to edit (Local Filter)
Description - this is free text that you can use to describe the filter itself to help you identify it later
Application Map will filter out an application map dependency from the map entirely
Service Dependency will instead of showing a dependency on an application map, continue building out the map including servers that may be part of other application maps instead of just showing the dependency.
Clear All Filters - this will remove all filters, including Global Filters, from the map
Suggested Filters - Faddom will recommend to you some filters based on traffic patterns that you may not have considered previously
Global Filters
Global Filters is a feature found in the Settings menu that applies to all or multiple Application Maps depending on the need.
To set the filters
Click on the gear icon in the right-hand side
Select Discovery Filters
You will be presented with a list of system created rules
To add a custom rule click New
You will be presented with the Create Discovery Filter screen as seen above, but without the option to choose Local Filter
How To Delete A Filter
Global Filters
Follow steps 1 to 3 in Global Filters
To delete a single filter click the Delete button on the right
To delete multiple filters you can check the box on left-hand side and then press Delete at the top
Grouping By ASN
Faddom has the ability to identify groups of external servers by the ASN that has been assigned to them. This allows Faddom to group sets of servers together regardless of IP address if you are using an external service, such as Azure AD where every time there is a connection it is a different IP address. If this has been done, you will see the icon below on the map.
You can toggle this on and off on a per map basis through the Edit Map screen by going to Applied Filters > General and selecting/deselecting the Group Servers By ASN option.