EDR Query Filters

This document provides details on the filters supported by each provider for each API operation. Filters can be used to restrict the results of an API operation, such as filtering by a specific field or value.

They are used in conjunction with the filter query parameter in the API request.

CrowdStrike EDR filters for `query_alerts`

Field	Operators	Supported Values
attacks.tactic.name	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
attacks.tactic.uid	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
attacks.technique.name	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
attacks.technique.uid	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
comment	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
confidence_score	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.os.type	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.uid	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.uid_alt	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
finding_info.created_time	gt, gte, lt, lte	datetime
finding_info.created_time_dt	gt, gte, lt, lte	datetime
finding_info.title	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
finding_info.types	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
finding_info.uid	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
metadata.feature.name	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
metadata.loggers.logged_time	gt, gte, lt, lte	datetime
metadata.tenant_uid	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
resources.name	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
resources.uid	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
risk_score	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
start_time	gt, gte, lt, lte	datetime
start_time_dt	gt, gte, lt, lte	datetime
time	gt, gte, lt, lte	datetime
time_dt	gt, gte, lt, lte	datetime
vulnerabilities.desc	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
vulnerabilities.title	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string

Defender EDR filters for `query_alerts`

Field	Operators	Supported Values
actor.user.name	eq, in, ne	string
analytic.category	eq, in, ne	string
finding_info.created_time	gt, gte, lt, lte	datetime
finding_info.created_time_dt	gt, gte, lt, lte	datetime
finding_info.last_seen_time	gt, gte, lt, lte	datetime
finding_info.last_seen_time_dt	gt, gte, lt, lte	datetime
finding_info.modified_time	gt, gte, lt, lte	datetime
finding_info.modified_time_dt	gt, gte, lt, lte	datetime
finding_info.uid	eq, in, ne	string
metadata.uid	eq, in, ne	string
severity	eq, in, ne	string
status	eq, in, ne	string

Malwarebytes EDR filters for `query_alerts`

Field	Operators	Supported Values
finding_info.created_time	gt, gte, lt, lte	datetime
finding_info.created_time_dt	gt, gte, lt, lte	datetime
finding_info.modified_time	gt, gte, lt, lte	datetime
finding_info.modified_time_dt	gt, gte, lt, lte	datetime
finding_info.uid	eq	string
metadata.uid	eq	string
severity	eq	string
status	eq	string

SentinelOne EDR filters for `query_alerts`

Field	Operators	Supported Values
actor.process.file.path	like	string
confidence	eq	string
device.container.image	like	string
device.container.name	like	string
device.container.tag	like	string
device.hostname	eq, like	string
device.last_seen_time	gt, gte, lt, lte	datetime
device.modified_time	gt, gte, lt, lte	datetime
device.org.uid	eq	string
device.os.type	eq	string
finding_info.created_time	gt, gte, lt, lte	datetime
finding_info.first_seen_time	gt, gte, lt, lte	datetime
metadata.product.version	eq	string
time	gt, gte, lt, lte	datetime

Sophos EDR filters for `query_alerts`

Field	Operators	Supported Values
finding_info.created_time	lt, gt	datetime
finding_info.last_seen_time	lt, gt	datetime
finding_info.title	lt, gt, eq, in	string
metadata.product.name	lt, gt, eq, in	string
metadata.uid	lt, gt, eq, in	string

CrowdStrike EDR filters for `query_applications`

Field	Operators	Supported Values
metadata.modified_time	gt, gte, lt, lte	datetime
metadata.modified_time_dt	gt, gte, lt, lte	datetime
product.name	eq, ne, in, not_in	string
product.path	eq, ne, in, not_in	string
product.uid	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
product.vendor_name	eq, ne, in, not_in	string
product.version	eq, ne, in, not_in	string
start_time	gt, gte, lt, lte	datetime
start_time_dt	gt, gte, lt, lte	datetime
time	gt, gte, lt, lte	datetime
time_dt	gt, gte, lt, lte	datetime

Defender EDR filters for `query_applications`

Field	Operators	Supported Values
product.name	like	string
product.uid	eq, like	string
product.vendor_name	like	string
product.version	eq, like	string

Malwarebytes EDR filters for `query_applications`

Field	Operators	Supported Values
device.uid	eq	string
product.name	eq	string
product.uid	eq	string
product.vendor_name	eq	string
product.version	eq, gt, gte, lt, lte	string

