Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Viewing Incidents and Reports > The report catalog > Editing a report > Filter tab
Filter tab
Administrator Help | Forcepoint DLP | Version 8.4.x
Related topics:
*
General tab
*
Table Properties tab
Use the Filter tab of the Report Catalog > Edit Report page to focus the report on the data that is most relevant to you. For example, you can apply the Action filter and display only incidents with the action Block. You can apply as many filters as needed.
For each filter that you want to apply:
1.
Select the filters in the Filter by pane on the left.
2.
Select Enable filter in the properties pane.
3.
Apply properties to the filter in the properties pane.
The filters that are available vary depending on the type of report. Filters and their properties are described below.
*
Data Loss Prevention filters
*
Mobile Device filters
*
Discovery filters
Data Loss Prevention filters
 
Filter
Description
Action
The Action filter enables you to filter incidents by the action (including those on endpoints) that was performed on the incident. Select the check box for each action to be displayed.
You can display incidents with the following actions:
*
Permitted
*
Blocked
*
Attachment(s) dropped
*
Quarantined
*
Encrypted with profile key
*
Encrypted with user password
*
Denied (confirmed)
*
Continued (confirmed)
In addition to the default actions, DLP actions configured in the Forcepoint Security Manager are listed (Forcepoint Email Security only).
Application Name
The Application Name filter enables you to filter incidents by the name of applications found in the incidents. Select the applications to include in the report.
Assigned to
The Assigned to filter enables you to filter incidents by the person to whom they are assigned. Unassigned displays all incidents that have not been assigned to any administrator. Because filters can be available for all administrators, checking the Assigned to current administrator check box displays incidents assigned to the administrator who is currently logged onto the Security Manager. Assigned to selected administrators enables you to select specific administrators whose assigned incidents you want to display.
Business Unit
The Business Unit filter enables you to filter incidents by the business unit to which they're assigned.
Channel
The Channel filter enables you to limit which channels' incidents are displayed in the report. The list of available channels depends on channels configured in the Security Manager.
If you choose one or more email filters, specify the email direction to display: inbound, outbound, or internal. Email direction is available only for those with the Forcepoint Email Security module, endpoint agent, or protector.
If you choose to apply the endpoint application filter, select the operations you want to display in the report. For example, choose Paste to display all endpoint incidents where users pasted sensitive data into a document.
You can also choose to view incidents from the Discovery channel or File Sync and Sharing channel.
Select File Sync and Sharing to view incidents detected when users synced or shared files with cloud services such as Microsoft OneDrive for Business or Box. Requires the DLP Cloud Applications agent.
Classifier Matches
This filter enables you to display specific classifiers whose thresholds have been exceeded. For example, select a dictionary classifier with profanity in it, and set its threshold to 3. The report displays only incidents where more than 3 terms from this dictionary were detected.
Click Edit to add or remove content classifiers to the filter, then select a threshold for each.
Classifier Type
The Content Classifier Type filter enables you to select which content classifier type should be displayed in the incident list (key phrases, dictionaries, etc.)
Cloud Service
The Cloud Service channel lets you view incidents from specific cloud services, such as those from Box. Requires the DLP Cloud Applications agent.
Destination
The Destination filter sets the incident list to display only incidents that were directed at specific destinations.
Select Enable filter to select destinations from your resource list or enter them as free text. Choose which method you want to use from the drop-down list. If your free text includes a comma, enclose the value in quotes. For example: "Doe, John".
If you have a role in which source and destination information is hidden for privacy reasons, this filter is not available.
Note that the filter returns values from all columns describing the destination, such as URL category, hostname, IP address, and domain.
Complex filters can affect performance.
See Selecting items to include or exclude in a policy for more details on using this selector.
Detected by
The Detected by filter sets the incident list to display only incidents intercepted that were detected by specific Forcepoint DLP modules. Select each module to be displayed. The list of available modules depends on which modules were configured on the Security Manager System Modules page.
Endpoint Type
The Endpoint Type filter enables you to filter incidents according to the type of endpoint client, e.g. laptop or static device (such as workstations). In the Filter Properties pane, select the endpoint type.
