Filter tree

The filter tree is one of the two computer tree views. It enables you to dynamically group computers on the network using rules and conditions that describe characteristics of devices, and logical operators that combine them to produce complex expressions.

The filter tree can be accessed from the left panel, by clicking the filter icon. Clicking different items in the tree updates the right panel, presenting all the computers that meet the criteria established in the selected filter.

About filters

Filters are effectively dynamic groups of computers. A computer automatically belongs to a filter when it meets the criteria established for that filter by the administrator.

A computer can belong to more than one filter.

As such, a filter consists of a series of rules or conditions that computers have to satisfy in order to belong to it. As computers meet these conditions, they join the filter. Similarly, when the status of a computer changes and ceases to fulfill those conditions, it automatically ceases to belong to the group defined by the filter.

Filters can be grouped manually in folders using whatever criteria the administrator chooses.

Predefined filters

Advanced EPDR includes common filters that you can use to organize and locate network computers. You can edit or delete these predefined filters.

You cannot recover a predefined filter after you delete it.

| Name | Group | Description |
|---|---|---|
| Server OS | Operating system | Lists computers with a server type operating system installed. |
| Workstation OS | Operating system | Lists computers with a workstation type operating system installed. |
| Windows | Operating system | Lists all computers with a Windows operating system installed. |
| Android | Operating system | Lists all devices with an Android operating system installed. |
| iOS | Operating system | Lists all devices with an Android operating system installed. |
| Linux | Operating system | Lists all computers with a Linux operating system installed. |
| macOS | Operating system | Lists all computers with a macOS operating system installed. |
| Windows ARM | Operating system | Lists all computers with a Windows operating system and an ARM microprocessor. |
| Workstations and servers | System type | Lists physical workstations and servers. |
| Laptops | System type | Lists physical laptops. |
| Smartphones and tablets | System type | Lists smartphones and tablets. |
| Virtual machines | System type | Lists virtual machines. |
| <2GB of memory | Hardware | Lists computers with less than 2 GB of memory. |
| Java | Software | Lists all computers with the Java JRE SDK installed. |
| Adobe Acrobat Reader | Software | Lists all computers with Acrobat Reader installed. |
| Adobe Flash Player | Software | Lists all computers with the Flash Player plugin installed. |
| Google Chrome | Software | Lists all computers with the Chrome browser installed. |
| Mozilla Firefox | Software | Lists all computers with the Firefox browser installed. |

Predefined filter list

Creating and organizing filters

To create and organize filters, click the context menu icon next to a branch of your choice in the filter tree. A pop-up menu is displayed with the actions available for that particular branch.

Creating folders

  • Click the context menu of the branch where you want to create the folder, and click Add folder.

  • Enter the name of the folder and click OK.

You cannot add a folder below a filter. If you select a filter and then add a folder, the folder is added at the same level as the filter, in the same parent folder.

Creating filters

To create a filter, follow the steps below:

  • Click the context menu of the folder where the filter will be created.

    • If you want to create a hierarchical structure of filters, create folders and move your filters to them. A folder can contain other folders with filters.

  • Click Add filter.

  • Type the name of the filter. It does not have to be a unique name. See Configuring filters for more information.

Deleting filters and folders

To delete a filter or a folder, click the context menu of the branch to delete, and click Delete. This deletes the folder and all of the filters in it.

You cannot delete the Filters root folder.

Moving and copying filters and folders

  • Click the context menu of the branch you want to copy or move.

  • Click Move or Make a copy. A pop-up window appears with the target filter tree.

  • Select the target folder and click OK.

You cannot copy filter folders. Only filters can be copied.

Renaming filters and folders

  • Click the context menu of the branch you want to rename.

  • Click Rename.

  • Type a new name.

You cannot rename the root folder. Additionally, to rename a filter you must edit it.

Searching for filters

In very large IT infrastructures, the filter tree can contain a large number of items. This makes finding specific filters difficult.

To find a filter:

  • Click the icon at the top of the filter tree. A text box appears.

  • Type the letters of the name of the filter you want to find. All filters whose name starts with, ends with, or contains the character string entered are shown.

  • After the search is complete, select the filter you wanted to find. Click the icon. The full filter tree is shown again and the filter you searched for appears selected.

Configuring filters

To configure a filter, click its context menu and select Edit filter from the menu displayed. This opens the filter’s settings window.

A filter consists of one or more rules, which are related to each other with the logical operators AND/OR. A computer is part of a filter if it meets the conditions specified in the filter rules.

A filter has four sections:

Filter settings overview

  • Filter name (1): Identifies the filter.

  • Filter rules (2): Enables you to set the conditions for belonging to a filter. A filter rule defines only one characteristic of the computers on the network.

  • Logical operators (3): Enable you to combine filter rules with the logical operators AND or OR.

  • Groupings (4): Enable you to change the order of the filter rules related with logical operators.

Filter rules

A filter rule consists of the items described below:

  • Category: Groups the properties in sections to make it easy to find them.

  • Property: The characteristic of a computer that determines whether or not it belongs to the filter.

  • Operator: Determines the way in which the computer’s characteristics are compared to the values set in the filter.

  • Value: The content of the property. Depending on the type of property, the value field changes to reflect the kind of entry expected, such as a date.

To add rules to a filter, click the add icon. To delete them, click the delete icon.

Logical operators

To combine two rules in the same filter, use the logical operators AND and OR. This way, you can interrelate several rules. As soon as you add a rule to a filter, the options AND/OR automatically appear to establish the relation between the rules.

Filter rule groupings

In a logical expression, parentheses are used to change the order in which operands (in this case, the filter rules) are evaluated.

As such, to group two or more rules in parentheses, you must create a grouping by selecting the corresponding rules and clicking Group conditions. A thin line appears covering the filter rules that are part of the grouping.

The use of parentheses enables you to group operands at different levels in a logical expression.
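
The effect of groupings on filter membership can be checked with a small model. The following is an added example, not Advanced EPDR code: the inventory is constructed, the function names are hypothetical, and the operator semantics are assumed from the operator names. It evaluates the same three rules with the same AND/OR operators under two different groupings.

```python
# Added example: a minimal model of filter evaluation, not Advanced EPDR code.
# Operator semantics below are assumptions based on the operator names.
OPERATORS = {
    "Is equal to": lambda actual, expected: actual == expected,
    "In": lambda actual, expected: actual in expected,
}

def rule(prop, operator, value):
    """A filter rule: one property, one operator, one value."""
    return ("RULE", prop, operator, value)

def group(logical_op, *members):
    """A grouping (parentheses) whose members are joined by AND or OR."""
    if logical_op not in ("AND", "OR"):
        raise ValueError(f"unsupported logical operator: {logical_op}")
    return (logical_op, members)

def matches(node, computer):
    """True if the computer satisfies a rule or a (nested) grouping."""
    if node[0] == "RULE":
        _, prop, operator, value = node
        return OPERATORS[operator](computer.get(prop), value)
    logical_op, members = node
    results = (matches(m, computer) for m in members)
    return all(results) if logical_op == "AND" else any(results)

def members_of(filter_expr, inventory):
    """Names of the computers that currently belong to the filter."""
    return sorted(c["Name"] for c in inventory if matches(filter_expr, c))

def computer(name, platform, arch, isolation):
    return {"Name": name, "Platform": platform,
            "Architecture": arch, "Isolation status": isolation}

# Constructed inventory (hypothetical names and states).
INVENTORY = [
    computer("WS-01", "Windows", "ARM64", "Not isolated"),
    computer("WS-02", "Windows", "x64", "Isolated"),
    computer("SRV-01", "Linux", "x64", "Isolated"),
    computer("MAC-01", "macOS", "ARM64", "Not isolated"),
]

isolated = rule("Isolation status", "Is equal to", "Isolated")
windows = rule("Platform", "Is equal to", "Windows")
arm64 = rule("Architecture", "Is equal to", "ARM64")

# Same rules and operators, different groupings, different membership.
LEFT_GROUPED = group("AND", group("OR", isolated, windows), arm64)   # (isolated OR windows) AND arm64
RIGHT_GROUPED = group("OR", isolated, group("AND", windows, arm64))  # isolated OR (windows AND arm64)
```

With this inventory the first grouping matches only WS-01, while the second also matches every isolated computer regardless of platform or architecture.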

Example filters

This topic includes examples of filters commonly created by network administrators:

Filter Windows computers based on the installed processor (x86, x64, ARM64)

Lists all computers that have a Windows operating system installed and an ARM microprocessor.

This filter has two conditions linked by the AND operator:

  • Condition 1:

    • Category: Computer

    • Property: Platform

    • Condition: Is equal to

    • Value: Windows

  • Condition 2:

    • Category: Computer

    • Property: Architecture

    • Condition: Is equal to

    • Value: {architecture name: ARM64, x86, x64}

Filter computers without a specific patch installed

Lists computers that do not have a specific patch installed. See Cytomic Patch (Updating vulnerable programs) for more information about Cytomic Patch.

  • Category: Software

  • Property: Software name

  • Condition: Doesn’t contain

  • Value: {Patch name}

Filter computers that have not connected to the Cytomic cloud in X days

Lists computers that have not connected to the Cytomic cloud in the specified period.

  • Category: Computer

  • Property: Last connection

  • Condition: Before

  • Value: {Date in dd/mm/yy format}

Filter computers that cannot connect to the Cytomic security intelligence services

Finds all computers that have problems connecting to any of the Cytomic security intelligence services. Create the following rules linked by the OR operator:

  • Rule:

    • Category: Security

    • Property: Connection for sending events.

    • Condition: Is equal to

    • Value: With problems

  • Rule:

    • Category: Security

    • Property: Connection for collective intelligence.

    • Condition: Is equal to

    • Value: With problems

  • Rule:

    • Category: Security

    • Property: Connection for web protection.

    • Condition: Is equal to

    • Value: With problems

Filter isolated computers

Lists computers that have been isolated from the network. See Computer isolation for more information.

  • Category: Computer

  • Property: Isolation status

  • Condition: Is equal to

  • Value: Isolated

Filter computers in RDP attack containment mode

Lists computers that have received a high number of RDP connection attempts which have started to be blocked by Advanced EPDR.

  • Category: Computer

  • Property: “RDP attack containment” mode

  • Condition: Is equal to

  • Value: True

Filter computers integrated with other management tools

Lists computers with a name that matches a computer name specified in a list obtained by a third-party tool. Each line in the list must end with a carriage return and is considered a computer name.

  • Category: Computer

  • Property: Name

  • Condition: In

  • Value: Computer name list

Filter computers not compatible with SHA-256 signed drivers

  • Category: Computer

  • Property: Supports SHA-256 signed drivers

  • Condition: Is equal to

  • Value: False

Computers with a public IP address

Lists computers that accessed the Internet through a device (router/proxy/VPN endpoint) that has the specified IP address.

  • Category: Computer

  • Property: Public IP address

  • Condition: Is equal to (lists computers that accessed the Internet through a device with a specific IP address).

Computers discovered in Active Directory

Lists managed and unmanaged computers that have been discovered using Active Directory.

  • Category: Computer

  • Property: Last seen in Active Directory

  • Condition: Is between (to list computers discovered between two specific dates).