Example Filters

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP

When you define a filter, any computers that match the criteria appear in the filter group. WatchGuard Endpoint Security can filter a computer into more than one group. When the status of a computer or device changes and it no longer fulfills the conditions of the filter, WatchGuard Endpoint Security automatically removes it from the group defined by the filter.

WatchGuard Endpoint Security includes commonly used filters that you can use to organize and locate network computers. You can edit or delete these predefined filters and you can also create new filters. This topic includes examples of filters commonly created by network administrators. For more information, go to Add a Filter.

Filter Windows Computers Based on the Installed Processor (x86, x64, ARM64)

Lists all computers that have a Windows operating system installed and the specified processor architecture (x86, x64, or ARM64).

This filter has two conditions linked by the AND operator:

Condition 1

  • Category: Computer
  • Property: Platform
  • Condition: Equals
  • Value: Windows

Condition 2

  • Category: Computer
  • Property: Architecture
  • Condition: Equals
  • Value: {architecture name: ARM64, x86, x64}

Filter Computers without a Specific Patch Installed

Lists computers that do not have a specific patch installed:

  • Category: Software
  • Property: Software name
  • Condition: Doesn’t contain
  • Value: {patch name}

For more information, go to Patch Management Best Practices.

Filter Computers that Have Not Connected to WatchGuard Cloud in x Days

Lists computers that have not connected to WatchGuard Cloud in the specified period:

  • Category: Computer
  • Property: Last connection
  • Condition: Before
  • Value: {Date in dd/mm/yy format}

Filter Isolated Computers

Lists computers that have been isolated from the network:

  • Category: Computer
  • Property: Isolation status
  • Condition: Is equal to
  • Value: Isolated

Filter Computers Integrated with Other Management Tools

Lists computers with a name that matches a computer name specified in a list obtained by a third-party tool:

  • Category: Computer
  • Property: Name
  • Condition: In
  • Value: Computer name list

Each line in the list is treated as one computer name and must end with a carriage return.

Filter Computers in RDP Attack Containment Mode

Lists computers that have received a high number of RDP connection attempts, which WatchGuard Endpoint Security has started to block:

  • Category: Computer
  • Property: “RDP attack containment” mode
  • Condition: Is equal to
  • Value: True

Filter Computers not Compatible with SHA-256 Signed Drivers

Lists computers not compatible with SHA-256 signed drivers:

  • Category: Computer
  • Property: Supports SHA-256 signed drivers
  • Condition: Is equal to
  • Value: False

Computers with a Public IP Address

Lists computers that accessed the Internet through a device (router, proxy, VPN, or endpoint) that has a specified IP address:

  • Category: Computer
  • Property: Public IP address
  • Condition: Is equal to (list computers that accessed the Internet through a device with a specific IP address)
  • Value: {public IP address}

Computers Discovered in Active Directory

Lists managed and unmanaged computers that have been discovered using Active Directory:

  • Category: Computer
  • Property: Last seen in Active Directory
  • Condition: Is between (list computers discovered between two specific dates)
  • Value: {start date} and {end date}, in dd/mm/yy format
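The following is an added example, not WatchGuard code and not how WatchGuard Endpoint Security evaluates filters internally. It reproduces the matching rules this page relies on against a small constructed inventory: conditions within a filter are linked by AND, a computer can land in more than one filter group at once, dates are given in dd/mm/yy format, and a computer name list is one name per line. The inventory field names (platform, architecture, software, last_connection, and so on) and the sample computers are assumptions made for this example.

```python
"""Toy evaluator for endpoint filters of the kind shown on this page (added example, not WatchGuard code)."""
from datetime import date, datetime
from typing import Any, Dict, List

# Constructed inventory; the field names are this example's own assumptions.
INVENTORY: List[Dict[str, Any]] = [
    {"name": "WS-001", "platform": "Windows", "architecture": "x64",
     "software": ["Security Update KB5001234", "7-Zip"], "last_connection": date(2024, 5, 20),
     "isolation_status": "Not isolated", "rdp_attack_containment": False,
     "sha256_drivers": True, "last_seen_ad": date(2024, 5, 19)},
    {"name": "WS-002", "platform": "Windows", "architecture": "ARM64",
     "software": ["7-Zip"], "last_connection": date(2024, 3, 1),
     "isolation_status": "Isolated", "rdp_attack_containment": True,
     "sha256_drivers": True, "last_seen_ad": date(2024, 2, 28)},
    {"name": "SRV-01", "platform": "Linux", "architecture": "x64",
     "software": [], "last_connection": date(2024, 5, 21),
     "isolation_status": "Not isolated", "rdp_attack_containment": False,
     "sha256_drivers": False, "last_seen_ad": None},
]


def parse_ddmmyy(text: str) -> date:
    """Filter date values use dd/mm/yy, as on the page."""
    return datetime.strptime(text.strip(), "%d/%m/%y").date()


def parse_name_list(text: str) -> List[str]:
    """One computer name per line (CR/LF-terminated); blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def matches(condition: Dict[str, Any], computer: Dict[str, Any]) -> bool:
    """Evaluate one Property / Condition / Value triple against a computer."""
    actual = computer.get(condition["property"])
    op, value = condition["condition"], condition["value"]
    if op in ("Equals", "Is equal to"):
        return actual == value
    if op == "Doesn't contain":
        # Software is a list of names; a computer with no matching entry qualifies.
        return not any(value in item for item in (actual or []))
    if op == "Before":
        return actual is not None and actual < parse_ddmmyy(value)
    if op == "In":
        return actual in parse_name_list(value)
    if op == "Is between":
        start, end = (parse_ddmmyy(v) for v in value)
        return actual is not None and start <= actual <= end
    raise ValueError(f"unsupported condition: {op}")


def apply_filter(conditions: List[Dict[str, Any]], inventory=INVENTORY) -> List[str]:
    """All conditions in a filter are linked by AND; return the matching computer names."""
    return [c["name"] for c in inventory if all(matches(cond, c) for cond in conditions)]


# Filters transcribed from this page; property keys are the example's own.
FILTERS: Dict[str, List[Dict[str, Any]]] = {
    "Windows ARM64": [
        {"property": "platform", "condition": "Equals", "value": "Windows"},
        {"property": "architecture", "condition": "Equals", "value": "ARM64"}],
    "Missing KB5001234": [
        {"property": "software", "condition": "Doesn't contain", "value": "KB5001234"}],
    "Not connected since 01/05/24": [
        {"property": "last_connection", "condition": "Before", "value": "01/05/24"}],
    "Isolated": [
        {"property": "isolation_status", "condition": "Is equal to", "value": "Isolated"}],
    "From third-party list": [
        {"property": "name", "condition": "In", "value": "WS-001\r\nSRV-01\r\n"}],
    "RDP containment": [
        {"property": "rdp_attack_containment", "condition": "Is equal to", "value": True}],
    "No SHA-256 driver support": [
        {"property": "sha256_drivers", "condition": "Is equal to", "value": False}],
    "Seen in AD in Feb 2024": [
        {"property": "last_seen_ad", "condition": "Is between", "value": ("01/02/24", "29/02/24")}],
}


def group_memberships(filters=FILTERS, inventory=INVENTORY) -> Dict[str, List[str]]:
    """Map each computer to every filter group it currently belongs to."""
    groups: Dict[str, List[str]] = {c["name"]: [] for c in inventory}
    for filter_name, conditions in filters.items():
        for name in apply_filter(conditions, inventory):
            groups[name].append(filter_name)
    return groups


if __name__ == "__main__":
    for name, memberships in group_memberships().items():
        print(f"{name}: {memberships}")
```

Running the script shows WS-002 in six groups at once (Windows ARM64, missing patch, stale connection, isolated, RDP containment, seen in AD), which is the "more than one group" behaviour described at the top of the page; re-running after changing a field, for example setting its isolation_status back to "Not isolated", drops it from the Isolated group, which is the automatic removal the page describes.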