SIEM Query Filters

This document lists the filters supported by each provider for each API operation. Filters restrict the results of an API operation, for example to events whose field matches a given value, and are passed through the filter query parameter of the API request.

Each table below covers one provider and one operation and gives the fields that can be filtered, the operators each field accepts, and the type of value the field expects.

CrowdStrike SIEM filters for query_events

Field | Operators | Supported Values
metadata.uid | eq, ne, in, not_in, like, not_like | string
time | gte, lte | datetime

Elasticsearch filters for query_events

Field | Operators | Supported Values
metadata.log_provider | eq, in | string
raw_data.* | eq, ne, gt, lt, gte, lte, like, not_like, in, not_in | string
time | gte, lte | datetime

Google Security Operations filters for query_events

Field | Operators | Supported Values
message | eq, ne, in, not_in | string
metadata.event_code | eq, ne, gt, gte, lt, lte | integer
metadata.log_name | eq, ne, in, not_in | string
metadata.log_provider | eq, ne, in, not_in | string
metadata.log_version | eq, ne, in, not_in | string
metadata.processed_time | gt, gte, lt, lte | datetime
metadata.uid | eq, ne, in, not_in | string
raw_data.* | eq, ne, gt, lt, gte, lte, in, not_in | string
time | gte, lte | datetime

IBM QRadar filters for query_events

Field | Operators | Supported Values
actor.app_name | eq, ne, in, not_in, like, not_like | string
actor.app_uid | eq, ne, in, not_in, like, not_like | string
actor.user.account.name | eq, ne, in, not_in, like, not_like | string
actor.user.account.uid | eq, ne, in, not_in, like, not_like | string
actor.user.domain | eq, ne, in, not_in, like, not_like | string
actor.user.name | eq, ne, in, not_in, like, not_like | string
actor.user.uid | eq, ne, in, not_in, like, not_like | string
count | eq, ne, gt, gte, lt, lte, in, not_in | integer
device.hostname | eq, ne, in, not_in, like, not_like | string
device.ip | eq, ne, in, not_in, like, not_like | string
device.last_seen_time | eq, ne, gt, gte, lt, lte | datetime
device.location.description | eq, ne, in, not_in, like, not_like | string
device.mac | eq, ne, in, not_in, like, not_like | string
device.os.name | eq, ne, in, not_in, like, not_like | string
device.uid | eq, ne, in, not_in, like, not_like | string
device.zone | eq, ne, in, not_in, like, not_like | string
dst_endpoint.domain | eq, ne, in, not_in, like, not_like | string
dst_endpoint.hostname | eq, ne, in, not_in, like, not_like | string
dst_endpoint.ip | eq, ne, in, not_in, like, not_like | string
dst_endpoint.location.description | eq, ne, in, not_in, like, not_like | string
dst_endpoint.mac | eq, ne, in, not_in, like, not_like | string
dst_endpoint.name | eq, ne, in, not_in, like, not_like | string
duration | eq, ne, gt, gte, lt, lte, in, not_in | integer
end_time | eq, ne, gt, gte, lt, lte | datetime
group.name | eq, ne, in, not_in, like, not_like | string
group.uid | eq, ne, in, not_in, like, not_like | string
http_request.url.host | eq, ne, in, not_in, like, not_like | string
http_request.url.path | eq, ne, in, not_in, like, not_like | string
http_request.url.port | eq, ne, in, not_in, like, not_like | string
http_request.url.url_string | eq, ne, in, not_in, like, not_like | string
logon_process.file.ext | eq, ne, in, not_in, like, not_like | string
logon_process.file.name | eq, ne, in, not_in, like, not_like | string
logon_process.file.parent_folder | eq, ne, in, not_in, like, not_like | string
logon_process.file.path | eq, ne, in, not_in, like, not_like | string
logon_process.file.uid | eq, ne, in, not_in, like, not_like | string
logon_process.group.name | eq, ne, in, not_in, like, not_like | string
logon_process.group.uid | eq, ne, in, not_in, like, not_like | string
logon_process.name | eq, ne, in, not_in, like, not_like | string
logon_process.parent_process.file.path | eq, ne, in, not_in, like, not_like | string
logon_process.parent_process.name | eq, ne, in, not_in, like, not_like | string
logon_process.parent_process.pid | eq, ne, in, not_in, like, not_like | string
logon_process.pid | eq, ne, in, not_in, like, not_like | string
message | eq, ne, in, not_in, like, not_like | string
metadata.log_name | eq, ne, in, not_in, like, not_like | string
metadata.log_provider | eq | string
process.file.ext | eq, ne, in, not_in, like, not_like | string
process.file.name | eq, ne, in, not_in, like, not_like | string
process.file.parent_folder | eq, ne, in, not_in, like, not_like | string
process.file.path | eq, ne, in, not_in, like, not_like | string
process.file.uid | eq, ne, in, not_in, like, not_like | string
process.group.name | eq, ne, in, not_in, like, not_like | string
process.group.uid | eq, ne, in, not_in, like, not_like | string
process.name | eq, ne, in, not_in, like, not_like | string
process.parent_process.file.path | eq, ne, in, not_in, like, not_like | string
process.parent_process.name | eq, ne, in, not_in, like, not_like | string
process.parent_process.pid | eq, ne, in, not_in, like, not_like | string
process.pid | eq, ne, in, not_in, like, not_like | string
raw_data.* | eq, ne, gt, lt, gte, lte, like, not_like, in, not_in | string
src_endpoint.domain | eq, ne, in, not_in, like, not_like | string
src_endpoint.ip | eq, ne, in, not_in, like, not_like | string
src_endpoint.location.description | eq, ne, in, not_in, like, not_like | string
src_endpoint.mac | eq, ne, in, not_in, like, not_like | string
src_endpoint.os.name | eq, ne, in, not_in, like, not_like | string
src_endpoint.owner.name | eq, ne, in, not_in, like, not_like | string
src_endpoint.zone | eq, ne, in, not_in, like, not_like | string
start_time | eq, ne, gt, gte, lt, lte | datetime
time | gte, lte | datetime
user.account.name | eq, ne, in, not_in, like, not_like | string
user.account.uid | eq, ne, in, not_in, like, not_like | string
user.domain | eq, ne, in, not_in, like, not_like | string
user.name | eq, ne, in, not_in, like, not_like | string
user.uid | eq, ne, in, not_in, like, not_like | string

