Filter tab
Use the Filter tab of the page to focus the report on the data that is most relevant to you. For example, apply the Action filter and display only incidents with the action Block. Apply as many filters as needed. For each filter to apply:
- Select the filters in the Filter by pane on the left.
- Select Enable filter in the properties pane.
- Apply properties to the filter in the properties pane.
The filters that are available vary depending on the type of report. Filters and their properties are described below.
- Data Loss Prevention filters
- Mobile Device filters
- Discovery filters
Data Loss Prevention filters
Filter | Description |
---|---|
Action | Filter incidents by the action (including those on endpoints) that was performed on the incident. Select the check box for each action to be displayed. Incidents with the following actions can be displayed: In addition to the default actions, DLP actions configured in the Forcepoint Security Manager are listed (Forcepoint Email Security only). |
Application Name | Filter incidents by the name of applications found in the incidents. Select the applications to include in the report. |
Assigned to | Filter incidents by the person to whom they are assigned. Unassigned displays all incidents that have not been assigned to any administrator. Because filters can be available for all administrators, checking the Assigned to current administrator check box displays incidents assigned to the administrator who is currently logged onto the Security Manager. Assigned to selected administrators enables you to select specific administrators whose assigned incidents you want to display. |
Business Unit | Filter incidents by the business unit to which they’re assigned. |
Channel | Limit which channels’ incidents are displayed in the report. The list of available channels depends on channels configured in the Security Manager. If one or more email filters is selected, specify the email direction to display: inbound, outbound, or internal. Email direction is available only for those with the Forcepoint Email Security module, endpoint agent, or protector. For the endpoint application filter, select the operations to display in the report. For example, choose Paste to display all endpoint incidents where users pasted sensitive data into a document. It is also possible to view incidents from the Discovery channel or DLP Cloud Applications channels. Select DLP Cloud Applications to view incidents detected when users uploaded, downloaded, or shared files with cloud applications such as Office365 or Box. (Enable the Cloud Applications service at Settings > General > Services.) |
Classifier Matches | Display specific classifiers whose thresholds have been exceeded. For example, select a dictionary classifier with profanity in it, and set its threshold to 3. The report displays only incidents where more than 3 terms from this dictionary were detected. Click Edit to add or remove content classifiers to the filter, then select a threshold for each. |
Classifier Type | Select which content classifier type should be displayed in the incident list (key phrases, dictionaries, etc.). |
Destination | Set the incident list to display only incidents that were directed at specific destinations. Select Enable filter to select destinations from your resource list or enter them as free text. Choose which method you want to use from the drop-down list. If your free text includes a comma, enclose the value in quotes. For example: “Doe, John”. If you have a role in which source and destination information is hidden for privacy reasons, this filter is not available. Note that the filter returns values from all columns describing the destination, such as URL category, hostname, IP address, and domain. Complex filters can affect performance. See Selecting items to include or exclude in a policy for more details on using this selector. |
Detected by | Display only incidents that were detected by specific Forcepoint DLP modules. Select each module to be displayed. The list of available modules depends on which modules were configured on the System Modules page. |
Endpoint Type | Filter incidents according to the type of endpoint client, e.g., laptop or static device (such as workstations). In the Filter Properties pane, select the endpoint type. |
Event Time | Filter incidents by the date and time the policy engine first saw a transaction. An event is any transaction being analyzed. (An incident is an event that breaches policy.) Select a date range, then select a time of day. Date Range: For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8-5:00 on April 1, 8-5:00 on April 2, and 8-5:00 all other days of April, up to and including April 30. Time of Day: By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range. For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m. If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around. |
File Name | Filter in or out incidents involving certain files. Enter the file name (wildcards can be used), and click Add. Continue until all required file names have been added. Note that complex filters can affect performance. |
History | Filter incidents by the date, administrator, or details contained on the incident History tab. For example, display all incidents that jdoe closed during March 2017. Enter the text for which to search. It is possible to search for all or part of the detail text. For example, enter “closed” to search for incidents that were closed during a certain period. As always, this filter depends on the other filters that have been selected, such as Incident Time and Ignored Incident. To filter only by history, define a large range for Incident Time, then define the history filter. Note that complex filters can affect performance. |
Ignored Incident | Filter in or out ignored incidents. By default, ignored incidents are filtered out of all reports. |
Incident Tag | Filter incidents by a previously-defined tag. (See Tagging incidents). Select the tags by which to filter the report and click Add. Continue until all required tags have been added. These can be used to group incidents for external applications. Note that complex filters can affect performance. |
Incident Time | Filter incidents by the date and time they were written to the database. An incident is an event that breaches policy. (An event is any transaction being analyzed.) Select a date range, then select a time of day. Date Range: For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8-5:00 on April 1, 8-5:00 on April 2, and 8-5:00 all other days of April, up to and including April 30. Time of Day: By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range. For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m. If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around. |
Policy | Use the check boxes provided to set which policy’s incidents are displayed in the incident list. |
Released Incident | Filter in or out SMTP incidents that have been released by an administrator (a reports remediation option). |
Rule Name | Filter incidents by the rules they triggered. |
Severity | Select the severity of incidents to display. Select High if you want to display incidents of high severity, and so on. Select as many severity levels as desired. |
Source | View only incidents that were initiated by specific sources. Select sources from the resource list or enter them as free text. Choose which method to use from the drop-down list. If a free text entry includes a comma, enclose the value in quotes. For example: “Doe, John”. If there is a role in which source and destination information is hidden for privacy reasons, optionally enter one or more source IDs. Note that the filter returns values from all columns describing the source, such as URL category, hostname, IP address, and domain. Complex filters can affect performance. See Selecting items to include or exclude in a policy for more details on using this selector. |
Status | Select which incidents to show by their status—for example, New, Closed, In Process, False Positive, or Escalated. It is not possible to filter by statuses that have been deleted from the system. |
Top Matches | Filter according to the rule that triggers the most matches. For example, if rules A, B, and C trigger incidents in MyPolicy, the one that has the most matches would be included. |
Total Size | Select the size of incidents to display. It is possible to display incidents greater than a certain size (in KB), or between 2 sizes. |
Violation Triggers | Select which incident triggers to display in the incident list. In the field, enter a violation trigger of interest and click Add. Continue until all required triggers have been added. Note that complex filters can affect performance. |
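
The date-range and time-of-day logic described for the Event Time and Incident Time filters, sketched as an added example (not Forcepoint code) for applying the same business-hours or off-hours filter to incident data outside the console. The records are constructed, and the field names, the half-open window boundaries, and reading "midnight April 30" as the end of that day are assumptions.

```python
from datetime import datetime, time

# Constructed sample incidents; "id" and "incident_time" are assumed field names.
INCIDENTS = [
    {"id": 1, "incident_time": datetime(2009, 4, 1, 2, 15)},   # before range start
    {"id": 2, "incident_time": datetime(2009, 4, 1, 9, 30)},   # business hours
    {"id": 3, "incident_time": datetime(2009, 4, 2, 17, 0)},   # exactly 5 p.m.
    {"id": 4, "incident_time": datetime(2009, 4, 15, 23, 40)}, # late evening
    {"id": 5, "incident_time": datetime(2009, 4, 16, 3, 5)},   # after midnight
    {"id": 6, "incident_time": datetime(2009, 4, 30, 16, 59)}, # last day of range
    {"id": 7, "incident_time": datetime(2009, 5, 1, 0, 0)},    # at range end
]

# Date range from the page's example: 5:00 a.m. on April 1, 2009 to
# midnight April 30, 2009 (assumed to mean the end of April 30, exclusive).
RANGE_START = datetime(2009, 4, 1, 5, 0)
RANGE_END = datetime(2009, 5, 1, 0, 0)


def in_time_of_day(t, tod_from, tod_to):
    """Return True if clock time t lies in [tod_from, tod_to).

    A window whose end is not later than its start (for example
    5 p.m. to 8 a.m.) wraps past midnight into the next day.
    """
    if tod_from < tod_to:
        return tod_from <= t < tod_to
    return t >= tod_from or t < tod_to


def filter_incidents(incidents, range_start, range_end,
                     tod_from=None, tod_to=None):
    """Apply the date range first, then the per-day time-of-day window.

    tod_from=None corresponds to the "Entire day" option: only the
    date range is checked.
    """
    selected = []
    for inc in incidents:
        ts = inc["incident_time"]
        if not (range_start <= ts < range_end):
            continue  # outside the date range, whatever the time of day
        if tod_from is not None and not in_time_of_day(ts.time(), tod_from, tod_to):
            continue  # inside the range but outside the daily window
        selected.append(inc)
    return selected


def matching_ids(incidents, range_start, range_end, tod_from=None, tod_to=None):
    """Convenience wrapper returning only the incident ids."""
    return [inc["id"] for inc in
            filter_incidents(incidents, range_start, range_end, tod_from, tod_to)]


if __name__ == "__main__":
    print("Entire day :", matching_ids(INCIDENTS, RANGE_START, RANGE_END))
    print("8am to 5pm :", matching_ids(INCIDENTS, RANGE_START, RANGE_END,
                                       time(8), time(17)))
    print("5pm to 8am :", matching_ids(INCIDENTS, RANGE_START, RANGE_END,
                                       time(17), time(8)))
```

Incident 1 falls inside the overnight window but is still excluded, because the date range is evaluated before the time of day.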
Mobile Device filters
Filter | Description |
---|---|
Action | Filter incidents by the action that was performed on the incident. Select the check box for each action to be displayed. |
Assigned to | Filter incidents by the person to whom they are assigned. Unassigned displays all incidents that have not been assigned to any administrator. Because filters can be available for all administrators, checking the Assigned to current administrator check box displays incidents assigned to the administrator who is currently logged onto the Forcepoint Security Manager. Assigned to selected administrators enables you to select specific administrators whose assigned incidents you want to display. |
Business Unit | Filter incidents by the business unit to which they’re assigned. |
Classifier Matches | Display specific classifiers whose thresholds have been exceeded. For example, select a dictionary classifier with profanity in it, and set its threshold to 3. The report displays only incidents where more than 3 terms from this dictionary were detected. Click Edit to add or remove content classifiers to the filter, then select a threshold for each. |
Classifier Type | Select which content classifier type should be displayed in the incident list (key phrases, dictionaries, etc.) |
Destination | Set the incident list to display only incidents that were directed at specific destinations. You can select destinations from your resource list or enter them as free text. Choose which method you want to use from the drop-down list. If your free text includes a comma, enclose the value in quotes. For example: “Doe, John”. If you have a role in which source and destination information is hidden for privacy reasons, this filter is not available. Note that the filter returns values from all columns describing the destination, such as URL category, hostname, IP address, and domain. Complex filters can affect performance. See Selecting items to include or exclude in a policy for more details on using this selector. |
Detected by | Set the incident list to display only incidents that were detected by specific Forcepoint DLP modules. Select each module to be displayed. The list of available modules depends on which modules were configured on the Security Manager System Modules page. |
Device Details | Display incidents that match certain device criteria. |
Device User | Display only incidents for specific mobile-device users. Select users from the resource list or enter identifying information manually. When using the resource list: For free text, type a name, email address, or other information in the text box. Note that complex filters can affect performance. |
Event Time | Filter incidents by the date and time the policy engine first saw a transaction. An event is any transaction being analyzed. (An incident is an event that breaches policy.) Select a date range, then select a time of day. Date Range: For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8-5:00 on April 1, 8-5:00 on April 2, and 8-5:00 all other days of April, up to and including April 30. Time of Day: By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range. For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m. If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around. |
File Name | Filter in or out incidents involving certain files. Enter the file name (wildcards can be used), and click Add. Continue until you’ve added all you need. Note that complex filters can affect performance. |
History | Filter incidents by the date, administrator, or details contained on the incident History tab. For example, display all incidents that jdoe closed during March 2017. Enter the text for which to search. It is possible to search for all or part of the detail text. For example, enter “closed” to search for incidents that were closed during a certain period. As always, this filter depends on the other filters that have been selected, such as Incident Time and Ignored Incident. To filter only by history, define a large range for Incident Time, then define the history filter. Note that complex filters can affect performance. |
Ignored Incident | Filter in or out ignored incidents. By default, ignored incidents are filtered out of all reports. |
Incident Tag | Filter incidents by a previously-defined tag (see Tagging incidents). Select the tags by which to filter the report and click Add. Continue until all required tags have been added. Use these tags to group incidents for external applications. Note that complex filters can affect performance. |
Incident Time | Filter incidents by the date and time they were written to the database. An incident is an event that breaches policy. (An event is any transaction being analyzed.) Select a date range, then select a time of day. Date Range: For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8-5:00 on April 1, 8-5:00 on April 2, and 8-5:00 all other days of April, up to and including April 30. Time of Day: By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range. For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m. If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around. |
Policy | Use the check boxes provided to set which policy’s incidents are displayed in the incident list. |
Released Incident | Filter in or out SMTP incidents that have been released by an administrator (a reports remediation option). |
Rule Name | Filter incidents by the rules they triggered. |
Severity | Select the severity of incidents to display. Select High to display incidents of high severity, and so on. Select as many severity levels as desired. |
Source | View only incidents that were directed at specific sources. Select sources from the resource list or enter them as free text. Choose which method to use from the drop-down list. If the free text includes a comma, enclose the value in quotes. For example: “Doe, John”. If there is a role in which source and destination information is hidden for privacy reasons, optionally enter one or more source IDs. Note that the filter returns values from all columns describing the source, such as URL category, hostname, IP address, and domain. Complex filters can affect performance. See Selecting items to include or exclude in a policy. |
Status | Select which incidents to show by their status—for example, New, Closed, In Process, False Positive, or Escalated. It is not possible to filter by statuses that have been deleted from the system. |
Synced by | Display incidents on messages that were synchronized by a certain number of mobile-device users. For example, you want to know when the same violating message was synchronized by more than 10 users. |
Top Matches | Filter according to the rule that triggers the most matches. For example, if rules A, B, and C trigger incidents in MyPolicy, the one that has the most matches would be included. |
Total Size | Select the size of incidents to display. You can display incidents greater than a certain size (in KB), or between 2 sizes. |
Transaction Type | Display only incidents of a certain type, then select the types: email, calendar event, or tasks. |
Violation Triggers | Select which incident triggers to display in the incident list. In the field, enter a violation trigger of interest and click Add. Continue until you’ve added all you need. Note that complex filters can affect performance. |
Discovery filters
Filter | Description |
---|---|
Action | View only incidents with no action or specific actions (for example, Applied a file label). |
Assigned to | Filter incidents by the person to whom they are assigned. Unassigned displays all incidents that have not been assigned to any administrator. Because filters can be available for all administrators, checking the Assigned to current administrator check box displays incidents assigned to the administrator who is currently logged onto the Forcepoint Security Manager. Assigned to selected administrators enables you to select specific administrators whose assigned incidents you want to display. |
Channel | Limit which channels’ incidents are displayed in the report. The list of available channels depends on channels configured in the Security Manager. Email Direction is available only for those with the Forcepoint Email Security module, endpoint agent, or protector. |
Content Classifier Name | Select which specific content classifiers should be displayed in the incident list. |
Content Classifier Type | Select which content classifier type should be displayed in the incident list (key phrases, dictionaries, etc.). |
Current Labels | Select incidents to display in the report according to the current labels on their files. |
Date Accessed | To see when data in violation of policy was accessed, use this filter, then select dates and times. Display incidents for data accessed within the last x days, within a date range, or on exact dates. It is also possible to specify time periods. |
Date Created | To see when a file in violation of policy was created, use this filter, then select dates and times. Display incidents for data created within the last x days, within a date range, or on exact dates. It is also possible to specify time periods. |
Date Modified | To see when a file in violation of policy was modified, use this filter, then select dates and times. Display incidents for data modified within the last x days, within a date range, or on exact dates. It is also possible to specify time periods. |
Detected by | Set the incident list to display only incidents that were detected by specific Forcepoint DLP modules. Select each module of interest. The list of available modules depends on which modules were configured on the System Modules page. |
Discovery Task | Select the discovery tasks to display in the report. |
Discovery Type | Select the type of discovery to display in the report: File System, Endpoint, SharePoint, SharePoint Online, Database, Exchange, Exchange Online, Outlook PST, and/or Domino. |
Endpoint Type | Filter incidents according to the type of endpoint client, e.g., laptop or static device. |
Event Time | Select incidents by the date and time the policy engine first saw the transaction. For filter properties, select one of the following: |
File Labeling Status | View incidents with specific labeling status(es), e.g., Labeling succeeded or Partially labeled. |
File Name | Filter in or out incidents involving certain files. Enter the file name (wildcards can be used), and click Add. Continue until all required files have been added. Note that complex filters can affect performance. |
File Owner | Filter incidents by file owner. Type a valid owner name into the field box, then click Add. |
File Permissions | Filter incidents by file permissions. Type a standard Access Control List (ACL) permission into the field box (such as USER name, password, services, or roles), then click Add. The values apply to all file-system scanning and Windows shares. Split multiple rows by commas and single rows by colons. For example: Unix user\ramon:rwx,Unix Group\developers:r-x,\Everyone:r-- |
File Properties | Select file properties to include in the report (for example, Protected by Microsoft Information Protection and Marked by Microsoft Information Protection). |
File Size | Filter incidents by file size, then choose the size of the file to include in the report. |
Folder | View incidents from a certain folder or folders. Type a valid folder name into the field box, then click Add. |
Folder Owner | Filter incidents by folder owner. Type a valid owner name into the field box, then click Add. |
History | Filter incidents by the date, administrator, or details contained on the incident History tab. For example, display all incidents that jdoe closed during March 2017. Enter the text for which to search. It is possible to search for all or part of the detail text. For example, enter “closed” to search for incidents that were closed during a certain period. As always, this filter depends on the other filters that have been selected, such as Incident Time and Ignored Incident. To filter only by history, define a large range for Incident Time, then define the history filter. Note that complex filters can affect performance. |
Host Name | Filter incidents by the host on which they were detected. Type a valid hostname into the field box, then click Add. |
Ignored Incident | Filter in or out ignored incidents. By default, ignored incidents are filtered out of all reports. |
Incident Tag | Filter incidents by a previously defined tag (see Tagging incidents). Select the tags by which to filter the report and click Add. Continue until all required tags have been added. Use these tags to group incidents for external applications. Note that complex filters can affect performance. |
Incident Time | Filter incidents by the date and time they were written to the database. Select the time for the incidents to display. |
IP Address | Filter incidents by the host on which they were detected. Type a valid IP address into the field box, then click Add. |
Labeled by DLP | Select incidents to display in the report according to the labels that were added to their files by DLP. |
Locked | Use this filter to show incidents that are locked or unlocked. There are two options: Locking an incident prevents it from being overwritten with new data in subsequent scans. (To lock an incident, choose Workflow > Lock in the Discovery incident report.) |
Mailbox Type | This filter applies only to Exchange discovery. |
Policy | Use the check boxes provided to set which policy’s incidents are displayed in the incident list. |
Previous Labels | Select incidents to display in the report according to the labels that were on their files before the DLP action. |
Rule Name | Filter incidents by the rules they triggered. |
Severity | Select the severity of incidents to display. Select High to display incidents of high severity, and so on. Select as many severity levels as desired. |
Status | Select which incidents to show by their status—for example, New, Closed, In Process, False Positive, or Escalated. It is not possible to filter by statuses that have been deleted from the system. |
Top Matches | Filter according to the rule that triggers the most matches. For example, if rules A, B, and C trigger incidents in MyPolicy, the one that has the most matches would be included. |
Total Size | Select the size of incidents to display. Display incidents greater than a certain number of KB, or between x KB and y KB. |
Violation Triggers | Select which incident triggers to display in the incident list. In the field, enter the list of violation triggers to be displayed, separated by commas. Note that complex filters can affect performance. |