Search for Investigate

Use the search tokens below to search and filter Cloud Detection and Response (CDR) findings and events.

Detections

tc.findings.cloudAccount

Provide a string value to find findings associated with a specific cloud account ID.

Examples

Find findings for AWS account 123456789012

tc.findings.cloudAccount: 123456789012

tc.findings.affectedResource

Provide a string value to find findings related to a specific affected resource ID.

Examples

Find findings affecting an S3 bucket

tc.findings.affectedResource: my-bucket-name

tc.findings.remoteResource

Provide a string value to find findings involving a specific remote resource.

Examples

Find findings involving a specific IP address

tc.findings.remoteResource: 192.168.1.100

tc.findings.alertClass

Select the type of alert (API Activity, Detection Activity, Network Activity).

Examples

Find all API Activity alerts

tc.findings.alertClass: API Activity

tc.findings.category

Provide a string value to filter findings by their security category.

Examples

Find findings in the Data Protection category

tc.findings.category: Data Protection

tc.findings.severity

Select a severity level (2, 3, 4, or 5) to find findings with the specified severity.

Examples

Find high-severity findings

tc.findings.severity: 4

tc.findings.cloudProvider

Select the cloud provider (AWS, AZURE, or GCP) to find findings specific to that provider.

Examples

Find findings from AWS resources

tc.findings.cloudProvider: AWS

tc.findings.region

Provide a string value to find findings from a specific cloud region.

Examples

Find findings from US East 1 region

tc.findings.region: us-east-1

tc.findings.resourceType

Provide a string value to find findings related to a specific type of cloud resource.

Examples

Find findings related to virtual machines

tc.findings.resourceType: vm

tc.findings.hash

Provide a string value to find findings by their unique hash identifier.

Examples

Find a specific finding using its hash

tc.findings.hash: a1b2c3d4e5f6

tc.findings.remote.city

Provide a string value to find findings associated with a specific city.

Examples

Find findings from remote sources in London

tc.findings.remote.city: London

tc.findings.remote.country

Provide a string value to find findings associated with a specific country.

Examples

Find findings from remote sources in Canada

tc.findings.remote.country: Canada

tc.findings.nodeName

Provide a string value to view findings based on node name.

Examples

View findings for the node name ip-10-**-10-2**

tc.findings.nodeName: ip-10-**-10-2**

tc.findings.clusterName

Provide a string value to view CS event alerts based on cluster name.

Examples

View findings for the cluster name ip-10-**-9-**02

tc.findings.clusterName: ip-10-**-9-**02

tc.findings.namespace

Provide a string value to view CS event alerts based on namespace.

Examples

View findings for the namespace 'defaultname'

tc.findings.namespace: defaultname

tc.findings.pod

Provide a string value to view CS event alerts based on CS workloads (pods).

Examples

View findings for the pod name 'xen'

tc.findings.pod: xen

tc.findings.containerName

Provide a string value to view CS event alerts based on container names.

Examples

View findings for the container name 'ubuntu-container'

tc.findings.containerName: ubuntu-container

tc.findings.procesName

Provide a string value to view CS event alerts based on CS process names.

Examples

View findings for the CS process name '/usr/bin/cat'

tc.findings.procesName: /usr/bin/cat

tc.findings.mitre.attack.technique.name

Provide a string value to view CS event alerts based on MITRE technique name.

Examples

View findings for the MITRE technique 'Indicator Removal'

tc.findings.mitre.attack.technique.name: Indicator Removal

tc.findings.mitre.attack.technique.id

Provide a string value to view CS event alerts based on MITRE technique ID.

Examples

View findings for the MITRE technique ID 'TXXXX.XX5'

tc.findings.mitre.attack.technique.id: TXXXX.XX5

tc.findings.mitre.attack.tactic.id

Provide a string value to view CS event alerts based on MITRE tactic ID.

Examples

View findings for the MITRE tactic ID 'TXXXX5'

tc.findings.mitre.attack.tactic.id: TXXXX5

tc.findings.mitre.attack.tactic.name

Provide a string value to view CS event alerts based on MITRE tactic name.

