Search for Investigate
Use the search tokens below to search and filter Cloud Detection and Response (CDR) findings. Values that contain spaces (for example "North America") should be enclosed in double quotes.
Detections
cloud.accountId
Provide a string value to find findings associated with a specific cloud account ID.
Examples
Find findings for AWS account 123456789012
cloud.accountId: 123456789012
finding.affectedResource
Provide a string value to find findings related to a specific affected resource ID.
Examples
Find findings affecting an S3 bucket
finding.affectedResource: my-bucket-name
finding.alertClass
Select the type of alert (API Activity, Detection Activity, Network Activity).
Examples
Find all API Activity alerts
finding.alertClass: API Activity
finding.category
Provide a string value to filter findings by their security category.
Examples
Find findings in the Data Protection category
finding.category: Data Protection
finding.severity
Select a severity level (2, 3, 4, or 5) to find findings with the specified severity.
Examples
Find high-severity findings
finding.severity: 4
cloud.provider
Select the cloud provider (AWS, AZURE, or GCP) to find findings specific to that provider.
Examples
Find findings from AWS resources
cloud.provider: AWS
cloud.region
Provide a string value to find findings from a specific cloud region.
Examples
Find findings from US East 1 region
cloud.region: us-east-1
finding.resource.type
Provide a string value to find findings related to a specific type of cloud resource.
Examples
Find findings related to virtual machines
finding.resource.type: vm
finding.hash
Provide a string value to find findings by their unique hash identifier.
Examples
Find a specific finding using its hash
finding.hash: a1b2c3d4e5f6
finding.remote.city
Provide a string value to find findings associated with a specific city.
Examples
Find findings from remote sources in London
finding.remote.city: London
finding.remote.country
Provide a string value to find findings associated with a specific country.
Examples
Find findings from remote sources in Canada
finding.remote.country: Canada
finding.remote.ipAddress
Provide a string value to find findings associated with a specific IP address.
Examples
View findings for the IP address: XXX.XX.XXX.XXX
finding.remote.ipAddress: XXX.XX.XXX.XXX
container.cluster.k8s.node.name
Provide a string value to view findings based on the node names.
Examples
View findings for the node name ip-10-**-10-2**
container.cluster.k8s.node.name: ip-10-**-10-2**
container.cluster.name
Provide a string value to view CS (Container Security) event alerts based on cluster name.
Examples
View findings for the cluster name ip-10-**-9-**02
container.cluster.name: ip-10-**-9-**02
container.cluster.k8s.pod.namespace
Provide a string value to view CS event alerts based on namespace.
Examples
View findings for the namespace 'defaultname'
container.cluster.k8s.pod.namespace: defaultname
container.cluster.k8s.pod.name
Provide a string value to view CS event alerts based on CS workloads (pods).
Examples
View findings for the pod name 'xen'
container.cluster.k8s.pod.name: xen
container.name
Provide a string value to view CS event alerts based on container names.
Examples
View findings for the container name 'ubuntu-container'
container.name: ubuntu-container
process.name
Provide a string value to view CS event alerts based on CS process names.
Examples
View findings for the CS process name '/usr/bin/cat'
process.name: /usr/bin/cat
finding.mitre.attack.technique.name
Provide a string value to view CS event alerts based on MITRE technique name.
Examples
View findings for the MITRE technique 'Indicator Removal'
finding.mitre.attack.technique.name: Indicator Removal
finding.mitre.attack.technique.id
Provide a string value to view CS event alerts based on MITRE ATT&CK technique ID.
Examples
View findings for the MITRE technique ID 'TXXXX.XX5'
finding.mitre.attack.technique.id: TXXXX.XX5
finding.mitre.attack.tactic.id
Provide a string value to view CS event alerts based on MITRE ATT&CK tactic ID.
Examples
View findings for the MITRE tactic ID 'TXXXX5'
finding.mitre.attack.tactic.id: TXXXX5
finding.mitre.attack.tactic.name
Provide a string value to view CS event alerts based on MITRE ATT&CK tactic name (for example 'Credential Access'; note that 'Unsecured Credentials' is a technique, not a tactic, and belongs under finding.mitre.attack.technique.name).
Examples
View findings for the MITRE tactic name 'Credential Access'
finding.mitre.attack.tactic.name: Credential Access
finding.mitre.attack.rule.name
Provide a string value to view CS event alerts based on the name of the detection rule mapped to MITRE ATT&CK.
Examples
View findings for the MITRE attack rule 'Cloud Credentials Accessed'
finding.mitre.attack.rule.name: Cloud Credentials Accessed
exception.name
Provide a string value to view findings for a corresponding exception rule.
Examples
View findings for the Exception Rule 'AWS Exception 1'
exception.name: AWS Exception 1
exception.id
Provide a string value to view findings for a corresponding exception ID.
Examples
View findings for the exception ID '7096'
exception.id: 7096
container.host.name
Provide a string value to view findings by the name of the host running the container.
Examples
View findings for container with host name as "my-host-name"
container.host.name: my-host-name
container.host.ipAddress
Provide a string value to view findings using the IPv4 address of the host.
Examples
View findings with host IPv4 address "XX.XX.XX.XXX"
container.host.ipAddress: XX.XX.XX.XXX
container.host.ipV6Address
Provide a string value to view findings using the IPv6 address of the host.
Examples
View findings with host IPv6 address "XXXX:X:X:X:XXXX:XXXX:XXXX:XXXX"
container.host.ipV6Address: XXXX:X:X:X:XXXX:XXXX:XXXX:XXXX
container.portMapping.hostIp
Provide a string value to view findings based on the IP address of the host machine used in container port mapping.
Examples
View findings with host IP address "XXX.XXX.XXX.XXX"
container.portMapping.hostIp: XXX.XXX.XXX.XXX
container.portMapping.hostPort
Provide a string value to view findings based on the host port used in container port mapping (the port on the host that is forwarded to the container).
Examples
View findings with host port "XXXXX"
container.portMapping.hostPort: XXXXX
container.portMapping.port
Provide a string value to view findings by the internal port exposed by the container.
Examples
View findings with port "XXXXX"
container.portMapping.port: XXXXX
container.portMapping.protocol
Provide a string value to view findings based on the network protocol (e.g., TCP, UDP) used in the port mapping.
Examples
View findings with "UDP" network protocol
container.portMapping.protocol: UDP
and
Use a boolean query to express your query using AND logic. Both conditions must match.
Example
Show findings with account ID 205767712438 and resource type Subnet
cloud.accountId: 205767712438 and finding.resource.type: Subnet
not
Use a boolean query to express your query using NOT logic. The condition is negated.
Example
Show findings that are not from the AWS Hong Kong region (ap-east-1)
not cloud.region: ap-east-1
or
Use a boolean query to express your query using OR logic. Either condition may match.
Example
Show findings with severity 4 or severity 5
finding.severity: 4 or finding.severity: 5
asset.truRisk
Provide an integer value to view findings based on the TruRisk™ score.
Examples
View findings with TruRisk™ score "60"
asset.truRisk: 60
Events
event.destination.ip
Provide a string value to view connection events for a specific destination IP address, or use a comparison operator to select a range of destination IP addresses.
Examples
View events for the destination IP address '10.10.0.0'
event.destination.ip: 10.10.0.0
View events for destination IP addresses greater than '10.0.0.0'
event.destination.ip > "10.0.0.0"
event.source.ip
Provide a string value to view connection events for a specific source IP address, or use a comparison operator to select a range of source IP addresses.
Examples
View events for the source IP address '10.10.0.0'
event.source.ip: 10.10.0.0
View events for source IP addresses greater than '10.0.0.0'
event.source.ip > "10.0.0.0"
event.destination.location.city
Provide a string value to view connection events based on the city associated with the destination IP.
Examples
View findings for IP destination city 'Boardman'
event.destination.location.city: "Boardman"
event.source.location.city
Provide a string value to view connection events based on the city associated with the source IP.
Examples
View findings for IP source city 'Redmond'
event.source.location.city: "Redmond"
event.destination.location.continent
Provide a string value to view connection events based on the continent associated with the destination IP.
Examples
View findings for IP destination continent 'North America'
event.destination.location.continent: "North America"
event.source.location.continent
Provide a string value to view connection events based on the continent associated with the source IP.
Examples
View findings for IP source continent 'North America'
event.source.location.continent: "North America"
event.destination.location.country
Provide a string value to view connection events based on the country associated with the destination IP.
Examples
View findings for IP destination country 'United States'
event.destination.location.country: "United States"
event.source.location.country
Provide a string value to view connection events based on the country associated with the source IP.
Examples
View findings for IP source country 'United States'
event.source.location.country: "United States"
event.destination.location.region
Provide a string value to view connection events based on the region (state or province) associated with the destination IP.
Examples
View findings for IP destination region 'Oregon'
event.destination.location.region: "Oregon"
event.source.location.region
Provide a string value to view connection events based on the region (state or province) associated with the source IP.
Examples
View findings for IP source region 'Oregon'
event.source.location.region: "Oregon"
event.appliance.name
Provide a string value to view the connection events for a specific appliance.
Examples
View findings for appliance 'aws-appliance-1'
event.appliance.name: "aws-appliance-1"
event.service
Provide a string value to view connection events for a network service.
Examples
View findings for network service 'dns'
event.service: "dns"
event.cloudType
Provide a string value to view connection events for a specific cloud provider.
Examples
View findings for cloud provider 'AWS'
event.cloudType: "AWS"
event.protocol
Provide a string value to view connection events based on the network protocol.
Examples
View findings for network protocol 'TCP'
event.protocol: "TCP"
event.port
Provide a string value to view connection events based on the network port, given as port/protocol.
Examples
View findings for network port '53/udp'
event.port: "53/udp"
event.traffic.out
Provide an integer value (bytes) with a comparison operator to view connection events by uploaded data size.
Examples
View events with upload size > 1000 bytes.
event.traffic.out: > 1000
event.traffic.in
Provide an integer value (bytes) with a comparison operator to view connection events by downloaded data size.
Examples
View events with download size > 1000 bytes.
event.traffic.in: > 1000
event.traffic.total
Provide an integer value (bytes) with a comparison operator to view connection events by total data transferred (upload + download).
Examples
View events with total data transferred > 2000 bytes.
event.traffic.total: > 2000
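The boolean operators in the Detections section (and, not, or) and the comparison operators on event.source.ip, event.destination.ip and the event.traffic.* fields combine into one small query language. The following is an added example, not Qualys code and not the product's actual parser: it tokenizes queries written in the syntax shown on this page, builds a boolean expression tree, and evaluates it against a few constructed sample records so you can test a query offline before pasting it into the console. Assumptions labelled in the code: records are flat dicts keyed by token name, `not` binds tighter than `and`, which binds tighter than `or`, and IP-typed fields are compared numerically rather than as strings (as text, "10.9.0.5" sorts after "10.10.0.0", which is not what a range query intends).

```python
import ipaddress
import re

# Fields that must be compared as IP addresses, not as text (assumption).
IP_FIELDS = {"event.source.ip", "event.destination.ip", "finding.remote.ipAddress"}

# One token per match: a keyword, a "field op" head, a quoted value, or a bare word.
_TOKEN = re.compile(
    r'\s*(?:(?P<kw>(?:and|or|not)(?=\s|$))'
    r'|(?P<field>[A-Za-z][\w.]*)\s*(?P<op>:\s*(?:>=|<=|>|<)?|>=|<=|>|<)'
    r'|"(?P<quoted>[^"]*)"'
    r'|(?P<word>\S+))',
    re.I,
)

_OPS = {":": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b,
        ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def tokenize(query):
    """Split a query into ('kw', w) / ('head', field, op) / ('val', text) tuples."""
    pos, out = 0, []
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            break  # only trailing whitespace left
        pos = m.end()
        if m.group("kw"):
            out.append(("kw", m.group("kw").lower()))
        elif m.group("field"):
            op = m.group("op").replace(":", "").strip() or ":"  # ": > 1000" -> ">"
            out.append(("head", m.group("field"), op))
        else:
            text = m.group("quoted") if m.group("quoted") is not None else m.group("word")
            out.append(("val", text))
    return out


def _terms(tokens):
    """Fold bare words into the preceding head so 'API Activity' stays one value."""
    out = []
    for tok in tokens:
        if tok[0] == "val":
            if not out or out[-1][0] != "term":
                raise ValueError(f"value {tok[1]!r} has no field")
            field, op, val = out[-1][1:]
            out[-1] = ("term", field, op, (val + " " + tok[1]).strip())
        elif tok[0] == "head":
            out.append(("term", tok[1], tok[2], ""))
        else:
            out.append(tok)
    return out


class _Parser:
    """Recursive descent with precedence not > and > or (assumption, left-assoc)."""

    def __init__(self, terms):
        self.t, self.i = terms, 0

    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("kw", "or"):
            self.i += 1
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.not_expr()
        while self.peek() == ("kw", "and"):
            self.i += 1
            node = ("and", node, self.not_expr())
        return node

    def not_expr(self):
        if self.peek() == ("kw", "not"):
            self.i += 1
            return ("not", self.not_expr())
        tok = self.peek()
        if tok is None or tok[0] != "term" or tok[3] == "":
            raise ValueError(f"expected 'field: value', got {tok!r}")
        self.i += 1
        return tok


def parse(query):
    return _Parser(_terms(tokenize(query))).parse()


def _coerce(field, raw):
    """IP fields -> ip_address objects; numbers -> int; everything else -> lowercase text."""
    if field in IP_FIELDS:
        return ipaddress.ip_address(raw)
    try:
        return int(raw)
    except (TypeError, ValueError):
        return str(raw).lower()


def evaluate(node, record):
    kind = node[0]
    if kind == "term":
        _, field, op, value = node
        if field not in record:
            return False
        try:
            return _OPS[op](_coerce(field, record[field]), _coerce(field, value))
        except (TypeError, ValueError):
            return False  # uncomparable (IPv4 vs IPv6, text vs number): no match
    if kind == "not":
        return not evaluate(node[1], record)
    left, right = evaluate(node[1], record), evaluate(node[2], record)
    return (left and right) if kind == "and" else (left or right)


def search(query, records):
    """Return the ids of records matching the query."""
    ast = parse(query)
    return [r["id"] for r in records if evaluate(ast, r)]


# Constructed sample records (not real findings); keys are the page's token names.
SAMPLE = [
    {"id": "f1", "cloud.accountId": "123456789012", "cloud.region": "us-east-1",
     "finding.severity": 4, "finding.alertClass": "API Activity",
     "event.destination.ip": "10.10.0.0", "event.traffic.out": 1500},
    {"id": "f2", "cloud.accountId": "123456789012", "cloud.region": "ap-east-1",
     "finding.severity": 2, "finding.alertClass": "Network Activity",
     "event.destination.ip": "10.9.0.5", "event.traffic.out": 200},
    {"id": "f3", "cloud.accountId": "210987654321", "cloud.region": "us-east-1",
     "finding.severity": 5, "finding.alertClass": "Detection Activity",
     "event.destination.ip": "10.200.1.1", "event.traffic.out": 4096},
]

if __name__ == "__main__":
    for q in ['cloud.accountId: 123456789012 and finding.alertClass: API Activity',
              'not cloud.region: ap-east-1',
              'event.destination.ip > "10.10.0.0"',
              'event.traffic.out: > 1000 and not finding.severity: 5']:
        print(f"{q!r:70} -> {search(q, SAMPLE)}")
```

Because the evaluator treats `a or b and c` as `a or (b and c)`, a query such as `finding.severity: 5 or finding.severity: 2 and cloud.region: us-east-1` matches only f3 here; if the console applies a different precedence, group your terms explicitly rather than relying on either reading.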