Skip to content
Guides
/
Connectors
/
/
SIEM Query Filters

SIEM Query Filters

This document provides details on the filters supported by each provider for each API operation. Filters can be used to restrict the results of an API operation, such as filtering by a specific field or value. If a provider or operation does not support filters, it will not be listed here.

They are used in conjunction with the filter query parameter in the API request.

Rapid7 InsightIDR filters for query_alerts

FieldOperatorsSupported Values
disposition_ideq, in, ne0, 10, 15, 99
finding_info.created_timegte, ltedatetime
finding_info.first_seen_timegte, ltedatetime
finding_info.titleeq, like, nestring
finding_info.typeseq, like, nestring
finding_info.uideqstring
severityeq, in, neInformational, Low, Medium, High, Critical
statuseq, in, neUnknown, New, InProgress, OnHold, Resolved, Closed, Other

CrowdStrike Next-Gen SIEM filters for query_events

FieldOperatorsSupported Values
metadata.uideq, ne, in, not_in, like, not_likestring
timegte, ltedatetime

Elastic SIEM filters for query_events

FieldOperatorsSupported Values
metadata.log_providereq, instring
raw_data.*eq, ne, gt, lt, gte, lte, like, not_like, in, not_instring
timegte, ltedatetime

Google Security Operations filters for query_events

FieldOperatorsSupported Values
messageeq, ne, in, not_instring
metadata.event_codeeq, ne, gt, gte, lt, ltenumber
metadata.log_nameeq, ne, in, not_instring
metadata.log_providereq, ne, in, not_instring
metadata.log_versioneq, ne, in, not_instring
metadata.processed_timegt, gte, lt, ltedatetime
metadata.uideq, ne, in, not_instring
raw_data.*eq, ne, gt, lt, gte, lte, in, not_instring
timegte, ltedatetime

Google Security Operations (Chronicle Compatibility) filters for query_events

FieldOperatorsSupported Values
messageeq, ne, in, not_instring
metadata.event_codeeq, ne, gt, gte, lt, ltenumber
metadata.log_nameeq, ne, in, not_instring
metadata.log_providereq, ne, in, not_instring
metadata.log_versioneq, ne, in, not_instring
metadata.processed_timegt, gte, lt, ltedatetime
metadata.uideq, ne, in, not_instring
raw_data.*eq, ne, gt, lt, gte, lte, in, not_instring
timegte, ltedatetime

