Go Up
You are here: IntelligenceInteractive SearchAdvanced ModeApply Additional Filters

Apply Additional Filters

Expand the Filter list to find additional filters or filter values. The most commonly used filters are described in Apply Filters. Review the following for additional information:

Filter Description Example

Action

Limits your search to the selected actions only.

Specify an action from the Value list or type it yourself. The Action filter in the Advanced mode contains actions besides those available in basic mode (added, modified, removed, and read). Reported actions vary depending on the data source and object type. See Monitored Object Types, Actions, and Attributes for more information.

  • Added
  • Add (Failed Attempt)
  • Removed
  • Remove (Failed Attempt)
  • Modified
  • Modify (Failed Attempt)
  • Read
  • Read (Failed Attempt)
  • Moved
  • Move (Failed Attempt)
  • Renamed
  • Rename (Failed Attempt)
  • Checked in
  • Checked out
  • Discard check out
  • Successful Logon
  • Failed Logon
  • Logoff
  • Copied
  • Sent
  • Session start
  • Session end
  • Activated
 

You are investigating suspicious user activity. You have already identified the intruder and now you want to see if any files were deleted or moved, and emails sent.

Since you are interested in specific actions only, set the Action filter to Removed, Moved, and Sent.

Object type

Limits your search to objects of a specific type only.

Specify an object type from the Value list or type it yourself. This filter modifies the What filter.

The value list is prepopulated with the most frequent object types.

You noticed that some domain policies were changed and you want to investigate this issue.

Your What filter is set to Policy, and so you keep receiving search results such as HiSecPolicy, \\FS\Share\NewPolicy.docx, http://corp/sites/col1/Lists/Policy. These entries correspond to different object types and data sources.

Since you are looking for GPOs only, select GroupPolicy from the Value list.

Data source

Limits your search to the selected data source only.

Specify a data source from the Value list or type it yourself.

You are investigating suspicious user activity. A user specified in the Who filter made a lot of changes across your IT infrastructure, so the search results became difficult to review.

Since you are only interested in the way this user's activity could affect your Active Directory domain and Exchange organization, set the Data source filter to Active Directory and Exchange to limit the search results.

Monitoring plan

Limits your search to the selected plan only.

Specify the name from the Value list or type it yourself.

You are investigating suspicious user activity. A user specified in the Who filter made a lot of changes across your IT infrastructure, so the search results became difficult to review.

Since you are only interested in the way this user's activity could affect file shares audited within a single plan, set the Monitoring plan filter to "My servers" to limit the search results.

Item

Limits your search to the selected item only.

This filter can be helpful if have several items of the same type in your monitoring plan (e.g., two Active Directory domains).

Specify the name from the Value list or type it yourself.

Your monitoring plan is configured to track domains and includes your secured corporate domain and a domain for temporary employees. You are investigating who logged in your secured corporate domain outside business hours.

You can set the Item filter to this domain name to limit the search results and exclude logons to computers from a less important domain.

Details

Limits your search results to entries that contain the specified information in the Details column.

The Details column normally contains data specific to your target, e.g., assigned permissions, before and after values, start and end dates.

This filter can be helpful when you are looking for a unique entry.

You discovered that a registry key was updated to "242464". Now you want to investigate who made the change and what the value was before.

You can set the Details filter to 242464 to find this change faster.

Before

Limits your search results to entries that contain the specified before value in the Details column.

You are investigating an incident in which the SAM-account-name attribute was changed for an account in your Active Directory domain.

You can set the Before filter to the previous name (e.g., John2000) to find the new name faster.

After

Limits your search results to entries that contain the specified after value in the Details column.

You are investigating a security incident and want to know who enabled a local Administrator account on your Windows Server.

You can set the After filter to this account's current state (e.g., Enabled) to find this change faster.

Everywhere

Limits your search results to entries that contain the specified value in any column.

You are investigating a security incident. You have already identified the intruder (e.g., BadActor) and now you want to see all actions made by intruder's account or with it.

Since the intruder can be the actor (Who), the object (What), or can even show up in details, set the Everywhere filter to intruder's name.

Go Up