Event Time
The Event Time filter lets you filter incidents by the date and time the policy engine first saw a transaction. An event is any transaction being analyzed. (An incident is an event that breaches policy.)
Select a date range, then select a time of day.
Date Range
*
Last n days - Select this option to display incidents from the last n days, then select the number of interest. For example, display incidents from the last 30 days.
*
Time period - Select this option to display incidents that transpired in a set period of time, then select the period. Example: last 24 hours, this week, or last month.
*
Exact date and time - Select this option to display incidents that transpired during a time period that you define, then select the From and To dates and times from the drop-down lists.
For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8-5:00 on April 1, 8-5:00 on April 2, and 8-5:00 all other days of April, up to and including April 30.
Time of Day
By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range.
*
Entire day - Select Entire day to show all incidents during the date range, no matter what time of day they took place.
*
From ... to ... - Select this option to show only incidents from a specific period.
For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m.
If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around.
File Name
This filter enables you to filter in or out incidents involving certain files. Enter the file name (wildcards can be used), and click Add. Continue until you've added all you need.
Note that complex filters can affect performance.
History
History lets you filter incidents by the date, administrator, or details contained on the incident History tab. For example, you might display all incidents that jdoe closed during March 2011.
*
Select Filter by date if you are interested in the date and time of the actions that were taken on the incident. Only actions during this period are included in the report. Select a date range and time of day.
*
Select Filter by administrator to filter by the administrator who performed the listed workflow action. Enter the administrator names that you want to view. Separate multiple names by commas. For example: Type "jdoe, bsmith" to view incidents that jdoe and bsmith acted upon.
*
Select Filter by details to filter based on details shown on the incident's History tab. Details are automatically added when a workflow action is taken, such as "incident assigned to jdoe." If administrators add comments to the incident (Workflow > Add Comments), those are appended to the workflow details.
Enter the text for which to search. You can search for all or part of the detail text. For example, you might enter "closed" to search for incidents that were closed during a certain period.
As always, this filter depends on the other filters you define such as Incident Time and Ignored Incident. If you want to filter only by history, define a large range for Incident Time, then define the history filter.
Note that complex filters can affect performance.
Ignored Incident
The Ignored Incident filter lets you filter in or out ignored incidents. By default, ignored incidents are filtered out of all reports.
Incident Tag
Incident Tags let you filter incidents by a tag you earlier defined. (See Tagging incidents). Select the tags by which to filter the report and click Add. Continue until you've added all you need.
You can use these tags to group incidents for external applications.
Note that complex filters can affect performance.
Incident Time
This filter lets you filter incidents by the date and time they were written to the database. An incident is an event that breaches policy. (An event is any transaction being analyzed.)
Select a date range, then select a time of day.
Date Range
*
Last n days - Select this option to display incidents from the last n days, then select the number of interest. For example, display incidents from the last 30 days.
*
Time period - Select this option to display incidents that transpired in a set period of time, then select the period. Example: last 24 hours, this week, or last month.
*
Exact date and time - Select this option to display incidents that transpired during a time period that you define, then select the From and To dates and times from the drop-down lists.
For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8-5:00 on April 1, 8-5:00 on April 2, and 8-5:00 all other days of April, up to and including April 30.
Time of Day
By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range.
*
Entire day - Select Entire day to show all incidents during the date range, no matter what time of day they took place.
*
From ... to ... - Select this option to show only incidents from a specific period.
For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m.
If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around.
Policy
Use the check boxes provided to set which policy's incidents are displayed in the incident list.
Released Incident
This filter enables you to filter in or out SMTP incidents that have been released by an administrator (a reports remediation option).
Rule Name
Lets you filter incidents by the rules they triggered.
Severity
Use this filter to select the severity of incidents to display. Select High if you want to display incidents of high severity, and so on. Select as many severity levels as desired.
Source
The Source filter lets you view only incidents that were initiated by specific sources. You can select sources from your resource list or enter them as free text. Choose which method you want to use from the drop-down list. If your free text includes a comma, enclose the value in quotes. For example: "Doe, John".
If you have a role in which source and destination information is hidden for privacy reasons, you can enter one or more source IDs.
Note that the filter returns values from all columns describing the source, such as URL category, hostname, IP address, and domain.
