SIEM Query Filters
Copy for LLM
Copy page as Markdown for LLMs
View as Markdown
Open this page as Markdown
Open in ChatGPT
Get insights from ChatGPT
Open in Claude
Get insights from Claude

This document provides details on the filters supported by each provider for each API operation. Filters can be used to restrict the results of an API operation, such as filtering by a specific field or value.

They are used in conjunction with the filter query parameter in the API request.

CrowdStrike Next-Gen SIEM filters for `query_events`

Field	Operators	Supported Values
metadata.uid	eq, ne, in, not_in, like, not_like	string
time	gte, lte	datetime

Elastic SIEM filters for `query_events`

Field	Operators	Supported Values
metadata.log_provider	eq, in	string
raw_data.*	eq, ne, gt, lt, gte, lte, like, not_like, in, not_in	string
time	gte, lte	datetime

Google Security Operations filters for `query_events`

Field	Operators	Supported Values
message	eq, ne, in, not_in	string
metadata.event_code	eq, ne, gt, gte, lt, lte	number
metadata.log_name	eq, ne, in, not_in	string
metadata.log_provider	eq, ne, in, not_in	string
metadata.log_version	eq, ne, in, not_in	string
metadata.processed_time	gt, gte, lt, lte	datetime
metadata.uid	eq, ne, in, not_in	string
raw_data.*	eq, ne, gt, lt, gte, lte, in, not_in	string
time	gte, lte	datetime

Google Security Operations (Chronicle Compatibility) filters for `query_events`

Field	Operators	Supported Values
message	eq, ne, in, not_in	string
metadata.event_code	eq, ne, gt, gte, lt, lte	number
metadata.log_name	eq, ne, in, not_in	string
metadata.log_provider	eq, ne, in, not_in	string
metadata.log_version	eq, ne, in, not_in	string
metadata.processed_time	gt, gte, lt, lte	datetime
metadata.uid	eq, ne, in, not_in	string
raw_data.*	eq, ne, gt, lt, gte, lte, in, not_in	string
time	gte, lte	datetime

