Filter data in Xprotect
Data filtering selects a smaller part of a data set for viewing or analysis. In Xprotect, you run queries (set filters) to hunt for threats among the alerts generated when policies are violated, to check the status of policy push schedules, or to narrow a view, for example alerts by category or hosts by OS family.
Use the operators and operands listed below to construct queries. A query can be pinned so that it applies on every applicable page of the UI, or bookmarked for later use. See Filter queries feature capabilities for details.
Query operators
Construct queries using the following operators.
Operator type | Notes
Logical |
Mathematical | The Startswith and Endswith operators query the data set faster, especially when the data set is large.
Parentheses | Use parentheses to nest sub-queries up to two levels deep. A query may contain several nested sub-queries, each up to two levels deep.
Query operands
The operands available for constructing a query depend on the page you are on in Xprotect.
Page | Operands
Alerts > Summary Alerts | Process, Process Path, Parent, Parent Path, MD5, Alert Category, Severity, Host Policy, Alert Reason, Trust, Time Period, CMD Line, Action Taken, and User Policy
Alerts > Detailed Alerts | Hostname, Time Period, Host Group, Host Policy, Severity, Trust, Action Taken, Process, Process Path, Alert Category, Alert Reason, IP Address, Parent, Parent Path, MD5, User, CMD Line, Parent CMD Line, and User Policy
Hosts > Hosts | Agent Version, Host Group, Hostname, OS, OS Family, Host Policy, Queued Host Policy, Host Policy Publish Status, Status, Tags, Has Latest Version, Installed On, IP Address, User, Policy Setting, Temporary Settings, Agent Mode, CPU Usage Overload, Active User, User Policy, Queued User Policy, and User Policy Publish Status
Hosts > Host Groups | Host Policy and Host Group
Hosts > Tags | Tags
Hosts > User Groups | User Policy and User Group
Policies > Host Policies | Host Policy, OS Family, and Search Rules
Policies > User Policies | User Policy, OS Family, and Search Rules
Commands | Hostname
Users > Users | Username, User Group, AD Group, AD Department, and Login Email
Users > AD-Groups | AD Group
Users > AD-Departments | AD Department
Files > Fetched Files | Hostname
Files > File Isolation | Hostname, Filename, Status, and Operation
Reports | Report Name, Report Type, and Report Schedule
Audit Logs | Category, Name, Audit Action, Audit Status, Time Period, and Action By
Operand value types
The values that an operand accepts depend on the operand you use to construct the query.
Value type | Example operands
Array | Trust, Alert Category, and Policy Publish Status. You can select multiple values from the array.
Alphanumeric string | Hostname, Policy, and OS
Date and time picker | Installed On and Updated In
Dotted decimal | Agent Version and Latest Version
IP address | IP Address
Yes or No | Has Latest Version
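The comparison semantics those value types imply, as an added example that is not Xprotect's code: each helper below matches constructed host records (field names are assumed to follow the Hosts > Hosts operands) using the comparison its value type calls for. The point to take from the Dotted decimal row is that agent versions must be compared numerically per component, since as plain strings "1.10.0" sorts before "1.9.0"; IP addresses are likewise compared after parsing so that abbreviated and expanded IPv6 forms match.

```python
"""Typed matching per operand value type (added example, not Xprotect code)."""
from datetime import datetime
import ipaddress

# Constructed sample hosts; field names are assumed to follow the Hosts > Hosts operands.
HOSTS = [
    {"Hostname": "web-01", "Agent Version": "1.9.0", "IP Address": "10.0.0.5",
     "Installed On": "2024-01-15", "Has Latest Version": "No", "Trust": "Trusted"},
    {"Hostname": "web-02", "Agent Version": "1.10.0", "IP Address": "2001:db8::1",
     "Installed On": "2024-03-02", "Has Latest Version": "Yes", "Trust": "Untrusted"},
    {"Hostname": "db-01", "Agent Version": "2.0.1", "IP Address": "10.0.0.7",
     "Installed On": "2024-06-30", "Has Latest Version": "Yes", "Trust": "Unknown"},
]

def parse_version(text):
    """Dotted decimal -> tuple of ints, so '1.10.0' > '1.9.0' (as strings, '1.10.0' < '1.9.0')."""
    return tuple(int(part) for part in text.split("."))

def parse_yes_no(text):
    """Yes or No type: anything else is a malformed value, not a silent False."""
    if text.strip().lower() not in ("yes", "no"):
        raise ValueError(f"expected Yes or No, got {text!r}")
    return text.strip().lower() == "yes"

def hosts_below_version(hosts, minimum):
    """Dotted decimal: hosts whose Agent Version is numerically below the minimum."""
    floor = parse_version(minimum)
    return [h["Hostname"] for h in hosts if parse_version(h["Agent Version"]) < floor]

def hosts_with_ip(hosts, ip_text):
    """IP address: compare parsed addresses, so '2001:0db8::0001' equals '2001:db8::1'."""
    target = ipaddress.ip_address(ip_text)
    return [h["Hostname"] for h in hosts if ipaddress.ip_address(h["IP Address"]) == target]

def hosts_installed_between(hosts, start, end):
    """Date and time picker: inclusive range on ISO-8601 dates."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [h["Hostname"] for h in hosts if lo <= datetime.fromisoformat(h["Installed On"]) <= hi]

def hosts_has_latest(hosts, yes_no):
    """Yes or No: the query value and the record value are both normalised before comparing."""
    want = parse_yes_no(yes_no)
    return [h["Hostname"] for h in hosts if parse_yes_no(h["Has Latest Version"]) == want]

def hosts_with_trust(hosts, selected):
    """Array: a record matches if its value is any of the selected values."""
    chosen = set(selected)
    return [h["Hostname"] for h in hosts if h["Trust"] in chosen]

if __name__ == "__main__":
    print("string order says 1.10.0 < 1.9.0:", "1.10.0" < "1.9.0")
    print("below 1.10.0:", hosts_below_version(HOSTS, "1.10.0"))
    print("expanded IPv6 match:", hosts_with_ip(HOSTS, "2001:0db8:0000:0000:0000:0000:0000:0001"))
```

Only the Array type lets a single query value carry several alternatives; for every other type a value that does not parse (a non-numeric version component, an unparseable address, a date the picker would not produce) should be rejected before the query runs rather than coerced to something that silently matches nothing.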
Filter queries feature capabilities
The 'Filter queries' feature in Xprotect provides the following capabilities. They work on every applicable page of the UI except the Dashboard and Settings pages.
Query syntax correctness
Xprotect checks the syntax of each query you construct before it can run.
Incorrect syntax | Queries with incorrect syntax display a red exclamation mark, and the part of the query that uses parentheses is underlined in red until the parentheses are used correctly. You cannot run a query until its syntax is correct.
Correct syntax | Queries with correct syntax display a green tick mark. Such queries can be executed or bookmarked.
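The operator table above and the syntax checks described here, as one added example that is not Xprotect's code (the concrete query grammar, the keyword spellings and the quoting rule are assumptions, because the page does not spell them out): a small recursive-descent parser tokenizes a query, enforces the page's rule that parentheses nest at most two levels deep, reports the conditions the UI flags with a red exclamation mark as QuerySyntaxError, and evaluates syntactically valid queries against constructed host records keyed by the Hosts > Hosts operand names.

```python
import re
MAX_DEPTH = 2  # the page: parenthesised sub-queries may be nested at most two levels deep
# Assumed grammar (not Xprotect's documented syntax): query := conj ("OR" conj)*,
# conj := term ("AND" term)*, term := "NOT" term | "(" query ")" | operand comparison "value"
COMPARE = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "contains": lambda a, b: b in a,
           "startswith": lambda a, b: a.startswith(b), "endswith": lambda a, b: a.endswith(b)}
LOGICAL = {"and", "or", "not"}
_TOKEN = re.compile(r'\s+|\(|\)|!=|=|"([^"]*)"|[^\s()="!]+')

class QuerySyntaxError(ValueError):  # the cases the UI marks with a red exclamation mark
    pass

def tokenize(text):
    leftover = _TOKEN.sub("", text)  # characters no token rule accepts, e.g. a stray quote
    if leftover:
        raise QuerySyntaxError(f"unexpected character {leftover[0]!r}")
    return [("str", m.group(1)) if m.group(1) is not None else ("sym", m.group(0))
            for m in _TOKEN.finditer(text) if m.group(0).strip()]

class _Parser:
    def __init__(self, tokens):
        self.toks, self.i, self.max_depth = tokens, 0, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok
    def is_keyword(self, word):
        kind, val = self.peek()
        return kind == "sym" and val.lower() == word
    def query(self, depth):  # OR binds loosest
        pred = self.conj(depth)
        while self.is_keyword("or"):
            self.take()
            left, right = pred, self.conj(depth)
            pred = lambda r, a=left, b=right: a(r) or b(r)
        return pred
    def conj(self, depth):  # AND binds tighter than OR
        pred = self.term(depth)
        while self.is_keyword("and"):
            self.take()
            left, right = pred, self.term(depth)
            pred = lambda r, a=left, b=right: a(r) and b(r)
        return pred
    def term(self, depth):
        if self.is_keyword("not"):
            self.take()
            inner = self.term(depth)
            return lambda r: not inner(r)
        if self.peek() == ("sym", "("):
            self.take()
            if depth + 1 > MAX_DEPTH:
                raise QuerySyntaxError(f"parentheses nested deeper than {MAX_DEPTH} levels")
            self.max_depth = max(self.max_depth, depth + 1)
            inner = self.query(depth + 1)
            if self.take() != ("sym", ")"):
                raise QuerySyntaxError("missing closing parenthesis")
            return inner
        return self.comparison()
    def comparison(self):
        words = []  # operand names may contain spaces, e.g. "OS Family"
        while self.peek()[0] == "sym" and self.peek()[1] not in "()" \
                and self.peek()[1].lower() not in set(COMPARE) | LOGICAL:
            words.append(self.take()[1])
        if not words:
            raise QuerySyntaxError(f"expected an operand name, got {self.peek()[1]!r}")
        operand = " ".join(words)
        kind, op = self.take()
        if kind != "sym" or op.lower() not in COMPARE:
            raise QuerySyntaxError(f"expected a comparison operator after {operand!r}")
        kind, value = self.take()
        if kind != "str":
            raise QuerySyntaxError(f"expected a quoted value after {op!r}")
        return lambda r, cmp=COMPARE[op.lower()]: cmp(str(r.get(operand, "")), value)

def compile_query(text):
    """Return (predicate, deepest nesting level); raises QuerySyntaxError on bad syntax."""
    parser = _Parser(tokenize(text))
    pred = parser.query(0)
    if parser.i != len(parser.toks):
        raise QuerySyntaxError(f"unexpected token {parser.toks[parser.i][1]!r}")
    return pred, parser.max_depth

def check_syntax(text):
    """'ok' stands in for the green tick, 'error: ...' for the red exclamation mark."""
    try:
        compile_query(text)
        return "ok"
    except QuerySyntaxError as exc:
        return f"error: {exc}"

def run_query(text, records):
    pred, _ = compile_query(text)
    return [r for r in records if pred(r)]
HOSTS = [  # constructed sample data, keyed by Hosts > Hosts operand names
    {"Hostname": "web-01", "OS Family": "Linux", "Status": "Online"},
    {"Hostname": "web-02", "OS Family": "Linux", "Status": "Offline"},
    {"Hostname": "db-01", "OS Family": "Linux", "Status": "Online"},
    {"Hostname": "hr-laptop-7", "OS Family": "Windows", "Status": "Online"},
]
if __name__ == "__main__":
    print(check_syntax('(((Hostname startswith "web")))'))  # nested three levels deep
    q = '(Hostname startswith "web" OR Hostname startswith "db") AND Status = "Online"'
    print(check_syntax(q), [h["Hostname"] for h in run_query(q, HOSTS)])
```

check_syntax plays the role of the UI indicator: "ok" for the green tick, "error: ..." for the red exclamation mark, and an unbalanced or over-nested parenthesis is reported as such rather than as a generic failure. AND binds tighter than OR here, as in most query languages; when the intended grouping is not obvious, spend one of the two permitted nesting levels on parentheses instead of relying on precedence.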
Execute queries
To execute a query, click the Search icon to the right of the query bar.
Pin queries
Pinning a query applies it on every page of the UI where it is relevant. A pinned query is not always meaningful on every applicable page, but while it stays pinned each applicable page opens in the filtered view.
For example, a query that filters by OS family applies to both the Alerts and Hosts pages, but is not meaningful on the Policies and Files pages.
Bookmark queries
You can bookmark queries as you bookmark websites in a web browser. Bookmarks let you save the operand and operator combinations you use often, and complex queries, for reuse.
Bookmarks can be Private (restricted to the user who created the query) or Public (available to anyone on the tenant). See Bookmark filter queries for more details.
Running complex queries is resource-intensive; the time taken to fetch the results depends on the complexity of the query.