Complex filters can affect performance.
See Selecting items to include or exclude in a policy for more details on using this selector.
Status
The Status filter enables you to select which incidents to show by their status—for example, New, Closed, In Process, False Positive, or Escalated. You cannot filter by statuses that have been deleted from the system.
Top Matches
The Top Matches filter allows you to filter according to the rule that triggers the most matches. For example, if rules A, B, and C trigger incidents in MyPolicy; the one that has the most matches would be included.
Total Size
This filter enables you to select the size of incidents to display. You can display incidents greater than a certain size (in KB), or between 2 sizes.
Violation Triggers
The Violation Triggers filter lets you select which incident triggers to display in the incident list. In the field, enter a violation trigger of interest and click Add. Continue until you've added all you need.
Note that complex filters can affect performance.
Mobile Device filters
 
Filter
Description
Action
The Action filter enables you to filter incidents by the action that was performed on the incident. Select the check box for each action to be displayed.
Assigned to
The Assigned to filter enables you to filter incidents by the person to whom they are assigned. Unassigned displays all incidents that have not been assigned to any administrator. Because filters can be available for all administrators, checking the Assigned to current administrator check box displays incidents assigned to the administrator who is currently logged onto the Forcepoint Security Manager. Assigned to selected administrators enables you to select specific administrators whose assigned incidents you want to display.
Business Unit
The Business Unit filter enables you to filter incidents by the business unit to which they're assigned.
Classifier Matches
This filter enables you to display specific classifiers whose thresholds have been exceeded. For example, select a dictionary classifier with profanity in it, and set its threshold to 3. The report displays only incidents where more than 3 terms from this dictionary were detected.
Click Edit to add or remove content classifiers to the filter, then select a threshold for each.
Classifier Type
The Classifier Type filter enables you to select which content classifier type should be displayed in the incident list (key phrases, dictionaries, etc.)
Destination
The Destination filter sets the incident list to display only incidents intercepted that were directed at specific destinations. You can select destinations from your resource list or enter them as free text. Choose which method you want to use from the drop-down list. If your free text includes a comma, enclose the value in quotes. For example: "Doe, John".
If you have a role in which source and destination information is hidden for privacy reasons, this filter is not available.
Note that the filter returns values from all columns describing the destination, such as URL category, hostname, IP address, and domain.
Complex filters can affect performance.
See Selecting items to include or exclude in a policy for more details on using this selector.
Detected by
The Detected by filter sets the incident list to display only incidents intercepted that were detected by specific Forcepoint DLP modules. Select each module to be displayed. The list of available modules depends on which modules were configured on the Security Manager System Modules page.
Device Details
This filter lets you display incidents that match certain device criteria.
1.
In the Field menu, indicate whether you want to filter by device name, ID, user agent, model, operating system, or type.
2.
Indicate whether you want the field to contain a certain value or be empty.
3.
Enter a value in the blank text box.
4.
Click Add.
Device User
This filter lets you display only incidents for specific mobile-device users. You can choose users from your resource list or enter identifying information manually.
If you choose to use the resource list:
*
Use the Display field to indicate whether you want to pick from directory entries, business units, or custom users.
*
Enter a search term in the Filter by field.
*
Click the filter button.
*
Select items from the available list. See Selecting items to include or exclude in a policy for more details on using this selector.
If you choose free text, type a name, email address, or other information in the text box. Note that complex filters can affect performance.
Event Time
The Event Time filter lets you filter incidents by the date and time the policy engine first saw a transaction. An event is any transaction being analyzed. (An incident is an event that breaches policy.)
Select a date range, then select a time of day.
Date Range
*
Last n days - Select this option to display incidents from the last n days, then select the number of interest. For example, display incidents from the last 30 days.
*
Time period - Select this option to display incidents that transpired in a set period of time, then select the period. Example: last 24 hours, this week, or last month.
*
Exact date and time - Select this option to display incidents that transpired during a time period that you define, then select the From and To dates and times from the drop-down lists.
For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8-5:00 on April 1, 8-5:00 on April 2, and 8-5:00 all other days of April, up to and including April 30.
Time of Day
By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range.
