Issue
- You want to filter using multiple criteria and search for a specific detection
Solution
Click Add filter and select a filter from the drop-down menu or type a string. The available filter list is detailed below.
Dashboard
- Time—Filter by the time of occurrence.
Computers
- ESET Inspect Connector version—Filter by the version of ESET Inspect Connector deployed on the specific computer
- Alert count—Filter by the number of ESET PROTECT On-Prem related alerts
- AVG Received events/24H—Filter by the average number of received events during 24 hours.
- AVG Stored events/24H—Filter by the average number of stored events during 24 hours; the number depends on the Settings, Data Retention and Data collection settings
- Description—Filter by the description of the computer, taken from ESET PROTECT On-Prem
- Endpoint version—Filter by the version of Endpoint installed on that computer
- FQDN—Filter by the fully qualified domain name, which is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS)
- Group—Filter by the name of the group of computers a specific computer belongs to
- Information—Filter by the total count of unresolved informational detections on the computer
- Information (Unique)—Filter by the count of unique unresolved informational detections on the computer
- Isolated from network—Filter by the computer isolated from the network (only connections between ESET Security products are available)
- Last Change Date—Filter by the date when the object was last changed
- Last Change Type—Filter by the last change of the object (for example, marked as resolved, change of the priority)
- Last Changed By—Filter by the user who was the last one to change the object
- Last Connected—Filter by the permanent connection created to listen for notifications about blocked hashes, requests to download a file or kill a process; the refresh interval is 90 seconds.
- Last event—Filter by the timestamp of the last event sent to the server; the time when this event occurred on the computer, not when it was sent to the ESET Inspect Server
- Name—Filter by the computer, executable, exclusion, task, blocked hash or report name
- OS Name—Filter by the name of the operating system: Windows, macOS or Linux
- OS Platform—Filter by the operating system that is running on the specific computer: 32-bit or 64-bit
- OS Version—Filter by the version of EEA or EES deployed on the specific computer
- Received events from today—Filter by the number of events that occurred on the specific computer since midnight
- Resolved—Filter by the total count of resolved detections on a computer without regard for the severity
- Severity Score—Filter by the more precise definition of severity: 1–39 > Info, 40–69 > Warning, 70–100 > Threat
- Stored events from today—Filter by the number of computer events since midnight
- Threats—Filter by the total count of unresolved threat detections on the computer
- Threats (Unique)—Filter by the count of unique unresolved threat detections on the computer
- Unresolved—Filter by the total count of unresolved detections on the computer
- Unresolved (Unique)—Filter by the count of unique unresolved detections on the computer
- Warnings—Filter by the total count of unresolved warning detections on the computer
- Warnings (Unique)—Filter by the count of unique unresolved warning detections on the computer
Alerts
- Details—Filter by the text in the details column field
- Occurred—Filter by the time of occurrence of the alert; select earlier than or later than, and the desired time range
- Problem—Filter by the text of the problem of the alert
- Product—Filter by the text of the product of the alert
- Status—Filter by the name of the ESET PROTECT On-Prem alert status
- Subproduct—Filter by the text of the Subproduct
Detections
- Actions taken—Filter by the actions taken
- Blocked URL—Filter by the URL of the blocked detection if applicable
- Category—Filter by the category name that you can find among category tags in the Edit Rule section
- Command Line—Filter the detections by the command line filename
- Compromised—Filter by the compromised computers
- Computer—Filter by the computer name: equal, unequal to include or exclude specific names; in the Scripts tab, filter by the computer name where the detection triggered
- Detection Info—Filter by the detection of specific information: rule name in a rule detection, malware info in Antivirus detections, etc.
