Guides
/
Connectors
/
siem
/
SIEM Query Filters

SIEM Query Filters

This document provides details on the filters supported by each provider for each API operation. Filters can be used to restrict the results of an API operation, such as filtering by a specific field or value.

They are used in conjunction with the filter query parameter in the API request.

CrowdStrike Next-Gen SIEM filters for query_events

FieldOperatorsSupported Values
metadata.uideq, ne, in, not_in, like, not_likestring
timegte, ltedatetime

Elastic SIEM filters for query_events

FieldOperatorsSupported Values
metadata.log_providereq, instring
raw_data.*eq, ne, gt, lt, gte, lte, like, not_like, in, not_instring
timegte, ltedatetime

Google Security Operations filters for query_events

FieldOperatorsSupported Values
messageeq, ne, in, not_instring
metadata.event_codeeq, ne, gt, gte, lt, lteinteger
metadata.log_nameeq, ne, in, not_instring
metadata.log_providereq, ne, in, not_instring
metadata.log_versioneq, ne, in, not_instring
metadata.processed_timegt, gte, lt, ltedatetime
metadata.uideq, ne, in, not_instring
raw_data.*eq, ne, gt, lt, gte, lte, in, not_instring
timegte, ltedatetime

Google Security Operations (Chronicle Compatibility) filters for query_events

FieldOperatorsSupported Values
messageeq, ne, in, not_instring
metadata.event_codeeq, ne, gt, gte, lt, lteinteger
metadata.log_nameeq, ne, in, not_instring
metadata.log_providereq, ne, in, not_instring
metadata.log_versioneq, ne, in, not_instring
metadata.processed_timegt, gte, lt, ltedatetime
metadata.uideq, ne, in, not_instring
raw_data.*eq, ne, gt, lt, gte, lte, in, not_instring
timegte, ltedatetime

IBM QRadar SIEM filters for query_events

FieldOperatorsSupported Values
actor.app_nameeq, ne, in, not_in, like, not_likestring
actor.app_uideq, ne, in, not_in, like, not_likestring
actor.user.account.nameeq, ne, in, not_in, like, not_likestring
actor.user.account.uideq, ne, in, not_in, like, not_likestring
actor.user.domaineq, ne, in, not_in, like, not_likestring
actor.user.nameeq, ne, in, not_in, like, not_likestring
actor.user.uideq, ne, in, not_in, like, not_likestring
counteq, ne, gt, gte, lt, lte, in, not_ininteger
device.hostnameeq, ne, in, not_in, like, not_likestring
device.ipeq, ne, in, not_in, like, not_likestring
device.last_seen_timeeq, ne, gt, gte, lt, ltedatetime
device.location.descriptioneq, ne, in, not_in, like, not_likestring
device.maceq, ne, in, not_in, like, not_likestring
device.os.nameeq, ne, in, not_in, like, not_likestring
device.uideq, ne, in, not_in, like, not_likestring
device.zoneeq, ne, in, not_in, like, not_likestring
dst_endpoint.domaineq, ne, in, not_in, like, not_likestring
dst_endpoint.hostnameeq, ne, in, not_in, like, not_likestring
dst_endpoint.ipeq, ne, in, not_in, like, not_likestring
dst_endpoint.location.descriptioneq, ne, in, not_in, like, not_likestring
dst_endpoint.maceq, ne, in, not_in, like, not_likestring
dst_endpoint.nameeq, ne, in, not_in, like, not_likestring
durationeq, ne, gt, gte, lt, lte, in, not_ininteger
end_timeeq, ne, gt, gte, lt, ltedatetime
group.nameeq, ne, in, not_in, like, not_likestring
group.uideq, ne, in, not_in, like, not_likestring
http_request.url.hosteq, ne, in, not_in, like, not_likestring
http_request.url.patheq, ne, in, not_in, like, not_likestring
http_request.url.porteq, ne, in, not_in, like, not_likestring
http_request.url.url_stringeq, ne, in, not_in, like, not_likestring
logon_process.file.exteq, ne, in, not_in, like, not_likestring
logon_process.file.nameeq, ne, in, not_in, like, not_likestring
logon_process.file.parent_foldereq, ne, in, not_in, like, not_likestring
logon_process.file.patheq, ne, in, not_in, like, not_likestring
logon_process.file.uideq, ne, in, not_in, like, not_likestring
logon_process.group.nameeq, ne, in, not_in, like, not_likestring
logon_process.group.uideq, ne, in, not_in, like, not_likestring
logon_process.nameeq, ne, in, not_in, like, not_likestring
logon_process.parent_process.file.patheq, ne, in, not_in, like, not_likestring
logon_process.parent_process.nameeq, ne, in, not_in, like, not_likestring
logon_process.parent_process.pideq, ne, in, not_in, like, not_likestring
logon_process.pideq, ne, in, not_in, like, not_likestring
messageeq, ne, in, not_in, like, not_likestring
metadata.log_nameeq, ne, in, not_in, like, not_likestring
metadata.log_providereqstring
process.file.exteq, ne, in, not_in, like, not_likestring
process.file.nameeq, ne, in, not_in, like, not_likestring
process.file.parent_foldereq, ne, in, not_in, like, not_likestring
process.file.patheq, ne, in, not_in, like, not_likestring
process.file.uideq, ne, in, not_in, like, not_likestring
process.group.nameeq, ne, in, not_in, like, not_likestring
process.group.uideq, ne, in, not_in, like, not_likestring
process.nameeq, ne, in, not_in, like, not_likestring
process.parent_process.file.patheq, ne, in, not_in, like, not_likestring
process.parent_process.nameeq, ne, in, not_in, like, not_likestring
process.parent_process.pideq, ne, in, not_in, like, not_likestring
process.pideq, ne, in, not_in, like, not_likestring
raw_data.*eq, ne, gt, lt, gte, lte, like, not_like, in, not_instring
src_endpoint.domaineq, ne, in, not_in, like, not_likestring
src_endpoint.ipeq, ne, in, not_in, like, not_likestring
src_endpoint.location.descriptioneq, ne, in, not_in, like, not_likestring
src_endpoint.maceq, ne, in, not_in, like, not_likestring
src_endpoint.os.nameeq, ne, in, not_in, like, not_likestring
src_endpoint.owner.nameeq, ne, in, not_in, like, not_likestring
src_endpoint.zoneeq, ne, in, not_in, like, not_likestring
start_timeeq, ne, gt, gte, lt, ltedatetime
timegte, ltedatetime
user.account.nameeq, ne, in, not_in, like, not_likestring
user.account.uideq, ne, in, not_in, like, not_likestring
user.domaineq, ne, in, not_in, like, not_likestring
user.nameeq, ne, in, not_in, like, not_likestring
user.uideq, ne, in, not_in, like, not_likestring

