You can use filters to narrow or expand the scope of a state to account for a smaller or larger number of events to analyze. Event filters use the same event categories, subcategories, and types that are outlined in Data structures that Optics uses to identify threats.
Example 1:
The following example limits inspected events to process start events.
"Filters": [ { "Type": "Event", "Data": { "Category": "Process", "SubCategory": "", "Type": "Start" } } ]
Example 2:
The following example inspects all types of file events (create, write, delete).
"Filters": [ { "Type": "Event", "Data": { "Category": "File", "SubCategory": "", "Type": "*" } } ]
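As an added example (not from the Optics documentation), the following Python matcher shows which constructed sample events each of the two filter lists above would admit. It assumes, since the page does not state it, that "*" and an empty string match any value, that comparison is case-insensitive, and that a state inspects an event when any filter in its list matches.

```python
"""Evaluate Optics-style event filters against constructed sample events.

Added example, not Optics code. Assumptions (not stated on the page): "*" and
"" match any value, matching is case-insensitive, and a filter list admits an
event when ANY filter in the list matches.
"""
from __future__ import annotations
import json

# The two filter lists from the page, parsed from their JSON form.
PROCESS_START_FILTERS = json.loads(
    '[{"Type": "Event", "Data": {"Category": "Process", "SubCategory": "", "Type": "Start"}}]'
)
ALL_FILE_EVENTS_FILTERS = json.loads(
    '[{"Type": "Event", "Data": {"Category": "File", "SubCategory": "", "Type": "*"}}]'
)

# Constructed sample events; the field names mirror the filter's Data keys (hypothetical).
SAMPLE_EVENTS = [
    {"Category": "Process", "SubCategory": "", "Type": "Start", "Path": "C:\\Windows\\System32\\cmd.exe"},
    {"Category": "Process", "SubCategory": "", "Type": "Terminate", "Path": "C:\\Windows\\System32\\cmd.exe"},
    {"Category": "File", "SubCategory": "", "Type": "Create", "Path": "C:\\Users\\Public\\a.txt"},
    {"Category": "File", "SubCategory": "", "Type": "Delete", "Path": "C:\\Users\\Public\\a.txt"},
]


def _field_matches(pattern: str, value: str) -> bool:
    """'*' and '' act as wildcards (assumption); otherwise case-insensitive equality."""
    if pattern in ("*", ""):
        return True
    return pattern.lower() == value.lower()


def filter_matches(flt: dict, event: dict) -> bool:
    """One Event filter admits an event when Category, SubCategory and Type all match."""
    if flt.get("Type") != "Event":
        return False  # only Event-type filters are modelled here
    data = flt["Data"]
    return all(_field_matches(data.get(k, "*"), event.get(k, "")) for k in ("Category", "SubCategory", "Type"))


def admitted_events(filters: list[dict], events: list[dict]) -> list[dict]:
    """Events the state would inspect: those matching any filter in the list (assumption: OR)."""
    return [e for e in events if any(filter_matches(f, e) for f in filters)]


if __name__ == "__main__":
    for name, flts in (("process start", PROCESS_START_FILTERS), ("all file", ALL_FILE_EVENTS_FILTERS)):
        print(f"{name}: {[e['Type'] for e in admitted_events(flts, SAMPLE_EVENTS)]}")
```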