Configure and apply a filter

You can configure and apply separate filters for events and activity. A Filter Editor is available in each report. When you navigate to any part of the page, the filter is always available at the top of the page.

Depending on the type of events or activity you filter, different data is available to configure the filter.

To learn about other methods that are available to filter data and narrow the list of events, see Filter event data.

To configure and apply a filter:

  1. In the Threat Protection menu of Enterprise Center, go to an events or activity report.

    • For threat or access control events, select Reports > Threat Events or Reports > Access Control.

    • For activity, select Reports, and then select the activity report.

  2. To filter events based on date and time, see Filter data based on date and time.

  3. Click the filter icon and then click Add filter Dimension.

  4. In the menu, select a dimension.

  5. Select Include or Exclude to include or exclude data that's specific to the selected dimension.

  6. In the menu, select the specific data that you want to include or exclude in the filter. For example, if you selected Category, select the specific category that you want to exclude or include.

  7. If you want to add more data to the filter, click the text box. The menu where you can select data appears again. Select the data that you want to include or exclude in the filter.

  8. Click OK. The report with filtered data appears.

Next steps

To add specific event or activity data to your filter, see Add event or activity data to a filter. If you are adding data to a filter in the Identity Provider Activity report, see Add identity provider activity data to a filter.

Add event or activity data to a filter

Before you begin

Configure and apply a filter.

You can add specific data from an event or activity report to a filter. This includes data for threat and access control events, Security Connector events, network traffic activity, DNS activity, and more.

📘

You need to be an ETP administrator or a user with a specific permission to view the DNS Activity or Proxy Activity reports. For more information, see Roles.

To add event or activity data to a filter:

  1. Go to the report where you want to apply a filter.

    • For threat or access control events, in the Threat Protection menu of Enterprise Center, select Reports > Threat Events or Reports > Access Control.

    • For an activity report, in the Threat Protection menu of Enterprise Center, select Reports and then select an activity report.

  2. Select a dimension or criteria to define what data is shown.

  3. To add data from the Top 6 area to the filter, hover over a value, and click the menu icon that appears.

    1. If you want the data to be part of the In filter, select Add to Include Filter. A value cannot be added to the Include Filter if it's already in the Exclude Filter.

    2. If you want the data to be part of the Not In filter, select Add to Exclude Filter. A value cannot be added to the Exclude Filter if it's already in the Include Filter.

  4. To add specific data to the filter:

    1. Click the grouped dimension value or expand a grouped dimension value to view the events or traffic associated with the dimension. Click the data value that you want to add to the filter.

      For example, if you want to add a domain, click the domain. If you want to add a list associated with an event, click the list value.

    2. Select one of the following:

      • If you want the data to be part of the In filter, select Add to Include Filter. A value cannot be added to the Include Filter if it's already in the Exclude Filter.

      • If you want the data to be part of the Not In filter, select Add to Exclude Filter. A value cannot be added to the Exclude Filter if it's already in the Include Filter.

  5. To add data from the details window to the filter:

    1. Click the grouped dimension value or expand a grouped dimension value to view the events or traffic associated with the dimension.

    2. To view event or connection details, click the information icon. Click the Event Details or Connection Details tab.

    3. Click the data on the details widow and select one of the following:

      • If you want the data to be part of the In filter, select Add to Include Filter. A value cannot be added to the Include Filter if it's already in the Exclude Filter.

      • If you want the data to be part of the Not In filter, select Add to Exclude Filter. A value cannot be added to the Exclude Filter if it's already in the Include Filter.

  6. Click Apply to apply the filter.

Clear filters

You can clear filters that you created and applied to filter event or activity data.

The following procedure assumes that you configured and applied a filter to an event or activity report. For more information, see Configure and apply a filter or Filter DNS activity by criteria.

To clear filters:

  1. To remove a filter criterion, click the delete icon that is associated with the data you want to remove from the filter, and click Apply.

  2. To clear all filter criteria, do one of the following:

    • In the filter menu, select Clear All & Apply.

    • Click the filter icon and click Clear All. Click Apply.


Did this page help you?