Search for Investigate
Use the search tokens below to search and filter Cloud Detection and Response (CDR) findings.
Detections
tc.findings.cloudAccount
Provide a string value to find findings associated with a specific cloud account ID.
Examples
Find findings for AWS account 123456789012
tc.findings.cloudAccount: 123456789012
tc.findings.affectedResource
Provide a string value to find findings related to a specific affected resource ID.
Examples
Find findings affecting an S3 bucket
tc.findings.affectedResource: my-bucket-name
tc.findings.remoteResource
Provide a string value to find findings involving a specific remote resource.
Examples
Find findings involving a specific IP address
tc.findings.remoteResource: 192.168.1.100
tc.findings.alertClass
Select the type of alert (API Activity, Detection Activity, Network Activity).
Examples
Find all API Activity alerts
tc.findings.alertClass: API Activity
tc.findings.category
Provide a string value to filter findings by their security category.
Examples
Find findings in the Data Protection category
tc.findings.category: Data Protection
tc.findings.severity
Select a severity level (2, 3, 4, or 5) to find findings with the specified severity.
Examples
Find high-severity findings
tc.findings.severity: 4
tc.findings.cloudProvider
Select the cloud provider (AWS, AZURE, or GCP) to find findings specific to that provider.
Examples
Find findings from AWS resources
tc.findings.cloudProvider: AWS
tc.findings.region
Provide a string value to find findings from a specific cloud region.
Examples
Find findings from US East 1 region
tc.findings.region: us-east-1
tc.findings.resourceType
Provide a string value to find findings related to a specific type of cloud resource.
Examples
Find findings related to virtual machines
tc.findings.resourceType: vm
tc.findings.hash
Provide a string value to find findings by their unique hash identifier.
Examples
Find a specific finding using its hash
tc.findings.hash: a1b2c3d4e5f6
tc.findings.remote.city
Provide a string value to find findings associated with a specific city.
Examples
Find findings from remote sources in London
tc.findings.remote.city: London
tc.findings.remote.country
Provide a string value to find findings associated with a specific country.
Examples
Find findings from remote sources in Canada
tc.findings.remote.country: Canada
tc.findings.nodeName
Provide a string value to view findings based on node name.
Examples
View findings for the node name ip-10-**-10-2**
tc.findings.nodeName: ip-10-**-10-2**
tc.findings.clusterName
Provide a string value to view CS event alerts based on cluster name.
Examples
View findings for the cluster name ip-10-**-9-**02
tc.findings.clusterName: ip-10-**-9-**02
tc.findings.namespace
Provide a string value to view CS event alerts based on namespace.
Examples
View findings for the namespace 'defaultname'
tc.findings.namespace: defaultname
tc.findings.pod
Provide a string value to view CS event alerts based on CS workloads (pods).
Examples
View findings for the pod name 'xen'
tc.findings.pod: xen
tc.findings.containerName
Provide a string value to view CS event alerts based on container names.
Examples
View findings for the container name 'ubuntu-container'
tc.findings.containerName: ubuntu-container
tc.findings.procesName
Provide a string value to view CS event alerts based on CS process names.
Examples
View findings for the CS process name '/usr/bin/cat'
tc.findings.procesName: /usr/bin/cat
tc.findings.mitre.attack.technique.name
Provide a string value to view CS event alerts based on MITRE technique name.
Examples
View findings for the MITRE technique 'Indicator Removal'
tc.findings.mitre.attack.technique.name: Indicator Removal
tc.findings.mitre.attack.technique.id
Provide a string value to view CS event alerts based on MITRE technique ID.
Examples
View findings for the MITRE technique Id 'TXXXX.XX5'
tc.findings.mitre.attack.technique.id: TXXXX.XX5
tc.findings.mitre.attack.tactic.id
Provide a string value to view CS event alerts based on MITRE tactic ID.
Examples
View findings for the MITRE tactic Id 'TXXXX5'
tc.findings.mitre.attack.tactic.id: TXXXX5
tc.findings.mitre.attack.tactic.name
Provide a string value to view CS event alerts based on MITRE tactic name.