SentinelOne EDR filters for `query_applications`

Field	Operators	Supported Values
product.name	like	string
product.uid	eq, like	string
product.vendor_name	like	string
product.version	eq, like	string

Sophos EDR filters for `query_applications`

Field	Operators	Supported Values
product.name	lt, gt, eq, in	string
product.path	lt, gt, eq, in	string

CrowdStrike EDR filters for `query_endpoints`

Field	Operators	Supported Values
device.first_seen_time	gt, gte, lt, lte	datetime
device.hostname	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.hw_info.bios_manufacturer	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.hw_info.bios_ver	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.hw_info.chassis	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.hw_info.serial_number	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.instance_uid	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.ip	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.last_seen_time	gt, gte, lt, lte	datetime
device.mac	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.modified_time	gt, gte, lt, lte	datetime
device.name	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.org.name	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.org.uid	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.os.name	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.os.type	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.os.type_id	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.os.version	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.type	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.type_id	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.uid	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.zone	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
status	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
time	gt, gte, lt, lte	datetime

Defender EDR filters for `query_endpoints`

Field	Operators	Supported Values
cloud.account.uid	eq, ne, like, not_like	string
device.hostname	eq, ne, like, not_like	string
device.ip	eq, ne, like, not_like	string
device.last_time_seen	eq, ne, like, not_like	string
device.os.name	eq, ne, like, not_like	string
device.risk_level	eq, ne, like, not_like	string
device.uid	eq, ne, like, not_like	string
enrichments.reputation.score	eq, ne, like, not_like	string
metadata.labels	eq, ne, like, not_like	string
metadata.product.version	eq, ne, like, not_like	string
risk_level_id	eq, ne, like, not_like	string
status	eq, ne, like, not_like	string
status_code	eq, ne, like, not_like	string
status_detail	eq, ne, like, not_like	string

Malwarebytes EDR filters for `query_endpoints`

Field	Operators	Supported Values
created_at	gt, gte, lt, lte	datetime
deleted_at	gt, gte, lt, lte	datetime
device.domain	eq	string
device.group_id	eq	string
device.group_name	eq	string
device.hw_info.serial_number	eq	string
device.ip	eq	string
device.last_seen_time	gt, gte, lt, lte	datetime
device.mac	eq	string
device.name	eq	string
device.os.cpu_bits	eq	string
device.os.name	eq	string
device.os.type	eq	string
device.os.version	eq	string
device.protection_status	eq	string
device.uid	eq	string
metadata.product.version	eq, gt, gte, lt, lte	string
time	gt, gte, lt, lte	datetime

SentinelOne EDR filters for `query_endpoints`

Field	Operators	Supported Values
device.domain	eq, like	string
device.hostname	eq, like	string
device.hw_info.serial_number	like	string
device.instance_uid	eq	string
device.ip	like	string
device.mac	like	string
device.name	eq, like	string
device.os.name	like	string
device.os.type	eq, like	string
device.os.version	like	string
device.type	eq, like	string
device.uid	eq, like	string
status	eq, like	string

Sophos EDR filters for `query_endpoints`

Field	Operators	Supported Values
device.type	ne, lte, gte, lt, gt, eq, in	string
device.uid	ne, lte, gte, lt, gt, eq, in	string
first_seen_time	eq	datetime
last_seen_time	eq	datetime
status	ne, lte, gte, lt, gt, eq, in	string
status_detail	ne, lte, gte, lt, gt, eq, in	string
time	eq	datetime

CrowdStrike EDR filters for `query_iocs`

Field	Operators	Supported Values
created	gt, gte, lt, lte	datetime
created_by_ref.id	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
extensions.action	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
extensions.expired	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
extensions.host_groups	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
extensions.mobile_action	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
extensions.modified_by	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
extensions.platforms	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
extensions.severity	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
labels	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
modified	gt, gte, lt, lte	datetime
pattern	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
pattern_type	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
valid_until	gt, gte, lt, lte	datetime

Defender EDR filters for `query_iocs`

Field	Operators	Supported Values
created	eq, in	string
created_by_ref.Id	eq, in	string
created_by_ref.name	eq, in	string
extensions.action	eq, in	string
extensions.alert	eq, in	string
extensions.application	eq, in	string
extensions.rbacGroupIds	eq, in	string
extensions.rbacGroupNames	eq, in	string
extensions.severity	eq, in	string
name	eq, in	string
pattern	eq, in	string
pattern_type	eq, in	string
valid_until	eq, in	string

