Search for Alerting Rule: GCP Tokens
Use the search tokens below, which are available in the rule creation wizard.
Use a text value ##### to show resources based on the unique account ID associated with the connector/ARN at the time of creation.
Example
Show findings with this account ID
aws.accountId: 205767712438
Select the name of the region you're interested in from the drop-down menu. The drop-down menu options contain the region code. For example, the region code for Singapore is ap-southeast-1. For the complete mapping of region code to region, view AWS Region Mapping.
Example
Find resources in the ap-southeast-1 (Singapore) region
cloud.region: ap-southeast-1
Select the type of service you're interested in from the drop-down menu. The drop-down menu options contain the service type code. For example, the service code for CloudTrail is CLOUD_TRAIL. For the complete mapping of service type code to service type, view AWS Service Type Mapping.
Example
Show service type CloudTrail
service.type: CLOUD_TRAIL
cloud.resource.type
Select the type of resource you're interested in from the drop-down menu. The drop-down menu options contain the resource type code. For example, the resource type code for S3 Bucket is BUCKET. For the complete mapping of resource type code to resource type, view AWS Resource Type Mapping.
Example
Show resources of type S3 Bucket
cloud.resource.type: BUCKET
cloud.resource.id
Use a text value ##### to find resources by the unique ID assigned to the resource.
Example
Show resources with ID acl-8e5198f5
cloud.resource.id: acl-8e5198f5
Use a text value ##### to show controls based on the unique control ID associated with the control at the time of creation.
Example
Show controls with this ID
control.id: 205767712438
Use values within quotes to help you find controls with a certain name.
Examples
Show findings with this name
control.name: Avoid the use of the root account
Show any findings that contain parts of the name
control.name: "Avoid the use of the root account"
control.criticality
Select the control criticality (HIGH, MEDIUM, LOW) you're interested in.
Example
Show controls with High criticality
control.criticality: HIGH
Use the control result value (FAIL) to view controls with a specific result.
Example
Show controls that failed
control.result: FAIL
cloud.resource.evaluatedDate
Use a date range or a specific date to define when the resource was evaluated.
Examples
Show resources discovered within certain dates
cloud.resource.evaluatedDate: [2018-01-01 ... 2018-03-01]
Show resources updated starting 2018-10-01, ending 1 month ago
cloud.resource.evaluatedDate: [2018-01-01 ... now-1m]
Show resources updated starting 2 weeks ago, ending 1 second ago
cloud.resource.evaluatedDate: [now-2w ... now-1s]
Show resources discovered on a specific date
cloud.resource.evaluatedDate: 2018-01-08
cloud.resource.lastEvaluatedDate
Use a date range or a specific date to define when the resource was last evaluated.
Examples
Show resources last evaluated within certain dates
cloud.resource.lastEvaluatedDate: [2018-01-01 ... 2018-03-01]
Show resources last evaluated starting 2018-10-01, ending 1 month ago
cloud.resource.lastEvaluatedDate: [2018-01-01 ... now-1m]
Show resources last evaluated starting 2 weeks ago, ending 1 second ago
cloud.resource.lastEvaluatedDate: [now-2w ... now-1s]
Show resources last evaluated on a specific date
cloud.resource.lastEvaluatedDate: 2018-01-08
cloud.resource.firstEvaluatedDate
Use a date range or a specific date to define when the resource was first discovered and evaluated.
Examples
Show resources first evaluated within certain dates
cloud.resource.firstEvaluatedDate: [2018-01-01 ... 2018-03-01]
Show resources first evaluated starting 2018-10-01, ending 1 month ago
cloud.resource.firstEvaluatedDate: [2018-01-01 ... now-1m]
Show resources first evaluated starting 2 weeks ago, ending 1 second ago
cloud.resource.firstEvaluatedDate: [now-2w ... now-1s]
Show resources first evaluated on a specific date
cloud.resource.firstEvaluatedDate: 2018-01-08
Use values within quotes to find a CIS or AWS policy by name.
Examples
Show findings with this name
policy.name: CIS Amazon Web Services Foundations Benchmark
Show any findings that contain parts of the name
policy.name: "CIS Amazon Web Services Foundations Benchmark"
Use a text value ##### to show controls created from QFlow with the specified QFlow ID.
Examples
Show controls with a specific QFlow ID
qflow.id: 80313390-aa04-11e9-9596-45e2d51410b1
Use values within quotes or back-ticks to find controls created from QFlow with the specified name.
Examples
Show controls that are created from QFlow with a name that partially matches the specified QFlow name.
qflow.name: "Publicly accessible S3 buckets"
Show controls that are created from QFlow with a name that exactly matches the specified QFlow name.
qflow.name: `S3 buckets`
aws.account.status
Use this to search AWS resources based on their account status.
Example
Show AWS resources with ACTIVE account status
aws.account.status: ACTIVE
cloud.resource.lastFixedDate
Use a date range or a specific date to find when the misconfigured or vulnerable resources were last fixed.
