Searching for AWS Resources
Use the search tokens below to search for resources discovered. You'll need to first choose cloud provider on the Resources tab to see the relevant tokens for your environment. Looking for help with writing your query? click here.
General
Use a text value ##### to show resources based on the unique account ID associated with the connector/ARN at the time of creation.
Example
Show findings with this account ID
aws.accountId: 205767712438
aws.account.aliasaws.account.alias
Use a text value ##### to show connectors based on the account alias associated with the connector/ARN at the time of creation.
Example
Show connectors with this account alias
aws.account.alias: Example_connector
aws.resource.createdDateaws.resource.createdDate
Use a date range or specific date to define when the resource was created.
Example
Show resources created within certain dates
aws.resource.createdDate: [2018-01-01 ... 2018-03-01]
Show resources created starting 2018-10-01, ending 1 month ago
aws.resource.createdDate: [2018-01-01 ... now-1m]
Show resources created starting 2 weeks ago, ending 1 second ago
aws.resource.createdDate: [now-2w ... now-1s]
Show resources created on specific date
aws.resource.createdDate: 2018-01-08
aws.resource.updatedDateaws.resource.updatedDate
Use a date range or specific date to define when the resource was last updated.
Example
Show resources updated within certain dates
aws.resource.updatedDate: [2018-01-01 ... 2018-03-01]
Show resources updated starting 2018-10-01, ending 1 month ago
aws.resource.updatedDate: [2018-01-01 ... now-1m]
Show resources updated starting 2 weeks ago, ending 1 second ago
aws.resource.updatedDate: [now-2w ... now-1s]
Show resources updated on specific date
aws.resource.updatedDate: 2018-01-08
cloud.resource.namecloud.resource.name
Use values within quotes to help you find the resource cloud.resource.name you're looking for.
Example
Show any findings with this cloud.resource.name
cloud.resource.name: my-resource
Show all the findings that exactly match with this cloud.resource.name
cloud.resource.name: `my-resource`
aws.account.tag.keyaws.account.tag.key
Use values within quotes or backticks to find the list inventory of AWS connectors with the specified tag key.
Example
Show inventory of AWS connectors with the specified tag key.
aws.account.tag.key: "Department"
Show inventory of AWS connectors that match the exact specified tag key.
aws.account.tag.key: `S3 Department`
aws.account.tag.valueaws.account.tag.value
Use values within quotes or backticks to find the list inventory of AWS connectors with the specified tag value.
Example
Show inventory of AWS connectors with the specified tag value.
aws.account.tag.value: "Finance"
Show inventory of AWS connectors that match the exact specified tag value.
aws.account.tag.value: `B1 Finance`
Select the cloud.resource.name of the cloud.region you're interested in. Select from names in the drop-down menu.
Example
Find resources in the Singapore cloud.region
cloud.region: Singapore
cloud.resource.idcloud.resource.id
Use a text value ##### to find resources by the unique ID assigned to the resource.
Example
Show resources with ID acl-8e5198f5
cloud.resource.id: acl-8e5198f5
cloud.resource.type cloud.resource.type
Select the azure.publicIpAddresses.type of resource you're interested in. Select from names in the drop-down menu.
Example
Show resources of azure.publicIpAddresses.type Instance
cloud.resource.type: Instance
Use a text value ##### to define the key of an AWS tag assigned to the resource (case sensitive).
Example
Show findings with key Department
aws.tag.key: Department
Use a text value ##### to define the value of an AWS tag assigned to the resource (case sensitive).
Example
Show findings with tag value Finance
aws.tag.value: Finance
aws.account.statusaws.account.status
Use this is search AWS resources based on their account status.
Example
Show AWS resources with ACTIVE account status
aws.account.status: ACTIVE
connector.tag.nameconnector.tag.name
Use values within quotes or backticks to help you find the resources with the specified tag applied via Connectors or Apply Tag API for Exceptions.
Example
Show any findings that contain "network" and "blue" in cloud.resource.name
connector.tag.name: "network blue"
Show any findings that contain "network" or "blue" in cloud.resource.name (another method)
connector.tag.name: "network" OR connector.tag.name: "blue"
Show any findings that match exact value "Cloud Agent"
connector.tag.name: "Cloud Agent"
Use a boolean query to express your query using AND logic.
Example
Show findings with account ID 205767712438 and type Subnet
account.id: 205767712438 and resource.type: Subnet
Use a boolean query to express your query using NOT logic.
Example
Show findings that are not region Hong Kong
not region: Hong Kong
Use a boolean query to express your query using OR logic.
Example
Show findings with one of these tag values
tag.value: Finance or tag.value: Accounting
AWS: Auto Scaling Groups
These tokens are available in queries with cloud.resource.type: Auto Scaling Group
aws.autoScaling.availabilityZoneaws.autoScaling.availabilityZone
Select the availability zone you're interested in. Select from names in the drop-down menu.
Example
Find auto scaling groups in the us-east-1a availability zone
aws.autoScaling.availabilityZone: us-east-1a
aws.autoScaling.createdTimeaws.autoScaling.createdTime
Use a date range or specific date to define when the Auto Scaling group was created.
Example
Show groups discovered within certain dates
aws.autoScaling.createdTime: [2018-01-01 ... 2018-03-01]
Show groups oci.resource.updatedDate starting 2018-10-01, ending 1 month ago
aws.autoScaling.createdTime: [2018-01-01 ... now-1m]
Show groups oci.resource.updatedDate starting 2 weeks ago, ending 1 second ago
aws.autoScaling.createdTime: [now-2w ... now-1s]
Show groups discovered on specific date
aws.autoScaling.createdTime: 2018-01-08
aws.autoScaling.healthCheckTypeaws.autoScaling.healthCheckType
Select the health check azure.publicIpAddresses.type (ec2 or elb) you're interested in. Select from names in the drop-down menu.
Example
Show groups with health check azure.publicIpAddresses.type ec2
aws.autoScaling.healthCheckType: ec2
aws.autoScaling.instanceIdaws.autoScaling.instanceId
Use a text value ##### to find auto scaling groups with a certain instance ID.
Example
Show findings with this instance ID
aws.autoScaling.instanceId: i-1234567890abcdef0
aws.autoScaling.launchConfigurationNameaws.autoScaling.launchConfigurationName
Use a text value ##### to define the launch configuration cloud.resource.name you're interested in.
Example
Show findings with this launch configuration cloud.resource.name
aws.autoScaling.launchConfigurationName: LaunchConfig-BF31WBIYCM64
aws.autoScaling.loadBalancerNameaws.autoScaling.loadBalancerName
Use a text value ##### to define the load balancer cloud.resource.name you're interested in.
Example
Show findings with this load balancer cloud.resource.name
aws.autoScaling.loadBalancerName: AppServer ELB
AWS: IAM User
These tokens are available in queries with cloud.resource.type: IAM User
aws.iamUser.accessKey1Activeaws.iamUser.accessKey1Active
Use the values true | false to find IAM users with an active access key1.
Example
Show findings with access key1 active
aws.iamUser.accessKey1Active: true
Show findings with access key1 not active
aws.iamUser.accessKey1Active: false
aws.iamUser.accessKey1LastRotatedaws.iamUser.accessKey1LastRotated
Use a date range or specific date to define when access key1 was last rotated.
Example
Show last rotated within certain dates
aws.iamUser.accessKey1LastRotated: [2018-01-01 ... 2018-03-01]
Show last rotated starting 2018-10-01, ending 1 month ago
aws.iamUser.accessKey1LastRotated: [2018-01-01 ... now-1m]
Show last rotated starting 2 weeks ago, ending 1 second ago
aws.iamUser.accessKey1LastRotated: [now-2w ... now-1s]
Show last rotated on specific date
aws.iamUser.accessKey1LastRotated: 2018-01-08
aws.iamUser.accessKey1LastUsedaws.iamUser.accessKey1LastUsed
Use a date range or specific date to define when access key1 was last used.
Example
Show last used within certain dates
aws.iamUser.accessKey1LastUsed: [2018-01-01 ... 2018-03-01]
Show last used starting 2018-10-01, ending 1 month ago
aws.iamUser.accessKey1LastUsed: [2018-01-01 ... now-1m]
Show last used starting 2 weeks ago, ending 1 second ago
aws.iamUser.accessKey1LastUsed: [now-2w ... now-1s]
Show last used on specific date
aws.iamUser.accessKey1LastUsed: 2018-01-08
aws.iamUser.accessKey2Activeaws.iamUser.accessKey2Active
Use the values true | false to find IAM users with an active access key2.
Example
Show findings with access key2 active
aws.iamUser.accessKey2Active: true
Show finings with access key2 not active
aws.iamUser.accessKey2Active: false
aws.iamUser.accessKey2lastRotatedaws.iamUser.accessKey2lastRotated
Use a date range or specific date to define when access key2 was last rotated.
Example
Show last rotated within certain dates
aws.iamUser.accessKey2lastRotated: [2018-01-01 ... 2018-03-01]
Show last rotated starting 2018-10-01, ending 1 month ago
aws.iamUser.accessKey2lastRotated: [2018-01-01 ... now-1m]
Show last rotated starting 2 weeks ago, ending 1 second ago
aws.iamUser.accessKey2lastRotated: [now-2w ... now-1s]
Show last rotated on specific date
aws.iamUser.accessKey2lastRotated: 2018-01-08
aws.iamUser.accessKey2LastUsedaws.iamUser.accessKey2LastUsed
Use a date range or specific date to define when access key2 was last used.
Example
Show last used within certain dates
aws.iamUser.accessKey2LastUsed: [2018-01-01 ... 2018-03-01]
Show last used starting 2018-01-012, ending 1 month ago
aws.iamUser.accessKey2LastUsed: [2018-01-01 ... now-1m]
Show last used starting 2 weeks ago, ending 1 second ago
aws.iamUser.accessKey2LastUsed: [now-2w ... now-1s]
Show last used on specific date
aws.iamUser.accessKey2LastUsed: 2018-01-08
aws.iamUser.arnaws.iamUser.arn
Use a text value ##### to define the Amazon Resource Name (ARN) of interest.
Example
Show findings with this ARN
aws.iamUser.arn: "aws.efs.arn:aws:iam::383031258652:user/LOCAL_1234"
aws.iamUser.mfaActiveaws.iamUser.mfaActive
Use the values true | false to find IAM users with multi factor authentication enabled.
Example
Show findings with multi factor authentication enabled
aws.iamUser.mfaActive: true
Show findings without multi factor authentication enabled
aws.iamUser.mfaActive: false
aws.iamUser.passwordEnabledaws.iamUser.passwordEnabled
Use the values true | false to find IAM users with the user password enabled during account creation.
Example
Show findings with password enabled
aws.iamUser.passwordEnabled: true
Show finings without password enabled
aws.iamUser.passwordEnabled: false
aws.iamUser.passwordLastChangedaws.iamUser.passwordLastChanged
Use a date range or specific date to define when the password was last updated.
Example
Show passwords last oci.resource.updatedDate within certain dates
aws.iamUser.passwordLastChanged: [2018-01-01 ... 2018-03-01]
Show passwords last oci.resource.updatedDate starting 2018-01-01, ending 1 month ago
aws.iamUser.passwordLastChanged: [2018-01-01 ... now-1m]
Show passwords last oci.resource.updatedDate starting 2 weeks ago, ending 1 second ago
aws.iamUser.passwordLastChanged: [now-2w ... now-1s]
Show passwords last oci.resource.updatedDate on specific date
aws.iamUser.passwordLastChanged: 2018-01-08
aws.iamUser.passwordLastUsedaws.iamUser.passwordLastUsed
Use a date range or specific date to define when the password was last used.
Example
Show passwords last used within certain dates
aws.iamUser.passwordLastUsed: [2018-01-01 ... 2018-03-01]
Show passwords last used starting 2018-01-01, ending 1 month ago
aws.iamUser.passwordLastUsed: [2018-01-01 ... now-1m]
Show passwords last used starting 2 weeks ago, ending 1 second ago
aws.iamUser.passwordLastUsed: [now-2w ... now-1s]
Show passwords last used on specific date
aws.iamUser.passwordLastUsed: 2018-01-08
aws.iamUser.passwordNextRotationaws.iamUser.passwordNextRotation
Use a date range or specific date to define the next time the password will be rotated.
Example
Show next rotation within certain dates
aws.iamUser.passwordNextRotation: [2018-01-01 ... 2018-03-01]
Show next rotation starting 2018-01-01, ending 1 month ago
aws.iamUser.passwordNextRotation: [2018-01-01 ... now-1m]
Show next rotation starting 2 weeks ago, ending 1 second ago
aws.iamUser.passwordNextRotation: [now-2w ... now-1s]
Show next rotation on specific date
aws.iamUser.passwordNextRotation: 2018-01-08
aws.iamUser.userCreationTimeaws.iamUser.userCreationTime
Use a date range or specific date to define when the user was created.
Example
Show users oci.resource.createdDate within certain dates
aws.iamUser.userCreationTime: [2018-01-01 ... 2018-03-01]
Show users oci.resource.createdDate from starting 2018-01-01, ending 1 month ago
aws.iamUser.userCreationTime: [2018-01-01 ... now-1m]
Show users oci.resource.createdDate starting 2 weeks ago, ending 1 second ago
aws.iamUser.userCreationTime: [now-2w ... now-1s]
Show users oci.resource.createdDate on specific date
aws.iamUser.userCreationTime: 2018-01-08
aws.iamUser.userIdaws.iamUser.userId
Use values within quotes to help you find IAM users with a certain user ID.
Example
Show any findings with this ID
aws.iamUser.userId: ABCDEFGHIJ1K2
Show any findings that contain parts of ID
aws.iamUser.userId: "ABCDEFGHIJ1K2"
aws.iamUser.usernameaws.iamUser.username
Use values within quotes to help you find IAM users with a certain user name.
Example
Show any findings with this cloud.resource.name
aws.iamUser.username: Jane
aws.iamUser.pathaws.iamUser.path
Use values within quotes to help you find IAM users with path.
Example
Show any findings with this aws.iamRole.path
aws.iamUser.path: /
Show any findings that contain parts of aws.iamRole.path
aws.iamUser.path: "/"
aws.iamUser.group.nameaws.iamUser.group.name
Use values within quotes to help you find IAM users with a certain group name.
Example
Show any findings with this group cloud.resource.name
aws.iamUser.group.name: Admin
aws.iamUser.policy.arnaws.iamUser.policy.arn
Use a text value ##### to find users with the Policy Amazon Resource Name (ARN) of interest.
