Using the Filter and Refine Panel

Updated 2 years ago by TruSTAR

The Filter and Refine panel is available when you are working with Intel Reports or Indicators. It enables you to select which Enclaves to use and also which Intelligence Sources to use. You may need to scroll down to see all options available to you in the panel.

You can filter information by selecting specific Enclaves or dates. For example, you can choose to only utilize two or three Open Source intelligence (OSINT) Sources rather than use all of them.

The default view for Intel Reports and Indicators is last 90 days. Change the Date Last Seen filter to view all results available.

Using the Filter And Refine Panel

Use the arrows on the top right corner of a section to expand or hide that section. To select all items in a section, click Select All. To select individual items, click on the item and you will see a checkmark appear to the right, indicated it is now a selected item. You can select all the items in a section by clicking Select All, or click it again to deselect everything in that section.

The number of selected filters per category is shown next to the category name; for example: Premium Intel Feeds (4) means that you have selected four Premium Intelligence enclaves and all other Enclaves you have access to in that category will not be used while you conduct the current investigation.

To clear all filters, click the Reset to Default Filters button at the bottom of the panel.

Filter Persistence

Selected filters are automatically applied across all searches, Intel Reports and Indicators. If you select filters in any of the categories, the same filters are applied for all investigations from that point forward. For example, if you filter to show only EU-CERT intelligence in the Reports view, your work going forward will show only Intel Reports and Indicators from EU-CERT and searches will only use the EU-CERT Enclave.

If you are searching for a specific item and do not see expected results, you may need to check filters to see what Enclaves you are searching through and what date range is specified.

Available Filters

The table below lists the types of filters in this panel.



My Enclaves

Lists the Enclaves that you own or that have been shared with you by others.

Premium Intel

External intelligence sources that require a subscription to access and use. These include Premium Intelligence and Open Sources.

Open Sources (OSINT)

External intelligence sources that are free to all users. You may need to register with a specific organization to gain access to an enclave.


Displays tags you can use to filter data using 'AND' logic. Use the search bar at the top of the section to find and select relevant tags.


Displays tags for MITRE ATT&CK. Use the search bar at the top of the section to find and select relevant tags.

Link: Information on using MITRE ATT&CK platform and tags.

Date Last Seen (Reports)

Date Last Seen (Indicators)

The date range to filter on, anywhere from one day to all available dates (Max). Max date range is defined as Epoch milliseconds format which goes as far back as Jan. 1st, 1970.

IOC Type

When working with Indicators, you can choose which types to filter out.

How Did We Do?