Microsoft Sentinel filters for query_events

Field | Operators | Supported Values
metadata.log_provider | eq, in | string
raw_data.* | eq, ne, gt, lt, gte, lte, like, in, not_in | string
time | gte, lte | datetime

Rapid7 InsightIDR filters for query_events

Field | Operators | Supported Values
raw_data.* | eq, ne, gt, lt, gte, lte, like, not_like, in, not_in | string

SIEM Test filters for query_events

Field | Operators | Supported Values
(no filter fields listed)

Splunk filters for query_events

Field | Operators | Supported Values
actor.app_name | eq, ne, gt, gte, lt, lte | string
actor.user.domain | eq, ne, gt, gte, lt, lte | string
actor.user.name | eq, ne, gt, gte, lt, lte | string
actor.user.org.name | eq, ne, gt, gte, lt, lte | string
actor.user.type | eq, ne, gt, gte, lt, lte | string
actor.user.uid | eq, ne, gt, gte, lt, lte | string
auth_protocol | eq, ne, gt, gte, lt, lte | string
device.domain | eq, ne, gt, gte, lt, lte | string
device.hostname | eq, ne, gt, gte, lt, lte | string
device.ip | eq, ne, gt, gte, lt, lte | string
device.mac | eq, ne, gt, gte, lt, lte | string
device.name | eq, ne, gt, gte, lt, lte | string
device.os.name | eq, ne, gt, gte, lt, lte | string
device.owner.org.name | eq, ne, gt, gte, lt, lte | string
device.port | eq, ne, gt, gte, lt, lte | integer
device.svc_name | eq, ne, gt, gte, lt, lte | string
device.zone | eq, ne, gt, gte, lt, lte | string
dst_endpoint.domain | eq, ne, gt, gte, lt, lte | string
dst_endpoint.hostname | eq, ne, gt, gte, lt, lte | string
dst_endpoint.ip | eq, ne, gt, gte, lt, lte | string
dst_endpoint.mac | eq, ne, gt, gte, lt, lte | string
dst_endpoint.name | eq, ne, gt, gte, lt, lte | string
dst_endpoint.os.name | eq, ne, gt, gte, lt, lte | string
dst_endpoint.owner.org.name | eq, ne, gt, gte, lt, lte | string
dst_endpoint.port | eq, ne, gt, gte, lt, lte | integer
dst_endpoint.svc_name | eq, ne, gt, gte, lt, lte | string
dst_endpoint.type | eq, ne, gt, gte, lt, lte | string
dst_endpoint.zone | eq, ne, gt, gte, lt, lte | string
duration | eq, ne, gt, gte, lt, lte | integer
http_request.user_agent | eq, ne, gt, gte, lt, lte | string
logon_process.file.parent_folder | eq, ne, gt, gte, lt, lte | string
logon_process.file.path | eq, ne, gt, gte, lt, lte | string
logon_process.file.uid | eq, ne, gt, gte, lt, lte | string
logon_process.name | eq, ne, gt, gte, lt, lte | string
logon_process.parent_process.file.path | eq, ne, gt, gte, lt, lte | string
logon_process.parent_process.name | eq, ne, gt, gte, lt, lte | string
logon_process.parent_process.pid | eq, ne, gt, gte, lt, lte | string
logon_process.pid | eq, ne, gt, gte, lt, lte | string
metadata.event_code | eq, ne, gt, gte, lt, lte | string
metadata.log_name | eq, ne, gt, gte, lt, lte | string
metadata.log_provider | eq, in | string
metadata.processed_time | eq, ne, gt, gte, lt, lte | datetime
metadata.uid | eq, ne, gt, gte, lt, lte | string