IBM QRadar SIEM filters for `query_events`

Field	Operators	Supported Values
actor.app_name	eq, ne, in, not_in, like, not_like	string
actor.app_uid	eq, ne, in, not_in, like, not_like	string
actor.user.account.name	eq, ne, in, not_in, like, not_like	string
actor.user.account.uid	eq, ne, in, not_in, like, not_like	string
actor.user.domain	eq, ne, in, not_in, like, not_like	string
actor.user.name	eq, ne, in, not_in, like, not_like	string
actor.user.uid	eq, ne, in, not_in, like, not_like	string
count	eq, ne, gt, gte, lt, lte, in, not_in	number
device.hostname	eq, ne, in, not_in, like, not_like	string
device.ip	eq, ne, in, not_in, like, not_like	string
device.last_seen_time	eq, ne, gt, gte, lt, lte	datetime
device.location.description	eq, ne, in, not_in, like, not_like	string
device.mac	eq, ne, in, not_in, like, not_like	string
device.os.name	eq, ne, in, not_in, like, not_like	string
device.uid	eq, ne, in, not_in, like, not_like	string
device.zone	eq, ne, in, not_in, like, not_like	string
dst_endpoint.domain	eq, ne, in, not_in, like, not_like	string
dst_endpoint.hostname	eq, ne, in, not_in, like, not_like	string
dst_endpoint.ip	eq, ne, in, not_in, like, not_like	string
dst_endpoint.location.description	eq, ne, in, not_in, like, not_like	string
dst_endpoint.mac	eq, ne, in, not_in, like, not_like	string
dst_endpoint.name	eq, ne, in, not_in, like, not_like	string
duration	eq, ne, gt, gte, lt, lte, in, not_in	number
end_time	eq, ne, gt, gte, lt, lte	datetime
group.name	eq, ne, in, not_in, like, not_like	string
group.uid	eq, ne, in, not_in, like, not_like	string
http_request.url.host	eq, ne, in, not_in, like, not_like	string
http_request.url.path	eq, ne, in, not_in, like, not_like	string
http_request.url.port	eq, ne, in, not_in, like, not_like	string
http_request.url.url_string	eq, ne, in, not_in, like, not_like	string
logon_process.file.ext	eq, ne, in, not_in, like, not_like	string
logon_process.file.name	eq, ne, in, not_in, like, not_like	string
logon_process.file.parent_folder	eq, ne, in, not_in, like, not_like	string
logon_process.file.path	eq, ne, in, not_in, like, not_like	string
logon_process.file.uid	eq, ne, in, not_in, like, not_like	string
logon_process.group.name	eq, ne, in, not_in, like, not_like	string
logon_process.group.uid	eq, ne, in, not_in, like, not_like	string
logon_process.name	eq, ne, in, not_in, like, not_like	string
logon_process.parent_process.file.path	eq, ne, in, not_in, like, not_like	string
logon_process.parent_process.name	eq, ne, in, not_in, like, not_like	string
logon_process.parent_process.pid	eq, ne, in, not_in, like, not_like	string
logon_process.pid	eq, ne, in, not_in, like, not_like	string
message	eq, ne, in, not_in, like, not_like	string
metadata.log_name	eq, ne, in, not_in, like, not_like	string
metadata.log_provider	eq	string
process.file.ext	eq, ne, in, not_in, like, not_like	string
process.file.name	eq, ne, in, not_in, like, not_like	string
process.file.parent_folder	eq, ne, in, not_in, like, not_like	string
process.file.path	eq, ne, in, not_in, like, not_like	string
process.file.uid	eq, ne, in, not_in, like, not_like	string
process.group.name	eq, ne, in, not_in, like, not_like	string
process.group.uid	eq, ne, in, not_in, like, not_like	string
process.name	eq, ne, in, not_in, like, not_like	string
process.parent_process.file.path	eq, ne, in, not_in, like, not_like	string
process.parent_process.name	eq, ne, in, not_in, like, not_like	string
process.parent_process.pid	eq, ne, in, not_in, like, not_like	string
process.pid	eq, ne, in, not_in, like, not_like	string
raw_data.*	eq, ne, gt, lt, gte, lte, like, not_like, in, not_in	string
src_endpoint.domain	eq, ne, in, not_in, like, not_like	string
src_endpoint.ip	eq, ne, in, not_in, like, not_like	string
src_endpoint.location.description	eq, ne, in, not_in, like, not_like	string
src_endpoint.mac	eq, ne, in, not_in, like, not_like	string
src_endpoint.os.name	eq, ne, in, not_in, like, not_like	string
src_endpoint.owner.name	eq, ne, in, not_in, like, not_like	string
src_endpoint.zone	eq, ne, in, not_in, like, not_like	string
start_time	eq, ne, gt, gte, lt, lte	datetime
time	gte, lte	datetime
user.account.name	eq, ne, in, not_in, like, not_like	string
user.account.uid	eq, ne, in, not_in, like, not_like	string
user.domain	eq, ne, in, not_in, like, not_like	string
user.name	eq, ne, in, not_in, like, not_like	string
user.uid	eq, ne, in, not_in, like, not_like	string

Microsoft Sentinel filters for `query_events`

Field	Operators	Supported Values
metadata.log_provider	eq, in	string
raw_data.*	eq, ne, gt, lt, gte, lte, like, in, not_in	string
time	gte, lte	datetime

OpenSearch filters for `query_events`

Field	Operators	Supported Values
metadata.log_provider	eq, in	string
raw_data.*	eq, ne, gt, lt, gte, lte, like, not_like, in, not_in	string
time	gte, lte	datetime

Rapid7 InsightIDR filters for `query_events`

Field	Operators	Supported Values
raw_data.*	eq, ne, gt, lt, gte, lte, like, not_like, in, not_in	string

Splunk Enterprise Security filters for `query_events`

Field	Operators	Supported Values
actor.app_name	eq, ne, gt, gte, lt, lte	string
actor.user.domain	eq, ne, gt, gte, lt, lte	string
actor.user.name	eq, ne, gt, gte, lt, lte	string
actor.user.org.name	eq, ne, gt, gte, lt, lte	string
actor.user.type	eq, ne, gt, gte, lt, lte	string
actor.user.uid	eq, ne, gt, gte, lt, lte	string
auth_protocol	eq, ne, gt, gte, lt, lte	string
device.domain	eq, ne, gt, gte, lt, lte	string
device.hostname	eq, ne, gt, gte, lt, lte	string
device.ip	eq, ne, gt, gte, lt, lte	string
device.mac	eq, ne, gt, gte, lt, lte	string
device.name	eq, ne, gt, gte, lt, lte	string
device.os.name	eq, ne, gt, gte, lt, lte	string
device.owner.org.name	eq, ne, gt, gte, lt, lte	string
device.port	eq, ne, gt, gte, lt, lte	number
device.svc_name	eq, ne, gt, gte, lt, lte	string
device.zone	eq, ne, gt, gte, lt, lte	string
dst_endpoint.domain	eq, ne, gt, gte, lt, lte	string
dst_endpoint.hostname	eq, ne, gt, gte, lt, lte	string
dst_endpoint.ip	eq, ne, gt, gte, lt, lte	string
dst_endpoint.mac	eq, ne, gt, gte, lt, lte	string
dst_endpoint.name	eq, ne, gt, gte, lt, lte	string
dst_endpoint.os.name	eq, ne, gt, gte, lt, lte	string
dst_endpoint.owner.org.name	eq, ne, gt, gte, lt, lte	string
dst_endpoint.port	eq, ne, gt, gte, lt, lte	number
dst_endpoint.svc_name	eq, ne, gt, gte, lt, lte	string
dst_endpoint.type	eq, ne, gt, gte, lt, lte	string
dst_endpoint.zone	eq, ne, gt, gte, lt, lte	string
duration	eq, ne, gt, gte, lt, lte	number
http_request.user_agent	eq, ne, gt, gte, lt, lte	string
logon_process.file.parent_folder	eq, ne, gt, gte, lt, lte	string
logon_process.file.path	eq, ne, gt, gte, lt, lte	string
logon_process.file.uid	eq, ne, gt, gte, lt, lte	string
logon_process.name	eq, ne, gt, gte, lt, lte	string
logon_process.parent_process.file.path	eq, ne, gt, gte, lt, lte	string
logon_process.parent_process.name	eq, ne, gt, gte, lt, lte	string
logon_process.parent_process.pid	eq, ne, gt, gte, lt, lte	string
logon_process.pid	eq, ne, gt, gte, lt, lte	string
metadata.event_code	eq, ne, gt, gte, lt, lte	string
metadata.log_name	eq, ne, gt, gte, lt, lte	string
metadata.log_provider	eq, in	string
metadata.processed_time	eq, ne, gt, gte, lt, lte	datetime
metadata.uid	eq, ne, gt, gte, lt, lte	string
process.cmd_line	eq, ne, gt, gte, lt, lte	string
process.file.name	eq, ne, gt, gte, lt, lte	string
process.file.parent_folder	eq, ne, gt, gte, lt, lte	string
process.file.path	eq, ne, gt, gte, lt, lte	string
process.file.uid	eq, ne, gt, gte, lt, lte	string
process.name	eq, ne, gt, gte, lt, lte	string
process.parent_process.cmd_line	eq, ne, gt, gte, lt, lte	string
process.parent_process.file.path	eq, ne, gt, gte, lt, lte	string
process.parent_process.file.uid	eq, ne, gt, gte, lt, lte	string
process.parent_process.name	eq, ne, gt, gte, lt, lte	string
process.parent_process.pid	eq, ne, gt, gte, lt, lte	string
process.pid	eq, ne, gt, gte, lt, lte	string
raw_data.*	eq, ne, gt, lt, gte, lte, like, not_like, in, not_in	string
session.uid	eq, ne, gt, gte, lt, lte	string
src_endpoint.hostname	eq, ne, gt, gte, lt, lte	string
src_endpoint.ip	eq, ne, gt, gte, lt, lte	string
src_endpoint.mac	eq, ne, gt, gte, lt, lte	string
src_endpoint.name	eq, ne, gt, gte, lt, lte	string
src_endpoint.owner.org.name	eq, ne, gt, gte, lt, lte	string
src_endpoint.port	eq, ne, gt, gte, lt, lte	number
src_endpoint.type	eq, ne, gt, gte, lt, lte	string
src_endpoint.zone	eq, ne, gt, gte, lt, lte	string
start_time	eq, ne, gt, gte, lt, lte	datetime
time	gte, lte	datetime
user.domain	eq, ne, gt, gte, lt, lte	string
user.name	eq, ne, gt, gte, lt, lte	string
user.org.name	eq, ne, gt, gte, lt, lte	string
user.type	eq, ne, gt, gte, lt, lte	string
user.uid	eq, ne, gt, gte, lt, lte	string