- Detection Type—Filter by the type of detection (Firewall, HIPS, Filtered Websites, Antivirus, Rule, Blocked)
- Executable—Filter by the name of the executable found in the detection details or in the Executable column: equal, unequal to include or exclude specific name
- First Seen (LiveGrid®)—Filter by when an executable was first seen on any computer connected to LiveGrid®
- Full name—Filter by the user's full name, if available from Active Directory
- Integrity Level—Filter by the level of integrity
- Job Position—Filter by the user's job position, if available from the Active Directory
- Last Change Date—Filter by the date when the object was last changed
- Last Change Type—Filter by the last change of the object
- Last Changed By—Filter by the last user to change the object
- MITRE ATT&CK™ TECHNIQUES—Filter by the ID of the MITRE ATT&CK™ TECHNIQUE
- Note—Filter by the Note
- Time Occurred—Filter by the time of occurrence: earlier than or later than and the desired time range
- Parent Process ID—Filter by the ID of the parent process that created this child process
- Parent Process Name—Filter by the name of the parent process that created this child process
- Parent Process SHA-1—Filter by the hash of the parent process
- Parent Process Signature Type—Filter by the parent process's file signature type: Trusted, Valid, None, Invalid or Unknown
- Parent Process Signer Name—Filter by the parent process's file signer name
- Popularity (LiveGrid®)—Filter by how many computers reported an executable to LiveGrid®
- Process ID—Filter by the Process ID found in detection details or in the Process Name (ID) column; you can choose whether it is greater than or equal to, or less than or equal to, the one you are looking for: Known—if the ID is known, Unknown—if the ID is unknown
- Process Name—Filter by the Process Name that you can find in the Detection details or the column Process Name (ID); you can choose whether it is equal or unequal to the one you are looking for
- Reputation (LiveGrid®)—Filter by the number from 1 to 9, indicating how safe the file is: 1–2 Red = malicious, 3–7 Yellow = suspicious and 8–9 Green = safe
- Resolved—Filter by the total count of resolved detections on a computer with no regard for the severity; in the detections view, it filters by the detection status, whether it was resolved or not
- Rule Actions—Filter by the rule actions
- Rule Name—Filter by the name of the rule (Default or Customized)
- Scanner—Filter by the type of Endpoint scanner that prevented the potential threat
- Severity Score—Filter by the more precise definition of severity: 1–39 > Info, 40–69 > Warning, 70–100 > Threat
- SHA-1—Filter by the executable's hash
- Signature Type—Filter by the signature type: Trusted, Valid, None, Invalid or Unknown
- Signer Name—Filter by the signer of the file
- Task Name—Filter by the task name from the Tasks tab
- Threat Name—Filter by the threat name, which can be found in this list: http://www.virusradar.com/en/threat_encyclopaedia
- Time Triggered—Filter by the time of triggering: earlier than, later than or equal and the desired time
- URI—Filter by the URI that caused this detection to trigger
- User Department—Filter by the user's department, if available from the Active Directory
- User Description—Filter by the user's description, if available from the Active Directory
- Username—Filter by the user account that was logged on the computer at the time of detection trigger
Search
- Author—Name of the user who was logged in at the time of creation or editing
- Progress—Filter by the progress of the task
- Results—Filter by the results, based on the object type
Incidents
- Assignee—Filter by the name of the Assignee
- Author—Name of the user who was logged in at the time of creation or editing
- Computers—Filter by the number of computers that the reporter created the report for
- Creation Time—Filter by the time of creation of the report
- Description—Filter by the description of the computer, taken from ESET PROTECT On-Prem; in Incidents, filter by the description provided by the reporter
- Detections—Filter by the number of detections triggered by this task; in Incidents, filter by the number of detections the report contains
- Executables—Filter by the number of executables that the report contains
- Last Update—Filter by the time of the last update of the report
- Name—Filter by the name of the computer, executable, exclusion, task, blocked hash or report
- Processes—Filter by the number of processes that the report contains
Executables
- Blocked—Filter by whether the executable's hash was blocked or not
- Company Name—Filter by the company that produced the executable (for example, "Microsoft Corporation" or "Standard Micro-systems Corporation, Inc.")
