Overview of procedural filtering

Procedural Filtering enables you to further filter information pertaining to an asset by attributes such as event type, log source, network connection status, and top-level domain (TLD). The Procedural Filtering menu options change depending on the Chronicle view and on the breadth and types of security data currently displayed in the UI.

This document describes how to access and use Procedural Filtering when investigating an alert in the following Chronicle views:

  • Enterprise Insights view
  • User view
  • Rule Detections view
  • Asset view
  • Domain view
  • IP Address view
  • Hash view
  • Raw Log Scan view