*
Entire day - Select Entire day to show all incidents during the date range, no matter what time of day they took place.
*
From ... to ... - Select this option to show only incidents from a specific period.
For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m.
If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around.
File Name
This filter enables you to filter in or out incidents involving certain files. Enter the file name (wildcards can be used), and click Add. Continue until you've added all you need.
Note that complex filters can affect performance.
History
History lets you filter incidents by the date, administrator, or details contained on the incident History tab. For example, you might display all incidents that jdoe closed during March 2011.
*
Select Filter by date if you are interested in the date and time of the actions that were taken on the incident. Only actions during this period are included in the report. Select a date range and time of day.
*
Select Filter by administrator to filter by the administrator who performed the listed workflow action. Enter the administrator names that you want to view. Separate multiple names by commas. For example: Type "jdoe, bsmith" to view incidents that jdoe and bsmith acted upon.
*
Select Filter by details to filter based on details shown on the incident's History tab. Details are automatically added when a workflow action is taken, such as "incident assigned to jdoe." If administrators add comments to the incident (Workflow > Add Comments), those are appended to the workflow details.
Enter the text for which to search. You can search for all or part of the detail text. For example, you might enter "closed" to search for incidents that were closed during a certain period.
As always, this filter depends on the other filters you define such as Incident Time and Ignored Incident. If you want to filter only by history, define a large range for Incident Time, then define the history filter.
Note that complex filters can affect performance.
Ignored Incident
The Ignored Incident filter lets you filter in or out ignored incidents. By default, ignored incidents are filtered out of all reports.
Incident Tag
Incident Tags let you filter incidents by a tag you earlier defined. (See Tagging incidents). Select the tags by which to filter the report and click Add. Continue until you've added all you need.
You can use these tags to group incidents for external applications.
Note that complex filters can affect performance.
Incident Time
This filter lets you filter incidents by the date and time they were written to the database. An incident is an event that breaches policy. (An event is any transaction being analyzed.)
Select a date range, then select a time of day.
Date Range
*
Last n days - Select this option to display incidents from the last n days, then select the number of interest. For example, display incidents from the last 30 days.
*
Time period - Select this option to display incidents that transpired in a set period of time, then select the period. Example: last 24 hours, this week, or last month.
*
Exact date and time - Select this option to display incidents that transpired during a time period that you define, then select the From and To dates and times from the drop-down lists.
For example, you can show incidents starting from 5:00 a.m. on April 1, 2009 to midnight April 30, 2009. Using the Time of Day options below this, you can specify whether to show all incidents from this period (Entire day) or just those from a time range, for example, 8 a.m. to 5 p.m. If you choose this From/To option, the report would include incidents from 8-5:00 on April 1, 8-5:00 on April 2, and 8-5:00 all other days of April, up to and including April 30.
Time of Day
By default, incidents are displayed no matter what time of day they occurred, as long as the date range matches. To display only those incidents that occurred at certain times of day, select From and choose a time range.
*
Entire day - Select Entire day to show all incidents during the date range, no matter what time of day they took place.
*
From ... to ... - Select this option to show only incidents from a specific period.
For example, if you select Last 60 days and From 8 a.m. to 5 p.m., the report displays all incidents from the last 60 days that were detected between 8 a.m. and 5 p.m.
If you prefer, you can view incidents that occurred during off-peak hours, such as 5 p.m. to 8 a.m. the next day. That way you know if information is being leaked at night when no one is around.
Policy
Use the check boxes provided to set which policy's incidents are displayed in the incident list.
Released Incident
This filter enables you to filter in or out SMTP incidents that have been released by an administrator (a reports remediation option).
Rule Name
Rule Name lets you filter incidents by the rules they triggered.
Severity
Use this filter to select the severity of incidents to display. Select High if you want to display incidents of high severity, and so on. Select as many severity levels as desired.
Source
The Source filter lets you view only incidents intercepted that were directed at specific sources. You can select sources from your resource list or enter them as free text. Choose which method you want to use from the drop-down list. If your free text includes a comma, enclose the value in quotes. For example: "Doe, John".
If you have a role in which source and destination information is hidden for privacy reasons, you can enter one or more source IDs.