process.cmd_line | eq, ne, gt, gte, lt, lte | string
process.file.name | eq, ne, gt, gte, lt, lte | string
process.file.parent_folder | eq, ne, gt, gte, lt, lte | string
process.file.path | eq, ne, gt, gte, lt, lte | string
process.file.uid | eq, ne, gt, gte, lt, lte | string
process.name | eq, ne, gt, gte, lt, lte | string
process.parent_process.cmd_line | eq, ne, gt, gte, lt, lte | string
process.parent_process.file.path | eq, ne, gt, gte, lt, lte | string
process.parent_process.file.uid | eq, ne, gt, gte, lt, lte | string
process.parent_process.name | eq, ne, gt, gte, lt, lte | string
process.parent_process.pid | eq, ne, gt, gte, lt, lte | string
process.pid | eq, ne, gt, gte, lt, lte | string
raw_data.* | eq, ne, gt, lt, gte, lte, like, not_like, in, not_in | string
session.uid | eq, ne, gt, gte, lt, lte | string
src_endpoint.hostname | eq, ne, gt, gte, lt, lte | string
src_endpoint.ip | eq, ne, gt, gte, lt, lte | string
src_endpoint.mac | eq, ne, gt, gte, lt, lte | string
src_endpoint.name | eq, ne, gt, gte, lt, lte | string
src_endpoint.owner.org.name | eq, ne, gt, gte, lt, lte | string
src_endpoint.port | eq, ne, gt, gte, lt, lte | integer
src_endpoint.type | eq, ne, gt, gte, lt, lte | string
src_endpoint.zone | eq, ne, gt, gte, lt, lte | string
start_time | eq, ne, gt, gte, lt, lte | datetime
time | gte, lte | datetime
user.domain | eq, ne, gt, gte, lt, lte | string
user.name | eq, ne, gt, gte, lt, lte | string
user.org.name | eq, ne, gt, gte, lt, lte | string
user.type | eq, ne, gt, gte, lt, lte | string
user.uid | eq, ne, gt, gte, lt, lte | string

Sumo Logic Cloud SIEM filters for query_events

Field | Operators | Supported Values
metadata.log_provider | eq, in | string
raw_data.* | eq, ne, gt, lt, gte, lte, like, in, not_in | string
time | gte, lte | datetime

CrowdStrike SIEM filters for query_investigations

Field | Operators | Supported Values
(no filter fields listed)

Elasticsearch filters for query_investigations

Field | Operators | Supported Values
(no filter fields listed)

Google Security Operations filters for query_investigations

Field | Operators | Supported Values
(no filter fields listed)

IBM QRadar filters for query_investigations

Field | Operators | Supported Values
raw_data.* | eq, gt, lt, in | string

Microsoft Sentinel filters for query_investigations

Field | Operators | Supported Values
(no filter fields listed)

Rapid7 InsightIDR filters for query_investigations

Field | Operators | Supported Values
investigations | | 

SIEM Test filters for query_investigations

Field | Operators | Supported Values
(no filter fields listed)

Splunk filters for query_investigations

Field | Operators | Supported Values
(no filter fields listed)

Sumo Logic Cloud SIEM filters for query_investigations

Field | Operators | Supported Values
raw_data.* | eq, ne, gt, lt, gte, lte, like, in, not_in | string