Use Lists with Filters
Filters can be applied using lists as the filter items. The following filter fields can be populated from lists:
- Application
- Classification
- Common Event
- Entity
- General String Values, including:
- Action
- Address
- Command
- CVE
- Domain Impacted
- Domain Origin
- Group
- Hash
- Host Name
- MAC Address
- Message
- Object
- Object Name
- Parent Process Id
- Parent Process Name
- Parent Process Path
- Policy
- Process
- Reason
- Response Code
- Result
- Serial Number
- Session
- Session Type
- Status
- Subject
- Threat Id
- Threat Name
- URL
- User
- User Agent
- Vendor Info
- Vendor Message ID
- Host
- Identity
- IP Address
- IP Range
- Location
- Log Source
- Log Source Type
- MPE Rule
- Network
- Root Entity
- User
To use a list to populate filter items:
- From the feature you want to add a filter to, select an option in the Add New Field Filter.
- Click Edit Values.
- Click Add List.
List types that match the filter type appear in the List Selector. - Select a list, and then click OK.
- (Optional) To learn more about the list or modify it, double-click it in the text box in the field Filter Values window.
The List Properties window appears. From here, you can add items and other lists to the list, and modify other settings if you have permission.