Filter tab

Use the Filter tab of the Report Catalog > Edit Report page to focus the report on the data that is most relevant to you. For example, apply the Action filter and display only incidents with the action Block. Apply as many filters as needed.

For each filter to apply:

  1. Select the filters in the Filter by pane on the left.
  2. Select Enable filter in the properties pane.
  3. Apply properties to the filter in the properties pane.

The filters that are available vary depending on the type of report. Filters and their properties are described below.

  • Data Loss Prevention filters
  • Mobile Device filters
  • Discovery filters

Data Loss Prevention filters

Filter Description
Action

Filter incidents by the action (including those on endpoints) that was performed on the incident. Select the check box for each action to be displayed.

Incidents with the following actions can be displayed:

  • Permitted
  • Blocked
  • Attachment(s) dropped
  • Quarantined
  • Encrypted with profile key
  • Encrypted with user password
  • Denied (confirmed)
  • Continued (confirmed)

In addition to the default actions, DLP actions configured in the Forcepoint Security Manager are listed (Forcepoint Email Security only).

Application Name Filter incidents by the name of applications found in the incidents. Select the applications to include in the report.
Assigned to Filter incidents by the person to whom they are assigned. Unassigned displays all incidents that have not been assigned to any administrator. Because filters can be available for all administrators, checking the Assigned to current administrator check box displays incidents assigned to the administrator who is currently logged onto the Security Manager. Assigned to selected administrators enables you to select specific administrators whose assigned incidents you want to display.
Business Unit Filter incidents by the business unit to which they’re assigned.
Channel

Limit which channels’ incidents are displayed in the report. The list of available channels depends on channels configured in the Security Manager.

If one or more email filters are selected, specify the email direction to display: inbound, outbound, or internal. Email direction is available only for those with the Forcepoint Email Security module, endpoint agent, or protector.

For the endpoint application filter, select the operations to display in the report. For example, choose Paste to display all endpoint incidents where users pasted sensitive data into a document.

It is also possible to view incidents from the Discovery channel or DLP Cloud Applications channels.

Select DLP Cloud Applications to view incidents detected when users uploaded, downloaded, or shared files with cloud applications such as Office365 or Box. (Enable the Cloud Applications service at Settings > General > Services.)

Classifier Matches

Display specific classifiers whose thresholds have been exceeded. For example, select a dictionary classifier with profanity in it, and set its threshold to 3. The report displays only incidents where more than 3 terms from this dictionary were detected.

Click Edit to add or remove content classifiers to the filter, then select a threshold for each.

Classifier Type Select which content classifier type should be displayed in the incident list (key phrases, dictionaries, etc.).
Destination

Set the incident list to display only incidents that were directed at specific destinations.

Select Enable filter to select destinations from your resource list or enter them as free text. Choose which method you want to use from the drop-down list. If your free text includes a comma, enclose the value in quotes. For example: “Doe, John”.

If you have a role in which source and destination information is hidden for privacy reasons, this filter is not available.

Note that the filter returns values from all columns describing the destination, such as URL category, hostname, IP address, and domain.

Complex filters can affect performance.

See Selecting items to include or exclude in a policy for more details on using this selector.

Detected by Display only incidents that were detected by specific Forcepoint DLP modules. Select each module to be displayed. The list of available modules depends on which modules were configured on the System Modules page.
Endpoint Type Filter incidents according to the type of endpoint client, e.g., laptop or static device (such as workstations). In the Filter Properties pane, select the endpoint type.
Event Time

Filter incidents by the date and time the policy engine first saw a transaction. An event is any transaction being analyzed. (An incident is an event that breaches policy.)

Select a date range, then select a time of day.

Date Range

  • Last n days - Select this option to display incidents from the last n days, then select the number of interest. For example, display incidents from the last 30 days.
  • Time period - Select this option to display incidents that transpired in a set period of time, then select the period. Example: last 24 hours, this week, or last month.
  • Exact date and time - Select this option to display incidents that transpired during a time period that you define, then select the From and To dates and times from the drop-down lists.

For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8 a.m. to 5 p.m. on April 1, 8 a.m. to 5 p.m. on April 2, and 8 a.m. to 5 p.m. on all other days of April, up to and including April 30.

Time of Day

By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range.

  • Entire day - Select Entire day to show all incidents during the date range, no matter what time of day they took place.
  • From ... to ... - Select this option to show only incidents from a specific period.

For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m.

If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around.

File Name

Filter in or out incidents involving certain files. Enter the file name (wildcards can be used), and click Add. Continue until all required file names have been added.

Note that complex filters can affect performance.

History

Filter incidents by the date, administrator, or details contained on the incident History tab. For example, display all incidents that jdoe closed during March 2017.

  • Select Filter by date to specify the date and time of the actions that were taken. Only actions during this period are included in the report. Select a date range and time of day.
  • Select Filter by administrator to specify the administrator who performed the listed workflow action. Enter the administrator name or names. Separate multiple names by commas. For example: Type “jdoe, bsmith” to view incidents that jdoe and bsmith acted on.
  • Select Filter by details to specify details shown on the incident’s History tab. Details are automatically added when a workflow action is taken, such as “incident assigned to jdoe.” If administrators add comments to the incident (Workflow > Add Comments), those are appended to the workflow details.

Enter the text for which to search. It is possible to search for all or part of the detail text. For example, enter “closed” to search for incidents that were closed during a certain period.

As always, this filter depends on the other filters that have been selected, such as Incident Time and Ignored Incident. To filter only by history, define a large range for Incident Time, then define the history filter.

Note that complex filters can affect performance.

Ignored Incident Filter in or out ignored incidents. By default, ignored incidents are filtered out of all reports.
Incident Tag

Filter incidents by a previously defined tag (see Tagging incidents). Select the tags by which to filter the report and click Add. Continue until all required tags have been added.

These can be used to group incidents for external applications. Note that complex filters can affect performance.

Incident Time

Filter incidents by the date and time they were written to the database. An incident is an event that breaches policy. (An event is any transaction being analyzed.)

Select a date range, then select a time of day.

Date Range

  • Last n days - Select this option to display incidents from the last n days, then select the number of interest. For example, display incidents from the last 30 days.
  • Time period - Select this option to display incidents that transpired in a set period of time, then select the period. Example: last 24 hours, this week, or last month.
  • Exact date and time - Select this option to display incidents that transpired during a time period that you define, then select the From and To dates and times from the drop-down lists.

For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8 a.m. to 5 p.m. on April 1, 8 a.m. to 5 p.m. on April 2, and 8 a.m. to 5 p.m. on all other days of April, up to and including April 30.

Time of Day

By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range.

  • Entire day - Select Entire day to show all incidents during the date range, no matter what time of day they took place.
  • From ... to ... - Select this option to show only incidents from a specific period.

For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m.

If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around.

Policy Use the check boxes provided to set which policy’s incidents are displayed in the incident list.
Released Incident Filter in or out SMTP incidents that have been released by an administrator (a reports remediation option).
Rule Name Filter incidents by the rules they triggered.
Severity Select the severity of incidents to display. Select High if you want to display incidents of high severity, and so on. Select as many severity levels as desired.
Source

View only incidents that were initiated by specific sources. Select sources from the resource list or enter them as free text. Choose which method to use from the drop-down list. If a free text entry includes a comma, enclose the value in quotes. For example: “Doe, John”.

If there is a role in which source and destination information is hidden for privacy reasons, optionally enter one or more source IDs.

Note that the filter returns values from all columns describing the source, such as URL category, hostname, IP address, and domain.

Complex filters can affect performance.

See Selecting items to include or exclude in a policy for more details on using this selector.

Status Select which incidents to show by their status—for example, New, Closed, In Process, False Positive, or Escalated. It is not possible to filter by statuses that have been deleted from the system.
Top Matches Filter according to the rule that triggers the most matches. For example, if rules A, B, and C trigger incidents in MyPolicy, the one that has the most matches would be included.
Total Size Select the size of incidents to display. It is possible to display incidents greater than a certain size (in KB), or between 2 sizes.
Violation Triggers

Select which incident triggers to display in the incident list. In the field, enter a violation trigger of interest and click Add. Continue until all required triggers have been added.

Note that complex filters can affect performance.

Mobile Device filters

Filter Description
Action Filter incidents by the action that was performed on the incident. Select the check box for each action to be displayed.
Assigned to Filter incidents by the person to whom they are assigned. Unassigned displays all incidents that have not been assigned to any administrator. Because filters can be available for all administrators, checking the Assigned to current administrator check box displays incidents assigned to the administrator who is currently logged onto the Forcepoint Security Manager. Assigned to selected administrators enables you to select specific administrators whose assigned incidents you want to display.
Business Unit Filter incidents by the business unit to which they’re assigned.
Classifier Matches

Display specific classifiers whose thresholds have been exceeded. For example, select a dictionary classifier with profanity in it, and set its threshold to 3. The report displays only incidents where more than 3 terms from this dictionary were detected.

Click Edit to add or remove content classifiers to the filter, then select a threshold for each.

Classifier Type Select which content classifier type should be displayed in the incident list (key phrases, dictionaries, etc.).
Destination

Set the incident list to display only incidents that were directed at specific destinations. You can select destinations from your resource list or enter them as free text. Choose which method you want to use from the drop-down list. If your free text includes a comma, enclose the value in quotes. For example: “Doe, John”.

If you have a role in which source and destination information is hidden for privacy reasons, this filter is not available.

Note that the filter returns values from all columns describing the destination, such as URL category, hostname, IP address, and domain.

Complex filters can affect performance.

See Selecting items to include or exclude in a policy for more details on using this selector.

Detected by Set the incident list to display only incidents that were detected by specific Forcepoint DLP modules. Select each module to be displayed. The list of available modules depends on which modules were configured on the Security Manager System Modules page.
Device Details

Display incidents that match certain device criteria.

  1. In the Field menu, indicate whether to filter by device name, ID, user agent, model, operating system, or type.
  2. Indicate whether the field should contain a certain value or be empty.
  3. Enter a value in the blank text box.
  4. Click Add.
Device User

Display only incidents for specific mobile-device users. Select users from the resource list or enter identifying information manually.

When using the resource list:

  • Use the Display field to indicate whether to pick from directory entries, business units, or custom users.
  • Enter a search term in the Filter by field.
  • Click the filter button.
  • Select items from the available list. See Selecting items to include or exclude in a policy.

For free text, type a name, email address, or other information in the text box. Note that complex filters can affect performance.

Event Time

Filter incidents by the date and time the policy engine first saw a transaction. An event is any transaction being analyzed. (An incident is an event that breaches policy.)

Select a date range, then select a time of day.

Date Range

  • Last n days - Select this option to display incidents from the last n days, then select the number of interest. For example, display incidents from the last 30 days.
  • Time period - Select this option to display incidents that transpired in a set period of time, then select the period. Example: last 24 hours, this week, or last month.
  • Exact date and time - Select this option to display incidents that transpired during a time period that you define, then select the From and To dates and times from the drop-down lists.

For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8 a.m. to 5 p.m. on April 1, 8 a.m. to 5 p.m. on April 2, and 8 a.m. to 5 p.m. on all other days of April, up to and including April 30.

Time of Day

By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range.

  • Entire day - Select Entire day to show all incidents during the date range, no matter what time of day they took place.
  • From ... to ... - Select this option to show only incidents from a specific period.

For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m.

If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around.

File Name

Filter in or out incidents involving certain files. Enter the file name (wildcards can be used), and click Add. Continue until you’ve added all you need.

Note that complex filters can affect performance.

History

Filter incidents by the date, administrator, or details contained on the incident History tab. For example, display all incidents that jdoe closed during March 2017.

  • Select Filter by date to specify the date and time of the actions that were taken. Only actions during this period are included in the report. Select a date range and time of day.
  • Select Filter by administrator to specify the administrator who performed the listed workflow action. Enter the administrator name or names. Separate multiple names by commas. For example: Type “jdoe, bsmith” to view incidents that jdoe and bsmith acted on.
  • Select Filter by details to specify details shown on the incident’s History tab. Details are automatically added when a workflow action is taken, such as “incident assigned to jdoe.” If administrators add comments to the incident (Workflow > Add Comments), those are appended to the workflow details.

Enter the text for which to search. It is possible to search for all or part of the detail text. For example, enter “closed” to search for incidents that were closed during a certain period.

As always, this filter depends on the other filters that have been selected, such as Incident Time and Ignored Incident. To filter only by history, define a large range for Incident Time, then define the history filter.

Note that complex filters can affect performance.

Ignored Incident Filter in or out ignored incidents. By default, ignored incidents are filtered out of all reports.
Incident Tag

Filter incidents by a previously-defined tag (see Tagging incidents). Select the tags by which to filter the report and click Add. Continue until all required tags have been added.

Use these tags to group incidents for external applications. Note that complex filters can affect performance.

Incident Time

Filter incidents by the date and time they were written to the database. An incident is an event that breaches policy. (An event is any transaction being analyzed.)

Select a date range, then select a time of day.

Date Range

  • Last n days - Select this option to display incidents from the last n days, then select the number of interest. For example, display incidents from the last 30 days.
  • Time period - Select this option to display incidents that transpired in a set period of time, then select the period. Example: last 24 hours, this week, or last month.
  • Exact date and time - Select this option to display incidents that transpired during a time period that you define, then select the From and To dates and times from the drop-down lists.

For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8 a.m. to 5 p.m. on April 1, 8 a.m. to 5 p.m. on April 2, and 8 a.m. to 5 p.m. on all other days of April, up to and including April 30.

Time of Day

By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range.

  • Entire day - Select Entire day to show all incidents during the date range, no matter what time of day they took place.
  • From ... to ... - Select this option to show only incidents from a specific period.

For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m.

If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around.

Policy Use the check boxes provided to set which policy’s incidents are displayed in the incident list.
Released Incident Filter in or out SMTP incidents that have been released by an administrator (a reports remediation option).
Rule Name Filter incidents by the rules they triggered.
Severity Select the severity of incidents to display. Select High to display incidents of high severity, and so on. Select as many severity levels as desired.
Source

View only incidents that were directed at specific sources. Select sources from the resource list or enter them as free text. Choose which method to use from the drop-down list. If the free text includes a comma, enclose the value in quotes. For example: “Doe, John”.

If there is a role in which source and destination information is hidden for privacy reasons, optionally enter one or more source IDs.

Note that the filter returns values from all columns describing the source, such as URL category, hostname, IP address, and domain.

Complex filters can affect performance.

See Selecting items to include or exclude in a policy.

Status Select which incidents to show by their status—for example, New, Closed, In Process, False Positive, or Escalated. It is not possible to filter by statuses that have been deleted from the system.
Synced by

Display incidents on messages that were synchronized by a certain number of mobile-device users.

For example, use this filter to find out when the same violating message was synchronized by more than 10 users.

Top Matches Filter according to the rule that triggers the most matches. For example, if rules A, B, and C trigger incidents in MyPolicy, the one that has the most matches would be included.
Total Size Select the size of incidents to display. You can display incidents greater than a certain size (in KB), or between 2 sizes.
Transaction Type Display only incidents of certain transaction types. Select the types to display: email, calendar event, or tasks.
Violation Triggers

Select which incident triggers to display in the incident list. In the field, enter a violation trigger of interest and click Add. Continue until you’ve added all you need.

Note that complex filters can affect performance.
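How the Date Range and Time of Day properties of the Event Time and Incident Time filters combine, including an off-peak window that crosses midnight, as an added example (not Forcepoint code). The incident records, field names and the half-open boundary handling are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, time

# Constructed sample incidents (not product output): id, event time, source.
INCIDENTS = [
    {"id": 1, "event_time": datetime(2009, 4, 1, 4, 30), "source": "jdoe"},
    {"id": 2, "event_time": datetime(2009, 4, 1, 9, 15), "source": "jdoe"},
    {"id": 3, "event_time": datetime(2009, 4, 2, 22, 40), "source": "bsmith"},
    {"id": 4, "event_time": datetime(2009, 4, 15, 3, 5), "source": "bsmith"},
    {"id": 5, "event_time": datetime(2009, 4, 30, 16, 59), "source": "jdoe"},
    {"id": 6, "event_time": datetime(2009, 5, 1, 8, 30), "source": "bsmith"},
    {"id": 7, "event_time": datetime(2009, 4, 10, 17, 0), "source": "jdoe"},
]

# "Exact date and time" range from the page's example: 5:00 a.m. on April 1
# through the end of April 30 (upper bound treated as exclusive; assumption).
DATE_FROM = datetime(2009, 4, 1, 5, 0)
DATE_TO = datetime(2009, 5, 1, 0, 0)

BUSINESS_HOURS = (time(8, 0), time(17, 0))   # From 8 a.m. to 5 p.m.
OFF_PEAK = (time(17, 0), time(8, 0))         # 5 p.m. to 8 a.m. the next day


def in_time_of_day(ts, start, end):
    """True if the clock time of ts falls in [start, end).

    A window whose start is later than its end wraps past midnight, so
    17:00-08:00 matches both 22:40 and 03:05.
    """
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def filter_incidents(incidents, date_from, date_to, time_of_day=None):
    """Apply the date range first, then the optional time-of-day window.

    time_of_day=None models "Entire day". The window is evaluated on every
    day inside the date range, not just on the first and last day.
    """
    selected = []
    for inc in incidents:
        ts = inc["event_time"]
        if not (date_from <= ts < date_to):
            continue
        if time_of_day is not None and not in_time_of_day(ts, *time_of_day):
            continue
        selected.append(inc)
    return selected


def ids(incidents):
    return [inc["id"] for inc in incidents]


def off_peak_by_source(incidents, date_from, date_to):
    """Count off-peak incidents per source, a quick triage view of night activity."""
    hits = filter_incidents(incidents, date_from, date_to, OFF_PEAK)
    return Counter(inc["source"] for inc in hits)


if __name__ == "__main__":
    print("Entire day:    ", ids(filter_incidents(INCIDENTS, DATE_FROM, DATE_TO)))
    print("8 a.m.-5 p.m.: ", ids(filter_incidents(INCIDENTS, DATE_FROM, DATE_TO, BUSINESS_HOURS)))
    print("5 p.m.-8 a.m.: ", ids(filter_incidents(INCIDENTS, DATE_FROM, DATE_TO, OFF_PEAK)))
    print("Off-peak by source:", dict(off_peak_by_source(INCIDENTS, DATE_FROM, DATE_TO)))
```

Incident 1 falls before the 5:00 a.m. start of the range and incident 6 after its end, so neither appears in any view regardless of the time-of-day setting.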

Discovery filters

Filter Description
Action View only incidents with no action or specific actions (for example, Applied a file label).
Assigned to Filter incidents by the person to whom they are assigned. Unassigned displays all incidents that have not been assigned to any administrator. Because filters can be available for all administrators, checking the Assigned to current administrator check box displays incidents assigned to the administrator who is currently logged onto the Forcepoint Security Manager. Assigned to selected administrators enables you to select specific administrators whose assigned incidents you want to display.
Channel

Limit which channels’ incidents are displayed in the report.

The list of available channels depends on channels configured in the Security Manager.

Email Direction is available only for those with the Forcepoint Email Security module, endpoint agent, or protector.

Content Classifier Name Select which specific content classifiers should be displayed in the incident list.
Content Classifier Type Select which content classifier type should be displayed in the incident list (key phrases, dictionaries, etc.).
Current Labels Select incidents to display in the report according to the current labels on their files.
Date Accessed

To see when data in violation of policy was accessed, use this filter, then select dates and times.

Display incidents for data accessed within the last x days, within a date range, or on exact dates. It is also possible to specify time periods.

Date Created

To see when a file in violation of policy was created, use this filter, then select dates and times.

Display incidents for data created within the last x days, within a date range, or on exact dates. It is also possible to specify time periods.

Date Modified

To see when a file in violation of policy was modified, use this filter, then select dates and times.

Display incidents for data modified within the last x days, within a date range, or on exact dates. It is also possible to specify time periods.

Detected by Set the incident list to display only incidents that were detected by specific Forcepoint DLP modules. Select each module of interest. The list of available modules depends on which modules were configured on the System Modules page.
Discovery Task Select the discovery tasks to display in the report.
Discovery Type Select the type of discovery to display in the report: File System, Endpoint, SharePoint, SharePoint Online, Database, Exchange, Exchange Online, Outlook PST, and/or Domino.
Endpoint Type Filter incidents according to the type of endpoint client, e.g., laptop or static device.
Event Time

Select incidents by the date and time the policy engine first saw the transaction.

For filter properties, select one of the following:

  • Last nn days - Select the number of days from the spinner.
  • Time period - Select the range from the drop-down list. Example: last 24 hours or this week.
  • Exact dates - Select the From and To dates from the drop-down lists.
File Labeling Status View incidents with specific labeling status(es), e.g., Labeling succeeded or Partially labeled.
File Name

Filter in or out incidents involving certain files. Enter the file name (wildcards can be used), and click Add. Continue until all required files have been added.

Note that complex filters can affect performance.

File Owner Filter incidents by file owner. Type a valid owner name into the field box, then click Add.
File Permissions

Filter incidents by file permissions. Type a standard Access Control List (ACL) permission into the field box (such as USER name, password, services, or roles), then click Add. The values apply to all file-system scanning and Windows shares.

Split multiple rows by commas and single rows by colons. For example:

Unix user\ramon:rwx,Unix Group\developers:r-x,\Everyone:r--

File Properties Select file properties to include in the report (for example, Protected by Microsoft Information Protection and Marked by Microsoft Information Protection).
File Size Filter incidents by file size, then choose the size of the file to include in the report.
Folder View incidents from a certain folder or folders. Type a valid folder name into the field box, then click Add.
Folder Owner Filter incidents by folder owner. Type a valid owner name into the field box, then click Add.
History

Filter incidents by the date, administrator, or details contained on the incident History tab. For example, display all incidents that jdoe closed during March 2017.

  • Select Filter by date to specify the date and time of the actions that were taken. Only actions during this period are included in the report. Select a date range and time of day.
  • Select Filter by administrator to specify the administrator who performed the listed workflow action. Enter the administrator name or names. Separate multiple names by commas. For example: Type “jdoe, bsmith” to view incidents that jdoe and bsmith acted on.
  • Select Filter by details to specify details shown on the incident’s History tab. Details are automatically added when a workflow action is taken, such as “incident assigned to jdoe.” If administrators add comments to the incident (Workflow > Add Comments), those are appended to the workflow details.

Enter the text for which to search. It is possible to search for all or part of the detail text. For example, enter “closed” to search for incidents that were closed during a certain period.

As always, this filter depends on the other filters that have been selected, such as Incident Time and Ignored Incident. To filter only by history, define a large range for Incident Time, then define the history filter.

Note that complex filters can affect performance.

Host Name Filter incidents by the host on which they were detected. Type a valid hostname into the field box, then click Add.
Ignored Incident Filter in or out ignored incidents. By default, ignored incidents are filtered out of all reports.
Incident Tag

Filter incidents by a previously defined tag (see Tagging incidents). Select the tags by which to filter the report and click Add. Continue until all required tags have been added.

Use these tags to group incidents for external applications. Note that complex filters can affect performance.

Incident Time Filter incidents by the date and time they were written to the database. Select the time for the incidents to display.
IP Address Filter incidents by the host on which they were detected. Type a valid IP address into the field box, then click Add.
Labeled by DLP Select incidents to display in the report according to the labels that were added to their files by DLP.
Locked

Use this filter to show incidents that are locked or unlocked. There are two options:

  • Show only locked incidents (and not unlocked incidents)
  • Exclude locked incidents (and show only unlocked incidents)

Disable the filter to display both locked and unlocked incidents.

Locking an incident prevents it from being overwritten with new data in subsequent scans. (To lock an incident, choose Workflow > Lock in the Discovery incident report.)

Mailbox Type

This filter applies only to Exchange discovery.

  • Select Private mailbox to display incidents from private mailboxes.
  • Select Public mailbox to display incidents from public mailboxes.

Both can be selected at the same time.
Policy Use the check boxes provided to set which policy’s incidents are displayed in the incident list.
Previous Labels Select incidents to display in the report according to the labels that were on their files before the DLP action.
Rule Name Filter incidents by the rules they triggered.
Severity Select the severity of incidents to display. Select High to display incidents of high severity, and so on. Select as many severity levels as desired.
Status Select which incidents to show by their status—for example, New, Closed, In Process, False Positive, or Escalated. It is not possible to filter by statuses that have been deleted from the system.
Top Matches Filter according to the rule that triggers the most matches. For example, if rules A, B, and C trigger incidents in MyPolicy, the one that has the most matches would be included.
Total Size Select the size of incidents to display. Display incidents greater than a certain number of KB, or between x KB and y KB.
Violation Triggers

Select which incident triggers to display in the incident list. In the field, enter the list of violation triggers to be displayed, separated by commas.

Note that complex filters can affect performance.
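A pre-check for the File Permissions filter value described above (rows separated by commas, principal and permission separated by a colon), as an added example that is not Forcepoint code. It assumes the permission is an rwx-style triad as in the page's sample value; other permission notations are not covered, and the function name is hypothetical.

```python
import re

# Assumption: permissions look like the page's sample value (rwx, r-x, r--).
PERMISSION_RE = re.compile(r"^[r-][w-][x-]$")


def parse_permission_filter(value):
    """Split a File Permissions filter value into (principal, permission) rows.

    Returns (rows, errors). Rows are separated by commas; within a row the
    last colon separates the principal from the permission. Malformed rows
    are reported instead of being silently dropped, so a typo such as a
    stray space inside the permission is caught before it yields an empty
    report.
    """
    rows, errors = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing or doubled comma
        principal, sep, permission = entry.rpartition(":")
        if not sep or not principal:
            errors.append((entry, "expected principal:permission"))
            continue
        if not PERMISSION_RE.match(permission):
            errors.append((entry, "permission is not an rwx-style triad"))
            continue
        rows.append((principal, permission))
    return rows, errors


# Sample value from the page, and a constructed malformed variant.
GOOD = r"Unix user\ramon:rwx,Unix Group\developers:r-x,\Everyone:r--"
BAD = r"Unix user\ramon:rwx,Unix Group\developers:r- x,\Everyone"

if __name__ == "__main__":
    for label, value in (("good", GOOD), ("bad", BAD)):
        rows, errors = parse_permission_filter(value)
        print(label, "rows:", rows)
        print(label, "errors:", errors)
```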