- DNS events—Filter by the total number of DNS events that the specific executable triggered
- Events/24h—Filter by the total amount of events within 24 hours
- Executable Drops—Filter by the number of dropped executables made by this executable
- Executed on Computers—Filter by the number of computers on which the file was executed
- Executions—Filter by how many times this .exe file was executed on all computers
- File Description—Filter by the full description of the file, for example, "Keyboard Driver for AT-Style Keyboards"
- File Modifications—Filter by how many files were modified (written to, deleted, renamed)
- File Version—Filter by the file's version number
- First Executed—Filter by when the executable was first executed on this computer
- First Seen—Filter by when an executable was first seen on any computer
- First Seen (LiveGrid®)—Filter by when an executable was first seen on any computer connected to LiveGrid®
- HTTP Events—Filter by the total number of HTTP events that the specific executable triggered
- Information—Filter by the total count of unresolved informational detections on the computer
- Information (Unique)—Filter by the count of unique unresolved informational detections on the computer
- Internal Name—Filter by the internal name of the file, if one exists
- Last Change Date—Filter by the date when the object was changed the last time
- Last Change Type—Filter by the last change of the object
- Last Changed By—Filter by the last user to change the object
- Last Executed—Filter by when an executable was last executed on any computer
- Last Processed on (ESET LiveGuard)—Filter by when an executable was last processed in ESET LiveGuard
- Name—Filter by the name of the computer, executable, exclusion, task, blocked hash or report name
- Nearmiss Report—Filter if the detection is triggered due to suspected malware
- Network Connections—Filter by the number of network connections this file makes
- Note—Filter by the Note
- Original File Name—Filter by the original file name, not including the path, which enables an app to determine whether a user has renamed a file
- Packer Name—Filter by the name of the packer, if an executable is packed
- Popularity (LiveGrid®)—Filter by how many computers reported an executable to LiveGrid®
- Product Name—Filter by the name of the product with which the file is distributed
- Product Version—Filter by the version of the product with which the file is distributed
- Registry Modifications—Filter by how many registry entries were modified
- Reputation (LiveGrid®)—Filter by the number from 1 to 9, indicating how safe the file is: 1–2 Red = malicious, 3–7 Yellow = suspicious and 8–9 Green = safe
- Resolved—Filter whether the detection is marked as Resolved
- Safe—Filter on executables marked as safe
- Seen on Computers—Filter by the number of computers where the file was discovered
- Sent Bytes—Filter by the total number of bytes sent by this file from all computers and all processes
- SFX Name—Filter by the self-extracting archive type if an executable is packed
- SHA-1—Filter by the executable's hash
- Signature CN #1—macOS only; same as the Windows product name column
- Signature CN #2—macOS only; same as the Windows file version column
- Signature CN #3—macOS only; same as the Windows product version column
- Signature CN #4—macOS only; same as the Windows internal name column
- Signature CN #5—macOS only; same as the Windows original filename
- Signature Id—macOS only; same as the Windows company name column
- Signature Type—Filter by the signature type: Trusted, Valid, None, Invalid or Unknown
- Signer Name—Filter by the signer of the file
- State (ESET LiveGuard)—Filter by the executable's present station in the analysis workflow
- Status (ESET LiveGuard)—Filter by the result of the behavioral analysis or the absence of a result: Unknown, Clean, Suspicious, Highly suspicious or Malicious
- Threats—Filter by the total count of unresolved threat detections on the computer
- Threats (Unique)—Filter by the count of unique unresolved threat detections on the computer
- Unresolved—Filter by the total count of unresolved detections on the computer
- Unresolved (Unique)—Filter by the count of unique unresolved detections on the computer
- User Id—macOS only; same as the Windows file description column
- Warnings—Filter by the total count of unresolved warning detections on the computer
- Warnings (Unique)—Filter by the count of unique unresolved warning detections on the computer
- Whitelist Type—Filter by the information if an executable is whitelisted
Scripts
- Command Line—Filter the detections by the command line filename
- Command Line Length—Filter by the length of the command line command (count of characters)
- Computer—Filter by the computer name. Select equal/unequal to include/exclude a specific name; in the Scripts tab, filter by the name of the computer where the detection triggered
- Ended—Filter by the time when the process was terminated
- First Child Module Name—Filter by the child process name
- First HTTP Request—Filter by the source HTTP address, if the script accesses the network
- Full name—Filter by the user's full name, if available from Active Directory
- Integrity Level—Filter by the level of integrity
- Job Position—Filter by the user's job position, if available from the Active Directory
- Last Change Date—Filter by the date when the object was last changed
- Last Change Type—Filter by the last change of the object
- Last Changed By—Filter by the last user to change the object
- Note—Filter by the Note
- Parent Module Name—Filter by the parent process name
