Advanced filters for Flow Explorer

Advanced filters for Flow Explorer help you reduce clutter on the Flow Explorer page. They provide a filtered view of the traffic flow details collected from the managed assets. With Advanced filters, traffic flows can be filtered by factors such as the malicious nature associated with the flows, and the processes, services, and geo-locations involved in the flows. Advanced filters can also filter traffic flows source-centric (outbound flows) or destination-centric (inbound flows).


Advanced filters - properties

  • Carousel view - Advanced filters are available as a Carousel, below the Asset filters. You can customize the Carousel to display only the filters you require.

  • Dynamic - some Advanced filters such as GEO LOCATION are dynamic. The options/operands for these depend on the Time filter set for Flow Explorer. With a short Time filter that covers no matching flows, a dynamic filter shows No data available!

  • Additive - Advanced filters are mutually additive. When you apply multiple filters (Asset filters included) for a single filter operation, the operands for a filter are not restricted by the preceding filter. 

  • Persistent across login sessions - Advanced filters you apply persist across your login sessions to the ColorTokens Spectrum portal.


Filters

The filters, with their options and descriptions:
POLICY ACTION
  • Authorized - allowed flows on Observed and Enforced workloads and the associated user assets

  • Unauthorized - policy-violating flows observed on Observed workloads and the associated user assets

  • Blocked - policy-violating blocked flows on Enforced workloads and the associated user assets

UNSAFE FLOWS
  • Low Reputed - flows flagged as IP Threat Status, High Risk, Suspicious, or Moderate Risk by Xshield's Threat Intelligence service.

  • Vulnerable - flows associated with CVSS-vulnerable ports on the assets

ANOMALY FLOWS

Flows associated with Inbound Scan alerts triggered for the assets. The filtered flows include all inbound connection requests on the blocked ports that led to an Inbound Scan alert.

PROTOCOL

Protocols involved in the flows. For example, TCP.

PROCESS

Absolute paths of the processes involved in the flows. For example, C:\Users\ctuser\AppData\Local\Microsoft\Teams\current\Teams.exe.

SOURCE

Source-centric filter for outbound traffic flows from the selected source assets. You can select sources by:

  • Hostnames - hostnames of the assets

  • IPs - IP addresses of the assets

  • Managed Groups - Workload groups and/or Endpoint groups to which the assets belong

  • Tags - values of the tags assigned to the assets

  • Private Networks - private IP addresses (the Class A, Class B, and Class C private ranges) involved in the flows

  • Internet - public IP addresses involved in the flows

DESTINATION

Destination-centric filter for inbound traffic flows to the selected destination assets. You can select destinations by:

  • Hostnames - hostnames of the assets

  • IPs - IP addresses of the assets

  • Managed Groups - Workload groups and/or Endpoint groups to which the assets belong

  • Tags - values of the tags assigned to the assets

  • Private Networks - private IP addresses (the Class A, Class B, and Class C private ranges) involved in the flows

  • Internet - public IP addresses involved in the flows

DEPARTMENTS

IDP/LDAP departments of the users who use managed user assets

USERS

Usernames of the users who use managed user assets

SERVICES

Xshield Access parameter associated with the flows

GEO LOCATION

Geo-locations of the sources and destinations of the Internet flows, as categorized by Xshield's Threat Intelligence service.


Apply Advanced filters

Decide which filters the query needs. Remember that you can also use Asset filters to restrict the traffic flows to specific assets. For example, to filter blocked flows related to a service on a workload, the typical filters involved are Hostname (Asset filter) and SERVICES and POLICY ACTION (Advanced filters).

  1. Go to Flow Explorer.

  2. Select the required factors/operands for an Advanced filter.

  3. Use the Right and Left controls to move through the Carousel.

  4. Repeat step 2 to add more filters and build up the filter query.

  5. Click the Search icon (located at the top-right corner of the Advanced filters Carousel). 


Example 1 - Advanced filters for malicious flows for user assets

To see malicious flows for user assets from a specific geo-location, set the filters as follows:

  • UNSAFE FLOWS - select Low Reputed and Vulnerable

  • ANOMALY FLOWS - select Inbound Scan

  • SOURCE - select the related Endpoint groups (for outbound flows) 

  • DESTINATION - select the related Endpoint groups (for inbound flows) 

  • GEO LOCATION - select the geo-location. For example,  


Example 2 - Advanced filters for blocked inbound flows to workloads

To see blocked inbound flows to some workloads and the protocols used in the flows, set the filters as follows:

  • DESTINATION - select the hostnames of the workloads

  • POLICY ACTION - select Blocked

  • PROTOCOL - select the protocols used in the flows
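As an added illustration, not ColorTokens' code or the Spectrum portal's implementation, the following Python models how the filter operands described above combine, and runs Example 2's query (DESTINATION hostnames, POLICY ACTION Blocked, PROTOCOL) over a handful of constructed flow records. The Flow record fields, the reading of "additive" as AND across filters and OR within a filter, and the mapping of Private Networks onto the RFC 1918 ranges are assumptions made for this example.

```python
"""Added example: a minimal model of how Advanced filters combine over flow records.

Not ColorTokens' code. The Flow fields, the AND-across-filters / OR-within-a-filter
semantics, and the RFC 1918 reading of "Private Networks" are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the page's "Class A, Class B, and Class C" private networks are the
# RFC 1918 ranges (10/8 is the Class A block, 172.16/12 the Class B block, 192.168/16
# the Class C block). Listing them explicitly avoids ipaddress.is_private, which also
# flags documentation ranges such as 203.0.113.0/24 that we use below as "public".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One observed traffic flow (constructed record shape, not the product's schema)."""
    src_host: str
    src_ip: str
    dst_host: str
    dst_ip: str
    protocol: str       # e.g. "TCP", "UDP"
    port: int
    policy_action: str  # "Authorized" | "Unauthorized" | "Blocked"


def network_class(ip: str) -> str:
    """Bucket an IPv4 address into the SOURCE/DESTINATION 'Private Networks' or 'Internet' operand."""
    addr = ipaddress.ip_address(ip)
    return "Private Networks" if any(addr in net for net in RFC1918) else "Internet"


# Each filter name maps to a predicate: does this flow match any of the selected operands?
FILTERS = {
    "POLICY ACTION": lambda f, ops: f.policy_action in ops,
    "PROTOCOL": lambda f, ops: f.protocol in ops,
    # SOURCE / DESTINATION accept hostnames, IPs, or the network-class buckets.
    "SOURCE": lambda f, ops: f.src_host in ops or f.src_ip in ops or network_class(f.src_ip) in ops,
    "DESTINATION": lambda f, ops: f.dst_host in ops or f.dst_ip in ops or network_class(f.dst_ip) in ops,
}


def apply_filters(flows, query):
    """Additive semantics (assumed): a flow must satisfy every filter in the query (AND);
    within a single filter, any selected operand matches (OR). Operands of one filter are
    not narrowed by another filter, matching the page's 'mutually additive' description."""
    def matches(flow):
        return all(FILTERS[name](flow, set(operands)) for name, operands in query.items())
    return [f for f in flows if matches(f)]


# Constructed sample flows. 203.0.113.x / 198.51.100.x are documentation ranges standing in
# for public Internet addresses.
SAMPLE_FLOWS = [
    Flow("laptop-01", "10.1.2.3", "web-prod-01", "10.1.5.10", "TCP", 443, "Authorized"),
    Flow("laptop-01", "10.1.2.3", "web-prod-01", "10.1.5.10", "TCP", 3389, "Blocked"),
    Flow("scanner", "203.0.113.7", "web-prod-01", "10.1.5.10", "TCP", 22, "Blocked"),
    Flow("laptop-02", "10.1.2.4", "db-prod-01", "10.1.5.20", "UDP", 161, "Blocked"),
    Flow("web-prod-01", "10.1.5.10", "example.net", "198.51.100.9", "TCP", 443, "Authorized"),
]


def example_2_query():
    """Example 2 from the page: blocked inbound flows to chosen workloads, by protocol."""
    return {
        "DESTINATION": ["web-prod-01"],
        "POLICY ACTION": ["Blocked"],
        "PROTOCOL": ["TCP"],
    }


def blocked_inbound_to_workload():
    """Flows matching Example 2 over the sample data."""
    return apply_filters(SAMPLE_FLOWS, example_2_query())


def blocked_from_internet():
    """Source-centric view: blocked flows whose source is a public address."""
    return apply_filters(SAMPLE_FLOWS, {"SOURCE": ["Internet"], "POLICY ACTION": ["Blocked"]})


if __name__ == "__main__":
    for flow in blocked_inbound_to_workload():
        print(f"{flow.src_host} ({flow.src_ip}) -> {flow.dst_host}:{flow.port}/{flow.protocol} "
              f"[{flow.policy_action}]")
```

Running it lists the two blocked TCP flows to web-prod-01 (RDP from laptop-01 and SSH from the external scanner) and drops the blocked UDP flow to db-prod-01, because DESTINATION and PROTOCOL each narrow the result independently of the other filters.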


Analyze filtered flows

Analyze and investigate filtered traffic flows in Flow Explorer. The ways to analyze the data filtered using Asset filters depend on the page you are on (Assets, Visualizer, or Flow Explorer).


Customize the Carousel

Carousel customization does not persist across your login sessions to the Spectrum portal.

  1. Click + (located at the top-right corner of the Carousel).

  2. From the drop-down list, select or clear the filters.
