This topic describes ways to filter your searches on the Observations page.

Note: Search results are subject to a 10,000 result limit.

You can filter search results by the following filters. Each filter is listed with example values:
Type
Note: View observation Type descriptions in Observation Types.
  • CB Analytics
  • Contextual Activity
  • TAU Intelligence
  • Tamper
  • Blocked Hash
  • Intrusion Detection System
  • Network Traffic Analysis
  • Host-based Firewall
  • Indicator of Attack
Event Type
  • netconn
  • childproc
  • filemod
  • crossproc
  • regmod
  • modload
  • scriptload
Process
  • \system32\svchost.exe
  • system32\services
Effective Reputation
  • TRUSTED_WHITE_LIST
  • LOCAL_WHITE
  • COMPANY_WHITE_LIST
  • ADAPTIVE_WHITE_LIST
  • NOT_LISTED
Process Hash
Device
  • macOS_workstation
  • Windows11_workstation
Username
  • NETWORK SERVICE
  • SYSTEM
  • LOCAL SERVICE
Parent Effective Reputation
  • TRUSTED_WHITE_LIST
  • LOCAL_WHITE
  • COMPANY_WHITE_LIST
  • ADAPTIVE_WHITE_LIST
  • NOT_LISTED
TTP
  • NETWORK_ACCESS
  • ACTIVE_SERVER
  • RUN_UNKNOWN_APP
  • CODE_DROP
  • POLICY_DENY
  • INTERNATIONAL_SITE
Location
  • Seattle,WA,United States
  • San Jose,CA,United States
  • Dublin,L,Ireland
Application Protocol
  • HTTP
  • TLS
ATT&CK Tactic
  • TA0002
  • TA0004
ATT&CK Technique
  • T1003.0001
  • T1036.0005
  • T1105
Tip: You can exclude search results by clicking the Exclude icon to the right of a filter. For example:

Example of excluded search criteria
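As an added example, not code from the product documentation above, the following Python models how the filters listed on this page combine and how an exclusion removes matching results. The record shape, the sample observations, and the combining rules (values within one filter are OR'd, different filters are AND'd, an exclusion drops any matching record) are assumptions made for illustration; the 10,000 cap is the limit the page states.

```python
from typing import Iterable, Mapping, Sequence

RESULT_LIMIT = 10_000  # the page's stated cap on search results

# Constructed sample records keyed by the page's filter names (shape is an assumption).
SAMPLE_OBSERVATIONS = [
    {"Type": "CB Analytics", "Event Type": "netconn", "Process": r"\system32\svchost.exe",
     "Effective Reputation": "TRUSTED_WHITE_LIST", "Username": "SYSTEM",
     "TTP": ["NETWORK_ACCESS"], "Application Protocol": "TLS"},
    {"Type": "CB Analytics", "Event Type": "netconn", "Process": "updater.exe",
     "Effective Reputation": "NOT_LISTED", "Username": "alice",
     "TTP": ["NETWORK_ACCESS", "INTERNATIONAL_SITE"], "Application Protocol": "HTTP"},
    {"Type": "Indicator of Attack", "Event Type": "childproc", "Process": "cmd.exe",
     "Effective Reputation": "NOT_LISTED", "Username": "alice",
     "TTP": ["RUN_UNKNOWN_APP"], "Application Protocol": None},
    {"Type": "CB Analytics", "Event Type": "netconn", "Process": "svc.exe",
     "Effective Reputation": "ADAPTIVE_WHITE_LIST", "Username": "SYSTEM",
     "TTP": ["NETWORK_ACCESS"], "Application Protocol": "TLS"},
]


def facet_matches(value, wanted: Sequence[str]) -> bool:
    """A filter matches when the record's value (or any value, for multi-valued
    filters such as TTP) equals one of the selected values."""
    values = value if isinstance(value, (list, tuple, set)) else [value]
    return any(v in wanted for v in values)


def matches(record: Mapping, criteria: Mapping[str, Sequence[str]]) -> bool:
    """Assumed semantics: selected values within one filter are OR'd,
    different filters are AND'd. Empty criteria match everything."""
    return all(facet_matches(record.get(f), vals) for f, vals in criteria.items())


def search(records: Iterable[Mapping], criteria: Mapping[str, Sequence[str]],
           exclusions: Mapping[str, Sequence[str]] = None, limit: int = RESULT_LIMIT):
    """Return (results, truncated). An exclusion drops any record matching any
    excluded value, mirroring the Exclude icon described on the page."""
    exclusions = exclusions or {}
    results = []
    for rec in records:
        if not matches(rec, criteria):
            continue
        if any(facet_matches(rec.get(f), vals) for f, vals in exclusions.items()):
            continue
        results.append(rec)
    return results[:limit], len(results) > limit
```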