Sumo Logic Cloud SIEM filters for `query_events`

Field	Operators	Supported Values
metadata.log_provider	eq, in	string
raw_data.*	eq, ne, gt, lt, gte, lte, like, in, not_in	string
time	gte, lte	datetime

Test Provider filters for `query_events`

Field	Operators	Supported Values

CrowdStrike Next-Gen SIEM filters for `query_investigations`

Field	Operators	Supported Values

Elastic SIEM filters for `query_investigations`

Field	Operators	Supported Values

Google Security Operations filters for `query_investigations`

Field	Operators	Supported Values

Google Security Operations (Chronicle Compatibility) filters for `query_investigations`

Field	Operators	Supported Values

IBM QRadar SIEM filters for `query_investigations`

Field	Operators	Supported Values
raw_data.*	eq, gt, lt, in	string

Microsoft Sentinel filters for `query_investigations`

Field	Operators	Supported Values

OpenSearch filters for `query_investigations`

Field	Operators	Supported Values

Rapid7 InsightIDR filters for `query_investigations`

Field	Operators	Supported Values
investigations.end_time	lte	datetime
investigations.id	eq	string
investigations.priority	eq	Unknown, Low, Medium, High, Critical
investigations.start_time	gte	datetime
investigations.status	eq	Open, Closed, Investigating, Waiting

Splunk Enterprise Security filters for `query_investigations`

Field	Operators	Supported Values

Sumo Logic Cloud SIEM filters for `query_investigations`

Field	Operators	Supported Values
raw_data.*	eq, ne, gt, lt, gte, lte, like, in, not_in	string

Test Provider filters for `query_investigations`

Field	Operators	Supported Values

SIEM Query FiltersCopyCopy for LLMCopy page as Markdown for LLMsView as MarkdownOpen this page as MarkdownOpen in ChatGPTGet insights from ChatGPTOpen in ClaudeGet insights from Claude

CrowdStrike Next-Gen SIEM filters for query_events

Elastic SIEM filters for query_events

Google Security Operations filters for query_events

Google Security Operations (Chronicle Compatibility) filters for query_events

IBM QRadar SIEM filters for query_events

Microsoft Sentinel filters for query_events

OpenSearch filters for query_events

Rapid7 InsightIDR filters for query_events

Splunk Enterprise Security filters for query_events

Sumo Logic Cloud SIEM filters for query_events

Test Provider filters for query_events

CrowdStrike Next-Gen SIEM filters for query_investigations

Elastic SIEM filters for query_investigations

Google Security Operations filters for query_investigations

Google Security Operations (Chronicle Compatibility) filters for query_investigations

IBM QRadar SIEM filters for query_investigations

Microsoft Sentinel filters for query_investigations

OpenSearch filters for query_investigations

Rapid7 InsightIDR filters for query_investigations

Splunk Enterprise Security filters for query_investigations

Sumo Logic Cloud SIEM filters for query_investigations

Test Provider filters for query_investigations

Was this helpful?