IBM QRadar SIEM filters for query_events

FieldOperatorsSupported Values
actor.app_nameeq, ne, in, not_in, like, not_likestring
actor.app_uideq, ne, in, not_in, like, not_likestring
actor.user.account.nameeq, ne, in, not_in, like, not_likestring
actor.user.account.uideq, ne, in, not_in, like, not_likestring
actor.user.domaineq, ne, in, not_in, like, not_likestring
actor.user.nameeq, ne, in, not_in, like, not_likestring
actor.user.uideq, ne, in, not_in, like, not_likestring
counteq, ne, gt, gte, lt, lte, in, not_innumber
device.hostnameeq, ne, in, not_in, like, not_likestring
device.ipeq, ne, in, not_in, like, not_likestring
device.last_seen_timeeq, ne, gt, gte, lt, ltedatetime
device.location.descriptioneq, ne, in, not_in, like, not_likestring
device.maceq, ne, in, not_in, like, not_likestring
device.os.nameeq, ne, in, not_in, like, not_likestring
device.uideq, ne, in, not_in, like, not_likestring
device.zoneeq, ne, in, not_in, like, not_likestring
dst_endpoint.domaineq, ne, in, not_in, like, not_likestring
dst_endpoint.hostnameeq, ne, in, not_in, like, not_likestring
dst_endpoint.ipeq, ne, in, not_in, like, not_likestring
dst_endpoint.location.descriptioneq, ne, in, not_in, like, not_likestring
dst_endpoint.maceq, ne, in, not_in, like, not_likestring
dst_endpoint.nameeq, ne, in, not_in, like, not_likestring
durationeq, ne, gt, gte, lt, lte, in, not_innumber
end_timeeq, ne, gt, gte, lt, ltedatetime
group.nameeq, ne, in, not_in, like, not_likestring
group.uideq, ne, in, not_in, like, not_likestring
http_request.url.hosteq, ne, in, not_in, like, not_likestring
http_request.url.patheq, ne, in, not_in, like, not_likestring
http_request.url.porteq, ne, in, not_in, like, not_likestring
http_request.url.url_stringeq, ne, in, not_in, like, not_likestring
logon_process.file.exteq, ne, in, not_in, like, not_likestring
logon_process.file.nameeq, ne, in, not_in, like, not_likestring
logon_process.file.parent_foldereq, ne, in, not_in, like, not_likestring
logon_process.file.patheq, ne, in, not_in, like, not_likestring
logon_process.file.uideq, ne, in, not_in, like, not_likestring
logon_process.group.nameeq, ne, in, not_in, like, not_likestring
logon_process.group.uideq, ne, in, not_in, like, not_likestring
logon_process.nameeq, ne, in, not_in, like, not_likestring
logon_process.parent_process.file.patheq, ne, in, not_in, like, not_likestring
logon_process.parent_process.nameeq, ne, in, not_in, like, not_likestring
logon_process.parent_process.pideq, ne, in, not_in, like, not_likestring
logon_process.pideq, ne, in, not_in, like, not_likestring
messageeq, ne, in, not_in, like, not_likestring
metadata.log_nameeq, ne, in, not_in, like, not_likestring
metadata.log_providereqstring
process.file.exteq, ne, in, not_in, like, not_likestring
process.file.nameeq, ne, in, not_in, like, not_likestring
process.file.parent_foldereq, ne, in, not_in, like, not_likestring
process.file.patheq, ne, in, not_in, like, not_likestring
process.file.uideq, ne, in, not_in, like, not_likestring
process.group.nameeq, ne, in, not_in, like, not_likestring
process.group.uideq, ne, in, not_in, like, not_likestring
process.nameeq, ne, in, not_in, like, not_likestring
process.parent_process.file.patheq, ne, in, not_in, like, not_likestring
process.parent_process.nameeq, ne, in, not_in, like, not_likestring
process.parent_process.pideq, ne, in, not_in, like, not_likestring
process.pideq, ne, in, not_in, like, not_likestring
raw_data.*eq, ne, gt, lt, gte, lte, like, not_like, in, not_instring
src_endpoint.domaineq, ne, in, not_in, like, not_likestring
src_endpoint.ipeq, ne, in, not_in, like, not_likestring
src_endpoint.location.descriptioneq, ne, in, not_in, like, not_likestring
src_endpoint.maceq, ne, in, not_in, like, not_likestring
src_endpoint.os.nameeq, ne, in, not_in, like, not_likestring
src_endpoint.owner.nameeq, ne, in, not_in, like, not_likestring
src_endpoint.zoneeq, ne, in, not_in, like, not_likestring
start_timeeq, ne, gt, gte, lt, ltedatetime
timegte, ltedatetime
user.account.nameeq, ne, in, not_in, like, not_likestring
user.account.uideq, ne, in, not_in, like, not_likestring
user.domaineq, ne, in, not_in, like, not_likestring
user.nameeq, ne, in, not_in, like, not_likestring
user.uideq, ne, in, not_in, like, not_likestring

Microsoft Sentinel filters for query_events

FieldOperatorsSupported Values
metadata.log_providereq, instring
raw_data.*eq, ne, gt, lt, gte, lte, like, in, not_instring
timegte, ltedatetime

OpenSearch filters for query_events

FieldOperatorsSupported Values
metadata.log_providereq, instring
raw_data.*eq, ne, gt, lt, gte, lte, like, not_like, in, not_instring
timegte, ltedatetime

Rapid7 InsightIDR filters for query_events

FieldOperatorsSupported Values
metadata.log_providereq, instring
raw_data.*eq, ne, gt, lt, gte, lte, like, not_like, in, not_instring
timegte, ltedatetime

