Filter security events
Security events can be filtered to reduce clutter and see specific events. Filtering the events list can help analyze high-risk events, events of a particular category, or attacks targeted at specific APIs.
Security events can be filtered from the Events Summary widgets and using the Advanced filters located above the Events List view.
Filtering the events list using a Summary widget sets the Advanced filter to the criteria for the legend or data you click on the widget. Using the Advanced filters on top of the filtering criteria set by the widget filters the events list further. For example, clicking Critical in the Severity widget, and setting the Advanced filter to Resolution = New and Impact = Succeeded, filters the list to show critical attacks.
Advanced filters
Advanced filters can be used to filter events by severity, category, risk level, impact, and other criteria. The list can be filtered solely using Advanced filters.
Click the Filter icon at the top-right corner of the events listing to open the filters menu.
Filter | Filtering action |
---|---|
Endpoint | Security events seen with APIs with the selected endpoint URLs. Select endpoint URLs or search for URLs by text strings. Use Precise Match if required. |
Method | Security events seen with APIs that use the selected call methods (DELETE, GET, OPTIONS, POST, PUT, and TRACE) |
Category | Security events in the selected categories |
Sub Category | Security events in the selected subcategories |
User | Security events that resulted from the selected users |
Severity | Security events of the selected severity levels (Critical, Major, Minor, and Info) |
Status | Security events in the selected statuses (Open, Analyzed, In Progress, and Resolved) |
Resolution | Security events in the selected resolution statuses (New, Fixed, False Positive, and Inconclusive) |
Action | Security events that are actioned with the selected action (Blocked or Allowed) |
Risk Level | Security events that are of the selected risk levels (Critical, High, Medium, None, and so on) |
Impact | Security events that resulted in the following impact (Succeeded, Client Error, and Server Error) |
Event ID | Security events with the selected event IDs |
First Discovered From | Security events seen in your environment with this date as the start date of the event occurrence period |
First Discovered To | Security events seen in your environment with this date as the end date of the event occurrence period |
Show Aggregation mode
By default, the Show Aggregation switch is set to ON, and the events list is aggregated—events of the same category and sub-category are listed only once with the count of events in the Severity column. The timestamp, event ID, and user details displayed are for the latest occurrence of the event.
With the Show Aggregation switch set to OFF, all events are listed in the List view. The options to change the event fix status (Status) and resolution status (Resolution) are unavailable.
Precise Match
Precise Match is a switch to filter the text string columns of the events list by the exact match of the text you enter to filter the list.
By default, the Precise Match switch is set to ON.
Show Resolved Events filter
Set the Show Resolved Events filter to ON to see only events that have been resolved (Resolution = Fixed).
Download filtered list
You can download the filtered list of events as a CSV file for offline analysis. Without filters applied, all events are listed in the file.
- Click Download above the events list.
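For offline analysis of a downloaded file, the following added example (not part of the product or its documentation) reapplies the Severity = Critical, Resolution = New, Impact = Succeeded filter from above and rebuilds the aggregated view, one row per category and sub-category with a count and the latest occurrence's details. The CSV column names and sample rows are constructed assumptions, as is treating Precise Match OFF as a substring match; adjust them to the headers in your actual export.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names are assumptions, not the product's
# documented CSV schema; rename them to match the real file's header row.
SAMPLE_CSV = """event_id,timestamp,endpoint,category,sub_category,user,severity,resolution,impact
E-101,2024-05-01T10:00:00,/api/v1/orders,Injection,SQL Injection,alice,Critical,New,Succeeded
E-102,2024-05-01T11:30:00,/api/v1/orders,Injection,SQL Injection,bob,Critical,New,Succeeded
E-103,2024-05-01T09:15:00,/api/v1/orders/export,Injection,Command Injection,carol,Critical,New,Succeeded
E-104,2024-05-01T12:00:00,/api/v1/login,Authentication,Credential Stuffing,dave,Major,New,Client Error
E-105,2024-05-01T12:05:00,/api/v1/orders,Injection,SQL Injection,erin,Critical,Fixed,Succeeded
"""

def load_events(text):
    return list(csv.DictReader(io.StringIO(text)))

def text_match(value, needle, precise=True):
    """Precise Match ON: exact equality. OFF: substring match (assumed behaviour)."""
    return value == needle if precise else needle in value

def filter_events(events, endpoint=None, precise=True, **criteria):
    """Keep events that satisfy every criterion; filters are ANDed together."""
    return [ev for ev in events
            if (endpoint is None or text_match(ev["endpoint"], endpoint, precise))
            and all(ev[col] == want for col, want in criteria.items())]

def aggregate(events):
    """One row per (category, sub_category): count plus latest occurrence details."""
    groups = {}
    for ev in events:
        key = (ev["category"], ev["sub_category"])
        ts = datetime.fromisoformat(ev["timestamp"])
        row = groups.setdefault(key, {"count": 0, "ts": None, "latest": None})
        row["count"] += 1
        if row["ts"] is None or ts > row["ts"]:
            row["ts"], row["latest"] = ts, ev
    return {key: {"count": row["count"],
                  **{f: row["latest"][f] for f in ("timestamp", "event_id", "user")}}
            for key, row in groups.items()}

if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    hits = filter_events(events, severity="Critical", resolution="New", impact="Succeeded")
    for key, row in aggregate(hits).items():
        print(key, row)
```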