After reviewing the search results, you can continue your investigation by excluding or including data. Excluding a filter value hides the entries that contain it, which is helpful when you want to skip them in your search results (e.g., a service account or trusted user account). Including a filter value ensures that only the entries containing it are shown (e.g., a suspicious user or a potentially violated folder).
To include or exclude data:
- Review your search results and locate an entry with data you want to exclude or include.
- Select this entry and review its details.
- Click Exclude from search or Include to search and specify a filter value from the list.
- Click Search to update the search results.
Your exclusions and inclusions will automatically be added to the search filters, limiting the amount of data shown in the results pane.