- Process ID—Filter by the Process ID found in detection details or in the Process Name (ID) column; you can choose whether it is greater than or equal to, or less than or equal to, the one you are looking for: Known—if the ID is known, Unknown—if the ID is unknown (for example, executable blocked by hash)
- Process Name—Filter by the Process Name that you can find in the details of the Detection or in the column Process Name (ID)
- Resolved Detections—Filter by the total count of resolved detections on the specific computer with no regard to severity
- Safe—Filter by the safe state
- Started—Filter by the time when the process was executed, caused by this process
- Unresolved Detections (Unique)—Filter by the total count of unique unresolved detections on the specific computer
- User Department—Filter by the user's department, if available from the Active Directory
- User Description—Filter by the user's description, if available from the Active Directory
- Username—Filter by the user account that was logged on the computer at the time of the detection trigger
Questions
- Status—Filter by the status of the questions: Active, Accepted, Rejected, Resolved or Don't show
- Timestamp—Set the period: date and time
- Time—Filter by the time of occurrence
Rules
- Author—Name of the user who was logged in at the time of creation or editing
- Category—Filter by the category name that you can find among category tags in the Edit Rule section
- Enabled—Filter by the rule/exclusion: Enabled or disabled
- Hit Count—Filter by the count of detections that were excluded by this exclusion
- Last Change Date—Filter by the date when the object was last changed
- Last Change Type—Filter by the last change to the object
- Last Changed By—Filter by the last user to change the object
- MITRE ATT&CK™ TECHNIQUES—Filter by the ID of the MITRE ATT&CK™ TECHNIQUE that the rule contains
- OS Name—Filter by the name of the operating system: Windows, macOS or Linux
- Rule Actions—Filter by the rule actions
- Rule Body—Filter by the rule body
- Rule Name—Filter by the name of the rule: Default or Customized
- Severity Score—Filter by the more precise definition of severity: 1–39 > Info, 40–69 > Warning, 70–100 > Threat
- Valid—Filter by the rule with the wrong syntax and invalid tag
Exclusions
- Author—Name of the user who was logged in at the time of creation or editing
- Enabled—Filter by the rule/exclusion: Enabled or Disabled
- Hit Count—Filter by the count of detections that were excluded by this exclusion
- Last Change Date—Filter by the date when the object was changed the last time
- Last Change Type—Filter by the last change of the object (for example, marked as resolved, change of the priority)
- Last Changed By—Filter by the last user to change the object
- Name—Filter by the computer, executable, exclusion, task, blocked hash or report name
- Note—Filter by the Note
- Rule Name—Filter by the name of the rule: Default or Customized
Blocked Hashes
- Cleaned—Filter by when the file was cleaned
- File Description—Filter by the full file description
- First Seen (LiveGrid®)—Filter by when an executable was first seen on any computer connected to LiveGrid®
- Last Change Date—Filter by the date when the object was last changed
- Last Change Type—Filter by the last change to the object
- Last Changed By—Filter by the last user to change the object
- Name—Filter by the computer, executable, exclusion, task, blocked hash or report name
- Popularity (LiveGrid®)—Filter by how many computers reported an executable to LiveGrid®
- Reputation (LiveGrid®)—Filter by the number from 1 to 9, indicating how safe the file is: 1–2 Red = malicious, 3–7 Yellow = suspicious and 8–9 Green = safe
- SHA-1—Filter by the executable's hash
- Signature Type—Filter by the signature type: Trusted, Valid, None, Invalid or Unknown
- Signer Name—Filter by the file signer
Tasks
- Author—Name of the user who was logged in at the time of creation or editing
- Created—Filter by the time when the task was created
- Detections—Filter by the number of detections triggered by this task
- From Date—Filter by the date when the task started
- Group—Filter by the name of the group of computers a specific computer belongs to
- Last Change Date—Filter by the date when the object was changed the last time
- Last Change Type—Filter by the last change of the object (for example, marked as resolved, change of the priority)
- Last Changed By—Filter by the last user to change the object
- Name—Filter by the computer, executable, exclusion, task, blocked hash or report name
- Note—Filter by the Note
- Progress—Filter by the started task's progress
- Rule Name—Filter by the rule name: Default or Customized
- To date—Filter by the date the task ended
Event Filters
- Author—Name of the user who was logged in at the time of creation or editing
- Enabled—Filter by the rule/exclusion: Enabled or Disabled
- Filter Name—Filter by event filter name
- Hit Count—Filter by the count of detections that were excluded by this exclusion
- Last Change Date—Filter by the date when the object was last changed
- Last Change Type—Filter by an object's last change
- Last Changed By—Filter by the last user to change the object
- OS Name—Filter by the name of the operating system: Windows, macOS or Linux
- Rule Actions—Filter by the rule actions
- Valid—Filter by the rule with the wrong syntax and invalid tag
Audit Log
- Action—Select one of the available actions
- Section—Select one of the available sections
- Timestamp—Set the period: date and time
- User—Select the user who performed changes