Security investigation tool
Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus; Cloud Identity Premium.
When customizing a search in the investigation tool, you can group items by a particular search attribute to quickly understand the breadth of an issue. For example, when conducting a search based on device log events, you can group the results by device model.
To group results by specific attributes when customizing your search:
- During your search, click Group Results.
- From the drop-down menu, choose a condition for your search—for example, Device model.
- Click Search.
In this example, a list of devices is displayed in the search results. Each item shows the name of the device model and its number of occurrences, with the highest number of occurrences listed at the top.
You can then add more conditions to the search criteria by scrolling over items in the search results, clicking the More icon, and then clicking Add condition to search.
Note: Occurrences refers to the number of events logged in the corresponding reports. For example, if you group by Group email, the Occurrences column shows the number of entries in the Groups log events data when all events are filtered by the given group address.