Filter tab
Use the Filter tab of the page to focus the report on the data that is most relevant to you. For example, apply the Action filter and display only incidents with the action Block. Apply as many filters as needed.
For each filter to apply:
- Select the filters in the Filter by pane on the left.
- Select Enable filter in the properties pane.
- Apply properties to the filter in the properties pane.
The filters that are available vary depending on the type of report. Filters and their properties are described below.
- Data Loss Prevention filters
- Discovery filters
Data Loss Prevention filters
| Filter | Description |
|---|---|
| Action | Filter incidents by the action (including those on endpoints) that was performed on the incident. Select the check box for each action to be displayed. Incidents with the following actions can be displayed: In addition to the default actions, DLP actions configured in the Forcepoint Security Manager are listed (Forcepoint Email Security and Forcepoint Data Security for Cloud Email only). |
| Analyzed by | Filters by the name of the server component that analyzed the incident. |
| Application Name | Filter incidents by the name of applications found in the incidents. Select the applications to include in the report. |
| Assigned to | Filter incidents by the person to whom they are assigned. Unassigned displays all incidents that have not been assigned to any administrator. Because filters can be available for all administrators, checking the Assigned to current administrator check box displays incidents assigned to the administrator who is currently logged onto the Security Manager. Assigned to selected administrators enables you to select specific administrators whose assigned incidents you want to display. |
| Business Unit | Filter incidents by the business unit to which they are assigned. |
| Channel | Limit which channels’ incidents are displayed in the report. The list of available channels depends on channels configured in the Security Manager. If one or more email filters is selected, specify the email direction to display: inbound, outbound, or internal. Email direction is available only for those with the Forcepoint Email Security module, endpoint agent, or protector. For the endpoint application filter, select the operations to display in the report. For example, choose Paste to display all endpoint incidents where users pasted sensitive data into a document. It is also possible to view incidents from the Discovery channel or DLP Cloud Applications channels. Select DLP Cloud Applications to view incidents detected when users uploaded, downloaded, or shared files with cloud applications such as Office365 or Box. (Enable the Cloud Applications service at Settings > General > Services.) |
| Classifier Matches | Display specific classifiers whose thresholds have been exceeded. For example, select a dictionary classifier with profanity in it, and set its threshold to 3. The report displays only incidents where more than 3 terms from this dictionary were detected. Click Edit to add or remove content classifiers to the filter, then select a threshold for each. |
| Classifier Type | Select which content classifier type should be displayed in the incident list (key phrases, dictionaries, etc.). |
| Destination | Set the incident list to display only incidents that were directed at specific destinations. Select Enable filter to select destinations from your resource list or enter them as free text. Choose which method you want to use from the drop-down list. If your free text includes a comma, enclose the value in quotes. For example: “Doe, John”. If you have a role in which source and destination information is hidden for privacy reasons, this filter is not available. Note that the filter returns values from all columns describing the destination, such as URL category, hostname, IP address, and domain. Complex filters can affect performance. See Selecting items to include or exclude in a policy for more details on using this selector. |
| Details | Filter incidents using the details listed in the Properties tab, such as the subject in an SMTP incident or the URL in an HTTP incident. |
| Detected by | Display only incidents that were detected by specific Forcepoint DLP modules. Select each module to be displayed. The list of available modules depends on which modules were configured on the System Modules page. |
| Endpoint Type | Filter incidents according to the type of endpoint client, e.g., laptop or static device (such as workstations). In the Filter Properties pane, select the endpoint type. |
| Event ID | Filter incidents using ID numbers assigned to the event. |
| Event Time | Filter incidents by the date and time the policy engine first saw a transaction. An event is any transaction being analyzed. (An incident is an event that breaches policy.) Select a date range, then select a time of day. Date Range: For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8:00 to 5:00 on April 1, 8:00 to 5:00 on April 2, and 8:00 to 5:00 on every other day of April, up to and including April 30. Time of Day: By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range. For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m. If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around. |
| File Name | Filter using the name and size of the attachment or file. You can select Any size to choose any file size or select a minimum or maximum file size using the At least and At most options. You can choose to add or remove terms to be used as file names using the Include and Exclude options. You can enter the term (wildcards can be used), and click Add. You can use the Remove option to remove an item from the list. Continue until all required file names have been added. Note: Complex filters can affect performance. |
| File properties | Filter to include incidents with the following file properties: |
| History | Filter incidents by the date, administrator, or details contained on the incident History tab. For example, display all incidents that jdoe closed during March 2017. Enter the text for which to search. It is possible to search for all or part of the detail text. For example, enter “closed” to search for incidents that were closed during a certain period. As always, this filter depends on the other filters that have been selected, such as Incident Time and Ignored Incident. To filter only by history, define a large range for Incident Time, then define the history filter. Note that complex filters can affect performance. |
| ID | Filter by the unique number assigned to an incident. To set an ID, use one of the following, and then enter the ID. |
| Ignored Incident | Filter in or out incidents marked as ignored. By default, ignored incidents are filtered out of all reports. |
| Incident Tag | Filter incidents by a previously defined tag (see Tagging incidents). Select the tags by which to filter the report and click Add. Continue until all required tags have been added. These can be used to group incidents for external applications. Note that complex filters can affect performance. |
| Incident Time | Filter incidents by the date and time they were written to the database. An incident is an event that breaches policy. (An event is any transaction being analyzed.) Select a date range, then select a time of day. Date Range: For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8:00 to 5:00 on April 1, 8:00 to 5:00 on April 2, and 8:00 to 5:00 on every other day of April, up to and including April 30. Time of Day: By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range. For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m. If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around. |
| Policy | Filters incidents based on the policies that were violated by the content. Use the All policies check box or the individual check boxes for different policies to set the policy’s incidents to be displayed in the incident list. |
| Released Incident | Filter in or out SMTP incidents that have been released by an administrator (a reports remediation option). |
| Risk Level | If you are using Risk-Adaptive Protection, this column reflects the source's risk level, which is determined on a scale from 1 to 5. The following risk levels are available: |
| Rule Name | Filter incidents by the rules they triggered. |
| Severity | Select the severity of incidents to display. Select High if you want to display incidents of high severity, and so on. Select as many severity levels as desired. |
| Source | View only incidents that were initiated by specific sources. Select sources from the resource list or enter them as free text. Choose which method to use from the drop-down list. If a free text entry includes a comma, enclose the value in quotes. For example: “Doe, John”. If there is a role in which source and destination information is hidden for privacy reasons, optionally enter one or more source IDs. Note that the filter returns values from all columns describing the source, such as URL category, hostname, IP address, and domain. Complex filters can affect performance. See Selecting items to include or exclude in a policy for more details on using this selector. |
| Status | Select which incidents to show by their status—for example, New, Closed, In Process, False Positive, or Escalated. It is not possible to filter by statuses that have been deleted from the system. |
| Top Matches | Filter according to the rule that triggers the most matches. For example, if rules A, B, and C trigger incidents in MyPolicy, the one that has the most matches would be included. |
| Transaction Size | Select the size of incidents to display. It is possible to display incidents greater than a certain size (in KB), or between two sizes. |
| Violation Triggers | Select which incident triggers to display in the incident list. In the field, enter a violation trigger of interest and click Add. Continue until all required triggers have been added. Note that complex filters can affect performance. |
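The Event Time and Incident Time filters above combine a date range with a daily time-of-day window, and the off-peak case (5 p.m. to 8 a.m. the next day) crosses midnight. This added example, which is not Forcepoint code, reproduces that selection logic over a constructed list of incident timestamps; the inclusive boundary handling and the midnight wrap-around rule are assumptions made here to illustrate the semantics.

```python
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import List, Optional, Tuple

# Constructed sample incidents (not real data): (incident id, event time).
SAMPLE_INCIDENTS: List[Tuple[int, datetime]] = [
    (1, datetime(2009, 4, 1, 9, 30)),   # Apr 1, business hours
    (2, datetime(2009, 4, 1, 23, 15)),  # Apr 1, late night
    (3, datetime(2009, 4, 2, 17, 0)),   # Apr 2, exactly 5 p.m.
    (4, datetime(2009, 4, 15, 3, 45)),  # Apr 15, early morning
    (5, datetime(2009, 4, 30, 8, 0)),   # Apr 30, exactly 8 a.m.
    (6, datetime(2009, 5, 1, 10, 0)),   # May 1, outside the date range
]

@dataclass(frozen=True)
class TimeFilter:
    """Date range plus an optional daily time-of-day window.

    tod_from/tod_to of None means "Entire day". A window whose start is
    later than its end (e.g. 17:00 -> 08:00) is assumed to span midnight,
    so "5 p.m. to 8 a.m. the next day" selects the off-peak hours.
    Both window boundaries are treated as inclusive (an assumption).
    """
    date_from: date
    date_to: date
    tod_from: Optional[time] = None
    tod_to: Optional[time] = None

    def in_date_range(self, ts: datetime) -> bool:
        return self.date_from <= ts.date() <= self.date_to

    def in_time_of_day(self, ts: datetime) -> bool:
        if self.tod_from is None or self.tod_to is None:
            return True  # Entire day
        t = ts.time()
        if self.tod_from <= self.tod_to:  # same-day window, e.g. 08:00-17:00
            return self.tod_from <= t <= self.tod_to
        # wrap-around window, e.g. 17:00-08:00: evening OR early morning
        return t >= self.tod_from or t <= self.tod_to

    def matches(self, ts: datetime) -> bool:
        # The date range is evaluated first, then the daily window is applied
        # to every day inside that range, as the filter description states.
        return self.in_date_range(ts) and self.in_time_of_day(ts)

def filter_incidents(incidents: List[Tuple[int, datetime]], flt: TimeFilter) -> List[int]:
    """Return the ids of incidents that satisfy both parts of the filter."""
    return [iid for iid, ts in incidents if flt.matches(ts)]

# The documented example: April 2009, 8 a.m. to 5 p.m. on every day of the range.
BUSINESS_HOURS = TimeFilter(date(2009, 4, 1), date(2009, 4, 30), time(8, 0), time(17, 0))
# The off-peak variant: same dates, 5 p.m. to 8 a.m. the next day.
OFF_PEAK = TimeFilter(date(2009, 4, 1), date(2009, 4, 30), time(17, 0), time(8, 0))
# No time-of-day restriction ("Entire day").
ENTIRE_DAY = TimeFilter(date(2009, 4, 1), date(2009, 4, 30))

if __name__ == "__main__":
    print("business hours:", filter_incidents(SAMPLE_INCIDENTS, BUSINESS_HOURS))  # [1, 3, 5]
    print("off-peak:", filter_incidents(SAMPLE_INCIDENTS, OFF_PEAK))  # [2, 3, 4, 5]
    print("entire day:", filter_incidents(SAMPLE_INCIDENTS, ENTIRE_DAY))  # [1, 2, 3, 4, 5]
```

Incidents 3 and 5 sit exactly on a window boundary and therefore appear in both the business-hours and off-peak results; whether the product treats the boundary as inclusive is not stated on this page.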
Discovery filters
| Filter | Description |
|---|---|
| Action | View only incidents with no action or specific actions (for example, Applied a file label). |
| Analyzed by | Filters by the name of the server component that analyzed the incident. |
| Assigned to | Filter incidents by the person to whom they are assigned. Unassigned displays all incidents that have not been assigned to any administrator. Because filters can be available for all administrators, checking the Assigned to current administrator check box displays incidents assigned to the administrator who is currently logged onto the Forcepoint Security Manager. Assigned to selected administrators enables you to select specific administrators whose assigned incidents you want to display. |
| Channel | Limit which channels’ incidents are displayed in the report. The list of available channels depends on channels configured in the Security Manager. Email Direction is available only for those with the Forcepoint Email Security module, endpoint agent, or protector. |
| Classifier Matches | Select which specific content classifiers should be displayed in the incident list. |
| Classifier Type | Select which content classifier type should be displayed in the incident list (key phrases, dictionaries, etc.). |
| Current labels | Select incidents to display in the report according to the current labels on their files. |
| Date Accessed | To see when data in violation of policy was accessed, use this filter, then select dates and times. Display incidents for data accessed within the last x days, within a date range, or on exact dates. It is also possible to specify time periods. |
| Date Created | To see when a file in violation of policy was created, use this filter, then select dates and times. Display incidents for data created within the last x days, within a date range, or on exact dates. It is also possible to specify time periods. |
| Date Modified | To see when a file in violation of policy was modified, use this filter, then select dates and times. Display incidents for data modified within the last x days, within a date range, or on exact dates. It is also possible to specify time periods. |
| Details | Filter incidents using the details listed in the Properties tab, such as the subject in an SMTP incident or the URL in an HTTP incident. |
| Detected by | Set the incident list to display only incidents that were detected by specific Forcepoint DLP modules. Select each module of interest. The list of available modules depends on which modules were configured on the System Modules page. |
| Discovery Task | Select the discovery tasks to display in the report. |
| Discovery Type | Select the type of discovery to display in the report: File System, Endpoint, SharePoint, SharePoint Online, Database, Exchange, Exchange Online, Outlook PST, and/or Domino. |
| Endpoint Type | Filter incidents according to the type of endpoint client, e.g., laptop or static device. |
| Event ID | Filter incidents using ID numbers assigned to the event. |
| Event Time | Select incidents by the date and time the policy engine first saw the transaction. For filter properties, select one of the following: |
| File labeling status | View incidents with specific labeling status(es), e.g., Labeling succeeded or Partially labeled. |
| File Name | Filter using the name of the detected file. You can choose to add or remove terms to be used as file names using the Include and Exclude options. You can enter the term (wildcards can be used), and click Add. You can use the Remove option to remove an item from the list. Continue until all required file names have been added. Note: Complex filters can affect performance. |
| File Owner | Filter incidents by file owner. Type a valid owner name into the field box, then click Add. |
| File Permissions | Filter incidents by file permissions. Type a standard Access Control List (ACL) permission into the field box (such as USER name, password, services, or roles), then click Add. The values apply to all file-system scanning and Windows shares. Split multiple rows by commas and single rows by colons. For example: Unix user\ramon:rwx,Unix Group\developers:r-x,\Everyone:r-- |
| File properties | Select file properties to include in the report (for example, Protected by Microsoft Information Protection and Marked by Microsoft Information Protection). |
| File Size | Filter incidents by file size, then choose the size of the file to include in the report. |
| Folder | View incidents from a certain folder or folders. Type a valid folder name into the field box, then click Add. |
| Folder Owner | Filter incidents by folder owner. Type a valid owner name into the field box, then click Add. |
| History | Filter incidents by the date, administrator, or details contained on the incident History tab. For example, display all incidents that jdoe closed during March 2017. Enter the text for which to search. It is possible to search for all or part of the detail text. For example, enter “closed” to search for incidents that were closed during a certain period. As always, this filter depends on the other filters that have been selected, such as Incident Time and Ignored Incident. To filter only by history, define a large range for Incident Time, then define the history filter. Note that complex filters can affect performance. |
| Hostname | Filter incidents by the host on which they were detected. Type a valid hostname into the field box, then click Add. |
| ID | Filter by the unique number assigned to an incident. To set an ID, use one of the following, and then enter the ID. |
| Ignored Incident | Filter in or out incidents marked as ignored. By default, ignored incidents are filtered out of all reports. |
| Incident Tag | Filter incidents by a previously defined tag (see Tagging incidents). Select the tags by which to filter the report and click Add. Continue until all required tags have been added. Use these tags to group incidents for external applications. Note that complex filters can affect performance. |
| Incident Time | Filter incidents by the date and time they were written to the database. Select the time for the incidents to display. |
| IP Address | Filter incidents by the host on which they were detected. Type a valid IP address into the field box, then click Add. |
| Labeled by DLP | Select incidents to display in the report according to the labels that were added to their files by DLP. |
| Locked | Use this filter to show incidents that are locked or unlocked. There are two options: Locking an incident prevents it from being overwritten with new data in subsequent scans. (To lock an incident, choose Workflow > Lock in the Discovery incident report.) |
| Mailbox Type | This filter applies only to Exchange discovery. |
| More Details1 and More Details2 | Filters based on more information about the incident. |
| Policy | Filters incidents based on the policies that were violated by the content. Use the All policies check box or the individual check boxes for different policies to set the policy’s incidents to be displayed in the incident list. |
| Previous labels | Select incidents to display in the report according to the labels that were on their files before the DLP action. |
| Rule Name | Filter incidents by the rules they triggered. |
| Severity | Select the severity of incidents to display. Select High to display incidents of high severity, and so on. Select as many severity levels as desired. |
| Status | Select which incidents to show by their status—for example, New, Closed, In Process, False Positive, or Escalated. It is not possible to filter by statuses that have been deleted from the system. |
| Top Matches | Filter according to the rule that triggers the most matches. For example, if rules A, B, and C trigger incidents in MyPolicy, the one that has the most matches would be included. |
| Transaction Size | Select the size of incidents to display. Display incidents greater than a certain number of KB, or between x KB and y KB. |
| Violation Triggers | Select which incident triggers to display in the incident list. In the field, enter the list of violation triggers to be displayed, separated by commas. Note that complex filters can affect performance. |
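The File Permissions filter above takes an ACL string in which rows are separated by commas and each row is split by a colon into a principal and an rwx triad. This added example, which is not Forcepoint code, parses that format, rejects malformed rows, and applies the parsed entries to a constructed set of discovery incidents; the matching rule (every requested principal must carry exactly the requested triad) is an assumption made here, not one the page states.

```python
import re
from typing import Dict, List, Tuple

# One ACL row is "<principal>:<perms>", where perms is a three-character rwx
# triad with "-" for a missing bit, e.g. "Unix user\ramon:rwx".
_PERMS_RE = re.compile(r"^[r-][w-][x-]$")

def parse_acl_filter(text: str) -> List[Tuple[str, str]]:
    """Parse the File Permissions string: rows split by commas, each row split by a colon."""
    entries: List[Tuple[str, str]] = []
    for row in text.split(","):
        row = row.strip()
        if not row:
            continue  # tolerate a trailing comma
        # rpartition keeps any colon inside the principal name with the principal
        principal, sep, perms = row.rpartition(":")
        if not sep or not principal:
            raise ValueError(f"malformed ACL row (expected principal:perms): {row!r}")
        if not _PERMS_RE.match(perms):
            raise ValueError(f"malformed permission triad in {row!r}: {perms!r}")
        entries.append((principal, perms))
    return entries

def acl_matches(file_acl: Dict[str, str], wanted: List[Tuple[str, str]]) -> bool:
    """True when the file's ACL carries every (principal, perms) pair the filter asks for."""
    return all(file_acl.get(principal) == perms for principal, perms in wanted)

def filter_by_permissions(incidents: List[Tuple[str, str]], filter_text: str) -> List[str]:
    """Return the paths of incidents whose ACL satisfies the filter string."""
    wanted = parse_acl_filter(filter_text)
    return [path for path, acl_text in incidents
            if acl_matches(dict(parse_acl_filter(acl_text)), wanted)]

# Constructed discovery incidents (not real data): (file path, ACL in the same format).
SAMPLE_INCIDENTS: List[Tuple[str, str]] = [
    (r"\\fileserver\finance\payroll.xlsx",
     r"Unix user\ramon:rwx,Unix Group\developers:r-x,\Everyone:r--"),
    (r"\\fileserver\eng\design.docx",
     r"Unix user\ramon:rwx,Unix Group\developers:rwx"),
    (r"\\fileserver\public\readme.txt",
     r"\Everyone:r--"),
]

if __name__ == "__main__":
    # Files that are world-readable AND give developers read/execute only.
    print(filter_by_permissions(SAMPLE_INCIDENTS, r"Unix Group\developers:r-x,\Everyone:r--"))
    # Files readable by Everyone, whatever the other entries say.
    print(filter_by_permissions(SAMPLE_INCIDENTS, r"\Everyone:r--"))
```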