Search Tokens: Run Time Controls on Cloud Posture Tab
Use the search tokens below to search for controls being monitored. Looking for help with writing your query? click here
Use a text value ##### to show resources based on the unique account ID.
Example
Show findings with this account ID
aws.accountId: 205767712438
aws.account.statusaws.account.status
Use this is search AWS resources based on their account status.
Example
Show AWS resources with ACTIVE account status
aws.account.status: ACTIVE
aws.account.aliasaws.account.alias
Use a text value ##### to show resources based on the account alias.
Example
Show resources with this account alias
aws.account.alias: Example_resource
azure.subscriptionNameazure.subscriptionName
Use a text value ##### to find Azure connectors based on the subscription name associated with the connector at the time of creation.
Example
Show connectors with this subscription name
azure.subscriptionName: Sample Cloud Subscription
Use a text value ##### to show controls based on the unique control ID associated with the control at the time of creation.
Example
Show controls with this ID
control.id: 205767712438
control.criticalitycontrol.criticality
Select the control criticality (HIGH, MEDIUM, LOW) you're interested in.
Example
Show controls with High criticality
control.criticality: HIGH
Use values within quotes to help you find controls with a certain name.
Examples
Show findings with this name
control.name: Avoid the use of the root account
Show any findings that contain parts of name
control.name: "Avoid the use of the root account"
Select the control result you're interested in: PASS or FAIL.
Examples
Show controls that passed
control.result:PASS
Show controls that failed
control.result:FAIL
Use values within quotes to find a CIS or AWS policy by name.
Examples
Show findings with this name
policy.name: CIS Amazon Web Services Foundations Benchmark
Show any findings that contain parts of name
policy.name: "CIS Amazon Web Services Foundations Benchmark"
control.providercontrol.provider
Filter controls based on the cloud provider that defined the control.
Example
Show controls provided by AWS
control.provider:AWS
cloud.resource.lastFixedDatecloud.resource.lastFixedDate
Use a date range or specific date to find when the misconfigured or vulnerable resources were last fixed.
Examples
Show the misconfigured or vulnerable resources last fixed within certain dates
cloud.resource.lastFixedDate: [2023-10-01 .. 2023-12-01]
Show the misconfigured or vulnerable resources last fixed starting 2023-01-01, ending 1 month ago
cloud.resource.lastFixedDate: [2023-01-01 .. now-1m]
Show the misconfigured or vulnerable resources last fixed starting 2 weeks ago, ending 1 second ago
cloud.resource.lastFixedDate: [now-2w .. now-1s]
Show the misconfigured or vulnerable resources last fixed on specific date
cloud.resource.lastFixedDate: 2023-01-08
cloud.resource.lastReopenedDatecloud.resource.lastReopenedDate
Use a date range or specific date to find when the misconfigured or vulnerable resources were last reopened.
Examples
Show the misconfigured or vulnerable resources last reopened within certain dates
cloud.resource.lastReopenedDate: [2023-10-01 .. 2023-12-01]
Show the misconfigured or vulnerable resources last reopened starting 2023-01-01, ending 1 month ago
cloud.resource.lastReopenedDate: [2023-01-01 .. now-1m]
Show the misconfigured or vulnerable resources last reopened starting 2 weeks ago, ending 1 second ago
cloud.resource.lastReopenedDate: [now-2w .. now-1s]
Show the misconfigured or vulnerable resources last reopened on specific date
cloud.resource.lastReopenedDate: 2023-01-08
aws.account.tag.keyaws.account.tag.key
Use values within quotes or backticks to find the list control evaluation of AWS connectors with the specified tag key.
Examples
Show control evaluations of AWS connectors with the specified tag key.
aws.account.tag.key: "Department"
Show control evaluations of AWS connectors that match the exact specified tag key.
aws.account.tag.key: `S3 Department`
aws.account.tag.valueaws.account.tag.value
Use values within quotes or backticks to find the list control evaluation of AWS connectors with the specified tag value.
Examples
Show control evaluations of AWS connectors with the specified tag value.
aws.account.tag.value: "Finance"
Show control evaluations of AWS connectors that match the exact specified tag value.
aws.account.tag.value: `B1 Finance`
Select the name of the region you're interested in. Select from names in the drop-down menu.
Example
Find resources in the Singapore region
cloud.region: Singapore, Singapore
cloud.resource.idcloud.resource.id
Use a text value ##### to find resources by the unique ID assigned to the resource.
Example
Show resources with ID acl-8e5198f5
cloud.resource.id: acl-8e5198f5
Use a text value ##### to show OCI resources based on the unique tenant ID.
Example
Show findings with tenant ID
oci.tenantId: ocid1.tenancy.oc1..aaaaaaaax2gwhq3hszjqhte5pgzijgyge6gvlsrqar6kxn7itwhk7keokamq
cloud.resource.typecloud.resource.type
Select the type of resource you're interested in. Select from names in the drop-down menu.
Example
Show resources of type Instance
cloud.resource.type: Instance
resource.resultresource.result
Select the resource result (PASSE, PASS, FAIL) from control evaluation. Select status from the drop-down options.
Example
Show resources that have PASS result from control evaluation.
resource.result: PASS
Select the type of service you're interested in. Select from names in the drop-down menu.
Example
Show service type VPC
service.type: VPC
cloud.resource.evaluatedDatecloud.resource.evaluatedDate
Use a date range or specific date to define when the resource was first discovered.
Examples
Show resources discovered within certain dates
cloud.resource.evaluatedDate: [2018-01-01 .. 2018-03-01]
Show resources updated starting 2018-10-01, ending 1 month ago
cloud.resource.evaluatedDate: [2018-01-01 .. now-1m]
Show resources updated starting 2 weeks ago, ending 1 second ago
cloud.resource.evaluatedDate: [now-2w .. now-1s]
Show resources discovered on specific date
cloud.resource.evaluatedDate: 2018-01-08
cloud.resource.firstEvaluatedDatecloud.resource.firstEvaluatedDate
Use a date range or specific date to find when the resource was first evaluated.
Examples
Show the resources first evaluated within certain dates
cloud.resource.firstEvaluatedDate: [2023-10-01 .. 2023-12-01]
Show the resources first evaluated starting 2023-01-01, ending 1 month ago
cloud.resource.firstEvaluatedDate: [2023-01-01 .. now-1m]
Show the resources first evaluated starting 2 weeks ago, ending 1 second ago
cloud.resource.firstEvaluatedDate: [now-2w .. now-1s]
Show the resources first evaluated on specific date
cloud.resource.firstEvaluatedDate: 2023-01-08
cloud.resource.lastEvaluatedDatecloud.resource.lastEvaluatedDate
Use a date range or specific date to find when the resource was last evaluated.
Examples
Show the resources last evaluated within certain dates
cloud.resource.lastEvaluatedDate: [2023-10-01 .. 2023-12-01]
Show resources last evaluated starting 2018-10-01, ending 1 month ago
cloud.resource.lastEvaluatedDate: [2023-12-01 .. now-1m]
Show resources last evaluated starting 2 weeks ago, ending 1 second ago
cloud.resource.lastEvaluatedDate: [now-2w .. now-1s]
Show resources last evaluated on specific date
cloud.resource.lastEvaluatedDate: 2023-12-08
Use the name of mandate policy to view controls that belong to the specified mandate policy.
Examples
Show all the controls that belong to the Cloud Controls Matrix (CCM) mandate policy
mandate.name: Cloud Controls Matrix (CCM)
mandate.publishermandate.publisher
Use the name of mandate publisher to view controls that belong to the specified mandate policy.
Examples
Show all the controls that belong to the Cloud Security Alliance (CSA) mandate publisher
mandate.publisher: Cloud Security Alliance
requirement.sectionrequirement.section
Use the name of requirement section to view all the controls that belong to the specified requirement section.
Examples
Show all the controls that belong to the AIS requirement section
requirement.section: AIS
control.objective.sectioncontrol.objective.section
Use the name of controlObjective section to view all the controls that belong to the specified section name.
Examples
Show all the controls that belong to the SC-7 control objective section
control.objective.section: SC-7
control.objective.commentscontrol.objective.comments
Use the name of control objective's comments to view all the controls that match the to the specified comment.
Examples
Show all the controls that match the control objective comment saying Boundary Protection
control.objective.comments: Boundary Protection
Search the policy by providing a unique id to identify any policy.
Examples
Show the policy that belong to specified unique ID
policy.uuid:80313390-aa04-11e9-9596-45e2d51410b1
Search the type of policy you want to view. Select the types from the drop-down menu.
Examples
Show all policies that are defined by user
policy.type:User Defined
azure.subscriptionIdazure.subscriptionId
Use a text value ##### to find Azure connectos based on the unique subscription ID associated with the connector at the time of creation.
Example
Show connectors with this subscription ID
azure.subscriptionId: fbb9ea64-abda-452e-adfa-83442409
Use a text value ##### to find GCP connectors based on the unique project ID associated with the connectorat the time of creation.
Show connectors with this projectId
projectId: my-project-1513669048551
control.updatedBy.usernamecontrol.updatedBy.username
Use a text value ##### to find policies or controls modified by a user of interest.
Example
Show policies or controls modified by the specified user
control.updatedBy.username: user_john
Use values within quotes to help you find exceptions with a certain name.
Example
Show exceptions with this name
exception.name: Sample_exception
control.isRemediablecontrol.isRemediable
Use true to view the controls for which remediation is enabled.
Example
Show controls that are remediable
control.isRemediable: TRUE
cloud.resource.remediationStatuscloud.resource.remediationStatus
Select the remediation status ("Success", "Queued", "Error") to view controls with selected status. Select from names in the drop-down menu.
Example
Show controls with success as the remediation status
cloud.resource.remediationStatus: Success
control.isCustomizablecontrol.isCustomizable
Use the values true | false to find controls that are customizable or not.
Example
Show controls that are customizable
control.isCustomizable: true
Use a text value ##### to show controls created from QFlow with specified QFlow id.
Example
Show controls with specific qflow id
qflow.id: 80313390-aa04-11e9-9596-45e2d51410b1
Use values within quotes or back-ticks to find controls created from QFlow with the specified name.
Examples
Show controls that are created from QFlow with a name that partially matches the specified QFlow name.
qflow.name: "Publicly accessible S3 buckets"
Show controls that are created from QFlow with a name that exactly matches the specified QFlow name.
qflow.name: `S3 buckets`
connector.tag.nameconnector.tag.name
Use values within quotes or backticks to help you find the resources with the specified connector tag you're looking for.
Example
Show any findings that contain "network" and "blue" in name
connector.tag.name: "network blue"
Show any findings that contain "network" or "blue" in name (another method)
connector.tag.name: "network" OR tags.name: "blue"
Show any findings that match exact value "Cloud Agent"
connector.tag.name: "Cloud Agent"
Use a boolean query to express your query using AND logic.
Example
Show findings with account ID 205767712438 and type Subnet
account.id: 205767712438 and resource.type: Subnet
Use a boolean query to express your query using NOT logic.
Example
Show findings that are not resource type Instance
not resource.type: Instance
Use a boolean query to express your query using OR logic.
Example
Show findings with one of these tag values
tag.value: Finance or tag.value: Accounting
cloud.resource.prevResult.valuecloud.resource.prevResult.value
Use a boolean query to filter resources according to their prior control evaluation results.
Example
Show findings with prior control evaluation results as "FAIL"
cloud.resource.prevResult.value: FAIL
cloud.resource.currentResult.startDatecloud.resource.currentResult.startDate
Specify a timeframe find the most recent time when the resource evaluation status was updated to its current state.
Example
Show findings with evaluation results changed within the last 24 hours.
cloud.resource.currentResult.startDate:
[now-24h..now]
cloud.resource.firstPassedDatecloud.resource.firstPassedDate
Specify a timeframe to filter resources based on the time frame of their first passed evaluation.
Example
Show findings that passed their first evaluation within the last 24 hours.
cloud.resource.firstPassedDate:
[now-24h..now]
cloud.resource.lastPassedDatecloud.resource.lastPassedDate
Specify a timeframe to filter resources based on the time frame of their last passed evaluation.
Example
Show findings that passed their last evaluation within the last 24 hours.
cloud.resource.lastPassedDate:
[now-24h..now]
cloud.resource.firstFailedDatecloud.resource.firstFailedDate
Specify a timeframe to filter resources based on the time frame of their first failed evaluation.
Example
Show findings that failed their first evaluation within the last 24 hours.
cloud.resource.firstFailedDate:
[now-24h..now]
cloud.resource.lastFailedDatecloud.resource.lastFailedDate
Specify a timeframe to filter resources based on the time frame of their last failed evaluation.
Example
Show findings that failed their last evaluation within the last 24 hours.
cloud.resource.lastFailedDate:
[now-24h..now]
cloud.resource.prevResult.startDatecloud.resource.prevResult.startDate
Specify a timeframe within which the evaluation status changed from pass to fail, or from fail to pass.
Example
Show resources for which the evaluation status changed from pass to fail, or from fail to pass within the last 30 hours.
cloud.resource.prevResult.startDate:
[now-30h..now]
Specify the geographical region or data center location where a particular Azure resource is deployed.
Example
Show resources deployed in 'eastus' region.
azure.location:eastus
control.evaluatedDatecontrol.evaluatedDate
Search for controls based on the date when the control was last evaluated. You can enter an exact date or use comparative operators such as >, <, >=, <=.
Example
Show controls evaluated on or after 1st October 2024
control.evaluatedDate: >= 2024-10-01
control.controlObjective.sectioncontrol.controlObjective.section
Search for controls based on the section of the control objective to which they belong. Select the section name or identifier from the drop-down.
Example
Show controls mapped to Section 5.1 of a control objective
control.controlObjective.section: 5.1
requirement.commentsrequirement.comments
Use the name of requirement section to view all the controls that belong to the specified requirement section.
Examples
Show all the controls that belong to the Application & Interface Security requirement comment
requirement.comments: Application & Interface Security