Examples

View findings for the MITRE tactic name 'Unsecured Credentials'

tc.findings.mitre.attack.tactic.name: Unsecured Credentials

tc.findings.mitre.attack.rule.name

Provide a string value to view CS event alerts based on MITRE rule name.

Examples

View findings for the MITRE attack rule 'Cloud Credentials Accessed'

tc.findings.mitre.attack.rule.name: Cloud Credentials Accessed

tc.findings.exception.name

Provide a string value to view findings for a corresponding exception rule.

Examples

View findings for the Exception Rule 'AWS Exception 1'

tc.findings.exception.name: AWS Exception 1

tc.findings.exception.id

Provide a string value to view findings for a corresponding exception ID.

Examples

View findings for the exception ID '7096'

tc.findings.exception.id: 7096

Events

event.destination.ip

Provide a string value to view connection events for a specific destination IP address or a range of destination IP addresses.

Examples

View findings for the destination IP address '10.10.0.0'

event.destination.ip: 10.10.0.0

View findings for destination IP addresses greater than '10.0.0.0'

event.destination.ip > "10.0.0.0"

event.source.ip

Provide a string value to view connection events for a specific source IP address or a range of source IP addresses.

Examples

View findings for the source IP address '10.10.0.0'

event.source.ip: 10.10.0.0

View findings for source IP addresses greater than '10.0.0.0'

event.source.ip > "10.0.0.0"

event.destination.location.city

Provide a string value to view connection events based on the city associated with the destination IP.

Examples

View findings for IP destination city 'Boardman'

event.destination.location.city: "Boardman"

event.source.location.city

Provide a string value to view connection events based on the city associated with the source IP.

Examples

View findings for IP source city 'Redmond'

event.source.location.city: "Redmond"

event.destination.location.continent

Provide a string value to view connection events based on the continent associated with the destination IP.

Examples

View findings for IP destination continent 'North America'

event.destination.location.continent: "North America"

event.source.location.continent

Provide a string value to view connection events based on the continent associated with the source IP.

Examples

View findings for IP source continent 'North America'

event.source.location.continent: "North America"

event.destination.location.country

Provide a string value to view connection events based on the country associated with the destination IP.

Examples

View findings for IP destination country 'United States'

event.destination.location.country: "United States"

event.source.location.country

Provide a string value to view connection events based on the country associated with the source IP.

Examples

View findings for IP source country 'United States'

event.source.location.country: "United States"

event.destination.location.region

Provide a string value to view connection events based on the region associated with the destination IP.

Examples

View findings for IP destination region 'Oregon'

event.destination.location.region: "Oregon"

event.source.location.region

Provide a string value to view connection events based on the region associated with the source IP.

Examples

View findings for IP source region 'Oregon'

event.source.location.region: "Oregon"

event.appliance.name

Provide a string value to view the connection events for a specific appliance.

Examples

View findings for appliance 'aws-appliance-1'

event.appliance.name: "aws-appliance-1"

event.service

Provide a string value to view connection events for a network service.

Examples

View findings for network service 'dns'

event.service: "dns"

event.cloudType

Provide a string value to view connection events for a specific cloud provider.

Examples

View findings for cloud provider 'AWS'

event.cloudType: "AWS"

event.protocol

Provide a string value to view connection events based on the network protocol.

Examples

View findings for network protocol 'TCP'

event.protocol: "TCP"

event.port

Provide a string value to view connection events based on the network port.

Examples

View findings for network port '53/udp'

event.port: "53/udp"

event.traffic.out

Provide an integer value to view connection events by a specific range of uploaded data size.

Examples

View events with upload size > 1000 bytes.

event.traffic.out: > 1000

event.traffic.in

Provide an integer value to view connection events by a specific range of downloaded data size.

Examples

View events with download size > 1000 bytes.

event.traffic.in: > 1000

event.traffic.total

Provide an integer value to view connection events by total data transferred (upload + download).

Examples

View events with total data transferred > 2000 bytes.

event.traffic.total: > 2000