Microsoft Sentinel filters for query_events

FieldOperatorsSupported Values
metadata.log_providereq, instring
raw_data.*eq, ne, gt, lt, gte, lte, like, in, not_instring
timegte, ltedatetime

OpenSearch filters for query_events

FieldOperatorsSupported Values
metadata.log_providereq, instring
raw_data.*eq, ne, gt, lt, gte, lte, like, not_like, in, not_instring
timegte, ltedatetime

Rapid7 InsightIDR filters for query_events

FieldOperatorsSupported Values
raw_data.*eq, ne, gt, lt, gte, lte, like, not_like, in, not_instring

Splunk Enterprise Security filters for query_events

FieldOperatorsSupported Values
actor.app_nameeq, ne, gt, gte, lt, ltestring
actor.user.domaineq, ne, gt, gte, lt, ltestring
actor.user.nameeq, ne, gt, gte, lt, ltestring
actor.user.org.nameeq, ne, gt, gte, lt, ltestring
actor.user.typeeq, ne, gt, gte, lt, ltestring
actor.user.uideq, ne, gt, gte, lt, ltestring
auth_protocoleq, ne, gt, gte, lt, ltestring
device.domaineq, ne, gt, gte, lt, ltestring
device.hostnameeq, ne, gt, gte, lt, ltestring
device.ipeq, ne, gt, gte, lt, ltestring
device.maceq, ne, gt, gte, lt, ltestring
device.nameeq, ne, gt, gte, lt, ltestring
device.os.nameeq, ne, gt, gte, lt, ltestring
device.owner.org.nameeq, ne, gt, gte, lt, ltestring
device.porteq, ne, gt, gte, lt, lteinteger
device.svc_nameeq, ne, gt, gte, lt, ltestring
device.zoneeq, ne, gt, gte, lt, ltestring
dst_endpoint.domaineq, ne, gt, gte, lt, ltestring
dst_endpoint.hostnameeq, ne, gt, gte, lt, ltestring
dst_endpoint.ipeq, ne, gt, gte, lt, ltestring
dst_endpoint.maceq, ne, gt, gte, lt, ltestring
dst_endpoint.nameeq, ne, gt, gte, lt, ltestring
dst_endpoint.os.nameeq, ne, gt, gte, lt, ltestring
dst_endpoint.owner.org.nameeq, ne, gt, gte, lt, ltestring
dst_endpoint.porteq, ne, gt, gte, lt, lteinteger
dst_endpoint.svc_nameeq, ne, gt, gte, lt, ltestring
dst_endpoint.typeeq, ne, gt, gte, lt, ltestring
dst_endpoint.zoneeq, ne, gt, gte, lt, ltestring
durationeq, ne, gt, gte, lt, lteinteger
http_request.user_agenteq, ne, gt, gte, lt, ltestring
logon_process.file.parent_foldereq, ne, gt, gte, lt, ltestring
logon_process.file.patheq, ne, gt, gte, lt, ltestring
logon_process.file.uideq, ne, gt, gte, lt, ltestring
logon_process.nameeq, ne, gt, gte, lt, ltestring
logon_process.parent_process.file.patheq, ne, gt, gte, lt, ltestring
logon_process.parent_process.nameeq, ne, gt, gte, lt, ltestring
logon_process.parent_process.pideq, ne, gt, gte, lt, ltestring
logon_process.pideq, ne, gt, gte, lt, ltestring
metadata.event_codeeq, ne, gt, gte, lt, ltestring
metadata.log_nameeq, ne, gt, gte, lt, ltestring
metadata.log_providereq, instring
metadata.processed_timeeq, ne, gt, gte, lt, ltedatetime
metadata.uideq, ne, gt, gte, lt, ltestring
process.cmd_lineeq, ne, gt, gte, lt, ltestring
process.file.nameeq, ne, gt, gte, lt, ltestring
process.file.parent_foldereq, ne, gt, gte, lt, ltestring