Examples
Show the misconfigured or vulnerable resources last fixed within certain dates
cloud.resource.lastFixedDate: [2023-10-01 .. 2023-12-01]
Show the misconfigured or vulnerable resources last fixed starting 2023-01-01, ending 1 month ago
cloud.resource.lastFixedDate: [2023-01-01 .. now-1m]
Show the misconfigured or vulnerable resources last fixed starting 2 weeks ago, ending 1 second ago
cloud.resource.lastFixedDate: [now-2w .. now-1s]
Show the misconfigured or vulnerable resources last fixed on a specific date
cloud.resource.lastFixedDate: 2023-01-08
cloud.resource.lastReopenedDate
Use a date range or a specific date to find when the misconfigured or vulnerable resources were last reopened.
Examples
Show the misconfigured or vulnerable resources last reopened within certain dates
cloud.resource.lastReopenedDate: [2023-10-01 .. 2023-12-01]
Show the misconfigured or vulnerable resources last reopened starting 2023-01-01, ending 1 month ago
cloud.resource.lastReopenedDate: [2023-01-01 .. now-1m]
Show the misconfigured or vulnerable resources last reopened starting 2 weeks ago, ending 1 second ago
cloud.resource.lastReopenedDate: [now-2w .. now-1s]
Show the misconfigured or vulnerable resources last reopened on a specific date
cloud.resource.lastReopenedDate: 2023-01-08
connector.tag.name
Search for connectors based on the applied tag name. Select the tag name from the drop-down.
Example
Show connectors tagged with Production
connector.tag.name: Production
Filter results by the unique identifier (UUID) of a connector.
Example
Show results associated with the connector having UUID 123e4567-e89b-12d3-a456-426614174000
connector.uuid: 123e4567-e89b-12d3-a456-426614174000
Use a text value ##### to show controls based on the unique control ID associated with the control at the time of creation.
Example
Show controls with this ID
control.id: 205767712438
control.criticality
Select the control criticality (HIGH, MEDIUM, LOW) you're interested in.
Example
Show controls with High criticality
control.criticality: HIGH
Use values within quotes to help you find controls with a certain name.
Examples
Show findings with this name
control.name: Avoid the use of the root account
Show any findings that contain parts of the name
control.name: "Avoid the use of the root account"
Select the control result you're interested in: PASS or FAIL.
Examples
Show controls that passed
control.result: PASS
Show controls that failed
control.result: FAIL
Filter results based on the specific evidence key associated with a finding.
Example
Show findings where the evidence key is "encryptionEnabled"
evidence.key: encryptionEnabled
Use a text value ##### to find GCP resources with a certain project ID.
Example
Show resources with this project ID
gcp.projectId: my-project-1513669048551
Filter results based on the specific value captured in the evidence associated with a finding.
Example
Show findings where the evidence value is "false"
evidence.value: false
GCP Region Mapping
| Code | Region Name |
|---|---|
| us-west1 | Oregon |
| us-west2 | Los Angeles |
| us-west3 | Salt Lake City |
| us-west4 | Las Vegas |
| us-central1 | Iowa |
| us-east1 | South Carolina |
| us-east4 | N. Virginia |
| northamerica-northeast1 | Montreal |
| europe-west2 | London |
| europe-west1 | Belgium |
| europe-west4 | Netherlands |
| europe-west3 | Frankfurt |
| europe-west6 | Zürich |
| europe-north1 | Finland |
| asia-south1 | Mumbai |
| asia-southeast1 | Singapore |
| asia-southeast2 | Jakarta |
| asia-east1 | Taiwan |
| asia-east2 | Hong Kong |
| asia-northeast1 | Tokyo |
| asia-northeast2 | Osaka |
| asia-northeast3 | Seoul |
| australia-southeast1 | Sydney |
GCP Service Type Mapping
| Code | Service Type |
|---|---|
| COMPUTE_ENGINE | Compute Engine |
| APP_ENGINE | App Engine |
| IAM | IAM & Admin |
| VIRTUAL_NETWORK | VPC Network |
| STORAGE | Storage |
| SQL | SQL |
| KUBERNETES | Kubernetes Engine |
| SUBNETWORK | Subnetwork |
| CLOUD_FUNCTION | Cloud Function |
| NETWORK_SERVICES | Network Services |
| BIGQUERY | BigQuery |
| LOGGING | Logging |
GCP Resource Type Mapping
| Code | Resource Type |
|---|---|
| VM_INSTANCE | VM Instances |
| NETWORK | Networks |
| SUBNETWORK | Subnetworks |
| FIREWALL_RULES | Firewall Rules |
| SERVICE_ACCOUNT | Service Account |
| PROJECT | Project |
| STORAGE | Storage |
| SQL | SQL |
| K8S_NODE | K8S Node |
| K8S_Cluste | K8S Cluster |
| CLOUD_FUNCTION | Cloud Function |
| VPC_CONNECTOR | VPC Connector |
| CLOUD_DNS | Cloud DNS |
| POSTGRESQL | PostgreSQL |
| MYSQL | MySQL |
| SQL_SERVER | SQL Server |
| DATASET | Dataset |
| TABLE | Table |
| LOGS_ROUTER | Logs Router |
| LOGS_BASED_METRICS | Logs Based Metrics |