Example
Show Users with this Policy ARN
aws.iamUser.policy.arn: "aws.efs.arn:aws:iam::383031258652:user/LOCAL_1234"
aws.iamUser.boundaryPolicyaws.iamUser.boundaryPolicy
Use a text value ##### to find the IAM User based on the provided Boundary Policy
Example
Show users with this boundary policy
aws.iamUser.boundaryPolicy: DelegatedBoundaries
aws.iamUser.accessKey.idaws.iamUser.accessKey.id
Use a text value ##### to find the IAM User based on the provided Access Key ID
Example
Show users with the specified Acess Key ID
iamuser.accesskey.Id: AKIAIOSFODNN7EXAMPLE
AWS: AMI
Select the AMI state (pending, available, invalid, deregistered, transient, failed, error, disabled) to find Amazon Machine Images in the specified state.
Examples
Find available AMIs aws.ami.state: available
aws.ami.architectureaws.ami.architecture
Select the processor architecture (i386, x86_64, arm64, x86_64_mac, arm64_mac) to find AMIs built for the specified architecture.
Examples
Find AMIs for ARM64 architecture
mi.architecture: arm64
aws.ami.bootmodeaws.ami.bootmode
Select the boot mode (uefi, uefi-preferred, legacy-bios) to find AMIs with the specified boot mode.
Examples
Find AMIs using UEFI boot mode
aws.ami.bootmode: uefi
aws.ami.hypervisoraws.ami.hypervisor
Select the hypervisor azure.publicIpAddresses.type (ovm, xen) to find AMIs using the specified hypervisor.
Examples
Find AMIs using Xen hypervisor
aws.ami.hypervisor: xen
aws.ami.imageTypeaws.ami.imageType
Select the image azure.publicIpAddresses.type (machine, kernel, ramdisk) to find AMIs of the specified type.
Examples
Find machine images
aws.ami.imageType: machine
aws.ami.platformaws.ami.platform
Select the platform azure.publicIpAddresses.type to find AMIs built for specific operating systems and configurations.
Examples
Find Ubuntu Pro AMIs
aws.ami.platform: Ubuntu Pro
AWS: Policy
aws.iamPolicy.typeaws.iamPolicy.type
Select from the dropdown (AWS MANAGED, CUSTOMER MANAGED) to find policies belonging to the specified azure.publicIpAddresses.type
Example
Show policies with this type.
aws.iamPolicy.type: CUSTOMER MANAGED
aws.iamPolicy.subTypeaws.iamPolicy.subType
Select from the dropdown (GLOBAL, US_GOV) to find policies belonging to the specified subtype
Example
Show Policies with this sub type.
aws.iamPolicy.subType: GLOBAL
AWS: Group
aws.iamGroup.managedPolicy.arnaws.iamGroup.managedPolicy.arn
Use a text value to find groups based on their policy ARN
Example
Show policies with this arn.
aws.iamGroup.managedPolicy.arn: aws-policy
aws.iamGroup.inlinePolicy.policyNameaws.iamGroup.inlinePolicy.policyName
Use a text value to find groups based on their Inline policy cloud.resource.name
Example
Show policies with this name.
aws.iamGroup.inlinePolicy.policyName: inline-aws-policy
AWS: Role
aws.iamRole.pathaws.iamRole.path
Use a text value to find roles based on their aws.iamRole.path
Example
Show roles with this path.
aws.iamRole.path: "/"
aws.iamRole.lastActivity.lastUsedDateaws.iamRole.lastActivity.lastUsedDate
Use a date range or specific date to find when the role was used.
Example
Show roles used within certain dates
aws.iamRole.lastActivity.lastUsedDate: [2018-01-01 ... 2018-03-01]
Show roles used from starting 2018-01-01, ending 1 month ago
aws.iamRole.lastActivity.lastUsedDate: [2018-01-01 ... now-1m]
Show roles used starting 2 weeks ago, ending 1 second ago
aws.iamRole.lastActivity.lastUsedDate: [now-2w ... now-1s]
Show users oci.resource.createdDate on specific date
aws.iamRole.lastActivity.lastUsedDate: 2018-01-08
Use a date range or specific date to find when the resource was first discovered.
Example
Show resources discovered within certain dates
aws.iamRole.firstDiscoveredOn: [2024-01-01 ... 2024-03-01]
Show resources created starting 2018-10-01, ending 1 month ago
aws.iamRole.firstDiscoveredOn: [2024-01-01 ... now-1m]
Show resources created starting 2 weeks ago, ending 1 second ago
aws.iamRole.firstDiscoveredOn: [now-2w ... now-1s]
Show resources created on specific date
aws.iamRole.firstDiscoveredOn: 2024-01-08
aws.iamRole.arnaws.iamRole.arn
Use values within quotes to help you find the resources based on the arn.
Example
Find resources with the given ARN. Use backticks or quotes when providing the ARN value.
aws.iamRole.arn: "arn:aws:ec2:us-east-1:123456789012:instance/i-012abcd34efghi56"
AWS: VPC Endpoint
aws.vpc.endpoint.vpcaws.vpc.endpoint.vpc
Use a text value to find VPC Endpoints by providing VPC ID
Example
Show VPC Endpoints with this VPC ID.
aws.vpc.endpoint.vpc: vpc-7b955c06
aws.vpc.endpoint.typeaws.vpc.endpoint.type
Select from the dropdown ( 'Interface', 'Gateway', 'Gateway Load Balancer') to find VPC Endpoints by providing VPC azure.publicIpAddresses.type
Example
Show VPC Endpoints with this VPC type.
aws.vpc.endpoint.vpc: Interface
aws.vpc.endpoint.stateaws.vpc.endpoint.state
Select from the dropdown ( 'Available', 'Deleted', 'Deleting', 'Pending') to find VPC Endpoints by providing the state
Example
Show VPC Endpoints with this state.
aws.vpc.endpoint.state: Available
aws.vpc.endpoint.privateDnsEnabledaws.vpc.endpoint.privateDnsEnabled
Use true | false to find VPC Endpoints with Private DNS Enabled.
Example
Show VPC Enpoints with private DNS Enabled.
aws.vpc.endpoint.privateDnsEnabled: true
aws.vpc.endpoint.requesterManagedaws.vpc.endpoint.requesterManaged
Use true | false to find VPC Endpoints with VPC manage set to true/false.
Example
Show VPC Endpoints with requester manged set to True.
aws.vpc.endpoint.requesterManaged: true
aws.vpc.endpoint.ipAddressTypeaws.vpc.endpoint.ipAddressType
Select from the dropdown ( 'ipv4', 'ipv6') to find VPC Endpoints by providing the state
Example
Show VPC Endpoints with this IP address type.
aws.vpc.endpoint.ipAddressType: ipv4
AWS: VPC Endpoint Service
aws.vpc.endpointService.typeaws.vpc.endpointService.type
Select from the dropdown ( 'Interface', 'Gateway', 'Gateway Load Balancer') to find VPC Endpoint Service by providing VPC azure.publicIpAddresses.type
Example
Show VPC Endpoints with this VPC type.
aws.vpc.endpointService.type: Interface
aws.vpc.endpointService.supportedIpAddressTypeaws.vpc.endpointService.supportedIpAddressType
Select from the dropdown ( 'ipv4', 'ipv6') to find VPC Endpoints by providing the state
Example
Show VPC Endpoints service with this IP address type.
vpcendpointservice.supportedIpAddressTypee:ipv4
aws.vpc.endpointService.isAcceptanceRequiredaws.vpc.endpointService.isAcceptanceRequired
Use true | false to find VPC Endpoints with acceptance set to required
Example
Show VPC Endpoints with acceptance set to True.
aws.vpc.endpointService.isAcceptanceRequired: true
aws.vpc.endpointService.owneraws.vpc.endpointService.owner
Use an integer value to find VPC Endpoint service based on the VPC owner
Example
Show VPC Endpoint services belonging to the specified owner
aws.vpc.endpointService.owner:951386378875
AWS: Instance
These tokens are available in queries with cloud.resource.type:Instance
aws.ec2.availabilityZoneaws.ec2.availabilityZone
Select the availability zone you're interested in. Select from names in the drop-down menu.
Example
Show findings in the us-east-1a availability zone
aws.ec2.availabilityZone: us-east-1a
aws.ec2.imageIdaws.ec2.imageId
Use a text value ##### to find EC2 instances with a certain Image (AMI) ID.
Example
Show findings with this image ID
aws.ec2.imageId: ami-2ea83347
aws.ec2.isDockerHostaws.ec2.isDockerHost
Use the values true | false to define whether the instance has a docker installed on the host.
Example
Show instances with docker installed on the host
aws.ec2.isDockerHost:true
Show instances without docker installed on the host
aws.ec2.isDockerHost:false
aws.ec2.hasSensoraws.ec2.hasSensor
Use the values true | false to define whether the instance has a Container Security Sensor installed on the host.
Example
Show instances with Container Security Sensor installed on the host
aws.ec2.hasSensor:true
Show instances without Container Security Sensor installed on the host
aws.ec2.hasSensor:false
aws.ec2.dockerVersionaws.ec2.dockerVersion
Use a text value ##### to define Docker version you are looking for.
Example
Show instances with specified docker version
aws.ec2.dockerVersion:8.2
aws.ec2.firstScanDateaws.ec2.firstScanDate
Use a specific date to filter instances based on the timestamp at which they were first scanned using any of the available scan techniques.
Example
Show instances with the first scan date as 2025-04-08
aws.ec2.firstScanDate:2025-04-08
aws.ec2.lastScanDateaws.ec2.lastScanDate
Use a specific date to filter instances based on the timestamp at which they were last scanned using any of the available scan techniques.
Example
Show instances with the last scan date as 2025-04-14
aws.ec2.lastScanDate:2025-04-14
aws.ec2.scanTypeaws.ec2.scanType
Select a scan type from the drop-down to filter instances by that type.
Available options are:
(API Based Scan, Cloud Agent Scan, Cloud Perimeter Scan, Snapshot Based Scan, VM Scan, and Other Scan)
Example
Show instances scanned with API Based Scan
aws.ec2.scanType: "API Based Scan"
aws.ec2.networkInterface.addressIdaws.ec2.networkInterface.addressId
Use a text value ##### to find EC2 instances with a certain network interface address ID.
Example
Show findings with this address ID
aws.ec2.networkInterface.addressId: id-12345
aws.ec2.networkInterface.descriptionaws.ec2.networkInterface.description
Use values within quotes to help you find network interfaces with certain keywords in the description.
Example
Show any findings with this description
aws.ec2.networkInterface.description: My Description
Show any findings that contain parts of description
aws.ec2.networkInterface.description: "My Description"
aws.ec2.networkInterface.groupIdaws.ec2.networkInterface.groupId
Use a text value ##### to find network interfaces with a certain group ID.
Example
Show findings with this group ID
aws.ec2.networkInterface.groupId: sg-1a2b3c4d
aws.ec2.networkInterface.groupNameaws.ec2.networkInterface.groupName
Use a text value ##### to find network interfaces with a certain group name.
Example
Show findings with this group name
aws.ec2.networkInterface.groupName: My Group
aws.ec2.networkInterface.ipv6Ipaws.ec2.networkInterface.ipv6Ip
Use a text value ##### to find EC2 instances having network interface with a certain IPv6 IP address.
Example
Show findings with this IPv6 address
aws.ec2.networkInterface.ipv6Ip: 2010:ab2::1234:zzz:2002:1f
aws.ec2.networkInterface.privateDnsaws.ec2.networkInterface.privateDns
Use a text value ##### to find EC2 instances having network interface with a certain private DNS name.
Example
Show findings with this private DNS name
aws.ec2.networkInterface.privateDns: ip-172-31-33-67.us-east-2.compute.internal
aws.ec2.networkInterface.privateIpAddressaws.ec2.networkInterface.privateIpAddress
Use a text value ##### to find EC2 instances having network interface with a certain private IP address.
Example
Show findings with this private IP
aws.ec2.networkInterface.privateIpAddress: 172.31.28.151
aws.ec2.networkInterface.publicIpaws.ec2.networkInterface.publicIp
Use a text value ##### to find EC2 instances having network interface with a certain public IP address.
Example
Show findings with this public IP address
aws.ec2.networkInterface.publicIp: 13.126.125.189
aws.ec2.networkInterface.secondaryPrivateIpaws.ec2.networkInterface.secondaryPrivateIp
Use a text value ##### to find EC2 instances having network interface with a certain secondary private IP address.
Example
Show findings with this secondary private IP
aws.ec2.networkInterface.secondaryPrivateIp: 10.0.0.85
aws.ec2.networkInterface.subnetIdaws.ec2.networkInterface.subnetId
Use a text value ##### to find EC2 instances having network interface on a certain subnet.
Example
Show findings on this subnet ID
aws.ec2.networkInterface.subnetId: subnet-6f2cec07
aws.ec2.networkInterface.privateDnsaws.ec2.networkInterface.privateDns
Use a text value ##### to find EC2 instances having a private DNS address you're interested in.
Example
Show findings with this private DNS address
aws.ec2.networkInterface.privateDns: ip-10-90-2-85.ec2.internal
aws.ec2.networkInterface.privateIpAddressaws.ec2.networkInterface.privateIpAddress
Use a text value ##### to find EC2 instances having a private IPv4 address you're interested in.
Example
Show findings with this private IP address
aws.ec2.networkInterface.privateIpAddress: 10.90.0.119
aws.ec2.privateDnsaws.ec2.privateDns
Use a text value ##### to find EC2 instances having a private DNS name you're interested in.
Example
Show findings with this private DNS name
aws.ec2.privateDns: ip-10-90-2-85.ec2.internal
aws.ec2.privateIpAddressaws.ec2.privateIpAddress
Use a text value ##### to find EC2 instances having a private IPv4 address you're interested in.
Example
Show findings with this private IP address
aws.ec2.privateIpAddress: 10.90.0.119
aws.ec2.publicDnsaws.ec2.publicDns
Use a text value ##### to find EC2 instances having a public DNS address you're interested in.
Example
Show findings with this public DNS address
aws.ec2.publicDns: ec2-52-70-141-154.compute-1.amazonaws.com
aws.ec2.publicIpAddressaws.ec2.publicIpAddress
Use a text value ##### to find EC2 instances having a public IPv4 address you're interested in.
Example
Show findings with this public IP address
aws.ec2.publicIpAddress: 52.70.141.154
aws.ec2.secondaryPrivateIpAddressaws.ec2.secondaryPrivateIpAddress
Use a text value ##### to find EC2 instances having a secondary private IPv4 address you're interested in.
Example
Show findings with this secondary private IP
aws.ec2.secondaryPrivateIpAddress: 10.90.0.119
aws.ec2.securityGroup.idaws.ec2.securityGroup.id
Use a text value ##### to find EC2 instances having a certain security group ID.
Example
Show EC2 instances with this security group ID
aws.ec2.securityGroup.id: sg-4798a22f
instance.securityGroup.nameinstance.securityGroup.name
Use a text value ##### to find EC2 instances having a certain security group name.
Example
Show findings with this security group name
instance.securityGroup.name: Windows RDP Allow Group
aws.ec2.spotInstanceRequestIdaws.ec2.spotInstanceRequestId
Use a text value ##### to find EC2 instances having a certain Spot Instance request ID.
Example
Show findings with this Spot Instance request ID
aws.ec2.spotInstanceRequestId: sir-08b93456
aws.ec2.instanceStateaws.ec2.instanceState
Select a state name (pending, running, shutting-down, terminated, etc) to find EC2 instances with a certain state. Select from names in the drop-down menu.
Example
Show running EC2 instances
aws.ec2.instanceState: running
Select the status (ok, impaired, insufficient-data, etc) you're interested in. Select from names in the drop-down menu.
Example
Show EC2 instances with impaired status
aws.ec2.status: impaired
aws.ec2.subnetIdaws.ec2.subnetId
Use a text value ##### to find EC2 instances residing on a certain subnet ID.
Example
Show findings on this subnet ID
aws.ec2.subnetId: subnet-bc02c0d4
aws.ec2.instanceTypeaws.ec2.instanceType
Select the type of EC2 instance you're interested in. Select from names in the drop-down menu.
Example
Show findings with this instance type
aws.ec2.instanceType: t2.micro
Use a text value ##### to find EC2 instances having a certain VPC ID.
Example
Show findings with this VPC ID
aws.ec2.vpcId: vpc-1e37cd76
aws.ec2.profileNameaws.ec2.profileName
Use a text value ##### to find EC2 instances having a certain profile name.
Example
Show all EC2 instances having ANY instance profile
aws.ec2.profileName: (*..*)
aws.ec2.profileArnaws.ec2.profileArn
Use a text value ##### to find EC2 instances having a certain profile arn.
Example
Show all EC2 instances having profile arn
aws.ec2.profileArn: abc12345arnsample
Show all EC2 instances that exactly match the specified profile arn
aws.ec2.profileArn: `abc12345arnsample`
instanceProfile.roleNameinstanceProfile.roleName
Enter the name of roles associated with the profiles to search all the EC2 instances associated with it.
Example
Show all instances NOT associated with any roles in the profile
instanceProfile.roleName is null
instanceProfile.roleArninstanceProfile.roleArn
Enter the instance profile arn to search all the EC2 instances associated with it.
Example
Show all instances associated with any arn
instanceProfile.roleArn: (*..*)
Show all instances that exactly match the arn
instanceProfile.roleArn:`1de1e0a7-4f67-4812-917d-1236853844e1`
aws.ec2.truRiskaws.ec2.truRisk
Use an integer value (0-1000) to search for all the EC2 instances with the specified risk score.
Example
Show all instances with a risk score greater than 125
aws.ec2.truRisk > 125
Show all instances with the risk score of 125
aws.ec2.truRisk: 125
connector.isRemediationEnabledconnector.isRemediationEnabled
Use true to view the resources associated with the connector for which remediation is enabled.
Example
Show resources associated with the connector for which remediation is enabled
connector.isRemediationEnabled: TRUE
Select the action status ("Sucess", "Queued", "Error") you're interested in. Select from names in the drop-down menu.
Example
Show resources with success status for remediation action
action.status: Success
aws.ec2.hasAgentaws.ec2.hasAgent
Select (True, False) to define whether the instance has a cloud agent installed.
Example
Show findings with a cloud agent
aws.ec2.hasAgent:true
Show findings without a cloud agent
aws.ec2.hasAgent:false
aws.ec2.hasThreatsaws.ec2.hasThreats
Select (True, False) to find instances that have or have not been associated with any detected threats.
Example
Show instances that have been associated with any detected threats
aws.ec2.hasThreats: true
Show instances that have not been associated with any detected threats
aws.ec2.hasThreats: false
aws.ec2.hasSecretsaws.ec2.hasSecrets
Select (True, False) to find instances that have or have not been associated with any exposed secrets.
Example
Show instances that have been associated with any exposed secrets
aws.ec2.hasSecrets: true
Show instances that have not been associated with any detected threats
aws.ec2.hasSecrets: false
aws.ec2.networkInterface.publicIpV6aws.ec2.networkInterface.publicIpV6
Use a text value ##### to find EC2 instances having network interface with a certain public IPV6 address.
Example
Show findings with this public IPV6 address
aws.ec2.networkInterface.publicIpV6: 13.126.125.189
hasThreat.SuspiciousComm.PortScanhasThreat.SuspiciousComm.PortScan
Select (True, False) to find assets that have or have not been detected performing port scanning activities.
Example
Show assets detected performing port scans
hasThreat.SuspiciousComm.PortScan: true
hasThreat.SuspiciousComm.AddressScanhasThreat.SuspiciousComm.AddressScan
Select (True, False) to find assets that have or have not been detected performing address scanning activities.
Example
Show assets detected performing address scans
hasThreat.SuspiciousComm.AddressScan: true
hasThreat.LateralMove.RDPHotAccounthasThreat.LateralMove.RDPHotAccount
Select (True, False) to find assets associated with RDP hot accounts, which may indicate potential lateral movement attempts.
Example
Show assets associated with RDP hot accounts
hasThreat.LateralMove.RDPHotAccount: true
hasThreat.LateralMove.RDPbruteforcehasThreat.LateralMove.RDPbruteforce
Select (True, False) to find assets that have or have not been targets of RDP brute force attempts.
Example
Show assets that have been targets of RDP brute force attempts
hasThreat.LateralMove.RDPbruteforce: true
hasThreat.LateralMove.RDPScanhasThreat.LateralMove.RDPScan
Select (True, False) to find assets that have or have not been detected performing RDP scanning activities.
Example
Show assets detected performing RDP scans
hasThreat.LateralMove.RDPScan: true
hasThreat.LateralMove.SSHbruteforcehasThreat.LateralMove.SSHbruteforce
Select (True, False) to find assets that have or have not been targets of SSH brute force attempts.
Example
Show assets that have been targets of SSH brute force attempts
hasThreat.LateralMove.SSHbruteforce: true
hasThreat.CnC.DNShasThreat.CnC.DNS
Select (True, False) to find assets that have or have not been detected communicating with potential Command and Control (C&C) servers over DNS.
Example
Show assets detected communicating with potential C&C servers over DNS
hasThreat.CnC.DNS: true
hasThreat.CnC.HTTPShasThreat.CnC.HTTPS
Select (True, False) to find assets that have or have not been detected communicating with potential Command and Control (C&C) servers over HTTPS.
Example
Show assets detected communicating with potential C&C servers over HTTPS
hasThreat.CnC.HTTPS: true
hasThreat.CnC.HTTPhasThreat.CnC.HTTP
Select (True, False) to find assets that have or have not been detected communicating with potential Command and Control (C&C) servers over HTTP.
Example
Show assets detected communicating with potential C&C servers over HTTP
hasThreat.CnC.HTTP: true
hasThreat.Exfiltration.DNShasThreat.Exfiltration.DNS
Select (True, False) to find assets that have or have not been detected potentially exfiltrating data over DNS.
Example
Show assets detected potentially exfiltrating data over DNS
hasThreat.Exfiltration.DNS: true
hasThreat.MalwarehasThreat.Malware
Select (True, False) to find assets that have or have not been detected with potential malware infections.
Example
Show assets detected with potential malware infections
hasThreat.Malware: true
scanType.isSnapshotScanEnabledscanType.isSnapshotScanEnabled
Select (True, False) to find instances discovered by Connectors with Snapshot Scan enabled.
Example
Show instances discovered by Connectors with Snapshot Scan enabled
scanType.isSnapshotScanEnabled: true
threats.eventNotethreats.eventNote
Provide a string value to find instances with threats based on their event note.
Example
Show instances with the specified threat event note
threats.eventNote: truephishing
AWS: Secrets
aws.secrets.rotationEnabledaws.secrets.rotationEnabled
Select (True, False) to find secrets with rotation enabled or disabled.
Example
Show secrets with rotation enabled
aws.secrets.rotationEnabled: true
aws.secrets.kmsKeyIdaws.secrets.kmsKeyId
Provide a string value to find secrets associated with a specific AWS Key Management Service (KMS) key ID.
Example
Find secrets using the KMS key ID "1234abcd-12ab-34cd-56ef-1234567890ab"
aws.secrets.kmsKeyId: 1234abcd-12ab-34cd-56ef-1234567890ab
aws.secrets.arnaws.secrets.arn
Provide a string value to find secrets with a specific Amazon Resource Name (ARN).
Example
Find a secret with the ARN "aws.efs.arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-a1b2c3"
aws.secrets.arn: "aws.efs.arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecret-a1b2c3"
aws.secrets.nameaws.secrets.name
Provide a string value to find secrets with a specific name.
Example
Find secrets named "database-credentials"
aws.secrets.name: database-credentials
AWS: SageMaker Notebook
aws.sageMaker.notebook.arnaws.sageMaker.notebook.arn
Provide a string value in quotes (" ") or backtick (` `) to find SageMaker Notebook instances with a specific Amazon Resource Name (ARN).
Example
Find a SageMaker Notebook instance with the ARN "aws.efs.arn:aws:sagemaker:us-west-2:123456789012:notebook-instance/my-notebook"
aws.sageMaker.notebook.arn: "aws.efs.arn:aws:sagemaker:us-west-2:123456789012:notebook-instance/my-notebook"
aws.sageMaker.notebook.nameaws.sageMaker.notebook.name
Provide a string value to find SageMaker Notebook instances with a specific name.
Example
Find SageMaker Notebook instances named "data-science-notebook"
aws.sageMaker.notebook.name: data-science-notebook
aws.sageMaker.notebook.statusaws.sageMaker.notebook.status
Select the required status from the drop-down menu (InService, Stopped, Failed, Deleting, Pending) to find SageMaker Notebook instances based on their current status.
Example
Show SageMaker Notebook instances that are currently in service
aws.sageMaker.notebook.status: InService
AWS: CloudFront Distribution
aws.cloudFront.distributions.idaws.cloudFront.distributions.id
Provide a string value to find CloudFront distributions with a specific ID.
Example Find a CloudFront distribution with the ID "E2QWRUHAPOMQZL"
aws.cloudFront.distributions.id: E2QWRUHAPOMQZL
aws.cloudFront.distributions.domainNameaws.cloudFront.distributions.domainName
Provide a string value to find CloudFront distributions with a specific domain name.
Example
Find CloudFront distributions with the domain cloud.resource.name "d111111abcdef8.cloudfront.net"
aws.cloudFront.distributions.domainName: d111111abcdef8.cloudfront.net
aws.cloudFront.distributions.enabledaws.cloudFront.distributions.enabled
Select (True, False) to find CloudFront distributions that are enabled or disabled.
Example
Show CloudFront distributions that are currently enabled
aws.cloudFront.distributions.enabled: true
aws.cloudFront.distributions.priceClassaws.cloudFront.distributions.priceClass
Find CloudFront distributions based on their price class. Select the required class from the drop-down menu (PriceClass_100, PriceClass_200, PriceClass_All).
Example
Show CloudFront distributions with the price class PriceClass_200
aws.cloudFront.distributions.priceClass: PriceClass_200
aws.cloudFront.distributions.stagingaws.cloudFront.distributions.staging
Select (True, False) to find CloudFront distributions that are in staging or production environment.
Example
Show CloudFront distributions that are in the staging environment
aws.cloudFront.distributions.staging: true
aws.cloudFront.distributions.arnaws.cloudFront.distributions.arn
Provide a string value to find CloudFront distributions with a specific Amazon Resource Name (ARN).
Example
Find a CloudFront distribution with the ARN "aws.efs.arn:aws:cloudfront::123456789012:distribution/E2QWRUHAPOMQZL"
aws.cloudFront.distributions.arn: "aws.efs.arn:aws:cloudfront::123456789012:distribution/E2QWRUHAPOMQZL"
aws.cloudFront.distributions.loggingEnabledaws.cloudFront.distributions.loggingEnabled
Select (True, False) to find CloudFront distributions with logging enabled or disabled.
Example
Show CloudFront distributions with logging enabled
aws.cloudFront.distributions.loggingEnabled: true
Route 53 Domains
aws.route53.domain.autoRenewaws.route53.domain.autoRenew
Select (True, False) to find Route 53 domains based on their auto-renewal status.
Example
Show domains with auto-renewal enabled.
aws.route53.domain.autoRenew: true
Route 53 Hosted Zones
route53.hostedZone.recordnameroute53.hostedZone.recordname
Provide a string value to find Route 53 hosted zones with the specified record name.
Example
Find hosted zones with the record "www.example.com"
route53.hostedZone.recordname: www.example.com
Select (True, False) to find Route 53 hosted zones based on whether they are private or public.
Example
Show private hosted zones.
route53.hostedZone.isPrivateZone: true
Provide a string value to find Route 53 hosted zones with the specified Amazon Resource Name (ARN).
Example
Find a hosted zone with a specific ARN.
route53.hostedZone.arn: "aws.efs.arn:aws:route53:::hostedzone/Z1PA6795UKMFR9"
Redshift
aws.redshift.clusterIdentifieraws.redshift.clusterIdentifier
Provide a string value to find Redshift clusters with the specified cluster identifier.
Example
Find a Redshift cluster with identifier "my-redshift-cluster"
aws.redshift.clusterIdentifier: my-redshift-cluster
aws.redshift.clusterStatusaws.redshift.clusterStatus
Select from available options (e.g., available, creating, deleting, final-snapshot, modifying, rebooting, renaming, resizing) to find Redshift clusters with the specified status.
Example
Show Redshift clusters that are currently available.
aws.redshift.clusterStatus: available
aws.redshift.clusterNamespaceArnaws.redshift.clusterNamespaceArn
Provide a string value to find Redshift clusters with the specified namespace ARN (Amazon Resource Name).
Example
Find a Redshift cluster with a specific namespace ARN.
aws.redshift.clusterNamespaceArn: "aws.efs.arn:aws:redshift:us-west-2:123456789012:namespace:my-namespace"
aws.redshift.kmsKeyIdaws.redshift.kmsKeyId
Provide a string value to find Redshift clusters using the specified KMS (Key Management Service) key ID for encryption.
Example
Find Redshift clusters using a specific KMS key.
aws.redshift.kmsKeyId: 1234abcd-12ab-34cd-56ef-1234567890ab
Elastic Container Registry
aws.ecr.registryIdaws.ecr.registryId
Provide a string value to find ECR repositories associated with the specified registry ID.
Example
Find ECR repositories in registry "123456789012" aws.ecr.registryId: 123456789012
Provide a string value to find ECR repositories with the specified Amazon Resource Name (ARN).
Example
Find an ECR repository with a specific ARN
aws.ecr.arn: aws.efs.arn:aws:ecr:us-west-2:123456789012:repository/my-repo
aws.ecr.encryptionConfigurations.encryptionTypeaws.ecr.encryptionConfigurations.encryptionType
Select from available options (e.g., AES256, KMS) to find ECR repositories with the specified encryption type.
Example
Show ECR repositories using KMS encryption.
ecr.encryyptionConfigurations.encryptionType: KMS
aws.ecr.imageTagMutabilityaws.ecr.imageTagMutability
Select from available options (MUTABLE, IMMUTABLE) to find ECR repositories with the specified image tag mutability setting.
Example
Show ECR repositories with immutable tags. aws.ecr.imageTagMutability: IMMUTABLE
aws.ecr.imageScanningConfiguration.scanOnPushaws.ecr.imageScanningConfiguration.scanOnPush
Select (True, False) to find ECR repositories based on whether they're configured to scan images on push.
Example
Show ECR repositories with scan on push enabled.
aws.ecr.imageScanningConfiguration.scanOnPush: true
aws.ecr.imageDigestaws.ecr.imageDigest
Provide a string value to find ECR images with the specified image digest.
Example
Find an ECR image with a specific digest aws.ecr.imageDigest: sha256:a1b2c3d4e5f6...
aws.ecr.repositoryUriaws.ecr.repositoryUri
Provide a string value to find ECR repositories with the specified URI.
Example
Find an ECR repository with URI "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo"
aws.ecr.repositoryUri: 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo
Vulnerability Tokens
These tokens are available in queries with cloud.resource.type:vulnerability
finding.vulnerability.qidfinding.vulnerability.qid
Use an integer value ##### to define the QID in question.
Example
Show findings with QID 90405
finding.vulnerability.qid:90405
finding.vulnerability.severityfinding.vulnerability.severity
Select a severity (1-5) to find assets having vulnerabilities with this severity. Select from values in the drop-down menu.
Example
Show findings with severity 4
finding.vulnerability.severity:4
finding.vulnerability.customerSeverityfinding.vulnerability.customerSeverity
Use an integer value ##### to view the severity level set by Qualys to find assets having vulnerabilities. The severity level ranges between 1-5. Select from values in the drop-down menu.
Example
Show findings with custom severity 3
finding.vulnerability.customerSeverity:3
finding.vulnerability.exploitabilityfinding.vulnerability.exploitability
Use values within quotes or backticks to help you find known exploit description you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings related to this description
finding.vulnerability.exploitability: GIF Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
finding.vulnerability.exploitability: "GIF Parser Heap"
Show any findings that match exact value
finding.vulnerability.exploitability: `GIF Parser Heap`
finding.vulnerability.isPatchAvailablefinding.vulnerability.isPatchAvailable
Use the values true | false to define vulnerabilities with patch available.
Example
Show findings with patch available
finding.vulnerability.isPatchAvailable: "true"
Show findings with no patch available
finding.vulnerability.isPatchAvailable: "false"
finding.vulnerability.firstFoundDatefinding.vulnerability.firstFoundDate
Use a date range or specific date to define when findings were first found.
Example
Show findings first found within certain dates
finding.vulnerability.firstFoundDate: [2015-10-21 ... 2015-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
finding.vulnerability.firstFoundDate: [2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
finding.vulnerability.firstFoundDate: [now-2w ... now-1s]
Show findings first found on certain date
finding.vulnerability.firstFoundDate:'2015-11-11'
finding.vulnerability.lastFoundDatefinding.vulnerability.lastFoundDate
Use a date range or specific date to define when findings were last found.
Example
Show findings last found within certain dates
finding.vulnerability.lastFoundDate: [2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
finding.vulnerability.lastFoundDate: [2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
finding.vulnerability.lastFoundDate: [now-2w ... now-1s]
Show findings last found on certain date
finding.vulnerability.lastFoundDate:'2016-01-11'
Show findings last found on 2017-01-12 with patch available
finding.vulnerability.lastFoundDate: '2017-01-12' AND finding.vulnerability.isPatchAvailable: "true")
finding.vulnerability.titlefinding.vulnerability.title
Use quotes or backticks within values to help you find the title you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings related to this title
finding.vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
finding.vulnerability.title: "Remote Code"
Show any findings that match exact value
finding.vulnerability.title: `Remote Code`
finding.vulnerability.descriptionfinding.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings related to description
finding.vulnerability.description: remote code execution
Show any findings that contain "remote" or "code" in description
finding.vulnerability.description: "remote code execution"
Show any findings that match exact value
finding.vulnerability.description: `remote code execution`
finding.vulnerability.cveIdfinding.vulnerability.cveId
Use a text value ##### to find the CVE name you're interested in.
Example
Show findings with CVE name CVE-2015-0313
finding.vulnerability.cveId: CVE-2015-0313
finding.vulnerability.categoryfinding.vulnerability.category
Select a category (CGI, Database, DNS, BIND, etc) to find vulnerabilities with this category. Select from names in the drop-down menu.
Example
Show findings with the category CGI
finding.vulnerability.category: "CGI"
finding.vulnerability.cvss3BaseScorefinding.vulnerability.cvss3BaseScore
Use an integer value ##### to help you find the CVSS base score you're interested in.
Example
Show assets with this score
finding.vulnerability.cvss3BaseScore: 7.8
finding.vulnerability.cvss3TemporalScorefinding.vulnerability.cvss3TemporalScore
Use an integer value ##### to help you find the CVSS temporal score you're interested in.
Example
Show assets with this score
finding.vulnerability.cvss3TemporalScore: 6.4
finding.vulnerability.cvss2AccessVectorfinding.vulnerability.cvss2AccessVector
Select the name ##### of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.
Example
Show findings with this name
finding.vulnerability.cvss2AccessVector: "NETWORK"
finding.vulnerability.portfinding.vulnerability.port
Use an integer value ##### to help you find assets with some open port.
Example
Show vulnerability with port 80
finding.vulnerability.port: 80
finding.vulnerability.protocolfinding.vulnerability.protocol
Use a text value ##### (UDP or TCP) to define the port protocol you're interested in.
Example
Show findings found on TCP
finding.vulnerability.protocol: TCP
Show findings found on port 80 and TCP
vulnerability: (port: 80 AND protocol: TCP)
finding.vulnerability.typeDetectedfinding.vulnerability.typeDetected
Select a detection type (e.g. Confirmed, Potential, Information) to find instances with vulnerabilities of this type. Select from names in the drop-down menu.
Example
Show findings with this type
finding.vulnerability.typeDetected:Confirmed
finding.vulnerability.isPCIfinding.vulnerability.isPCI
Use the values true | false to find vulnerabilities that must be fixed for PCI Compliance (per PCI DSS).
Example
Show PCI vulnerabilities
finding.vulnerability.isPCI:TRUE
Do not show PCI vulnerabilities
finding.vulnerability.isPCI:FALSE
finding.vulnerability.authTypefinding.vulnerability.authType
Select the name (WINDOWS_AUTH, UNIX_AUTH, ORACLE_AUTH, etc) of an authentication type you're interested in. Select from names in the drop-down menu.
Example
Show findings with Windows auth type
finding.vulnerability.authType:WINDOWS_AUTH
finding.vulnerability.bugTraqIdfinding.vulnerability.bugTraqId
Use a text value ##### to find a BugTraq number you're interested in.
Example
Show findings with BugTraq ID 22211
finding.vulnerability.bugTraqId:22211
finding.vulnerability.compliance.descriptionfinding.vulnerability.compliance.description
Use quotes or backticks within values to help you find the compliance description you're looking for.
Example
Show any findings related to this description
finding.vulnerability.compliance.description:malicious software
Show any findings that contain "malicious" or "software" in description
finding.vulnerability.compliance.description:"malicious software"
Show any findings that match exact value "malicious software"
finding.vulnerability.compliance.description:`malicious software`
finding.vulnerability.compliance.sectionfinding.vulnerability.compliance.section
Use quotes or backticks within values to help you find the compliance section you're looking for.
Example
Show any findings related to this section
finding.vulnerability.compliance.section:164.308
Show any findings that contain parts of section
finding.vulnerability.compliance.section:"164.308"
Show any findings that match exact value "164.308"
finding.vulnerability.compliance.section:`164.308`
finding.vulnerability.compliance.typefinding.vulnerability.compliance.type
Select the name ##### of a compliance type you're interested in (e.g. COBIT, HIPAA, GLBA, SOX). Select from names in the drop-down menu.
Example
Show findings with the compliance type HIPAA
finding.vulnerability.compliance.type:HIPAA
finding.vulnerability.consequencefinding.vulnerability.consequence
Use quotes or backticks within values to help you find the consequence you're looking for.
Example
Show any findings related to consequence
finding.vulnerability.consequence:sensitive information
Show any findings that contain "sensitive" or "information" in consequence
finding.vulnerability.consequence:"sensitive information"
Show any findings that match exact value "sensitive information"
finding.vulnerability.consequence:`sensitive information`
finding.vulnerability.flagfinding.vulnerability.flag
Use a text value ##### to find the Qualys defined vulnerability property of interest (e.g. REMOTE, WINDOWS_AUTH, UNIX_AUTH, PCI_RELATED etc).
Example
Show findings with this flag
finding.vulnerability.flag:PCI_RELATED
finding.vulnerability.listfinding.vulnerability.list
Use a text value ##### to find the vulnerability list of interest (e.g. SANS_20, QUALYS_20, QUALYS_INT_10, QUALYS_EXT_10).
Example
Show findings with vulnerabilities in SANS Top 20
finding.vulnerability.list:SANS_20
finding.vulnerability.patchesfinding.vulnerability.patches
Use an integer value ##### to help you find the patch QID you're interested in.
Example
Show assets with this patch QID
finding.vulnerability.patches:90753
finding.vulnerability.publishedDatefinding.vulnerability.publishedDate
Use a date range or specific date to define when vulnerabilities were first published in the KnowledgeBase.
Example
Show findings for vulnerabilities published within certain dates
finding.vulnerability.publishedDate:[2015-10-21 ... 2016-01-15]
Show findings for vulnerabilities published starting 2017-01-01, ending 1 month ago
finding.vulnerability.publishedDate:[2017-01-01 ... now-1M]
Show findings for vulnerabilities published starting 2 weeks ago, ending 1 second ago
finding.vulnerability.publishedDate:[now-2w ... now-1s]
Show findings for vulnerabilities published on certain date
finding.vulnerability.publishedDate:'2018-01-15'
finding.vulnerability.riskfinding.vulnerability.risk
Use an integer value ##### to define the vulnerability risk rating you're interested in. For confirmed and potential issues risk is 10 times severity, for information gathered it is severity.
Example
Show findings with risk 50
finding.vulnerability.risk:50
finding.vulnerability.cvss2BaseScorefinding.vulnerability.cvss2BaseScore
Use an integer value ##### to help you find the CVSS base score you're interested in.
Example
Show instances with this score
finding.vulnerability.cvss2BaseScore:7.8
finding.vulnerability.cvss2TemporalScorefinding.vulnerability.cvss2TemporalScore
Use an integer value ##### to help you find the CVSS temporal score you're interested in.
Example
Show instances with this score
finding.vulnerability.cvss2TemporalScore:6.4
finding.vulnerability.discoveryTypefinding.vulnerability.discoveryType
Select a discovery type (Remote or Authenticated) to find instances with vulnerabilities having this discovery type. Select from names in the drop-down menu.
Example
Show findings with Remote discovery type
finding.vulnerability.discoveryType:REMOTE
finding.vulnerability.sans20Categoriesfinding.vulnerability.sans20Categories
Use a text value ##### to find vulnerabilities in the SANS 20 category you're interested in (e.g. Anti-virus Software, Backup Software, etc).
Example
Show findings with this category name
finding.vulnerability.sans20Categories:Media Players
finding.vulnerability.solutionfinding.vulnerability.solution
Use quotes or backticks within values to help you find the solution you're looking for.
Example
Show any findings related to this solution
finding.vulnerability.solution:Bulletin MS10-006
Show any findings that contain parts of solution
finding.vulnerability.solution:"Bulletin MS10-006"
Show any findings that match exact value "Bulletin MS10-006"
finding.vulnerability.solution:`Bulletin MS10-006`
finding.vulnerability.statusfinding.vulnerability.status
Select the vulnerability status (ACTIVE, FIXED, NEW, REOPENED) you're interested in. Select from names from the drop-down menu.
Example
Show vulnerabilities with ACTIVE status
finding.vulnerability.status:ACTIVE
finding.vulnerability.supportedBy.serviceNamefinding.vulnerability.supportedBy.serviceName
Select a Qualys service (VM, Agent type, etc) to show vulnerabilities that can be detected by this service. Select from names in the drop-down menu.
Example
Show vulnerabilities supported by Linux Agent
finding.vulnerability.supportedBy.serviceName:LINUX_AGENT
finding.vulnerability.vendorReffinding.vulnerability.vendorRef
Use a text value ##### to find the vendor reference you're interested in.
Example
Show this vendor reference
finding.vulnerability.vendorRef:KB3021953
finding.vulnerability.vendorProductNamefinding.vulnerability.vendorProductName
Use a text value ##### to find the vendor product name you're interested in.
Example
Show findings with this vendor product name
finding.vulnerability.vendorProductName:Windows
finding.vulnerability.vendorNamefinding.vulnerability.vendorName
Use a text value ##### to find the vendor name you're interested in.
Example
Show findings with this vendor name
finding.vulnerability.vendorName:Adobe
Threat Protection
(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).
finding.vulnerability.threatIntel.isActiveAttackfinding.vulnerability.threatIntel.isActiveAttack
Use the values true | false to define real-time threats due to active attacks.
Example
Show resources with threats due to active attacks
finding.vulnerability.threatIntel.isActiveAttack: "true"
Use the values true | false to define real-time threats due to denial of service.
Example
Show resources with threats due to denial of service
finding.vulnerability.threatIntel.isDenialOfService: "true"
vulnerability.threatIntel.easyExploitvulnerability.threatIntel.easyExploit
Use the values true | false to define real-time threats due to easy exploit.
Example
Show resources with threats due to easy exploit
vulnerability.threatIntel.easyExploit: "true"
finding.vulnerability.threatIntel.exploitKitfinding.vulnerability.threatIntel.exploitKit
Use the values true | false to define real-time threats due to exploit kit.
Example
Show resources with threats due to exploit kit
finding.vulnerability.threatIntel.exploitKit: "true"
finding.vulnerability.threatIntel.exploitKitNamefinding.vulnerability.threatIntel.exploitKitName
Use quotes or backticks within values to help you find the exploit kit name you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings with this name
finding.vulnerability.threatIntel.exploitKitName: Angler
Show any findings that match exact value
finding.vulnerability.threatIntel.exploitKitName: `Angler`
finding.vulnerability.threatIntel.isHighDataLossfinding.vulnerability.threatIntel.isHighDataLoss
Use the values true | false to define real-time threats due to high data loss.
Example
Show resources with threats due to high data loss
finding.vulnerability.threatIntel.isHighDataLoss: "true"
Use the values true | false to define real-time threats due to high lateral movement.
Example
Show resources with threats due to high lateral movement
finding.vulnerability.threatIntel.isHighLateralMovement: "true"
finding.vulnerability.threatIntel.isMalwarefinding.vulnerability.threatIntel.isMalware
Use the values true | false to define real-time threats due to malware.
Example
Show resources with threats due to malware
finding.vulnerability.threatIntel.isMalware: "true"
finding.vulnerability.threatIntel.malwareNamefinding.vulnerability.threatIntel.malwareName
Use quotes or backticks within values to help you find the malware name you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings with this name
finding.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
Show any findings that match exact value
finding.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
finding.vulnerability.threatIntel.hasNoPatchfinding.vulnerability.threatIntel.hasNoPatch
Use the values true | false to define real-time threats due to no patch available.
Example
Show resources with threats due to no patch available
finding.vulnerability.threatIntel.hasNoPatch: "true"
finding.vulnerability.threatIntel.isPublicExploitfinding.vulnerability.threatIntel.isPublicExploit
Use the values true | false to define real-time threats due to public exploit.
Example
Show resources with threats due to public exploit
finding.vulnerability.threatIntel.isPublicExploit: "true"
Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.
Example
Show any findings with this name
finding.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
Show any findings that contain parts of name
finding.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
Show any findings that match exact value
finding.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
finding.vulnerability.threatIntel.isZeroDayfinding.vulnerability.threatIntel.isZeroDay
Use the values true | false to define real-time threats due to zero day exploit.
Example
Show resources with threats due to zero day exploit
finding.vulnerability.threatIntel.isZeroDay: "true"
AWS: Internet Gateway
These tokens are available in queries with cloud.resource.type:Internet Gateway
aws.internetGateway.stateaws.internetGateway.state
Use a text value ##### to find internet gateways having a certain state.
Example
Show findings with this state
aws.internetGateway.state: available
aws.internetGateway.vpcIdaws.internetGateway.vpcId
Use a text value ##### to find resources having a certain VPC ID.
Example
Show findings with this VPC ID
aws.internetGateway.vpcId: vpc-1e37cd76
AWS: Load Balancer
These tokens are available in queries with cloud.resource.type:Load Balancer
aws.elb.availabilityZoneaws.elb.availabilityZone
Select the availability zone you're interested in. Select from names in the drop-down menu.
Example
Find resources in the us-east-1a availability zone
aws.elb.availabilityZone: us-east-1a
aws.elb.createdTimeaws.elb.createdTime
Use a date range or specific date to define when the resource was created.
Example
Show resources oci.resource.createdDate within certain dates
aws.elb.createdTime: [2018-01-01 ... 2018-03-01]
Show resources oci.resource.createdDate from starting 2018-01-01, ending 1 month ago
aws.elb.createdTime: [2018-01-01 ... now-1m]
Show resources oci.resource.createdDate starting 2 weeks ago, ending 1 second ago
aws.elb.createdTime: [now-2w ... now-1s]
Show resources oci.resource.createdDate on specific date
aws.elb.createdTime: 2018-01-08
aws.elb.dnsNameaws.elb.dnsName
Use a text value ##### to find load balancers with a certain DNS name.
Example
Show findings with this DNS cloud.resource.name
aws.elb.dnsName: load-balancer-12345.elb.us-west.amazonaws.com
aws.elb.instanceIdaws.elb.instanceId
Use a text value ##### to find resources with a certain instance ID.
Example
Show resources with this instance ID
aws.elb.instanceId: 10.90.0.119
aws.elb.ipAddressTypeaws.elb.ipAddressType
Use a text value ##### to find load balancers with certain IP address type.
Example
Show findings with this IP address azure.publicIpAddresses.type
aws.elb.ipAddressType: ipv4
aws.elb.listener.instancePortaws.elb.listener.instancePort
Use a text value ##### to find load balancer listeners on a certain instance port.
Example
Show load balancers on this instance port
aws.elb.listener.instancePort: 200
aws.elb.listener.instanceProtocolaws.elb.listener.instanceProtocol
Select the load balancer listener instance protocol (HTTP or HTTPS) you're interested in. Select from names in the drop-down menu.
Example
Show findings with this instance protocol
aws.elb.listener.instanceProtocol: HTTPS
aws.elb.listener.loadBalancerPortaws.elb.listener.loadBalancerPort
Use a text value ##### to find load balancer listeners on a certain load balancer port.
Example
Show findings on this load balancer port
aws.elb.listener.loadBalancerPort: 200
aws.elb.listener.protocolaws.elb.listener.protocol
Select the load balancer listener protocol (HTTP or HTTPS) you're interested in. Select from names in the drop-down menu.
Example
Show findings running on this listener protocol
aws.elb.listener.protocol: HTTP
Use a text value ##### to find load balancer listeners with a certain scheme.
Example
Show findings with this scheme
aws.elb.scheme: internet-facing
aws.elb.securityGroupIdaws.elb.securityGroupId
Use a text value ##### to find resources in a certain security group.
Example
Show findings with this security group ID
aws.elb.securityGroupId: sg-1a2b3c4d
Select the load balancer state you're interested in. Select from names in the drop-down menu.
Example
Show findings with this load balancer state
aws.elb.state: active
Use a text value ##### to find load balancers having a certain type.
Example
Show findings with this load balancer azure.publicIpAddresses.type
aws.elb.type: classic
Use a text value ##### to find resources having a certain VPC ID.
Example
Show findings with this VPC ID
aws.elb.vpcId: vpc-1e37cd76
Use a text value ##### to find load balancers in a certain subnet.
Example
Show findings in this subnet
aws.elb.subnet: subnet-cc96efa8
AWS: Network ACL
These tokens are available in queries with cloud.resource.type:Network ACL
aws.networkAcl.association.subnetIdaws.networkAcl.association.subnetId
Use a text value ##### to define resources having an association with a certain subnet.
Example
Show findings with this ID
aws.networkAcl.association.subnetId: subnet-6f2cec07
aws.networkAcl.cidrBlockaws.networkAcl.cidrBlock
Use a text value ##### to find network ACLs having a certain IPv4 CIDR range.
Example
Show findings with this IPv4 CIDR block
aws.networkAcl.cidrBlock: 172.31.0.0/16
aws.networkAcl.defaultAclaws.networkAcl.defaultAcl
Use the values true | false to find a network ACL that is the default network ACL for the VPC.
Example
Show findings with the default network ACL
aws.networkAcl.defaultAcl: true
Show findings not defined with default network ACL
aws.networkAcl.defaultAcl: false
aws.networkAcl.egressaws.networkAcl.egress
Use the values true | false to find a network ACL that applies (or doesn't apply) to egress traffic.
Example
Show findings where the network ACL does apply to egress traffic
aws.networkAcl.egress: true
Show findings where it does not apply to egress traffic
aws.networkAcl.egress: false
aws.networkAcl.ipv6CidrBlockaws.networkAcl.ipv6CidrBlock
Use a text value ##### to define the IPv6 CIDR range associated with the network ACL.
Example
Show findings with this IPv6 CIDR block
aws.networkAcl.ipv6CidrBlock: 2001:db8::/32
aws.networkAcl.portRange.fromaws.networkAcl.portRange.from
Use an integer value ##### to define the start of the port range specified in the network ACL rule entry.
Example
Show findings with rules with port range starting at 1024
aws.networkAcl.portRange.from: 1024
aws.networkAcl.portRange.toaws.networkAcl.portRange.to
Use an integer value ##### to define the end of the port range specified in the network ACL rule entry.
Example
Show findings with rules with port range ending at 65535
aws.networkAcl.portRange.to: 65535
aws.networkAcl.protocolaws.networkAcl.protocol
Use a text value ##### to define the protocol (tcp, udp, etc) specified in the network ACL rule entry.
Example
Show findings with rules for protocol tcp
aws.networkAcl.protocol: tcp
aws.networkAcl.ruleActionaws.networkAcl.ruleAction
Use a text value ##### to find network ACLs with a certain rule action (allow or deny).
Example
Show findings with rules that allow matching traffic
aws.networkAcl.ruleAction: allow
aws.networkAcl.ruleNumberaws.networkAcl.ruleNumber
Use an integer value ##### to find network ACLs with a certain rule number.
Example
Show findings with rule number 130
aws.networkAcl.ruleNumber: 130
aws.networkAcl.vpcIdaws.networkAcl.vpcId
Use a text value ##### to define the ID of the VPC for the network ACL.
Example
Show findings with this VPC ID
aws.networkAcl.vpcId: vpc-1e37cd76
aws.networkAcl.association.idaws.networkAcl.association.id
Use a text value ##### to find network ACLs with a certain association ID.
Example
Show findings with this association ID
aws.networkAcl.association.id: aclassoc-3999875b
aws.networkAcl.association.networkAclIdaws.networkAcl.association.networkAclId
Use a text value ##### to find network ACLs having an association with a certain network ACL ID.
Example
Show findings with this ID
aws.networkAcl.association.networkAclId: acl-211bf848
AWS: Route Table
These tokens are available in queries with cloud.resource.type:Route Table
aws.routeTable.mainaws.routeTable.main
Use the values true | false to find the main route table for the VPC.
Example
Show findings for the main route table
aws.routeTable.main: true
Show findings that are not the main route table
aws.routeTable.main: false
aws.routeTable.route.destinationCidrBlockaws.routeTable.route.destinationCidrBlock
Use a text value ##### to find route tables having routes with a certain IPv4 CIDR range used for destination match.
Example
Show findings with this IPv4 CIDR range
aws.routeTable.route.destinationCidrBlock: 10.0.0.0/16
aws.routeTable.route.stateaws.routeTable.route.state
Select a route state (active or blackhole) to help you find route tables having routes with this state. Select from names in the drop-down menu.
Example
Show findings with this route state
aws.routeTable.route.state: active
aws.routeTable.subnetIdaws.routeTable.subnetId
Use a text value ##### to define resources having an association with a certain subnet ID.
Example
Show findings with this ID
aws.routeTable.subnetId: subnet-6f2cec07
aws.routeTable.vpcIdaws.routeTable.vpcId
Use a text value ##### to find resources having a certain VPC ID.
Example
Show findings with this VPC ID
aws.routeTable.vpcId: vpc-1e37cd76
aws.routeTable.association.idaws.routeTable.association.id
Use a text value ##### to find route tables with a certain association ID.
Example
Show findings with this ID
aws.routeTable.association.id: rtbassoc-781d0d1a
aws.routeTable.association.routeTableIdaws.routeTable.association.routeTableId
Use a text value ##### to find route tables having a certain route table ID involved in the association between route table and subnet.
Example
Show findings for this ID
aws.routeTable.association.routeTableId: rtb-ffbe1297
aws.routeTable.route.destinationIpv6CidrBlockaws.routeTable.route.destinationIpv6CidrBlock
Use a text value ##### to find route tables having routes with a certain IPv6 CIDR range used for destination match.
Example
Show findings with this IPv6 CIDR range
aws.routeTable.route.destinationIpv6CidrBlock: 2001:db8::/32
aws.routeTable.route.destinationPrefixaws.routeTable.route.destinationPrefix
Use a text value ##### to find route tables having routes with a certain ID (prefix) of the AWS service.
Example
Show findings with this prefix list ID
aws.routeTable.route.destinationPrefix: pl-63a5400a
aws.routeTable.route.egressInternetGatewayIdaws.routeTable.route.egressInternetGatewayId
Use a text value ##### to find route tables having routes with a certain egress-only Internet gateway ID.
Example
Show findings with this ID
aws.routeTable.route.egressInternetGatewayId: pl-eigw-1234567890
aws.routeTable.route.gatewayIdaws.routeTable.route.gatewayId
Use a text value ##### to find route tables having routes with a certain virtual private gateway ID.
Example
Show findings with this virtual private gateway ID
aws.routeTable.route.gatewayId: igw-12345678
aws.routeTable.route.instanceIdaws.routeTable.route.instanceId
Use a text value ##### to find route tables having routes with a certain NAT instance ID.
Example
Show findings with this ID
aws.routeTable.route.instanceId: rtb-f8805e91
aws.routeTable.route.instanceOwnerIdaws.routeTable.route.instanceOwnerId
Use a text value ##### to find route tables having routes with a NAT instance that has a certain owner.
Example
Show findings with this AWS account ID
aws.routeTable.route.instanceOwnerId: aws-acct-id
aws.routeTable.route.natGatewayIdaws.routeTable.route.natGatewayId
Use a text value ##### to find route tables having routes with a certain NAT gateway ID.
Example
Show findings with this ID
aws.routeTable.route.natGatewayId: local
aws.routeTable.route.networkInterfaceIdaws.routeTable.route.networkInterfaceId
Use a text value ##### to find route tables having routes with a certain network interface ID.
Example
Show findings with this ID
aws.routeTable.route.networkInterfaceId: eni-12345
aws.routeTable.route.vpcPeeringIdaws.routeTable.route.vpcPeeringId
Use a text value ##### to find route tables having routes with a certain VPC peering connection.
Example
Show findings with this ID
aws.routeTable.route.vpcPeeringId: pcx-00197469
AWS: S3 Bucket
These tokens are available in queries with cloud.resource.type:S3 Bucket
aws.s3.creationDateaws.s3.creationDate
Use a date range or specific date to define when the S3 bucket was created.
Example
show S3 buckets oci.resource.createdDate within certain dates
aws.s3.creationDate: [2018-01-01 ... 2018-03-01]
Show S3 bucketscreated from starting 2018-01-01, ending 1 month ago
aws.s3.creationDate: [2018-01-01 ... now-1m]
Show S3 bucketscreated starting 2 weeks ago, ending 1 second ago
aws.s3.creationDate: [now-2w ... now-1s]
Show S3 buckets oci.resource.createdDate on specific date
aws.s3.creationDate: 2018-01-08
aws.s3.isPubliclyAccessibleaws.s3.isPubliclyAccessible
Use the values true | false to find s3 buckets that are (or aren't) publicly accessible.
Example
Show s3 buckets that are publicly accessible
aws.s3.isPubliclyAccessible: true
Show s3 buckets that are not publicly accessible
aws.s3.isPubliclyAccessible: false
Use a text value ##### to define S3 bucket owner ID of interest.
Example
Show findings with this owner ID
aws.s3.ownerId: a3a33997d333416174cb4c27fa89364a2f31b12498ffc
aws.s3.ownerNameaws.s3.ownerName
Use values within quotes to help you find the S3 bucket owner name of interest.
Example
Show any findings with this owner name
aws.s3.ownerName: Andrew Smith
Show any findings that contain parts of owner name
aws.s3.ownerName: "Andrew Smith"
aws.s3.hasThreatsaws.s3.hasThreats
Use this token to view S3 buckets that are identified as having threats or those without any threats.
Example
Show all S3 buckets that have known threats.
aws.s3.hasThreats: true
Show all S3 buckets without threats:
aws.s3.hasThreats: false
down text here
AWS: Security Group
These tokens are available in queries with cloud.resource.type:Security Group
aws.vpc.securityGroup.descriptionaws.vpc.securityGroup.description
Use values within quotes to help you find security groups with certain keywords in the security group description.
Example
Show any findings with this description
aws.vpc.securityGroup.description: Allow RDP to Windows Machines
Show any findings that contain parts of description
aws.vpc.securityGroup.description: "Allow RDP to Windows Machines"
aws.vpc.securityGroup.inboundRule.fromPortaws.vpc.securityGroup.inboundRule.fromPort
Use an integer value ##### to find security groups having inbound rules with a certain from port.
Example
Show findings with this from port
aws.vpc.securityGroup.inboundRule.fromPort: 200
aws.vpc.securityGroup.inboundRule.ipProtocolaws.vpc.securityGroup.inboundRule.ipProtocol
Select an IP protocol (tcp, udp, icmp) to find security groups having inbound rules with a certain IP protocol. Select from names in the drop-down menu.
Example
Show findings with the tcp protocol
aws.vpc.securityGroup.inboundRule.ipProtocol: tcp
aws.vpc.securityGroup.inboundRule.ipv4Rangeaws.vpc.securityGroup.inboundRule.ipv4Range
Use a text value ##### to find security groups having inbound rules with a certain IPv4 range.
Example
Show findings with this range
aws.vpc.securityGroup.inboundRule.ipv4Range: 203.0.113.0/24
aws.vpc.securityGroup.inboundRule.ipv6Rangeaws.vpc.securityGroup.inboundRule.ipv6Range
Use a text value ##### to find security groups having inbound rules with a certain IPv6 range.
Example
Show findings with this range
aws.vpc.securityGroup.inboundRule.ipv6Range: 2001:db8::/32
aws.vpc.securityGroup.inboundRule.toPortaws.vpc.securityGroup.inboundRule.toPort
Use an integer value ##### to find security groups having inbound rules with a certain to port.
Example
Show findings with this group ID
aws.vpc.securityGroup.inboundRule.toPort: 200
securitygroup.namesecuritygroup.name
Use a text value ##### to find security groups with a certain group cloud.resource.name in an inbound security group rule.
Example
Show findings with this group cloud.resource.name
securitygroup.name: Windows RDP Allow Group
aws.vpc.securityGroup.outboundRule.fromPortaws.vpc.securityGroup.outboundRule.fromPort
Use an integer value ##### to find security groups having outbound rules with a certain from port.
Example
Show findings with this from port
aws.vpc.securityGroup.outboundRule.fromPort: 200
aws.vpc.securityGroup.outboundRule.ipProtocolaws.vpc.securityGroup.outboundRule.ipProtocol
Select an IP protocol (tcp, udp, icmp) to find security groups having outbound rules with a certain IP protocol. Select from names in the drop-down menu.
Example
Show findings with the tcp protocol
aws.vpc.securityGroup.outboundRule.ipProtocol: tcp
aws.vpc.securityGroup.outboundRule.ipv4Rangeaws.vpc.securityGroup.outboundRule.ipv4Range
Use a text value ##### to find security groups having outbound rules with a certain IPv4 range.
Example
Show findings with this range
aws.vpc.securityGroup.outboundRule.ipv4Range: 203.0.113.0/24
aws.vpc.securityGroup.outboundRule.ipv6Rangeaws.vpc.securityGroup.outboundRule.ipv6Range
Use a text value ##### to find security groups having outbound rules with a certain IPv6 range.
Example
Show findings with this range
aws.vpc.securityGroup.outboundRule.ipv6Range: 2001:db8::/32
aws.vpc.securityGroup.outboundRule.toPortaws.vpc.securityGroup.outboundRule.toPort
Use an integer value ##### to find security groups having outbound rules with a certain to port.
Example
Show findings with this to port
aws.vpc.securityGroup.outboundRule.toPort: 151
aws.vpc.securityGroup.vpcIdaws.vpc.securityGroup.vpcId
Use an integer value ##### to find resources having a certain VPC ID.
Example
Show findings with this VPC ID
aws.vpc.securityGroup.vpcId: vpc-1e37cd76
AWS: Vulnerability Tokens
association.instances.vulnerability.qidassociation.instances.vulnerability.qid
Use an integer value ##### to define the QID in question.
Example
Show findings with QID 90405
association.instances.vulnerability.qid:90405
association.instances.vulnerability.severityassociation.instances.vulnerability.severity
Select a severity (1-5) to find resources having vulnerabilities with this severity. Select from values in the drop-down menu.
Example
Show findings with severity 4
association.instances.vulnerability.severity:4
Select a severity (1-5) to find resources having vulnerabilities with this customizedseverity. Select from values in the drop-down menu.
Example
Show findings with severity 3
association.instances.vulnerability.customerSeverity:3
association.instances.vulnerability.exploitabilityassociation.instances.vulnerability.exploitability
Use quotes or backticks within values to help you find known exploit description you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings related to this description
association.instances.vulnerability.exploitability: GIF Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
association.instances.vulnerability.exploitability: "GIF Parser Heap"
Show any findings that match exact value
association.instances.vulnerability.exploitability: `GIF Parser Heap`
association.instances.vulnerability.patchAvailableassociation.instances.vulnerability.patchAvailable
Use the values true | false to define vulnerabilities with patch available.
Example
Show findings with patch available
association.instances.vulnerability.patchAvailable: "true"
Show findings with no patch available
association.instances.vulnerability.patchAvailable: "false"
association.instances.vulnerability.firstFoundassociation.instances.vulnerability.firstFound
Use a date range or specific date to define when findings were first found.
Example
Show findings first found within certain dates
association.instances.vulnerability.firstFound: [2015-10-21 ... 2015-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
association.instances.vulnerability.firstFound: [2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
association.instances.vulnerability.firstFound: [now-2w ... now-1s]
Show findings first found on certain date
association.instances.vulnerability.firstFound:'2015-11-11'
association.instances.vulnerability.lastFoundassociation.instances.vulnerability.lastFound
Use a date range or specific date to define when findings were last found.
Example
Show findings last found within certain dates
association.instances.vulnerability.lastFound: [2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
association.instances.vulnerability.lastFound: [2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
association.instances.vulnerability.lastFound: [now-2w ... now-1s]
Show findings last found on certain date
association.instances.vulnerability.lastFound:'2016-01-11'
Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound: '2017-01-12' AND association.instances.vulnerability.patchAvailable: "true")
association.instances.vulnerability.titleassociation.instances.vulnerability.title
Use quotes or backticks within values to help you find the title you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings related to this title
association.instances.vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
association.instances.vulnerability.title: "Remote Code"
Show any findings that match exact value
association.instances.vulnerability.title: `Remote Code`
association.instances.vulnerability.descriptionassociation.instances.vulnerability.description
Use quotes or backticks within values to help you find the vulnerability description you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings related to description
association.instances.vulnerability.description: remote code execution
Show any findings that contain "remote" or "code" in description
association.instances.vulnerability.description: "remote code execution"
Show any findings that match exact value
association.instances.vulnerability.description: `remote code execution`
association.instances.vulnerability.cveIdsassociation.instances.vulnerability.cveIds
Use a text value ##### to find the CVE name you're interested in.
Example
Show findings with CVE name CVE-2015-0313
association.instances.vulnerability.cveIds: CVE-2015-0313
association.instances.vulnerability.categoryassociation.instances.vulnerability.category
Select a category (CGI, Database, Debian, OEL, etc) to find vulnerabilities with this category. Select from names in the drop-down menu.
Example
Show findings with the category CGI
association.instances.vulnerability.category: "CGI"
Use an integer value ##### to help you find the CVSS base score you're interested in.
Example
Show resources with this score
association.instances.vulnerability.cvssInfo.baseScore: 7.8
Use an integer value ##### to help you find the CVSS temporal score you're interested in.
Example
Show resources with this score
association.instances.vulnerability.cvssInfo.temporalScore: 6.4
Select the name ##### of a CVSS access vector you'd like to find (e.g. UNDEFINED, LOCAL_ACCESS, ADJACENT_NETWORK, NETWORK). Select from names in the drop-down menu.
Example
Show findings with this name
association.instances.vulnerability.cvssInfo.accessVector: "NETWORK"
instance.securityGroup.nameinstance.securityGroup.name
Use a text value ##### to find the security group name you're looking for.
Example
Find security group related to name
instance.securityGroup.name: abc.qualys.com
Find security group that match exact value
instance.securityGroup.name: `abc.qualys.com`
association.instances.publicIpAddressassociation.instances.publicIpAddress
Use a text value ##### to define a public IPv4 address or range of IPs you're interested in.
Example
Find security groups with this public IP address
association.instances.publicIpAddress: 52.70.141.154
Find security groups within this IP range
association.instances.publicIpAddress: [52.70.141.154 ... 52.70.141.164]
association.instances.vulnerability.portassociation.instances.vulnerability.port
Use an integer value ##### to help you find assets with some open port.
Example
Show vulnerability with port 80
association.instances.vulnerability.port: 80
association.instances.vulnerability.protocolassociation.instances.vulnerability.protocol
Use a text value ##### (UDP or TCP) to define the port protocol you're interested in.
Example
Show findings found on TCP
association.instances.vulnerability.protocol: TCP
Show findings found on port 80 and TCP
vulnerability: (port: 80 AND protocol: TCP)
Threat Protection
(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).
Use the values true | false to define real-time threats due to active attacks.
Example
Show resources with threats due to active attacks
association.instances.vulnerability.threatIntel.activeAttacks: "true"
Use the values true | false to define real-time threats due to denial of service.
Example
Show resources with threats due to denial of service
association.instances.vulnerability.threatIntel.denialOfService: "true"
Use the values true | false to define real-time threats due to easy exploit.
Example
Show resources with threats due to easy exploit
association.instances.vulnerability.threatIntel.easyExploit: "true"
Use the values true | false to define real-time threats due to exploit kit.
Example
Show resources with threats due to exploit kit
association.instances.vulnerability.threatIntel.exploitKit: "true"
Use quotes or backticks within values to help you find the exploit kit name you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings with this name
association.instances.vulnerability.threatIntel.exploitKitName: Angler
Show any findings that match exact value
association.instances.vulnerability.threatIntel.exploitKitName: `Angler`
Use the values true | false to define real-time threats due to high data loss.
Example
Show resources with threats due to high data loss
association.instances.vulnerability.threatIntel.highDataLoss: "true"
Use the values true | false to define real-time threats due to high lateral movement.
Example
Show resources with threats due to high lateral movement
association.instances.vulnerability.threatIntel.highLateralMovement: "true"
Use the values true | false to define real-time threats due to malware.
Example
Show resources with threats due to malware
association.instances.vulnerability.threatIntel.malware: "true"
Use quotes or backticks within values to help you find the malware name you're looking for. Quotes can be used when the value has more than one word.
Example
Show any findings with this name
association.instances.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
Show any findings that match exact value
association.instances.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
Use the values true | false to define real-time threats due to no patch available.
Example
Show resources with threats due to no patch available
association.instances.vulnerability.threatIntel.noPatch: "true"
Use the values true | false to define real-time threats due to public exploit.
Example
Show resources with threats due to public exploit
association.instances.vulnerability.threatIntel.publicExploit: "true"
Use quotes or backticks within values to help you find the public exploit name of interest. Quotes can be used when the value has more than one word.
Example
Show any findings with this name
association.instances.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
Show any findings that contain parts of name
association.instances.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
Show any findings that match exact value
association.instances.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
Use the values true | false to define real-time threats due to zero day exploit.
Example
Show resources with threats due to zero day exploit
association.instances.vulnerability.threatIntel.zeroDay: "true"
AWS: Subnet
These tokens are available in queries with cloud.resource.type:Subnet
aws.subnet.autoAssignIpv6Addressaws.subnet.autoAssignIpv6Address
Use the values true | false to find a subnet with auto-assign IPv6 addresses enabled.
Example
Show subnets with auto-assign IPv6 address
aws.subnet.autoAssignIpv6Address: true
Show subnets without auto-assign IPv6 address
aws.subnet.autoAssignIpv6Address: false
aws.subnet.autoAssignPublicIpaws.subnet.autoAssignPublicIp
Use the values true | false to find subnets where a public IPv4 address is assigned on launch.
Example
Show subnets with public IP address assigned on launch
aws.subnet.autoAssignPublicIp: true
Show subnets without public IP address assigned on launch
aws.subnet.autoAssignPublicIp: false
aws.subnet.availabilityZoneaws.subnet.availabilityZone
Use a text value ##### to find subnets by availability zone.
Example
Show findings in the us-east-1a availability zone
aws.subnet.availabilityZone: us-east-1a
aws.subnet.availableIpCountaws.subnet.availableIpCount
Use a text value ##### to find subnets by available IP count.
Example
Show findings with this available IP count
aws.subnet.availableIpCount: 4091
aws.subnet.cidrBlockaws.subnet.cidrBlock
Use a text value ##### to find resources having a certain IPv4 CIDR block.
Example
Show findings with this IPv4 CIDR block
aws.subnet.cidrBlock: 172.31.0.0/16
aws.subnet.defaultSubnetaws.subnet.defaultSubnet
Use the values true | false to find the default subnet.
Example
Show subnets that are the default
subnet.defaultsubnet: true
Show subnets that are not the default
aws.subnet.defaultSubnet: false
aws.subnet.ipv6CidrBlockaws.subnet.ipv6CidrBlock
Use a text value ##### to find resources having a certain IPv6 CIDR block.
Example
Show findings with this IPv6 CIDR block
aws.subnet.ipv6CidrBlock: 2001:db8::/32
aws.subnet.vpcIdaws.subnet.vpcId
Use a text value ##### to find resources with a certain VPC ID.
Example
Show findings with this VPC ID
aws.subnet.vpcId: vpc-1e37cd76
AWS: VPC
These tokens are available in queries with cloud.resource.type:VPC
aws.vpc.cidrBlockaws.vpc.cidrBlock
Use a text value ##### to help you find resources (VPCs/subnets) having a certain IPv4 CIDR block.
Example
Show findings with this IPv4 CIDR block
aws.vpc.cidrBlock: 172.31.0.0/16
aws.vpc.defaultVpcaws.vpc.defaultVpc
Use the values true | false to find the default VPC.
Example
Show VPCs that are the default
aws.vpc.defaultVpc: true
Show VPCs that are not the default
aws.vpc.defaultVpc: false
aws.vpc.instanceTenancyaws.vpc.instanceTenancy
Use values within quotes to find VPCs with certain instance tenancy.
Example
Show any findings with this tenancy
aws.vpc.instanceTenancy: default
Show findings that contain parts of tenancy
aws.vpc.instanceTenancy: "default"
aws.vpc.ipv6CidrBlockaws.vpc.ipv6CidrBlock
Use a text value ##### to find resources (VPCs/subnets) with a certain IPv6 CIDR block.
Example
Show findings with this IPv6 CIDR block
aws.vpc.ipv6CidrBlock: 2001:db8::/32
AWS: RDS
These tokens are available in queries with cloud.resource.type:RDS
aws.rds.dbInstanceIdentifieraws.rds.dbInstanceIdentifier
Use a text value ##### to help you find resources (RDS) having a certain DB instance name.
Example
Show RDS resources with this DB instance cloud.resource.name
aws.rds.dbInstanceIdentifier: RDSdatabasename
aws.rds.endpoint.portaws.rds.endpoint.port
Use a text value ##### to find RDS resources with specified port as endpoint.
Example
Show RDS resources that use this port as endpoint
aws.rds.endpoint.port: 5432
Use values within quotes to find resources with certain engine name.
Example
Show RDS resources with this engine cloud.resource.name
aws.rds.engine: mysql
aws.rds.instanceClassaws.rds.instanceClass
Use a text value ##### to find resources (RDS) with a certain size.
Example
Show RDS resources with this size
aws.rds.instanceClass: db.t2.micro
aws.rds.publiclyAccessibleaws.rds.publiclyAccessible
Use the values true | false to find if the resource is publicly accessible or not.
Example
Show RDS resources that are the accessible
aws.rds.publiclyAccessible: true
Show RDS resources that are not publicly accessible
aws.rds.publiclyAccessible: false
aws.rds.securityGroup.idaws.rds.securityGroup.id
Use a text value ##### to find RDS resources with specified security group Id.
Example
Show RDS resources with this security group Id.
aws.rds.securityGroup.id: sg-3abe5246
Use a text value ##### to find resources (RDS) with a certain state.
Example
Show RDS resources that are available
aws.rds.status: available
aws.rds.subnetGroup.dbSubnetVpcIdaws.rds.subnetGroup.dbSubnetVpcId
Use a text value ##### to find resources (RDs) with a certain VPC Id .
Example
Show RDS resources with this VPC Id
aws.rds.subnetGroup.dbSubnetVpcId: vpc-1e37cd7e
AWS: EBS Volume
These tokens are available in queries with cloud.resource.type:EBS Volume
aws.ebsVolume.encryptedaws.ebsVolume.encrypted
Use the values true | false to know if the resource is encrypted or not.
Example
Show EBS volume resources that are encrypted.
aws.ebsVolume.encrypted: true
aws.ebsVolume.instanceaws.ebsVolume.instance
Use a text value ##### to find EBS Volume resources with a certain instance ID.
Example
Show resources with this instance ID
aws.ebsVolume.instance: i-045d8dd17d8a2a96f
aws.ebsVolume.stateaws.ebsVolume.state
Use available or in-use state to find EBS volume instances with a certain state.
Example
Show running EBS volume instances
aws.ebsVolume.state: in-use
aws.ebsVolume.volumeIdaws.ebsVolume.volumeId
Use a text value ##### to find resources (EBS volumne) with a certain volumeId.
Example
Show resources with this volumeId
aws.ebsVolume.volumeId: vol-0ac36138436791ca5
AWS: Lambda Function
aws.lambda.tracingConfigaws.lambda.tracingConfig
Use the values Active or Passthrough to decide if we can sample and trace a subset of incoming requests with AWS X-Ray.
Example
Show resources which allow to sample and trace incoming requests with AWS X-Ray. Use Active to achieve this.
aws.lambda.tracingConfig: Active
aws.lambda.timeoutaws.lambda.timeout
Use a numberic value ##### in seconds to find resources (Lambda function) with a certain timeout value. Timeout is the amount of time that Lambda allows a function to run before stopping it. By default, it is 3 seconds. Maximum allowable timeout value is 900 seconds.
Example
Show resources with this volumeId
aws.lambda.timeout: vol-0ac36138436791ca5
aws.lambda.roleaws.lambda.role
Use a text value ##### to find resources (Lambda function) with a certain role name.
Example
Show resources with role cloud.resource.name as sample_role_lambda
aws.lambda.role: sample_role_lambda
aws.lambda.runtimeaws.lambda.runtime
Use a text value ##### to find resources (Lambda function) based on the programming language used to write the lambda function.
Example
Show resources that are written in Python 2.7
aws.lambda.runtime: python2.7
lambda.functionNamelambda.functionName
Use a text value ##### to find resources (Lambda function) with a certain name.
Example
Show resources with exact cloud.resource.name match as sample_lambda_function
lambda.functionName: sample_lambda_function
aws.lambda.memorySizeaws.lambda.memorySize
Use a numeric value ##### to find resources (Lambda function) based on memory size (in MB) assigned to lambda function for execution.
Example
Show resources with 128 MB memory allocated for execution
aws.lambda.memorySize: 128
aws.lambda.trigger.arnaws.lambda.trigger.arn
Use a value ##### to define the Amazon Resource Name (ARN) that would trigger the Lambda function.
Example
Show resources that are triggered on specified ARN
aws.lambda.trigger.arn: aws.efs.arn:aws:iam::383031258652:user/LOCAL_1234
aws.lambda.trigger.typeaws.lambda.trigger.type
Use a text value ##### to define the azure.publicIpAddresses.type of trigger to be initiated when to execute Lambda function.
Example
Show resources that triggered on s3 azure.publicIpAddresses.type
aws.lambda.trigger.type: s3
aws.lambda.layer.nameaws.lambda.layer.name
Use a text value ##### to find resources (Lambda function) with cloud.resource.name of layer assigned to the lambda function.
Example
Show resources with this cloud.resource.name assigned to the layer
aws.lambda.layer.name: Sample_layer_name
aws.lambda.vpcIdaws.lambda.vpcId
Use a text value ##### to find resources (Lambda function) associated with a certain VPCID.
Example
Show resources with this VPCID
aws.lambda.vpcId: vpc-4bd3013
aws.lambda.hasThreatsaws.lambda.hasThreats
Select (True, False) to find lambda resources that have or have not been associated with any detected threats.
Example
Show resources that have been associated with any detected threats
aws.lambda.hasThreats: true
Show resources that have not been associated with any detected threats
aws.lambda.hasThreats: false
Use a text value ##### to define the key of an AWS or Azure tag assigned to the Lambda function (case sensitive).
Example
Show resources with key Department
tag.key: Department
Use a text value ##### to define the value of an AWS or Azure tag assigned to the resource (case sensitive).
Example
Show resources with tag value Finance
tag.value: Finance
AWS: EKS Cluster
ekscluster.nameekscluster.name
Use a text value ##### to find resources (EKS Cluster) with specific name.
Example
Show resources with specific name.
ekscluster.name: testCluster
aws.eksCluster.statusaws.eksCluster.status
Use to search for EKS Clusters with certain status. Select the status (ACTIVE, UPDATING, FAILED, etc.) of EKS Cluster you're interested in.
Example
Show resources with ACTIVE status
aws.eksCluster.status: ACTIVE
aws.eksCluster.versionaws.eksCluster.version
Use Kubernetes versions such as 1.15. 1.16, 1.18 etc to find EKS Clusters with the specified Kubernetes version.
Example
Show resources with specified Kubernetes version
aws.eksCluster.version: 1.18
aws.eksCluster.platformVersionaws.eksCluster.platformVersion
Use a text value ##### to find resources (EKS Cluster) with specified EKS Cluster platform version.
Example
Show resources with specified platform version
aws.eksCluster.platformVersion: eks.3
aws.eksCluster.endpointPublicAccessaws.eksCluster.endpointPublicAccess
Use the values true | false to define whether the EKS Cluster has a API server public endpoint access.
Example
Show resources with public endpoint access of API server
aws.eksCluster.endpointPublicAccess: true
aws.eksCluster.endpointPrivateAccessaws.eksCluster.endpointPrivateAccess
Use the values true | false to define whether the EKS Cluster has a API server private endpoint access.
Example
Show resources with private endpoint access of API server
aws.eksCluster.endpointPrivateAccess: true
aws.eksCluster.endpointaws.eksCluster.endpoint
Use a text value ##### to find resources (EKS Cluster) with certain API server endpoint.
Example
Show resources with specified API server endpoint
aws.eksCluster.endpoint: https://F41FF93B0AF978CF32886442BF14945B.sk1.ap-south-1.eks.amazonaws.com
aws.eksCluster.role.nameaws.eksCluster.role.name
Use a text value ##### to find resources (EKS Cluster) with IAM role name.
Example
Show resources with specified IAM role cloud.resource.name
aws.eksCluster.role.name: eksclusterrole
aws.eksCluster.eksNodeGroup.nameaws.eksCluster.eksNodeGroup.name
Use a text value ##### to find resources (EKS Cluster) with the associated node group name.
Example
Show resources with specified associated node group cloud.resource.name
aws.eksCluster.eksNodeGroup.name: testNodeGroup
aws.eksCluster.fargateProfile.nameaws.eksCluster.fargateProfile.name
Use a text value ##### to find resources (EKS Cluster) with the associated Fargate Profile name.
Example
Show resources with specified associated Fargate Profile cloud.resource.name
aws.eksCluster.fargateProfile.name: testFargate
aws.eksCluster.vpcIdaws.eksCluster.vpcId
Use a text value ##### to find resources (EKS Cluster) with a VPC Id.
Example
Show resources with specified VPC Id
aws.eksCluster.vpcId: vpc-b00ce2db
aws.eksCluster.subnetIdaws.eksCluster.subnetId
Use a text value ##### to find resources (EKS Cluster) with a subnet Id.
Example
Show resources with specified subnet Id
aws.eksCluster.subnetId: subnet-d17cf3aa
AWS: EKS Node Group
eksnodegroup.nameeksnodegroup.name
Use a text value ##### to find resources (EKS Node Group) with specific name.
Example
Show resources with specific name.
eksnodegroup.name: testNodeGroup
aws.eksNodeGroup.statusaws.eksNodeGroup.status
Use to search for EKS Node Group with certain status. Select the status (ACTIVE, UPDATING, FAILED, etc.) of EKS Node Group you're interested in.
Example
Show resources with ACTIVE status
aws.eksNodeGroup.status: ACTIVE
aws.eksNodeGroup.versionaws.eksNodeGroup.version
Use Kubernetes versions such as 1.15. 1.16, 1.18 etc to find EKS Node Group with the specified Kubernetes version.
Example
Show resources with specified Kubernetes version
aws.eksNodeGroup.version: 1.18
aws.eksNodeGroup.desiredSizeaws.eksNodeGroup.desiredSize
Use a number to find resources (EKS Node Group) with desired node size.
Example
Show resources with specified node size
aws.eksNodeGroup.desiredSize: 1
aws.eksNodeGroup.amiTypeaws.eksNodeGroup.amiType
Use a text value ##### to find resources (EKS Node Group) with the ami azure.publicIpAddresses.type of the EKS worker nodes.
Example
Show resources with specified ami azure.publicIpAddresses.type of EKS worker nodes
aws.eksNodeGroup.amiType: AL2_x86_64
aws.eksNodeGroup.instanceTypeaws.eksNodeGroup.instanceType
UUse a text value ##### to find resources (EKS Node Group) with certain instance type.
Example
Show resources with specified instance azure.publicIpAddresses.type
aws.eksNodeGroup.instanceType: t3.micro
aws.eksNodeGroup.diskSizeaws.eksNodeGroup.diskSize
Use a disk Size value to find resources (EKS Node Group) with certain disk Size.
Example
Show resources with specified disk size value
aws.eksNodeGroup.diskSize: 20
aws.eksNodeGroup.minSizeaws.eksNodeGroup.minSize
Use a number to find resources (EKS Node Group) with minimum node group size.
Example
Show resources with specified minimum node group size
aws.eksNodeGroup.minSize: 1
aws.eksNodeGroup.maxSizeaws.eksNodeGroup.maxSize
Use a number to find resources (EKS Node Group) with maximum node group size.
Example
Show resources with specified maximum node group size
aws.eksNodeGroup.maxSize: 1
aws.eksNodeGroup.labels.keyaws.eksNodeGroup.labels.key
Use a text value ##### to find resources (EKS Node Group) with the Kubernetes label key.
Example
Show resources with specified Kubernetes label key
aws.eksNodeGroup.labels.key: testLabelKey
aws.eksNodeGroup.labels.valueaws.eksNodeGroup.labels.value
Use a text value ##### to find resources (EKS Node Group) with the Kubernetes label value.
Example
Show resources with specified Kubernetes label value
aws.eksNodeGroup.labels.value: testLabelValue
aws.eksNodeGroup.role.nameaws.eksNodeGroup.role.name
Use a text value ##### to find resources (EKS Node Group) with IAM role name.
Example
Show resources with specified IAM role cloud.resource.name
aws.eksNodeGroup.role.name: nodeGroupRole
aws.eksNodeGroup.subnetIdaws.eksNodeGroup.subnetId
Use a text value ##### to find resources (EKS Node Group) with a subnet Id.
Example
Show resources with specified subnet Id
aws.eksNodeGroup.subnetId: subnet-d17cf3aa
eksnodegroup.autoScalingGroup.Nameeksnodegroup.autoScalingGroup.Name
Use a text value ##### to find resources (EKS Node Group) with the associated auto scaling group.
Example
Show resources with specified auto scaling group cloud.resource.name
eksnodegroup.autoScalingGroup.Name: eks-ecbbcabe-6a2c-9e3b-41a9-0670c6d325a1
aws.eksNodeGroup.eksCluster.nameaws.eksNodeGroup.eksCluster.name
Use a text value ##### to find resources (EKS Node Group) with associated EKS cluster name.
Example
Show resources with specified EKS cluster cloud.resource.name
aws.eksNodeGroup.eksCluster.name: testCluster
aws.eksNodeGroup.securityGroupaws.eksNodeGroup.securityGroup
Use a text value ##### to find resources (EKS Node Group) with associated security group.
Example
Show resources with specified security group
aws.eksNodeGroup.securityGroup: nodeGroupRole
AWS: EKS Fargate Profile
eksfargateprofile.nameeksfargateprofile.name
Use a text value ##### to find resources (EKS Fargate Profile) with specific name.
Example
Show resources with specific name.
eksfargateprofile.name: testNodeGroup
aws.eksFargateProfile.statusaws.eksFargateProfile.status
Use to search for EKS Fargate Profile resources with certain status. Select the status (ACTIVE, UPDATING, FAILED, etc.) of EKS Node Group you're interested in.
Example
Show resources with ACTIVE status
eksfargateprofile.statuss: ACTIVE
aws.eksFargateProfile.selectors.namespace.nameaws.eksFargateProfile.selectors.namespace.name
Use a text value ##### to find resources (Fargate Profile) with the associated selector namespace.
Example
Show resources with specified associated selector namespace
aws.eksFargateProfile.selectors.namespace.name: testSelectorNameSpace
Use a text value ##### to find resources (Fargate Profile) with the associated selector namespace's key.
Example
Show resources with specified key of the associated selector namespace
aws.eksFargateProfile.selectors.namespace.labels.key: testLabelKey
Use a text value ##### to find resources (Fargate Profile) with the associated selector namespace's value.
Example
Show resources with specified value of the associated selector namespace
aws.eksFargateProfile.selectors.namespace.labels.value: testLabelValue
aws.eksFargateProfile.role.nameaws.eksFargateProfile.role.name
Use a text value ##### to find resources (Fargate Profile) with IAM role name.
Example
Show resources with specified IAM role cloud.resource.name
aws.eksFargateProfile.role.name: fargateRole
aws.eksFargateProfile.subnetIdaws.eksFargateProfile.subnetId
Use a text value ##### to find resources (Fargate Profile) with a subnet Id.
Example
Show resources with specified subnet Id
aws.eksFargateProfile.subnetId: subnet-d17cf3aa
aws.eksFargateProfile.eksCluster.nameaws.eksFargateProfile.eksCluster.name
Use a text value ##### to find resources (Fargate Profile) with associated EKS cluster name.
Example
Show resources with specified EKS cluster cloud.resource.name
aws.eksFargateProfile.eksCluster.name: testCluster
AWS: Elastic Container Service (ECS)
aws.ecs.cluster.arnaws.ecs.cluster.arn
Provide a string value to find ECS clusters with the specified ARN.
Example
Find an ECS cluster with ARN "aws.efs.arn:aws:ecs:us-west-2:123456789012:cluster/my-cluster"
aws.ecs.cluster.arn: "aws.efs.arn:aws:ecs:us-west-2:123456789012:cluster/my-cluster"
aws.ecs.cluster.nameaws.ecs.cluster.name
Provide a string value to find ECS clusters with the specified name.
Example
Find an ECS cluster named "my-cluster"
aws.ecs.cluster.name: my-cluster
aws.ecs.cluster.statusaws.ecs.cluster.status
Select from available options (e.g., ACTIVE, PROVISIONING, DEPROVISIONING, FAILED, INACTIVE) to find ECS clusters with the specified status.
Example
Show active ECS clusters.
aws.ecs.cluster.status: ACTIVE
aws.ecs.cluster.namespaceaws.ecs.cluster.namespace
Provide a partial string value to find ECS clusters with matching namespace.
Example
Find ECS clusters with namespace containing "prod"
aws.ecs.cluster.namespace: prod
AWS: Elastic Network Interface (ENI)
Provide a string value to find ENIs with the specified ID.
Example
Find an ENI with ID "eni-1234567890abcdef0"
id: eni-1234567890abcdef0
aws.networkInterfaces.statusaws.networkInterfaces.status
Select from available options (e.g., available, attaching, in-use, detaching) to find ENIs with the specified status.
Example
Show in-use ENIs.
aws.networkInterfaces.status: in-use
aws.networkInterfaces.interfaceTypeaws.networkInterfaces.interfaceType
Select from available options (e.g., interface, nat_gateway) to find ENIs of the specified type.
Example
Show standard interface ENIs.
aws.networkInterfaces.interfaceType: interface
aws.networkInterfaces.availabilityZoneaws.networkInterfaces.availabilityZone
Provide a partial string value to find ENIs in matching availability zones.
Example
Find ENIs in availability zones containing "us-west"
aws.networkInterfaces.availabilityZone: us-west
aws.networkInterfaces.sourceDestCheckaws.networkInterfaces.sourceDestCheck
Select (True, False) to find ENIs based on their source/destination check setting.
Example
how ENIs with source/destination check enabled.
aws.networkInterfaces.sourceDestCheck: true
aws.networkInterfaces.requesterManagedaws.networkInterfaces.requesterManaged
Select (True, False) to find ENIs based on whether they are requester-managed.
Example
Show requester-managed ENIs.
aws.networkInterfaces.requesterManaged: true
aws.networkInterfaces.operator.managedaws.networkInterfaces.operator.managed
Select (True, False) to find ENIs based on whether they are operator-managed.
Example
Show operator-managed ENIs.
aws.networkInterfaces.operator.managed: true
aws.networkInterfaces.association.natEnabledaws.networkInterfaces.association.natEnabled
Select (True, False) to find ENIs based on whether NAT is enabled for their association.
Example
Show ENIs with NAT enabled.
aws.networkInterfaces.association.natEnabled: true
AWS: Elastic File System (EFS)
Provide a string value to find EFS file systems with the specified name.
Example
Find an EFS named "my-efs"
aws.efs.name: my-efs
Provide a string value to find EFS file systems with the specified ARN.
Example
Find an EFS with specified ARN.
aws.efs.arn: arn:aws:elasticfilesystem:us-west-2:123456789012:file-system/fs-12345678
Select from available options (e.g., available, creating, deleting, deleted) to find EFS file systems in the specified state.
Example
Show available EFS file systems.
aws.efs.state: available
Provide a string value to find EFS file systems in the specified AWS region.
Example
Find EFS file systems in the us-west-2 region
aws.efs.region: us-west-2
AWS: Custom Domain Names
aws.customDomainNames.statusaws.customDomainNames.status
Select from available options (e.g., AVAILABLE, PENDING, DELETING) to find custom domain names with the specified status.
Example
Show available custom domain names.
aws.customDomainNames.status: AVAILABLE
aws.customDomainNames.tlsVersionaws.customDomainNames.tlsVersion
Select from available options (e.g., TLS_1_0, TLS_1_2) to find custom domain names with the specified security policy.
Example
Show custom domains using TLS 1.2.
aws.customDomainNames.tlsVersion: TLS_1_2
aws.customDomainNames.apiEndpointTypeaws.customDomainNames.apiEndpointType
Select from available options (e.g., REGIONAL, EDGE) to find custom domain names with the specified endpoint type.
Example
Show regional custom domain names.
aws.customDomainNames.apiEndpointType: REGIONAL
AWS: Step Function (State Machine)
aws.stateMachine.nameaws.stateMachine.name
Provide a string value to find state machines with the specified name.
Example
Find a state machine named "my-workflow"
aws.stateMachine.name: my-workflow
aws.stateMachine.stateMachineArnaws.stateMachine.stateMachineArn
Provide a string value to find state machines with the specified ARN.
Example
Find a state machine with ARN "aws.efs.arn:aws:states:us-west-2:123456789012:stateMachine:my-workflow"
aws.stateMachine.stateMachineArn: "aws.efs.arn:aws:states:us-west-2:123456789012:stateMachine:my-workflow"
aws.stateMachine.typeaws.stateMachine.type
Select from available options (e.g., STANDARD, EXPRESS) to find state machines of the specified type.
Example
Show standard state machines.
aws.stateMachine.type: STANDARD
aws.stateMachine.statusaws.stateMachine.status
Select from available options (e.g., ACTIVE, DELETE) to find state machines with the specified status.
Example
Show active state machines.
aws.stateMachine.status: ACTIVE
aws.stateMachine.tracingEnabledaws.stateMachine.tracingEnabled
Select (True, False) to find state machines based on whether tracing is enabled.
Example
Show state machines with tracing enabled.
aws.stateMachine.tracingEnabled: true
aws.stateMachine.loggingLevelaws.stateMachine.loggingLevel
Select from available options (e.g., OFF, ERROR, ALL) to find state machines with the specified logging level.
Example
Show state machines with all logging enabled.
aws.stateMachine.loggingLevel: ALL
AWS: Simple Notification Service (SNS)
aws.sns.topic.isFifoaws.sns.topic.isFifo
Select (True, False) to find SNS topics based on whether they are FIFO topics.
Example
Show FIFO SNS topics.
aws.sns.topic.isFifo: true
AWS: Simple Queue Service (SQS)
aws.sqs.queue.isFifoaws.sqs.queue.isFifo
Select (True, False) to find SQS queues based on whether they are FIFO queues.
Example
Show FIFO SQS queues.
aws.sqs.queue.isFifo: true
AWS: API Gateway
aws.apiGateway.deploymentIdaws.apiGateway.deploymentId
Provide a string value to find API Gateway resources with the specified deployment ID.
Example
Find an API Gateway with deployment ID "a1b2c3d4e5"
aws.apiGateway.deploymentId: a1b2c3d4e5
aws.apiGateway.ipv6aws.apiGateway.ipv6
Select (True, False) to find API Gateway resources based on whether IPv6 is enabled.
Example
Show API Gateways with IPv6 enabled.
aws.apiGateway.ipv6: true
AWS: Bedrock Foundation Model
aws.foundationModel.arnaws.foundationModel.arn
Search for AWS foundation model resources based on their Amazon Resource Name (ARN).
Example
Show foundation model with a specific ARN
aws.foundationModel.arn: arn:aws:bedrock:us-east-1:123456789012:foundation-model/anthropic.claude-v2
aws.foundationModel.supportedCustomizationsaws.foundationModel.supportedCustomizations
Search for AWS foundation models based on the types of customizations they support, such as fine-tuning or inference-only.
Example
Show foundation models that support fine-tuning
aws.foundationModel.supportedCustomizations: FINE_TUNING
aws.foundationModel.supportedInferenceTypesaws.foundationModel.supportedInferenceTypes
Search for AWS foundation models based on the inference types they support, such as On-Demand or Provisioned.
Example
Show foundation models that support provisioned inference.
aws.foundationModel.supportedInferenceTypes: PROVISIONED
aws.foundationModel.inputModalitiesaws.foundationModel.inputModalities
Search for AWS foundation models based on the types of input modalities they support, such as TEXT, IMAGE, or SPEECH.
Example
Show foundation models that accept image as input.
aws.foundationModel.inputModalities: IMAGE
aws.foundationModel.outputModalitiesaws.foundationModel.outputModalities
Search for AWS foundation models based on the types of outputs they can generate, such as Text, Image, or Embeddings.
Example
Show foundation models that generate text output
aws.foundationModel.outputModalities: TEXT
AWS: Bedrock Custom Model
aws.customModel.arnaws.customModel.arn
Search for AWS custom models based on their Amazon Resource Name (ARN).
Example
Show a custom model with a specific ARN
aws.customModel.arn: arn:aws:bedrock:us-east-1:123456789012:custom-model/my-model-id
aws.customModel.supportedCustomizationsaws.customModel.supportedCustomizations
Search for AWS custom models based on the types of customizations they support, such as Fine-tuning or Evaluation.
Example
Show custom models that support fine-tuning.
aws.customModel.supportedCustomizations: FINE_TUNING
AWS: Bedrock Knowledge Bases
aws.knowledgeBases.arnaws.knowledgeBases.arn
Search for AWS Knowledge Bases using their Amazon Resource Name (ARN).
Example
Show a custom model with a specific ARN
aws.knowledgeBases.arn: arn:aws:bedrock:us-east-1:123456789012:knowledge-base/kb-1234abcd
aws.knowledgeBases.configurationTypeaws.knowledgeBases.configurationType
Search for AWS custom models based on their Amazon Resource Name (ARN).
Example
Show vector-based knowledge bases
aws.knowledgeBases.configurationType: VECTOR
AWS: sagemaker Model
aws.sagemakerModel.arnaws.sagemakerModel.arn
Search for AWS SageMaker models based on their Amazon Resource Name (ARN).
Example
Show a SageMaker model with a specific ARN
aws.sagemakerModel.arn: arn:aws:bedrock:us-east-1:123456789012:knowledge-base/kb-1234abcd