process.file.patheq, ne, gt, gte, lt, ltestring
process.file.uideq, ne, gt, gte, lt, ltestring
process.nameeq, ne, gt, gte, lt, ltestring
process.parent_process.cmd_lineeq, ne, gt, gte, lt, ltestring
process.parent_process.file.patheq, ne, gt, gte, lt, ltestring
process.parent_process.file.uideq, ne, gt, gte, lt, ltestring
process.parent_process.nameeq, ne, gt, gte, lt, ltestring
process.parent_process.pideq, ne, gt, gte, lt, ltestring
process.pideq, ne, gt, gte, lt, ltestring
raw_data.*eq, ne, gt, lt, gte, lte, like, not_like, in, not_instring
session.uideq, ne, gt, gte, lt, ltestring
src_endpoint.hostnameeq, ne, gt, gte, lt, ltestring
src_endpoint.ipeq, ne, gt, gte, lt, ltestring
src_endpoint.maceq, ne, gt, gte, lt, ltestring
src_endpoint.nameeq, ne, gt, gte, lt, ltestring
src_endpoint.owner.org.nameeq, ne, gt, gte, lt, ltestring
src_endpoint.porteq, ne, gt, gte, lt, lteinteger
src_endpoint.typeeq, ne, gt, gte, lt, ltestring
src_endpoint.zoneeq, ne, gt, gte, lt, ltestring
start_timeeq, ne, gt, gte, lt, ltedatetime
timegte, ltedatetime
user.domaineq, ne, gt, gte, lt, ltestring
user.nameeq, ne, gt, gte, lt, ltestring
user.org.nameeq, ne, gt, gte, lt, ltestring
user.typeeq, ne, gt, gte, lt, ltestring
user.uideq, ne, gt, gte, lt, ltestring

Sumo Logic Cloud SIEM filters for query_events

FieldOperatorsSupported Values
metadata.log_providereq, instring
raw_data.*eq, ne, gt, lt, gte, lte, like, in, not_instring
timegte, ltedatetime

Test Provider filters for query_events

FieldOperatorsSupported Values

CrowdStrike Next-Gen SIEM filters for query_investigations

FieldOperatorsSupported Values

Elastic SIEM filters for query_investigations

FieldOperatorsSupported Values

Google Security Operations filters for query_investigations

FieldOperatorsSupported Values

Google Security Operations (Chronicle Compatibility) filters for query_investigations

FieldOperatorsSupported Values

IBM QRadar SIEM filters for query_investigations

FieldOperatorsSupported Values
raw_data.*eq, gt, lt, instring

Microsoft Sentinel filters for query_investigations

FieldOperatorsSupported Values

OpenSearch filters for query_investigations

FieldOperatorsSupported Values

Rapid7 InsightIDR filters for query_investigations

FieldOperatorsSupported Values
investigations.end_timeltedatetime
investigations.ideqstring
investigations.priorityeqUnknown, Low, Medium, High, Critical
investigations.start_timegtedatetime
investigations.statuseqOpen, Closed, Investigating, Waiting

Splunk Enterprise Security filters for query_investigations

FieldOperatorsSupported Values

Sumo Logic Cloud SIEM filters for query_investigations

FieldOperatorsSupported Values
raw_data.*eq, ne, gt, lt, gte, lte, like, in, not_instring

Test Provider filters for query_investigations

FieldOperatorsSupported Values
Previous page
Next page