Filtering events

Filter the QRadar Analyst Workflow Events page to display only the specific events you want to investigate.

About this task

As you apply filters, the events table displays only the events that meet your filter criteria.
Tip: You can copy and paste the URL from your browser to share the events page, including all filters and configuration options.

Procedure

  1. To apply a filter, click any of the following categories to see filtering options for that category:
    • Event Time
    • Magnitude
    • Log Source Name
    • Category
    • Source IP
    • Source Port
    • Destination IP
    • Destination Port
    • Event Name
    • User
  2. To include only events with specific attributes, select that attribute in the filters list. To exclude events with specific attributes, click the vertical ellipsis icon next to the attribute, and click Apply IS NOT Filter.
    Tip: You can right-click on a Log Source, Source IP, Destination IP, Category, or Username in the events table and quickly apply an IS or IS NOT filter to the events.
  3. To sort the events table in ascending or descending order by an attribute, click the appropriate table heading.
  4. To clear individual filters, click the close icon [x] on the filter indicator. To clear all filters, click Clear filters.
  5. Click Update events to refresh the events results.