Examples
View findings for the MITRE tactic name 'Unsecured Credentials'
tc.findings.mitre.attack.tactic.name: Unsecured Credentials
tc.findings.mitre.attack.rule.name
Provide a string value to view CS event alerts based on MITRE rule name.
Examples
View findings for the MITRE attack rule 'Cloud Credentials Accessed'
tc.findings.mitre.attack.rule.name: Cloud Credentials Accessed
tc.findings.exception.name
Provide a string value to view findings for a corresponding exception rule.
Examples
View findings for the Exception Rule 'AWS Exception 1'
tc.findings.exception.name: AWS Exception 1
tc.findings.exception.id
Provide a string value to view findings for a corresponding exception ID.
Examples
View findings for the Exception Rule '7096'
tc.findings.exception.id: 7096
Events
event.destination.ip
Provide a string value to view connection events for a specific destination IP address or a range of destination IP addresses.
Examples
View findings for the destination IP address '10.10.0.0'
event.destination.ip: 10.10.0.0
View findings for the destination IP addresses ranging from '10.0.0.0'
event.destination.ip > "10.0.0.0"
event.source.ip
Provide a string value to view connection events for a specific source IP address or a range of source IP addresses.
Examples
View findings for the source IP address '10.10.0.0'
event.source.ip: 10.10.0.0
View findings for the source IP addresses ranging from '10.0.0.0'
event.source.ip > "10.0.0.0"
event.destination.location.city
Provide a string value to view connection events based on the city associated with the destination IP.
Examples
View findings for IP destination city 'Boardman'
event.destination.location.city: "Boardman"
event.source.location.city
Provide a string value to view connection events based on the city associated with the source IP.
Examples
View findings for IP source city 'Redmond'
event.source.location.city: "Redmond"
event.destination.location.continent
Provide a string value to view connection events based on the continent associated with the destination IP.
Examples
View findings for IP destination continent 'North America'
event.destination.location.continent: "North America"
event.source.location.continent
Provide a string value to view connection events based on the continent associated with the source IP.
Examples
View findings for IP source continent 'North America'
event.source.location.continent: "North America"
event.destination.location.country
Provide a string value to view connection events based on the country associated with the destination IP.
Examples
View findings for IP destination country 'United States'
event.destination.location.country: "United States"
event.source.location.country
Provide a string value to view connection events based on the country associated with the source IP.
Examples
View findings for IP source country 'United States'
event.source.location.country: "United States"
event.destination.location.region
Provide a string value to view connection events based on the region associated with the destination IP.
Examples
View findings for IP destination region 'Oregon'
event.destination.location.region: "Oregon"
event.source.location.region
Provide a string value to view connection events based on the region associated with the source IP.
Examples
View findings for IP source region 'Oregon'
event.source.location.region: "Oregon"
event.appliance.name
Provide a string value to view the connection events for a specific appliance.
Examples
View findings for appliance 'aws-appliance-1'
event.appliance.name: "aws-appliance-1"
event.service
Provide a string value to view connection events for a network service.
Examples
View findings for network service 'dns'
event.service: "dns"
event.cloudType
Provide a string value to view connection events for a specific cloud provider.
Examples
View findings for cloud provider 'AWS'
event.cloudType: "AWS"
event.protocol
Provide a string value to view connection events based on the network protocol.
Examples
View findings for network protocol 'TCP'
event.protocol: "TCP"
event.port
Provide a string value to view connection events based on the network port.
Examples
View findings for network port '53/udp'
event.port: "53/udp"
event.traffic.out
Provide an integer value to view connection events by a specific range of uploaded data size.
Examples
View events with upload size > 1000 bytes.
event.traffic.out: > 1000
event.traffic.in
Provide an integer value to view connection events by a specific range of downloaded data size.
Examples
View events with download size > 1000 bytes.
event.traffic.in: > 1000
event.traffic.total
Provide an integer value to view connection events by total data transferred (upload + download).
Examples
View events with total data transferred > 2000 bytes.
event.traffic.total: > 2000