Symantec Endpoint Detection and Response provides a number of predefined search filters called "quick filters." Quick filters are designed to help you more easily find the information you need as you work through threat detections and interventions. Each search results page in Symantec EDR has a selection of quick filters specific to the type of search. The pages at the following links list the filters available and their descriptions:
Quick filters do not work with Internet Explorer. To use quick filters, use Firefox, or Chrome.
Displaying and selecting quick filters
Depending on the search page, one of the following methods is used to display quick filters:
Add Filter pop-up dialog
The Add Filter pop-up dialog is used on the following search pages:
Search > Database > Events
Search > Database > Events > Details > Related Events
Logging > Actions
Logging > System Activity
On these pages, the dialog is displayed when you click Add Filter.
Show Filters matrix
The Show Filters matrix is used on the Search > Database > Entities and Search > Endpoint search pages.
When you click the Add Filter option, a pop-up dialog is displayed that lets you select and add quick filters to the Search bar. The dialog provides AND and OR operators, and parentheses for extending or limiting the filtered results. The dialog also provides the ability to create a custom filter that you build from the available Symantec EDR fields.
See the Symantec™ Endpoint Detection and Response Search Fields Reference for a list of fields and their descriptions.
Show Filters matrix
When you click Show Filters, a matrix of quick filters is displayed. Click on a filter to add it to the search bar. When you select additional filters, you are prompted to also select an AND or an OR operator.
Only one type of operator can be chosen for any string of filters. For instance, if you chose AND when you add a second filter, each subsequent filter addition assumes the AND operator.
Manually adding a quick filter
You can also manually add quick filters directly into the Search bar. You must exactly enter the name of the quick filter and enclose it within quotes. You invoke the quick filter with the prefix, quick:, for instance: