Cloud Security Query Filters
Copy for LLM
Copy page as Markdown for LLMs
View as Markdown
Open this page as Markdown
Open in ChatGPT
Get insights from ChatGPT
Open in Claude
Get insights from Claude

This document provides details on the filters supported by each provider for each API operation. Filters can be used to restrict the results of an API operation, such as filtering by a specific field or value. If a provider or operation does not support filters, it will not be listed here.

They are used in conjunction with the filter query parameter in the API request.

CrowdStrike Cloud Security filters for `query_cloud_resource_inventory`

Field	Operators	Supported Values
cloud.account.name	eq, ne, like, not_like, in, not_in	string
cloud.account.type	eq, ne, like, not_like, in, not_in	string
cloud.account.uid	eq, ne, like, not_like, in, not_in	string
cloud.provider	eq, ne, like, not_like, in, not_in	string
cloud.region	eq, ne, like, not_like, in, not_in	string
cloud.service	eq, ne, like, not_like, in, not_in	string
controls.benchmarks.framework	eq, ne, like, not_like, in, not_in	string
controls.benchmarks.name	eq, ne, like, not_like, in, not_in	string
controls.benchmarks.version	eq, ne, like, not_like, in, not_in	string
device.created_time	gt, gte, lt, lte	datetime
device.created_time_at	gt, gte, lt, lte	datetime
device.first_seen_time	gt, gte, lt, lte	datetime
device.first_seen_time_dt	gt, gte, lt, lte	datetime
device.modified_time	gt, gte, lt, lte	datetime
device.modified_time_dt	gt, gte, lt, lte	datetime
device.name	eq, ne, like, not_like, in, not_in	string
metadata.tenant_uid	eq, ne, like, not_like, in, not_in	string
resource.name	eq, ne, like, not_like, in, not_in	string
resource.type	eq, ne, like, not_like, in, not_in	string
resource.uid	eq, ne, like, not_like, in, not_in	string

Microsoft Defender for Cloud filters for `query_cloud_resource_inventory`

Field	Operators	Supported Values
cloud.account.name	eq, ne, like, not_like, in, not_in	string
cloud.account.uid	eq, ne, like, not_like, in, not_in	string
cloud.provider	eq, ne, like, not_like, in, not_in	string
cloud.region	eq, ne, like, not_like, in, not_in	string
device.created_time	eq, ne, gt, gte, lt, lte	datetime
device.modified_time	eq, ne, gt, gte, lt, lte	datetime
resource.name	eq, ne, like, not_like, in, not_in	string
resource.type	eq, ne, like, not_like, in, not_in	string
resource.uid	eq, ne, like, not_like, in, not_in	string

Palo Alto Networks Cortex Cloud Security filters for `query_cloud_resource_inventory`

Field	Operators	Supported Values
cloud.account.name	eq, ne, in, not_in, like	string
cloud.account.uid	eq, ne, in, not_in, like	string
cloud.provider	eq, ne, in, not_in	string
cloud.region	eq, ne, in, not_in, like	string
device.first_seen_time	eq, ne, gt, gte, lt, lte	datetime
device.ip	eq, ne, in, not_in, like	string
device.last_seen_time	eq, ne, gt, gte, lt, lte	datetime
device.mac	eq, ne, in, not_in, like	string
device.name	eq, ne, in, not_in, like	string
device.region	eq, ne, in, not_in, like	string
device.type	eq, ne, in, not_in, like	string
device.uid	eq, ne, in, not_in, like	string
resource.name	eq, ne, in, not_in, like	string
resource.region	eq, ne, in, not_in, like	string
resource.type	eq, ne, in, not_in, like	string
resource.uid	eq, ne, in, not_in, like	string

AWS Cloud Security filters for `query_compliance_findings`

Field	Operators	Supported Values
cloud.account.uid	eq, ne, like, not_like, in, not_in	string
cloud.provider	eq, ne, like, not_like, in, not_in	string
cloud.region	eq, ne, like, not_like, in, not_in	string
compliance.assessments.category	eq, ne, like, not_like, in, not_in	string
compliance.assessments.name	eq, ne, like, not_like, in, not_in	string
compliance.control	eq, ne, like, not_like, in, not_in	string
compliance.standards	eq, ne, like, not_like, in, not_in	string
compliance.status	eq, ne, like, not_like, in, not_in	string
finding_info.created_time	gt, gte, lt, lte	datetime
finding_info.created_time_dt	gt, gte, lt, lte	datetime
finding_info.desc	eq, ne, like, not_like, in, not_in	string
finding_info.first_seen_time	gt, gte, lt, lte	datetime
finding_info.first_seen_time_dt	gt, gte, lt, lte	datetime
finding_info.last_seen_time	gt, gte, lt, lte	datetime
finding_info.last_seen_time_dt	gt, gte, lt, lte	datetime
finding_info.modified_time	gt, gte, lt, lte	datetime
finding_info.modified_time_dt	gt, gte, lt, lte	datetime
finding_info.title	eq, ne, like, not_like, in, not_in	string
finding_info.types	eq, ne, like, not_like, in, not_in	string
finding_info.uid	eq, ne, like, not_like, in, not_in	string
metadata.product.name	eq, ne, like, not_like, in, not_in	string
metadata.product.vendor_name	eq, ne, like, not_like, in, not_in	string
resources.type	eq, ne, like, not_like, in, not_in	string
resources.uid	eq, ne, like, not_like, in, not_in	string
severity	eq, ne, like, not_like, in, not_in	string
severity_id	eq, ne, like, not_like, in, not_in, gt, gte, lt, lte	number
status	eq, ne, like, not_like, in, not_in	string
status_id	eq, ne, like, not_like, in, not_in, gt, gte, lt, lte	number

CrowdStrike Cloud Security filters for `query_compliance_findings`

Field	Operators	Supported Values
actor.authorizations.policy.is_applied	eq, ne, like, not_like, in, not_in	string
actor.authorizations.policy.name	eq, ne, like, not_like, in, not_in	string
actor.authorizations.policy.uid	eq, ne, like, not_like, in, not_in	string
cloud.account.name	eq, ne, like, not_like, in, not_in	string
cloud.account.uid	eq, ne, like, not_like, in, not_in	string
cloud.provider	eq, ne, like, not_like, in, not_in	string
cloud.region	eq, ne, like, not_like, in, not_in	string
compliance.standards	eq, ne, like, not_like, in, not_in	string
compliance.status	eq, ne, like, not_like, in, not_in	string
finding_info.title	eq, ne, like, not_like, in, not_in	string
finding_info.uid	eq, ne, like, not_like, in, not_in	string
resource.name	eq, ne, like, not_like, in, not_in	string
resource.type	eq, ne, like, not_like, in, not_in	string
resource.uid	eq, ne, like, not_like, in, not_in	string
severity	eq, ne, like, not_like, in, not_in	string
severity_id	eq, ne, like, not_like, in, not_in	string
time	gt, gte, lt, lte	datetime

Microsoft Defender for Cloud filters for `query_compliance_findings`

Field	Operators	Supported Values
compliance.control	eq	string
compliance.requirements	eq	string
compliance.standards	eq	string

Palo Alto Networks Cortex Cloud Security filters for `query_compliance_findings`

Field	Operators	Supported Values
compliance.status	in	string
finding_info.created_time	gte, lte	datetime
finding_info.uid	in	string
resource.type	in	string
severity	in	string
time	gte, lte	datetime

Microsoft Defender for Cloud filters for `query_events`

Field	Operators	Supported Values
device.ip	eq, ne	string
src_endpoint.ip	eq, ne	string
time	gte, lte	datetime
unmapped.appId	eq, ne	number
unmapped.device.clientIP	eq, ne	string

CrowdStrike Cloud Security filters for `query_ioms`

Field	Operators	Supported Values
actor.authorizations.policy.name	eq, ne, like, not_like, in, not_in	string
actor.authorizations.policy.uid	eq, ne, like, not_like, in, not_in	string
cloud.account.name	eq, ne, like, not_like, in, not_in	string
cloud.account.uid	eq, ne, like, not_like, in, not_in	string
cloud.provider	eq, ne, like, not_like, in, not_in	string
cloud.region	eq, ne, like, not_like, in, not_in	string
device.agent_list.uid	eq, ne, like, not_like, in, not_in	string
device.managed_by	eq, ne, like, not_like, in, not_in	string
finding_info.created_time	gt, gte, lt, lte	datetime
finding_info.created_time_dt	gt, gte, lt, lte	datetime
finding_info.types	eq, ne, like, not_like, in, not_in	string
metadata.tenant_uid	eq, ne, like, not_like, in, not_in	string
resources.owner.uid	eq, ne, like, not_like, in, not_in	string
severity	eq, ne, like, not_like, in, not_in	string
severity_id	eq, ne, like, not_like, in, not_in	string

AWS Cloud Security filters for `query_threats`

Field	Operators	Supported Values
activity_id	eq, ne, gt, gte, lt, lte, in, not_in	number
activity_name	eq, ne, in, not_in, like	string
class_name	eq, ne, in, not_in, like	string
cloud.account.uid	eq, ne, in, not_in, like	string
cloud.provider	eq, ne, in, not_in, like	string
cloud.region	eq, ne, in, not_in, like	string
comment	eq, ne, in, not_in, like	string
confidence_score	eq, ne, gt, gte, lt, lte, in, not_in	number
finding_info.created_time	gt, gte, lt, lte	datetime
finding_info.created_time_dt	gt, gte, lt, lte	datetime
finding_info.desc	eq, ne, in, not_in, like	string
finding_info.first_seen_time	gt, gte, lt, lte	datetime
finding_info.first_seen_time_dt	gt, gte, lt, lte	datetime
finding_info.last_seen_time	gt, gte, lt, lte	datetime
finding_info.last_seen_time_dt	gt, gte, lt, lte	datetime
finding_info.modified_time	gt, gte, lt, lte	datetime
finding_info.modified_time_dt	gt, gte, lt, lte	datetime
finding_info.related_events.title	eq, ne, in, not_in, like	string
finding_info.related_events.uid	eq, ne, in, not_in, like	string
finding_info.related_events_count	eq, ne, gt, gte, lt, lte, in, not_in	number
finding_info.src_url	eq, ne, in, not_in, like	string
finding_info.title	eq, ne, in, not_in, like	string
finding_info.types	eq, ne, in, not_in, like	string
finding_info.uid	eq, ne, in, not_in, like	string
malware.name	eq, ne, in, not_in, like	string
metadata.product.name	eq, ne, in, not_in, like, not_like	string
metadata.product.uid	eq, ne, in, not_in, like, not_like	string
metadata.product.vendor_name	eq, ne, in, not_in, like, not_like	string
metadata.uid	eq, ne, in, not_in, like, not_like	string
remediation.desc	eq, ne, in, not_in, like	string
remediation.references	eq, ne, in, not_in, like	string
resources.cloud_partition	eq, ne, in, not_in, like	string
resources.region	eq, ne, in, not_in, like	string
resources.type	eq, ne, in, not_in, like	string
resources.uid	eq, ne, in, not_in, like	string
severity	eq, ne, in, not_in, like	string
severity_id	eq, ne, gt, gte, lt, lte, in, not_in	number
status	eq, ne, in, not_in, like	string
status_id	eq, ne, gt, gte, lt, lte, in, not_in	number
vulnerabilities.cve.uid	eq, ne, in, not_in, like	string
vulnerabilities.is_exploit_available	eq, ne	boolean
vulnerabilities.is_fix_available	eq, ne	boolean

Microsoft Defender for Cloud filters for `query_threats`

Field	Operators	Supported Values
cloud.provider	eq, ne, in, not_in, like, not_like	string
device.hostname	eq, ne, in, not_in, like, not_like	string
finding_info.created_time	gt, gte, lt, lte	datetime
finding_info.created_time_dt	gt, gte, lt, lte	datetime
finding_info.desc	eq, ne, in, not_in, like, not_like	string
finding_info.modified_time	gt, gte, lt, lte	datetime
finding_info.modified_time_dt	gt, gte, lt, lte	datetime
finding_info.title	eq, ne, in, not_in, like, not_like	string
finding_info.types	eq, ne, in, not_in, like, not_like	string
metadata.product.vendor_name	eq, ne, in, not_in, like, not_like	string
remediation.desc	eq, ne, in, not_in, like, not_like	string
resources.uid	eq, ne, in, not_in, like, not_like	string
severity	eq, ne, in, not_in, like, not_like	string
status	eq, ne, in, not_in, like, not_like	string
time	gt, gte, lt, lte	datetime
time_dt	gt, gte, lt, lte	datetime

Cloud Security Query FiltersCopyCopy for LLMCopy page as Markdown for LLMsView as MarkdownOpen this page as MarkdownOpen in ChatGPTGet insights from ChatGPTOpen in ClaudeGet insights from Claude

CrowdStrike Cloud Security filters for query_cloud_resource_inventory

Microsoft Defender for Cloud filters for query_cloud_resource_inventory

Palo Alto Networks Cortex Cloud Security filters for query_cloud_resource_inventory

AWS Cloud Security filters for query_compliance_findings

CrowdStrike Cloud Security filters for query_compliance_findings

Microsoft Defender for Cloud filters for query_compliance_findings

Palo Alto Networks Cortex Cloud Security filters for query_compliance_findings

Microsoft Defender for Cloud filters for query_events

CrowdStrike Cloud Security filters for query_ioms

AWS Cloud Security filters for query_threats

Microsoft Defender for Cloud filters for query_threats

Was this helpful?