This article describes the logic behind the Threat Event Log Quick Find search feature in ePO. The description below provides the underlying search logic.
Current Threat Event Log Quick Find design:
- Strings fewer than three characters long are not applied.
  NOTE: If the Quick Find string is two characters or shorter, all rows are included (the search string is ignored).
- Localized columns are compared using their text in the current locale: if that localized text matches the search string, the corresponding rows are included in the results.
- If the Quick Find string is longer than two characters, the resulting set contains all rows for which at least one of the following conditions is true:
  - The Detecting Product Name contains the search string. For example, VirusScan Enterprise.
  - The Event Description contains the search string.
  - The Event Category in the current locale contains the search string.
  - The search string is an integer and the Event ID contains the search string.
    NOTE: The search string '123' matches Event IDs '123', '1234', and '9123'.
  - The Threat Severity in the current locale contains the search string. For example: Emergency, Alert, Notice.
  - The Threat Name contains the search string.
  - The Threat Type in the current locale contains the search string.
  - The Action Taken in the current locale contains the search string.
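The following is an added reference model of the Quick Find rules listed above; it is example code written for this article, not McAfee's ePO implementation. It runs the rules over a few constructed sample rows so the two behaviours that most often surprise analysts are visible: a one- or two-character string returns every row, and an integer string is matched as a substring of the Event ID, so '123' also returns 1234 and 9123. The column names on the ThreatEvent class and the case-insensitive comparison are assumptions, not something the article states.

```python
"""Reference model of the ePO Threat Event Log Quick Find matching rules.

Added example, not McAfee's code. The row layout (ThreatEvent fields) and the
case-insensitive comparison are assumptions made for this example; the
localized columns are assumed to already hold text in the current locale.
"""
from dataclasses import dataclass

# Strings shorter than this are ignored and every row is returned.
MIN_QUICK_FIND_LENGTH = 3


@dataclass(frozen=True)
class ThreatEvent:
    """One Threat Event Log row (field names are an assumption)."""
    detecting_product: str
    description: str
    category: str       # localized
    event_id: int
    severity: str       # localized
    threat_name: str
    threat_type: str    # localized
    action_taken: str   # localized


def quick_find_matches(event: ThreatEvent, search: str) -> bool:
    """Return True if the row satisfies at least one Quick Find condition."""
    needle = search.casefold()  # assumption: comparison is case-insensitive
    text_columns = (
        event.detecting_product,
        event.description,
        event.category,
        event.severity,
        event.threat_name,
        event.threat_type,
        event.action_taken,
    )
    if any(needle in column.casefold() for column in text_columns):
        return True
    # Event ID is only considered when the search string is an integer, and it
    # is a substring match on the decimal form: '123' matches 123, 1234, 9123.
    if search.isascii() and search.isdigit() and search in str(event.event_id):
        return True
    return False


def quick_find(events, search):
    """Apply Quick Find to a list of rows, mirroring the article's rules."""
    if len(search) < MIN_QUICK_FIND_LENGTH:
        return list(events)  # search string ignored: every row is included
    return [e for e in events if quick_find_matches(e, search)]


# Constructed sample rows (not real ePO data).
SAMPLE_EVENTS = [
    ThreatEvent("VirusScan Enterprise", "File deleted", "Malware detected", 1027,
                "Critical", "EICAR test file", "trojan", "deleted"),
    ThreatEvent("Endpoint Security", "Access denied", "Access Protection", 1234,
                "Notice", "Suspicious write", "access", "blocked"),
    ThreatEvent("Endpoint Security", "Scan complete", "On-demand scan", 9123,
                "Alert", "", "scan", "none"),
]


def matching_event_ids(search: str) -> list:
    """Convenience wrapper: Event IDs of the sample rows a search returns."""
    return [e.event_id for e in quick_find(SAMPLE_EVENTS, search)]


if __name__ == "__main__":
    for query in ("12", "123", "1027", "Enterprise", "notice", "deleted"):
        print(f"{query!r:14} -> event IDs {matching_event_ids(query)}")
```

When triaging, note that a short string such as a two-digit Event ID silently widens the result set to the whole log rather than narrowing it; use a Custom Filter for exact Event ID matches.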
Data that the Quick Find function cannot search (such as IPv4 addresses or MD5 hashes) can be filtered with a Custom Filter.
To apply a custom filter to the threat event log:
- Expand the drop-down list, and select Custom.
- Click Add.
- Select the criteria from the Available Properties list, and filter the results displayed in the Threat Events Log.
- Click Update Filter.
- To Edit, Save, or Delete the newly defined custom filter, expand the drop-down list to show Custom. Then hover the mouse over the entry named Unsaved filter and select the action you want.