Note that the filter returns values from all columns describing the source, such as URL category, hostname, IP address, and domain.
Complex filters can affect performance.
See Selecting items to include or exclude in a policy for more details on using this selector.
Status
The Status filter enables you to select which incidents to show by their status—for example, New, Closed, In Process, False Positive, or Escalated. You cannot filter by statuses that have been deleted from the system.
Synced by
Use this filter to display incidents on messages that were synchronized by a certain number of mobile-device users.
For example, you want to know when the same violating message was synchronized by more than 10 users.
Top Matches
The Top Matches filter allows you to filter according to the rule that triggers the most matches. For example, if rules A, B, and C trigger incidents in MyPolicy; the one that has the most matches would be included.
Total Size
This filter enables you to select the size of incidents to display. You can display incidents greater than a certain size (in KB), or between 2 sizes.
Transaction Type
Use this filter to display only incidents of a certain type, then select the types: email, calendar event, or tasks.
Violation Triggers
The Violation Triggers filter enables you to select which incident triggers to display in the incident list. In the field, enter a violation trigger of interest and click Add. Continue until you've added all you need.
Note that complex filters can affect performance.
Discovery filters
 
Filter
Description
Assigned to
The Assigned to filter enables you to filter incidents by the person to whom they are assigned. Unassigned displays all incidents that have not been assigned to any administrator. Because filters can be available for all administrators, checking the Assigned to current administrator check box displays incidents assigned to the administrator who is currently logged onto the Forcepoint Security Manager. Assigned to selected administrators enables you to select specific administrators whose assigned incidents you want to display.
Channel
The Channel filter enables you to limit which channels' incidents are displayed in the report.
The list of available channels depends on channels configured in the Security Manager.
Email Direction is available only for those with the Forcepoint Email Security module, endpoint agent, or protector.
Content Classifier Name
The Content Classifier Name filter enables you to select which specific content classifiers should be displayed in the incident list.
Content Classifier Type
The Content Classifier Type filter enables you to select which content classifier type should be displayed in the incident list (key phrases, dictionaries, etc.)
Date Accessed
If you want to see when data in violation of policy was accessed, use this filter, then select the dates and times you want to see. Incidents relating to the access dates you choose are shown in the report.
You can display incidents for data that was accessed within the last x days, within a date range, or on exact dates. You can also specify time periods.
Date Created
If you want to see when a file in violation of policy was created, use this filter, then select the dates and times you want to see. Incidents relating to the creation dates you choose are shown in the report.
You can display incidents for data that was created within the last x days, within a date range, or on exact dates. You can also specify time periods.
Date Modified
If you want to see when a file in violation of policy was modified, use this filter, then select the dates and times you want to see. Incidents relating to the modify dates you choose are shown in the report.
You can display incidents that transpired within the last x days, within a date range, or on exact dates. You can also specify time periods.
Detected by
The Detected by filter sets the incident list to display only incidents that were detected by specific Forcepoint DLP modules. Select each module of interest. The list of available modules depends on which modules configured on the Security Manager System Modules page.
Discovery Task
Use this filter to select the discovery tasks to display in the report.
Discovery Type
Use this filter to select the type of discovery to display in the report: File System, Endpoint, SharePoint, SharePoint Online, Database, Exchange, Exchange Online, Outlook PST, and/or Domino.
Endpoint Type
The Endpoint Type filter enables you to filter incidents according to the type of endpoint client, e.g. laptop or static device.
Event Time
This filter allows you to select incidents by the date and time the policy engine first saw the transaction.
For filter properties, select one of the following:
*
Last nn days - Select this option if you want to display incidents from the last nn days, then select the number of days from the spinner.
*
Time period - Select this option if you want to display incidents that transpired in a particular date range, then select the range from the drop-down list. Example: last 24 hours or this week.
*
Exact dates - Select this option if you want to display incidents that transpired during a specific period, then select the From and To dates from the drop-down lists.
Folder
This filter allows you to view incidents from a certain folder or folders. Type a valid folder name into the field box, then click Add.
File Name
This filter enables you to filter in or out incidents involving certain files. Enter the file name (wildcards can be used), and click Add. Continue until you've added all you need.
