# EDR Query Filters

This document provides details on the filters supported by each provider for each API operation. Filters can be used to restrict the results of an API operation, such as filtering by a specific field or value. They are used in conjunction with the `filter` query parameter in the API request.

### CrowdStrike Insight EDR filters for `query_alerts`

| Field | Operators | Supported Values |
| --- | --- | --- |
| attacks.tactic.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| attacks.tactic.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| attacks.technique.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| attacks.technique.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| comment | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| confidence_score | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.os.type | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.uid_alt | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| finding_info.created_time | gt, gte, lt, lte | datetime |
| finding_info.created_time_dt | gt, gte, lt, lte | datetime |
| finding_info.title | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| finding_info.types | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| finding_info.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| metadata.feature.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| metadata.loggers.logged_time | gt, gte, lt, lte | datetime |
| metadata.tenant_uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| resources.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| resources.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| risk_score | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| start_time | gt, gte, lt, lte | datetime |
| start_time_dt | gt, gte, lt, lte | datetime |
| time | gt, gte, lt, lte | datetime |
| time_dt | gt, gte, lt, lte | datetime |
| vulnerabilities.desc | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| vulnerabilities.title | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |

### Microsoft Defender filters for `query_alerts`

| Field | Operators | Supported Values |
| --- | --- | --- |
| actor.user.name | eq, in, ne | string |
| analytic.category | eq, in, ne | string |
| finding_info.created_time | gt, gte, lt, lte | datetime |
| finding_info.created_time_dt | gt, gte, lt, lte | datetime |
| finding_info.last_seen_time | gt, gte, lt, lte | datetime |
| finding_info.last_seen_time_dt | gt, gte, lt, lte | datetime |
| finding_info.modified_time | gt, gte, lt, lte | datetime |
| finding_info.modified_time_dt | gt, gte, lt, lte | datetime |
| finding_info.uid | eq, in, ne | string |
| metadata.uid | eq, in, ne | string |
| severity | eq, in, ne | string |
| status | eq, in, ne | string |

### SentinelOne Endpoint filters for `query_alerts`

| Field | Operators | Supported Values |
| --- | --- | --- |
| actor.process.file.path | like | string |
| confidence | eq | string |
| device.container.image | like | string |
| device.container.name | like | string |
| device.container.tag | like | string |
| device.hostname | eq, like | string |
| device.last_seen_time | gt, gte, lt, lte | datetime |
| device.modified_time | gt, gte, lt, lte | datetime |
| device.org.uid | eq | string |
| device.os.type | eq | string |
| finding_info.created_time | gt, gte, lt, lte | datetime |
| finding_info.first_seen_time | gt, gte, lt, lte | datetime |
| metadata.product.version | eq | string |
| time | gt, gte, lt, lte | datetime |

### Sophos Endpoint filters for `query_alerts`

| Field | Operators | Supported Values |
| --- | --- | --- |
| finding_info.created_time | lt, gt | datetime |
| finding_info.created_time_dt | lt, gt | datetime |
| finding_info.last_seen_time | lt, gt | datetime |
| finding_info.last_seen_time_dt | lt, gt | datetime |
| finding_info.title | lt, gt, eq, in | string |
| metadata.product.name | lt, gt, eq, in | string |
| metadata.uid | lt, gt, eq, in | string |

### Tanium EDR filters for `query_alerts`

| Field | Operators | Supported Values |
| --- | --- | --- |
| device.hostname | like | string |
| device.ip | like | string |
| finding_info.created_time | gt, gte, lt | datetime |
| finding_info.created_time_dt | gte, lt | datetime |
| finding_info.uid | eq | string |
| status | eq | string |

### ThreatDown EDR filters for `query_alerts`

| Field | Operators | Supported Values |
| --- | --- | --- |
| finding_info.created_time | gt, gte, lt, lte | datetime |
| finding_info.created_time_dt | gt, gte, lt, lte | datetime |
| finding_info.modified_time | gt, gte, lt, lte | datetime |
| finding_info.modified_time_dt | gt, gte, lt, lte | datetime |
| finding_info.uid | eq | string |
| metadata.uid | eq | string |
| severity | eq | string |
| status | eq | string |

### [MOCK] CrowdStrike Insight EDR filters for `query_alerts`

| Field | Operators | Supported Values |
| --- | --- | --- |
| attacks.tactic.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| attacks.tactic.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| attacks.technique.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| attacks.technique.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| comment | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| confidence_score | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.os.type | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.uid_alt | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| finding_info.created_time | gt, gte, lt, lte | datetime |
| finding_info.created_time_dt | gt, gte, lt, lte | datetime |
| finding_info.title | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| finding_info.types | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| finding_info.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| metadata.feature.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| metadata.loggers.logged_time | gt, gte, lt, lte | datetime |
| metadata.tenant_uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| resources.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| resources.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| risk_score | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| start_time | gt, gte, lt, lte | datetime |
| start_time_dt | gt, gte, lt, lte | datetime |
| time | gt, gte, lt, lte | datetime |
| time_dt | gt, gte, lt, lte | datetime |
| vulnerabilities.desc | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| vulnerabilities.title | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |

### CrowdStrike Insight EDR filters for `query_applications`

| Field | Operators | Supported Values |
| --- | --- | --- |
| metadata.modified_time | gt, gte, lt, lte | datetime |
| metadata.modified_time_dt | gt, gte, lt, lte | datetime |
| product.name | eq, ne, in, not_in | string |
| product.path | eq, ne, in, not_in | string |
| product.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| product.vendor_name | eq, ne, in, not_in | string |
| product.version | eq, ne, in, not_in | string |
| start_time | gt, gte, lt, lte | datetime |
| start_time_dt | gt, gte, lt, lte | datetime |
| time | gt, gte, lt, lte | datetime |
| time_dt | gt, gte, lt, lte | datetime |

### Microsoft Defender filters for `query_applications`

| Field | Operators | Supported Values |
| --- | --- | --- |
| product.name | like | string |
| product.uid | eq, like | string |
| product.vendor_name | like | string |
| product.version | eq, like | string |

### SentinelOne Endpoint filters for `query_applications`

| Field | Operators | Supported Values |
| --- | --- | --- |
| product.name | like | string |
| product.uid | eq, like | string |
| product.vendor_name | like | string |
| product.version | eq, like | string |

### Sophos Endpoint filters for `query_applications`

| Field | Operators | Supported Values |
| --- | --- | --- |
| product.name | lt, gt, eq, in | string |
| product.path | lt, gt, eq, in | string |

### Tanium EDR filters for `query_applications`

| Field | Operators | Supported Values |
| --- | --- | --- |
| device.hostname | eq | string |
| device.ip | eq | string |
| device.last_seen_time | gte | datetime |
| device.mac | eq | string |
| product.name | eq, gte, like | string |
| product.version | eq, gte, like | string |

### ThreatDown EDR filters for `query_applications`

| Field | Operators | Supported Values |
| --- | --- | --- |
| created_at | gt, lt | datetime |
| device.name | eq, ne, like, not_like | string |
| device.os.name | eq, ne | string |
| device.os.type | eq, ne, like, not_like | string |
| device.os.version | eq, ne, like, not_like | string |
| device.uid | eq, ne | string |
| product.name | eq, ne | string |
| product.vendor_name | eq, ne, like, not_like | string |
| product.version | eq, ne, like, not_like | string |
| sw_info.name | eq, ne, like, not_like | string |
| sw_info.vendor | eq, ne, like, not_like | string |
| sw_info.version | eq, ne, like, not_like | string |

### [MOCK] CrowdStrike Insight EDR filters for `query_applications`

| Field | Operators | Supported Values |
| --- | --- | --- |
| metadata.modified_time | gt, gte, lt, lte | datetime |
| metadata.modified_time_dt | gt, gte, lt, lte | datetime |
| product.name | eq, ne, in, not_in | string |
| product.path | eq, ne, in, not_in | string |
| product.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| product.vendor_name | eq, ne, in, not_in | string |
| product.version | eq, ne, in, not_in | string |
| start_time | gt, gte, lt, lte | datetime |
| start_time_dt | gt, gte, lt, lte | datetime |
| time | gt, gte, lt, lte | datetime |
| time_dt | gt, gte, lt, lte | datetime |

### CrowdStrike Insight EDR filters for `query_edr_events`

| Field | Operators | Supported Values |
| --- | --- | --- |
| actor.process.file.hashes | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.file.path | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.hostname | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.ip | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.network_status | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.os.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |

### Microsoft Defender filters for `query_edr_events`

| Field | Operators | Supported Values |
| --- | --- | --- |

### SentinelOne Endpoint filters for `query_edr_events`

| Field | Operators | Supported Values |
| --- | --- | --- |
| actor.process.file.hashes | eq, ne, in | string |
| actor.process.file.path | eq, ne, like, in | string |
| actor.process.name | eq, ne, like, in | string |
| device.hostname | eq, ne, like, in | string |
| device.ip | eq, ne, like, in | string |
| device.network_status | eq, ne, in | string |
| device.os.name | eq, ne, like, in | string |
| metadata.labels | eq, ne, like, in | string |
| query.hostname | eq, ne, like, in | string |
| url.url_string | eq, ne, like, in | string |

### Sophos Endpoint filters for `query_edr_events`

| Field | Operators | Supported Values |
| --- | --- | --- |

### Tanium EDR filters for `query_edr_events`

| Field | Operators | Supported Values |
| --- | --- | --- |

### ThreatDown EDR filters for `query_edr_events`

| Field | Operators | Supported Values |
| --- | --- | --- |

### [MOCK] CrowdStrike Insight EDR filters for `query_edr_events`

| Field | Operators | Supported Values |
| --- | --- | --- |
| actor.process.file.hashes | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.file.path | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.hostname | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.ip | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.network_status | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.os.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |

### CrowdStrike Insight EDR filters for `query_endpoints`

| Field | Operators | Supported Values |
| --- | --- | --- |
| device.first_seen_time | gt, gte, lt, lte | datetime |
| device.hostname | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.hw_info.bios_manufacturer | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.hw_info.bios_ver | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.hw_info.chassis | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.hw_info.serial_number | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.instance_uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.ip | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.last_seen_time | gt, gte, lt, lte | datetime |
| device.mac | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.modified_time | gt, gte, lt, lte | datetime |
| device.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.org.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.org.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.os.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.os.type | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.os.type_id | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.os.version | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.type | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.type_id | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.zone | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| status | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| time | gt, gte, lt, lte | datetime |

### Microsoft Defender filters for `query_endpoints`

| Field | Operators | Supported Values |
| --- | --- | --- |
| cloud.account.uid | eq, ne, like, not_like | string |
| device.hostname | eq, ne, like, not_like | string |
| device.ip | eq, ne, like, not_like | string |
| device.last_seen_time | eq, ne, like, not_like | string |
| device.last_seen_time_dt | eq, ne, like, not_like | string |
| device.os.name | eq, ne, like, not_like | string |
| device.risk_level | eq, ne, like, not_like | string |
| device.uid | eq, ne, like, not_like | string |
| enrichments.reputation.score | eq, ne, like, not_like | string |
| metadata.labels | eq, ne, like, not_like | string |
| metadata.product.version | eq, ne, like, not_like | string |
| risk_level_id | eq, ne, like, not_like | string |
| status | eq, ne, like, not_like | string |
| status_code | eq, ne, like, not_like | string |
| status_detail | eq, ne, like, not_like | string |

### SentinelOne Endpoint filters for `query_endpoints`

| Field | Operators | Supported Values |
| --- | --- | --- |
| device.domain | eq, like | string |
| device.hostname | eq, like | string |
| device.hw_info.serial_number | like | string |
| device.instance_uid | eq | string |
| device.ip | like | string |
| device.mac | like | string |
| device.name | eq, like | string |
| device.os.name | like | string |
| device.os.type | eq, like | string |
| device.os.version | like | string |
| device.type | eq, like | string |
| device.uid | eq, like | string |
| status | eq, like | string |

### Sophos Endpoint filters for `query_endpoints`

| Field | Operators | Supported Values |
| --- | --- | --- |
| device.type | ne, lte, gte, lt, gt, eq, in | string |
| device.uid | ne, lte, gte, lt, gt, eq, in | string |
| first_seen_time | eq | datetime |
| last_seen_time | eq | datetime |
| status | ne, lte, gte, lt, gt, eq, in | string |
| status_detail | ne, lte, gte, lt, gt, eq, in | string |
| time | eq | datetime |

### Tanium EDR filters for `query_endpoints`

| Field | Operators | Supported Values |
| --- | --- | --- |
| device.hostname | eq | string |
| device.ip | eq | string |
| device.last_seen_time | gte | datetime |
| device.mac | eq | string |

### ThreatDown EDR filters for `query_endpoints`

| Field | Operators | Supported Values |
| --- | --- | --- |
| created_at | gt, gte, lt, lte | datetime |
| deleted_at | gt, gte, lt, lte | datetime |
| device.domain | eq | string |
| device.group_id | eq | string |
| device.group_name | eq | string |
| device.hw_info.serial_number | eq | string |
| device.ip | eq | string |
| device.last_seen_time | gt, gte, lt, lte | datetime |
| device.mac | eq | string |
| device.name | eq | string |
| device.os.cpu_bits | eq | string |
| device.os.name | eq | string |
| device.os.type | eq | string |
| device.os.version | eq | string |
| device.protection_status | eq | string |
| device.uid | eq | string |
| metadata.product.version | eq, gt, gte, lt, lte | string |
| time | gt, gte, lt, lte | datetime |

### [MOCK] CrowdStrike Insight EDR filters for `query_endpoints`

| Field | Operators | Supported Values |
| --- | --- | --- |
| device.first_seen_time | gt, gte, lt, lte | datetime |
| device.hostname | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.hw_info.bios_manufacturer | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.hw_info.bios_ver | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.hw_info.chassis | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.hw_info.serial_number | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.instance_uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.ip | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.last_seen_time | gt, gte, lt, lte | datetime |
| device.mac | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.modified_time | gt, gte, lt, lte | datetime |
| device.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.org.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.org.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.os.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.os.type | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.os.type_id | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.os.version | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.type | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.type_id | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.zone | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| status | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| time | gt, gte, lt, lte | datetime |

### CrowdStrike Insight EDR filters for `query_iocs`

| Field | Operators | Supported Values |
| --- | --- | --- |
| created | gt, gte, lt, lte | datetime |
| created_by_ref.id | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.action | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.expired | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.host_groups | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.mobile_action | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.modified_by | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.platforms | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.severity | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| labels | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| modified | gt, gte, lt, lte | datetime |
| pattern | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| pattern_type | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| valid_until | gt, gte, lt, lte | datetime |

### Microsoft Defender filters for `query_iocs`

| Field | Operators | Supported Values |
| --- | --- | --- |
| created | eq, in | string |
| created_by_ref.Id | eq, in | string |
| created_by_ref.name | eq, in | string |
| extensions.action | eq, in | string |
| extensions.alert | eq, in | string |
| extensions.application | eq, in | string |
| extensions.rbacGroupIds | eq, in | string |
| extensions.rbacGroupNames | eq, in | string |
| extensions.severity | eq, in | string |
| name | eq, in | string |
| pattern | eq, in | string |
| pattern_type | eq, in | string |
| valid_until | eq, in | string |

### SentinelOne Endpoint filters for `query_iocs`

| Field | Operators | Supported Values |
| --- | --- | --- |
| created | gt, gte, lt, lte | datetime |
| created_by_ref | like | string |
| description | like | string |
| extensions.accountIds | eq | string |
| extensions.batchId | eq | string |
| extensions.category | eq | string |
| extensions.externalId | eq | string |
| extensions.groupIds | eq | string |
| extensions.sideIds | eq | string |
| extensions.source | eq | string |
| extensions.uploadTime | gt, gte, lt, lte | datetime |
| id | eq | string |
| modified | gt, gte, lt, lte | datetime |
| name | like | string |
| pattern | eq | string |
| value | eq | string |

### Sophos Endpoint filters for `query_iocs`

| Field | Operators | Supported Values |
| --- | --- | --- |

### Tanium EDR filters for `query_iocs`

| Field | Operators | Supported Values |
| --- | --- | --- |

### ThreatDown EDR filters for `query_iocs`

| Field | Operators | Supported Values |
| --- | --- | --- |

### [MOCK] CrowdStrike Insight EDR filters for `query_iocs`

| Field | Operators | Supported Values |
| --- | --- | --- |
| created | gt, gte, lt, lte | datetime |
| created_by_ref.id | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.action | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.expired | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.host_groups | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.mobile_action | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.modified_by | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.platforms | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| extensions.severity | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| labels | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| modified | gt, gte, lt, lte | datetime |
| pattern | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| pattern_type | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| valid_until | gt, gte, lt, lte | datetime |

### CrowdStrike Insight EDR filters for `query_threatevents`

| Field | Operators | Supported Values |
| --- | --- | --- |
| actor.process.cmd_line | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.file.md5 | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.file.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.file.path | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.file.sha256 | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.file.type | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| confidence_score | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.first_seen_time_dt | gt, gte, lt, lte | datetime |
| device.hostname | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.ip | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.last_seen_time_dt | gt, gte, lt, lte | datetime |
| device.modified_time_dt | gt, gte, lt, lte | datetime |
| device.product_uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| severity | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| severity_id | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| status | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| tenant_uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |

### Microsoft Defender filters for `query_threatevents`

| Field | Operators | Supported Values |
| --- | --- | --- |
| actor.user.name | lt, gt, eq, in | string |
| finding_info.created_time | lt, gt | datetime |
| finding_info.modified_time | lt, gt | datetime |
| status | lt, gt, eq, in | string |

### SentinelOne Endpoint filters for `query_threatevents`

| Field | Operators | Supported Values |
| --- | --- | --- |
| actor.process.created_time_dt | gt, gte, lt, lte | datetime |
| actor.process.file.path | like | string |
| confidence | eq | string |
| device.container.image | like | string |
| device.container.name | like | string |
| device.container.tag | like | string |
| device.groups.uid | eq | string |
| device.hostname | eq, like | string |
| device.id | eq | string |
| device.org.uid | eq | string |
| device.type | eq | string |
| finding_info.created_time | gt, gte, lt, lte | datetime |
| finding_info.modified_time | gt, gte, lt, lte | datetime |
| malware.classifications | eq | string |
| metadata.product.version | eq | string |
| severity | eq | string |

### Sophos Endpoint filters for `query_threatevents`

| Field | Operators | Supported Values |
| --- | --- | --- |
| actor.user.name | eq | string |
| attacks.tactics.name | eq | string |
| device.first_seen_time | eq | datetime |
| device.first_seen_time_dt | eq | datetime |
| device.last_seen_time | eq | datetime |
| device.last_seen_time_dt | eq | datetime |
| device.location | eq | string |
| device.os.name | eq | string |
| device.os.type | eq | string |
| device.type | eq | string |
| hostname | eq | string |
| metadata.product.name | eq | string |
| risk_score | eq | string |
| severity | eq | string |
| type_name | eq | string |
| vendor_name | eq | string |
| vulnerabilities.title | eq | string |

### Tanium EDR filters for `query_threatevents`

| Field | Operators | Supported Values |
| --- | --- | --- |
| device.hostname | like | string |
| device.ip | like | string |
| finding_info.created_time | gt, gte, lt | datetime |
| finding_info.created_time_dt | gte, lt | datetime |
| finding_info.uid | eq | string |
| status | eq | string |

### ThreatDown EDR filters for `query_threatevents`

| Field | Operators | Supported Values |
| --- | --- | --- |
| finding_info.created_time | gt, gte, lt, lte | datetime |
| finding_info.modified_time | gt, gte, lt, lte | datetime |
| finding_info.uid | eq | string |
| metadata.uid | eq | string |
| severity | eq | string |
| status | eq | string |

### [MOCK] CrowdStrike Insight EDR filters for `query_threatevents`

| Field | Operators | Supported Values |
| --- | --- | --- |
| actor.process.cmd_line | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.file.md5 | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.file.name | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.file.path | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.file.sha256 | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| actor.process.file.type | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| confidence_score | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.first_seen_time_dt | gt, gte, lt, lte | datetime |
| device.hostname | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.ip | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| device.last_seen_time_dt | gt, gte, lt, lte | datetime |
| device.modified_time_dt | gt, gte, lt, lte | datetime |
| device.product_uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| severity | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| severity_id | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| status | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
| tenant_uid | eq, ne, gt, gte, lt, lte, in, not_in, like, not_like | string |
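The tables above differ per provider not only in which fields are filterable but in which operators and value types each field accepts; `device.last_seen_time` on `query_endpoints`, for instance, is a datetime with range operators for CrowdStrike, a string with `eq`/`ne`/`like`/`not_like` for Microsoft Defender, and `gte`-only for Tanium. A client that builds the `filter` parameter for several providers benefits from checking a request against the provider's table before sending it, so that a rejected or silently mis-typed filter is caught locally with a clear message. The following is an added example, not code from the page or from the product it documents: the filter-request shape (a list of `{"field", "op", "value"}` dicts), the `validate_filters` function and the `FILTER_TABLES` structure are assumptions for illustration; the rows in `FILTER_TABLES` are a small subset transcribed from the `query_endpoints` tables above.

```python
from datetime import datetime
from typing import Any

# Operator sets that recur in the tables above.
FULL = frozenset({"eq", "ne", "gt", "gte", "lt", "lte", "in", "not_in", "like", "not_like"})
RANGE = frozenset({"gt", "gte", "lt", "lte"})
DEFENDER_OPS = frozenset({"eq", "ne", "like", "not_like"})

# Subset of the `query_endpoints` tables above, transcribed for this example:
# provider -> operation -> field -> (allowed operators, supported value type).
FILTER_TABLES: dict[str, dict[str, dict[str, tuple[frozenset[str], str]]]] = {
    "CrowdStrike Insight EDR": {
        "query_endpoints": {
            "device.hostname": (FULL, "string"),
            "device.last_seen_time": (RANGE, "datetime"),
            "status": (FULL, "string"),
        },
    },
    "Microsoft Defender": {
        "query_endpoints": {
            "device.hostname": (DEFENDER_OPS, "string"),
            "device.last_seen_time": (DEFENDER_OPS, "string"),  # string, not datetime
            "status": (DEFENDER_OPS, "string"),
        },
    },
    "Tanium EDR": {
        "query_endpoints": {
            "device.hostname": (frozenset({"eq"}), "string"),
            "device.last_seen_time": (frozenset({"gte"}), "datetime"),
        },
    },
}

# Operators that take a list of values rather than a single value (assumption).
LIST_OPERATORS = frozenset({"in", "not_in"})


def _matches_type(value: Any, value_type: str) -> bool:
    """Check a single value against the 'Supported Values' column."""
    if not isinstance(value, str):
        return False
    if value_type == "string":
        return True
    if value_type == "datetime":
        try:
            # Accept ISO 8601; map a trailing 'Z' to an explicit UTC offset.
            datetime.fromisoformat(value.replace("Z", "+00:00"))
            return True
        except ValueError:
            return False
    return False


def validate_filters(provider: str, operation: str, filters: list[dict[str, Any]]) -> list[str]:
    """Return a list of problems with the filter set; an empty list means it is acceptable.

    Each filter is assumed to look like {"field": ..., "op": ..., "value": ...}.
    """
    problems: list[str] = []
    table = FILTER_TABLES.get(provider, {}).get(operation)
    if table is None:
        return [f"no filter table for provider {provider!r} and operation {operation!r}"]

    for i, flt in enumerate(filters):
        field, op, value = flt.get("field"), flt.get("op"), flt.get("value")
        if field not in table:
            problems.append(f"filter {i}: field {field!r} is not filterable for {provider} {operation}")
            continue
        allowed_ops, value_type = table[field]
        if op not in allowed_ops:
            problems.append(
                f"filter {i}: operator {op!r} is not supported on {field!r} "
                f"(allowed: {', '.join(sorted(allowed_ops))})"
            )
            continue
        if op in LIST_OPERATORS:
            if not isinstance(value, (list, tuple)) or not value:
                problems.append(f"filter {i}: operator {op!r} requires a non-empty list of values")
                continue
            values = list(value)
        else:
            values = [value]
        for v in values:
            if not _matches_type(v, value_type):
                problems.append(f"filter {i}: value {v!r} is not a valid {value_type} for {field!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample request: valid against CrowdStrike, rejected by Defender
    # because Defender exposes device.last_seen_time as a string with no range operators.
    request = [{"field": "device.last_seen_time", "op": "gte", "value": "2024-01-01T00:00:00Z"}]
    for provider in FILTER_TABLES:
        print(provider, validate_filters(provider, "query_endpoints", request) or "ok")
```

The same check extends to the other operations by adding their rows to `FILTER_TABLES`; keeping the allow-list per provider and operation, rather than a single merged field list, is what catches the cross-provider type mismatches that the tables above make visible.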