Machine Serial Number
The Machine Serial Number condition allows you to filter dataflows based on an endpoint device's unique hardware identifier. This capability is crucial for quickly isolating activity associated with a specific machine. It enables focused investigation of host-specific incidents and helps ensure accurate scoping of datasets or security policies that target a single device.
Filter Scope and Application
This condition filters security and data events where the source or destination machine matches the serial number you specify.
The filter is applied using the Source category when searching by source, and the Locations category when searching by destination.
Where to Use It
You can apply the Machine Serial Number condition in the following areas:
Risks Overview → Search by Source → Add condition → Source → Machine Serial NumberRisks Overview → Search by Destination → Add condition → Locations → Machine Serial Number
Operators and Input Guidance
The Machine Serial Number filter supports comprehensive text operators. These include positive and negative matching conditions.
Available operators are:
is/is none ofstarts with/doesn't start withends with/doesn't end withcontains/doesn't containmatches regexp/doesn't match regexp(when not using lists)is any of(when using lists)
Case sensitivity for matching can be toggled. Use the a/A control for this function.
Best Practice for Input
Always use the exact serial number as it appears in your inventory or event details. Partial matches are possible with operators like Contains or Starts with. However, using an exact match will consistently produce the most precise results.
Example
Machine Serial Number is any of "VMware-56 4d 5f 39 37 68 09 …" under either the Source or Destination search will retrieve all events associated with that unique device.
Need quick access later? Add this attribute to a saved query or dataset scope so you can revisit the filtered view without re-entering the serial number.