About quick filters

Symantec Endpoint Detection and Response
provides a number of predefined search filters called "quick filters." Quick filters are designed to help you more easily find the information you need as you work through threat detections and interventions. Each search results page in
Symantec EDR
has a selection of quick filters specific to the type of search. The pages at the following links list the filters available and their descriptions:
Quick filters do not work with Internet Explorer. To use quick filters, use Firefox, or Chrome.
Displaying and selecting quick filters
Depending on the search page, one of the following methods is used to display quick filters:
  • Add Filter
    pop-up dialog
    The Add Filter pop-up dialog is used on the following search pages:
    • Search > Database > Events
    • Search > Database > Events > Details > Related Events
    • Logging > Actions
    • Logging > System Activity
    On these pages, the dialog is displayed when you click
    Add Filter
  • Show Filters
    The Show Filters matrix is used on the
    Search > Database > Entities
    Search > Endpoint
    search pages.
Add Filter
When you click the
Add Filter
option, a pop-up dialog is displayed that lets you select and add quick filters to the Search bar. The dialog provides AND and OR operators, and parentheses for extending or limiting the filtered results. The dialog also provides the ability to create a custom filter that you build from the available
Symantec EDR
Show Filters matrix
When you click Show Filters, a matrix of quick filters is displayed. Click on a filter to add it to the search bar. When you select additional filters, you are prompted to also select an AND or an OR operator.
Only one type of operator can be chosen for any string of filters. For instance, if you chose
when you add a second filter, each subsequent filter addition assumes the
Manually adding a quick filter
You can also manually add quick filters directly into the Search bar. You must exactly enter the name of the quick filter and enclose it within quotes. You invoke the quick filter with the prefix,
, for instance:
quick: "Get File"