Filters are the key components for alert processing. Although there are some filters as IP blacklist or DNS resolver that can change input alerts by increasing priority or filling DNS names of involved hosts, most of the filters take part in the process of joining similar alerts also referred to as the correlation process.

Every filter is equipped with an inherent set of rules and algorithms to work on input alerts and is notified upon the arrival of a new alert that can be processed.