Example Filters
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP
When you define a filter, any computers that match the criteria appear in the filter group. WatchGuard Endpoint Security can filter a computer into more than one group. When the status of a computer or device changes and it no longer fulfills the conditions of the filter, WatchGuard Endpoint Security automatically removes it from the group defined by the filter.
WatchGuard Endpoint Security includes commonly used filters that you can use to organize and locate network computers. You can edit or delete these predefined filters and you can also create new filters. This topic includes examples of filters commonly created by network administrators. For more information, go to Add a Filter.
Filter Windows Computers Based on the Installed Processor (x86, x64, ARM64)
Lists all computers that have a Windows operating system installed and a microprocessor of the specified architecture (for example, ARM).
This filter has two conditions linked by the AND operator:
Condition 1
- Category: Computer
- Property: Platform
- Condition: Equals
- Value: Windows
Condition 2
- Category: Computer
- Property: Architecture
- Condition: Equals
- Value: {architecture name: ARM64, x86, x64}
Filter Computers without a Specific Patch Installed
Lists computers that do not have a specific patch installed:
- Category: Software
- Property: Software name
- Condition: Doesn’t contain
- Value: (patch name)
For more information, go to Patch Management Best Practices.
Filter Computers that Have Not Connected to WatchGuard Cloud in x Days
Lists computers that have not connected to WatchGuard Cloud in the specified period:
- Category: Computer
- Property: Last connection
- Condition: Before
- Value: {Date in dd/mm/yy format}
Filter Isolated Computers
Lists computers that have been isolated from the network:
- Category: Computer
- Property: Isolation status
- Condition: Is equal to
- Value: Isolated
Filter Computers Integrated with Other Management Tools
Lists computers with a name that matches a computer name specified in a list obtained by a third-party tool:
- Category: Computer
- Property: Name
- Condition: In
- Value: Computer name list
Each line in the list must end with a carriage return and is considered a computer name.
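The following Python script is an added example, not part of the WatchGuard documentation or product. It builds a computer name list for the In condition from a third-party inventory export, removes blank and duplicate names, and terminates every line, including the last one. The CSV layout, the hostname column name, the sample computer names, and the CRLF line ending are assumptions.

```python
import csv
import io

# Constructed sample of a third-party inventory export (not real computers).
SAMPLE_EXPORT = """hostname,owner,site
WKS-FIN-001,alice,HQ
  wks-fin-002 ,bob,HQ

WKS-FIN-001,alice,HQ
srv-build-01,ci,DC1
wks-fin-002,bob,Branch
"""


def build_name_list(export_text, column="hostname", eol="\r\n"):
    """Return one computer name per line, with every line terminated by eol.

    column and eol are assumptions about the export and about the line
    ending to paste; change them to match your tool and console.
    """
    names = []
    seen = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        name = (row.get(column) or "").strip()
        if not name:
            continue  # Skip rows with no computer name.
        if "\r" in name or "\n" in name:
            # An embedded line break would be read as two separate names.
            raise ValueError(f"line break inside computer name: {name!r}")
        key = name.casefold()  # Compare names without regard to case.
        if key in seen:
            continue  # Keep only the first occurrence of each name.
        seen.add(key)
        names.append(name)
    # Terminate every line, including the last, so no name is left unterminated.
    return "".join(name + eol for name in names)


if __name__ == "__main__":
    print(build_name_list(SAMPLE_EXPORT), end="")
```

Paste the output into the Value field of the filter. Names that appear in the export but not in the resulting filter group are candidates for computers that are not yet managed.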
Filter Computers in RDP Attack Containment Mode
Lists computers that have received a high number of RDP connection attempts which WatchGuard Endpoint Security has started to block:
- Category: Computer
- Property: “RDP attack containment” mode
- Condition: Is equal to
- Value: True
Filter Computers not Compatible with SHA-256 Signed Drivers
Lists computers not compatible with SHA-256 signed drivers:
- Category: Computer
- Property: Supports SHA-256 signed drivers
- Condition: Is equal to
- Value: False
Computers with a Public IP Address
Lists computers that accessed the Internet through a device (router, proxy, VPN, or endpoint) that has a specified IP address:
- Category: Computer
- Property: Public IP address
- Condition: Is equal to (list computers that accessed the Internet through a device with a specific IP address)
Computers Discovered in Active Directory
Lists managed and unmanaged computers that have been discovered using Active Directory:
- Category: Computer
- Property: Last seen in Active Directory
- Condition: Is between (list computers discovered between two specific dates)