Note that complex filters can affect performance.
File Owner
Use this filter to filter incidents by file owner. Type a valid owner name into the field box, then click Add.
File Permissions
Use this filter to filter incidents by file permissions. Type a standard Access Control List (ACL) permission into the field box (such as USER name, password, services, or roles), then click Add. The values apply to all file-system scanning and Windows shares.
Split multiple rows by commas and single rows by colons. For example:
Unix user\ramon:rwx,Unix Group\developers:r-x,\Everyone:r--
File Size
Use this filter to filter incidents by file size, then choose the size of the file to include in the report.
Folder Owner
Use this filter to filter incidents by folder owner. Type a valid owner name into the field box, then click Add.
History
History lets you filter incidents by the date, administrator, or details contained on the incident History tab. For example, you might display all incidents that jdoe closed during March 2011.
*
Select Filter by date if you are interested in the date and time of the actions that were taken on the incident. Only actions during this period are included in the report. Select a date range and time of day.
*
Select Filter by administrator to filter by the administrator who performed the listed workflow action. Enter the administrator names that you want to view. Separate multiple names by commas. For example: Type "jdoe, bsmith" to view incidents that jdoe and bsmith acted upon.
*
Select Filter by details to filter based on details shown on the incident's History tab. Details are automatically added when a workflow action is taken, such as "incident assigned to jdoe." If administrators add comments to the incident (Workflow > Add Comments), those are appended to the workflow details.
Enter the text for which to search. You can search for all or part of the detail text. For example, you might enter "closed" to search for incidents that were closed during a certain period.
As always, this filter depends on the other filters you define such as Incident Time and Ignored Incident. If you want to filter only by history, define a large range for Incident Time, then define the history filter.
Host Name
Use Host Name to filter incidents by the host on which they were detected. Type a valid hostname into the field box, then click Add.
Ignored Incident
The Ignored Incident filter lets you filter in or out ignored incidents. By default, ignored incidents are filtered out of all reports.
Incident Tag
Incident Tags let you filter incidents by a tag you earlier defined. (See Tagging incidents). Select the tags by which to filter the report and click Add. Continue until you've added all you need.
You can use these tags to group incidents for external applications.
Note that complex filters can affect performance.
Incident Time
This filter lets you filter incidents by the date and time they were written to the database. Use it to select the time for the incidents you want to display.
IP Address
Use IP Address to filter incidents by the host on which they were detected. Type a valid IP address into the field box, then click Add.
Locked
Use this filter to show incidents that are locked or unlocked. You have 2 options:
*
Show only locked incidents - Select this option to show only incidents that have been locked.
*
Exclude locked incidents - Select this option to show only unlocked incidents.
Disable the filter if you want to display both locked and unlocked incidents.
Locking an incident prevents it from being overwritten with new data in subsequent scans. (To lock an incident, choose Workflow > Lock in the Discovery incident report.)
Mailbox Type
This filter applies only to Exchange discovery. Select Private mailbox if you want to display incidents from private mailboxes. Select Public mailbox if you want to display incidents from public mailboxes. You can select both if desired.
Policy
Use the check boxes provided to set which policy's incidents are displayed in the incident list.
Rule Name
Lets you filter incidents by the rules they triggered.
Severity
Use this filter to select the severity of incidents to display. Select High if you want to display incidents of high severity, and so on. Select as many severity levels as desired.
Status
The Status filter enables you to select which incidents to show by their status—for example, New, Closed, In Process, False Positive, or Escalated. You cannot filter by statuses that have been deleted from the system.
Top Matches
The Top Matches filter allows you to filter according to the rule that triggers the most matches. For example, if rules A, B, and C trigger incidents in MyPolicy; the one that has the most matches would be included.
Total Size
This filter enables you to select the size of incidents to display. You can display incidents greater than a certain number of KB, or between x KB and y KB.
Violation Triggers
The Violation Triggers filter enables you to select which incident triggers to display in the incident list. In the field, enter the list of violation triggers to be displayed, separated by commas.
Note that complex filters can affect performance.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Viewing Incidents and Reports > The report catalog > Editing a report > Filter tab
Copyright 2017 Forcepoint. All rights reserved.