Malwarebytes EDR filters for `query_iocs`

Field	Operators	Supported Values

SentinelOne EDR filters for `query_iocs`

Field	Operators	Supported Values
created	gt, gte, lt, lte	datetime
created_by_ref	like	string
description	like	string
extensions.accountIds	eq	string
extensions.batchId	eq	string
extensions.category	eq	string
extensions.externalId	eq	string
extensions.groupIds	eq	string
extensions.sideIds	eq	string
extensions.source	eq	string
extensions.uploadTime	gt, gte, lt, lte	datetime
id	eq	string
modified	gt, gte, lt, lte	datetime
name	like	string
pattern	eq	string
value	eq	string

Sophos EDR filters for `query_iocs`

Field	Operators	Supported Values

CrowdStrike EDR filters for `query_threatevents`

Field	Operators	Supported Values
actor.process.cmd_line	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
actor.process.file.md5	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
actor.process.file.name	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
actor.process.file.path	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
actor.process.file.sha256	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
actor.process.file.type	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
confidence_score	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.first_seen_time_dt	gt, gte, lt, lte	datetime
device.hostname	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.ip	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
device.last_seen_time_dt	gt, gte, lt, lte	datetime
device.modified_time_dt	gt, gte, lt, lte	datetime
device.product_uid	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
severity	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
severity_id	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
status	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string
tenant_uid	eq, ne, gt, gte, lt, lte, in, not_in, like, not_like	string

Defender EDR filters for `query_threatevents`

Field	Operators	Supported Values
actor.user.name	lt, gt, eq, in	string
finding_info.created_time	lt, gt	datetime
finding_info.modified_time	lt, gt	datetime
status	lt, gt, eq, in	string

Malwarebytes EDR filters for `query_threatevents`

Field	Operators	Supported Values
finding_info.created_time	gt, gte, lt, lte	datetime
finding_info.modified_time	gt, gte, lt, lte	datetime
finding_info.uid	eq	string
metadata.uid	eq	string
severity	eq	string
status	eq	string

SentinelOne EDR filters for `query_threatevents`

Field	Operators	Supported Values
actor.process.created_time_dt	gt, gte, lt, lte	datetime
actor.process.file.path	like	string
confidence	eq	string
device.container.image	like	string
device.container.name	like	string
device.container.tag	like	string
device.groups.uid	eq	string
device.hostname	eq, like	string
device.id	eq	string
device.last_seen_time	gt, gte, lt, lte	datetime
device.modified_time	gt, gte, lt, lte	datetime
device.org.uid	eq	string
device.os.type	eq	string
malware.classifications	eq	string
metadata.product.version	eq	string

Sophos EDR filters for `query_threatevents`

Field	Operators	Supported Values
actor.user.name	eq	string
attacks.tactics.name	eq	string
device.first_seen_time	eq	datetime
device.first_seen_time_dt	eq	datetime
device.last_seen_time	eq	datetime
device.last_seen_time_dt	eq	datetime
device.location	eq	string
device.os.name	eq	string
device.os.type	eq	string
device.type	eq	string
hostname	eq	string
metadata.product.name	eq	string
risk_score	eq	string
severity	eq	string
type_name	eq	string
vendor_name	eq	string
vulnerabilities.title	eq	string

EDR Query Filters

CrowdStrike EDR filters for query_alerts

Defender EDR filters for query_alerts

Malwarebytes EDR filters for query_alerts

SentinelOne EDR filters for query_alerts

Sophos EDR filters for query_alerts

CrowdStrike EDR filters for query_applications

Defender EDR filters for query_applications

Malwarebytes EDR filters for query_applications

SentinelOne EDR filters for query_applications

Sophos EDR filters for query_applications

CrowdStrike EDR filters for query_endpoints

Defender EDR filters for query_endpoints

Malwarebytes EDR filters for query_endpoints

SentinelOne EDR filters for query_endpoints

Sophos EDR filters for query_endpoints

CrowdStrike EDR filters for query_iocs

Defender EDR filters for query_iocs

Malwarebytes EDR filters for query_iocs

SentinelOne EDR filters for query_iocs

Sophos EDR filters for query_iocs

CrowdStrike EDR filters for query_threatevents

Defender EDR filters for query_threatevents

Malwarebytes EDR filters for query_threatevents

SentinelOne EDR filters for query_threatevents

Sophos EDR filters for query_threatevents

Was this helpful?