Filter and Refine Panel

Updated 32 minutes ago by Elvis Hovor

The Filter and Refine panel, available when working with Intel Reports or Indicators, is where you select which Enclaves and which external intelligence sources to use. You may need to scroll down to see all options available to you in the panel.

You can filter information by selecting specific Enclaves or dates. For example, you can choose to only utilize two or three Open Source intelligence (OSINT) Sources rather than use all of them.

The default view for Intel Reports and Indicators is the last 90 days. Change the Date Last Seen filter to view all results available.

Using the Filter And Refine Panel

Use the arrows in the top right corner of a section to expand or hide that section. To select individual items, click on the item; a checkmark appears to the right, indicating it is now a selected item. To select all the items in a section, click Select All; click it again to deselect everything in that section.

The number of selected filters per category is shown next to the category name. For example, Premium Intel Feeds (4) means that you have selected four Premium Intelligence enclaves, and all other Enclaves you have access to in that category will not be used while you conduct the current investigation.

To clear all filters, click the Reset to Default Filters button at the bottom of the panel.

Filter Persistence

Selected filters are automatically applied across all searches, Intel Reports and Indicators. If you select filters in any of the categories, the same filters are applied for all investigations from that point forward. For example, if you filter to show only EU-CERT intelligence in the Reports view, your work going forward will show only Intel Reports and Indicators from EU-CERT and searches will only use the EU-CERT Enclave.

If you are searching for a specific item and do not see expected results, you may need to check filters to see what Enclaves you are searching through and what date ranges are being used.

Available Filters

The table below lists the types of filters in this panel.

| Filter | Description |
| --- | --- |
| My Enclaves | Lists the Enclaves that you own or that have been shared with you by others. |
| Premium Intel | External intelligence sources that require a subscription to access and use. These include Premium Intelligence, Open Sources, and Intel Researchers. |
| Open Sources (OSINT) | External intelligence sources that are free to all users. You may need to register with a specific organization to gain access to an enclave. |
| Intel Researchers | A curated list of key cyber-intelligence researchers available to all users. |
| Tags | Displays tags you can use to filter data. Use the search bar at the top of the section to find and select relevant tags. |
| MITRE ATT&CK | Displays tags for MITRE ATT&CK. Use the search bar at the top of the section to find and select relevant tags. Link: Information on using MITRE ATT&CK platform and tags. |
| Date Last Seen (Reports), Date Last Seen (Indicators) | The date range to filter on, anywhere from one day to all available dates (Max). The Max date range is defined in Epoch milliseconds format, which goes as far back as Jan. 1st, 1970. |
| IOC Type | When working with Indicators, you can choose which types to filter out. |