Splunk Enterprise Security filters for query_events

FieldOperatorsSupported Values
actor.app_nameeq, ne, gt, gte, lt, ltestring
actor.user.domaineq, ne, gt, gte, lt, ltestring
actor.user.nameeq, ne, gt, gte, lt, ltestring
actor.user.org.nameeq, ne, gt, gte, lt, ltestring
actor.user.typeeq, ne, gt, gte, lt, ltestring
actor.user.uideq, ne, gt, gte, lt, ltestring
auth_protocoleq, ne, gt, gte, lt, ltestring
device.domaineq, ne, gt, gte, lt, ltestring
device.hostnameeq, ne, gt, gte, lt, ltestring
device.ipeq, ne, gt, gte, lt, ltestring
device.maceq, ne, gt, gte, lt, ltestring
device.nameeq, ne, gt, gte, lt, ltestring
device.os.nameeq, ne, gt, gte, lt, ltestring
device.owner.org.nameeq, ne, gt, gte, lt, ltestring
device.porteq, ne, gt, gte, lt, ltenumber
device.svc_nameeq, ne, gt, gte, lt, ltestring
device.zoneeq, ne, gt, gte, lt, ltestring
dst_endpoint.domaineq, ne, gt, gte, lt, ltestring
dst_endpoint.hostnameeq, ne, gt, gte, lt, ltestring
dst_endpoint.ipeq, ne, gt, gte, lt, ltestring
dst_endpoint.maceq, ne, gt, gte, lt, ltestring
dst_endpoint.nameeq, ne, gt, gte, lt, ltestring
dst_endpoint.os.nameeq, ne, gt, gte, lt, ltestring
dst_endpoint.owner.org.nameeq, ne, gt, gte, lt, ltestring
dst_endpoint.porteq, ne, gt, gte, lt, ltenumber
dst_endpoint.svc_nameeq, ne, gt, gte, lt, ltestring
dst_endpoint.typeeq, ne, gt, gte, lt, ltestring
dst_endpoint.zoneeq, ne, gt, gte, lt, ltestring
durationeq, ne, gt, gte, lt, ltenumber
http_request.user_agenteq, ne, gt, gte, lt, ltestring
logon_process.file.parent_foldereq, ne, gt, gte, lt, ltestring
logon_process.file.patheq, ne, gt, gte, lt, ltestring
logon_process.file.uideq, ne, gt, gte, lt, ltestring
logon_process.nameeq, ne, gt, gte, lt, ltestring
logon_process.parent_process.file.patheq, ne, gt, gte, lt, ltestring
logon_process.parent_process.nameeq, ne, gt, gte, lt, ltestring
logon_process.parent_process.pideq, ne, gt, gte, lt, ltestring
logon_process.pideq, ne, gt, gte, lt, ltestring
metadata.event_codeeq, ne, gt, gte, lt, ltestring
metadata.log_nameeq, ne, gt, gte, lt, ltestring
metadata.log_providereq, instring
metadata.processed_timeeq, ne, gt, gte, lt, ltedatetime
metadata.uideq, ne, gt, gte, lt, ltestring
process.cmd_lineeq, ne, gt, gte, lt, ltestring
process.file.nameeq, ne, gt, gte, lt, ltestring
process.file.parent_foldereq, ne, gt, gte, lt, ltestring
process.file.patheq, ne, gt, gte, lt, ltestring
process.file.uideq, ne, gt, gte, lt, ltestring
process.nameeq, ne, gt, gte, lt, ltestring
process.parent_process.cmd_lineeq, ne, gt, gte, lt, ltestring
process.parent_process.file.patheq, ne, gt, gte, lt, ltestring
process.parent_process.file.uideq, ne, gt, gte, lt, ltestring
process.parent_process.nameeq, ne, gt, gte, lt, ltestring
process.parent_process.pideq, ne, gt, gte, lt, ltestring
process.pideq, ne, gt, gte, lt, ltestring
raw_data.*eq, ne, gt, lt, gte, lte, like, not_like, in, not_instring
session.uideq, ne, gt, gte, lt, ltestring
src_endpoint.hostnameeq, ne, gt, gte, lt, ltestring
src_endpoint.ipeq, ne, gt, gte, lt, ltestring
src_endpoint.maceq, ne, gt, gte, lt, ltestring
src_endpoint.nameeq, ne, gt, gte, lt, ltestring
src_endpoint.owner.org.nameeq, ne, gt, gte, lt, ltestring
src_endpoint.porteq, ne, gt, gte, lt, ltenumber
src_endpoint.typeeq, ne, gt, gte, lt, ltestring
src_endpoint.zoneeq, ne, gt, gte, lt, ltestring
start_timeeq, ne, gt, gte, lt, ltedatetime
timegte, ltedatetime
user.domaineq, ne, gt, gte, lt, ltestring
user.nameeq, ne, gt, gte, lt, ltestring
user.org.nameeq, ne, gt, gte, lt, ltestring
user.typeeq, ne, gt, gte, lt, ltestring
user.uideq, ne, gt, gte, lt, ltestring

Sumo Logic Cloud SIEM filters for query_events

FieldOperatorsSupported Values
metadata.log_providereq, instring
raw_data.*eq, ne, gt, lt, gte, lte, like, in, not_instring
timegte, ltedatetime

Google Security Operations (Chronicle Compatibility) filters for query_investigations

FieldOperatorsSupported Values
raw_data.createdTimegt, gte, lt, ltedatetime
raw_data.detection.0.alertStateeqstring
raw_data.detection.0.ruleIdeqstring
raw_data.detection.0.ruleVersioneqstring

IBM QRadar SIEM filters for query_investigations

FieldOperatorsSupported Values
raw_data.*eq, gt, lt, instring

Microsoft Sentinel filters for query_investigations

FieldOperatorsSupported Values
raw_data.*eq, ne, gt, lt, gte, lte, like, in, not_instring

Rapid7 InsightIDR filters for query_investigations

FieldOperatorsSupported Values
end_timeltedatetime
ideqstring
priorityeqstring
raw_data.*eq, likestring
start_timegtedatetime
statuseqstring
timegte, ltedatetime

Sumo Logic Cloud SIEM filters for query_investigations

FieldOperatorsSupported Values
raw_data.*eq, ne, gt, lt, gte, lte, like, in, not_instring
Previous page
Next page