Now you see them, now you don’t. (Part #1 - Manual data refinement)

Objective

Filters have been around for quite a few releases, but this one is worth talking about specifically, including when and why you would use them. Filters are a secondary sorting mechanism that Axonius offers to show EXACTLY what you want to see once you have run a query. There are a few ways to get where you want to go, so let’s walk through these methods!

Filter Magic from the main page

The concept of filters isn’t a revolutionary one, however, it is important to note. The idea of filters is that you can take a query that you have already done and only show the information that matters. This could be information from a particular adapter, a specific CVE, a range of versions… really the sky is the limit.

Filters can be found in two different places. In the Users or Devices section, if you look at a column header, you will see nothing remarkable next to it. However, if you hover over the top right corner of the header cell, a filter icon appears on fields that tend to hold more than one value (Float).

As of 4.6, when you click on the filter icon in the right corner of the header, you are greeted with a page that walks you through the significant number of filtering options available.

Field Values - Refine by Condition

The refine by condition filter allows you to dig into what a specific field is doing. In the example, I applied a filter on Network Interfaces: Region; once the filter is chosen, the “Network Interfaces: Region” icon is grayed out. You cannot apply multiple filters from one location.

With the Field Values – Refine by Condition filter, you show only specific values for a specific piece of information across the results.

Use case: As a user, I want to get a list of the CVE IDs of the critical CVEs. This filter type lets you do exactly that.

Field Values – Refine by Adapter Connection

When we look at the “Field Values – Refine by Adapter Connection” filter, the primary focus is to show specific values for the selected column by selecting a list of adapters/connections to be excluded from the results. In other words, it hides the values for a specific piece of information that were derived from the defined source(s), since those values might not be accurate in that source.

Use Case: The OS type retrieved from Rapid7 Nexpose tends to be incorrect. As a user, I want to create a query that contains the correct OS type (without Rapid7 Nexpose), but I don’t want to hide all Rapid7 Nexpose data: I still want to use the IPs and the vulnerability data from the Rapid7 Nexpose adapter.

Asset Entities – Refine by Condition

Now we start looking at asset entity operators. Asset entities exist so we can show specific asset entity data across the entire result. If there were multiple CSV files, or two data types from AWS (SSM & EC2 data), this allows you to dig into a specific asset entity with the greatest of ease.

With this function, you can show asset entity information originating from specific sources, based on given conditions. This may also be very useful if an asset has been correlated from multiple asset entities of the same adapter.

Use Case: Multiple users have been correctly correlated together, but some of those user records come from different domains. Another instance: as a user, I want to create a user query that shows only the user data from a specific domain.

Asset Entities – Refine by adapter connection

Finally, we end with the “Asset Entities – Refine by adapter connection” field. This field shows specific asset entity data across the entire results: you select a list of adapters/connections to be excluded from the results. Elements you may want to be aware of: it shows asset entity information originating from specific sources, based on a given list of adapters/connections. This may be very useful if an asset has been correlated from multiple asset entities of the same adapter.

Use Case: As a user, I want to create a query that shows me only data from a specific AD adapter connection (although there are several different AD adapter connections in my environment).
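To make the difference between the four filter types concrete, here is an added example (not Axonius code, and not how the product implements it) that models one correlated asset built from three adapter records and applies each refinement to it. The entity model, adapter/connection names, sample CVE IDs and field names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable, Iterable

@dataclass(frozen=True)
class Entity:
    """One adapter record correlated into an asset (hypothetical model)."""
    adapter: str
    connection: str
    fields: dict

# Constructed sample: one device correlated from two AD connections and Nexpose.
ASSET = [
    Entity("active_directory", "corp-dc1",
           {"hostname": "HOST1", "os_type": "Windows", "domain": "corp.example"}),
    Entity("rapid7_nexpose", "nexpose-main",
           {"hostname": "host1", "os_type": "Linux", "ips": ["10.0.0.5"],
            "vulns": [{"cve": "CVE-0000-0001", "severity": "critical"},   # placeholder IDs
                      {"cve": "CVE-0000-0002", "severity": "low"}]}),
    Entity("active_directory", "lab-dc1",
           {"hostname": "HOST1", "os_type": "Windows", "domain": "lab.example"}),
]

def _values(entity: Entity, name: str) -> list:
    """Multi-valued fields (IPs, vulns) are lists; scalar fields are wrapped."""
    v = entity.fields.get(name)
    return [] if v is None else (v if isinstance(v, list) else [v])

def aggregate(asset: Iterable[Entity], name: str) -> list:
    """The merged column as the grid shows it: every value of `name` from every entity."""
    return [v for e in asset for v in _values(e, name)]

def field_values_by_condition(asset, name: str, pred: Callable[[Any], bool]) -> list:
    """Field Values - Refine by Condition: keep only the values that match."""
    return [v for v in aggregate(asset, name) if pred(v)]

def hide_field_from_sources(asset, name: str, excluded_adapters: set) -> list:
    """Field Values - Refine by Adapter Connection: drop `name` only where it came
    from an excluded source; every other field of that source is kept."""
    return [Entity(e.adapter, e.connection,
                   {k: v for k, v in e.fields.items()
                    if not (k == name and e.adapter in excluded_adapters)})
            for e in asset]

def entities_by_condition(asset, pred: Callable[[dict], bool]) -> list:
    """Asset Entities - Refine by Condition: keep whole entities whose fields match."""
    return [e for e in asset if pred(e.fields)]

def entities_excluding(asset, excluded_connections: set) -> list:
    """Asset Entities - Refine by Adapter Connection: drop whole entities from
    the excluded connections."""
    return [e for e in asset if e.connection not in excluded_connections]
```

Run on the sample, the Nexpose use case hides only its `os_type` (the merged column becomes `["Windows", "Windows"]`) while its IPs and vulnerabilities stay visible, and excluding the `lab-dc1` and `nexpose-main` connections leaves just the `corp-dc1` record.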

Considerations

The biggest consideration here is that when applying the manual filter, you must make sure you place your cursor on the rightmost part of the header cell. If you simply click the triangle next to the header name, you will end up filtering, rather than HOVERING over the field and having the filter icon appear.

Stay tuned to part 2 of this article where we dive into utilizing the query wizard to refine data.


Special thanks

**A large part of this article was provided with special help from the Product Management team and documentation team.
