# SIEM Query Filters

This document provides details on the filters supported by each provider for each API operation. Filters can be used to restrict the results of an API operation, such as filtering by a specific field or value. They are used in conjunction with the `filter` query parameter in the API request.

### CrowdStrike Next-Gen SIEM filters for `query_events`

| Field | Operators | Supported Values |
| --- | --- | --- |
| metadata.uid | eq, ne, in, not_in, like, not_like | string |
| time | gte, lte | datetime |

### Elastic SIEM filters for `query_events`

| Field | Operators | Supported Values |
| --- | --- | --- |
| metadata.log_provider | eq, in | string |
| raw_data.* | eq, ne, gt, lt, gte, lte, like, not_like, in, not_in | string |
| time | gte, lte | datetime |

### Google Security Operations filters for `query_events`

| Field | Operators | Supported Values |
| --- | --- | --- |
| message | eq, ne, in, not_in | string |
| metadata.event_code | eq, ne, gt, gte, lt, lte | number |
| metadata.log_name | eq, ne, in, not_in | string |
| metadata.log_provider | eq, ne, in, not_in | string |
| metadata.log_version | eq, ne, in, not_in | string |
| metadata.processed_time | gt, gte, lt, lte | datetime |
| metadata.uid | eq, ne, in, not_in | string |
| raw_data.* | eq, ne, gt, lt, gte, lte, in, not_in | string |
| time | gte, lte | datetime |

### Google Security Operations (Chronicle Compatibility) filters for `query_events`

| Field | Operators | Supported Values |
| --- | --- | --- |
| message | eq, ne, in, not_in | string |
| metadata.event_code | eq, ne, gt, gte, lt, lte | number |
| metadata.log_name | eq, ne, in, not_in | string |
| metadata.log_provider | eq, ne, in, not_in | string |
| metadata.log_version | eq, ne, in, not_in | string |
| metadata.processed_time | gt, gte, lt, lte | datetime |
| metadata.uid | eq, ne, in, not_in | string |
| raw_data.* | eq, ne, gt, lt, gte, lte, in, not_in | string |
| time | gte, lte | datetime |

### IBM QRadar SIEM filters for `query_events`

| Field | Operators | Supported Values |
| --- | --- | --- |
| actor.app_name | eq, ne, in, not_in, like, not_like | string |
| actor.app_uid | eq, ne, in, not_in, like, not_like | string |
| actor.user.account.name | eq, ne, in, not_in, like, not_like | string |
| actor.user.account.uid | eq, ne, in, not_in, like, not_like | string |
| actor.user.domain | eq, ne, in, not_in, like, not_like | string |
| actor.user.name | eq, ne, in, not_in, like, not_like | string |
| actor.user.uid | eq, ne, in, not_in, like, not_like | string |
| count | eq, ne, gt, gte, lt, lte, in, not_in | number |
| device.hostname | eq, ne, in, not_in, like, not_like | string |
| device.ip | eq, ne, in, not_in, like, not_like | string |
| device.last_seen_time | eq, ne, gt, gte, lt, lte | datetime |
| device.location.description | eq, ne, in, not_in, like, not_like | string |
| device.mac | eq, ne, in, not_in, like, not_like | string |
| device.os.name | eq, ne, in, not_in, like, not_like | string |
| device.uid | eq, ne, in, not_in, like, not_like | string |
| device.zone | eq, ne, in, not_in, like, not_like | string |
| dst_endpoint.domain | eq, ne, in, not_in, like, not_like | string |
| dst_endpoint.hostname | eq, ne, in, not_in, like, not_like | string |
| dst_endpoint.ip | eq, ne, in, not_in, like, not_like | string |
| dst_endpoint.location.description | eq, ne, in, not_in, like, not_like | string |
| dst_endpoint.mac | eq, ne, in, not_in, like, not_like | string |
| dst_endpoint.name | eq, ne, in, not_in, like, not_like | string |
| duration | eq, ne, gt, gte, lt, lte, in, not_in | number |
| end_time | eq, ne, gt, gte, lt, lte | datetime |
| group.name | eq, ne, in, not_in, like, not_like | string |
| group.uid | eq, ne, in, not_in, like, not_like | string |
| http_request.url.host | eq, ne, in, not_in, like, not_like | string |
| http_request.url.path | eq, ne, in, not_in, like, not_like | string |
| http_request.url.port | eq, ne, in, not_in, like, not_like | string |
| http_request.url.url_string | eq, ne, in, not_in, like, not_like | string |
| logon_process.file.ext | eq, ne, in, not_in, like, not_like | string |
| logon_process.file.name | eq, ne, in, not_in, like, not_like | string |
| logon_process.file.parent_folder | eq, ne, in, not_in, like, not_like | string |
| logon_process.file.path | eq, ne, in, not_in, like, not_like | string |
| logon_process.file.uid | eq, ne, in, not_in, like, not_like | string |
| logon_process.group.name | eq, ne, in, not_in, like, not_like | string |
| logon_process.group.uid | eq, ne, in, not_in, like, not_like | string |
| logon_process.name | eq, ne, in, not_in, like, not_like | string |
| logon_process.parent_process.file.path | eq, ne, in, not_in, like, not_like | string |
| logon_process.parent_process.name | eq, ne, in, not_in, like, not_like | string |
| logon_process.parent_process.pid | eq, ne, in, not_in, like, not_like | string |
| logon_process.pid | eq, ne, in, not_in, like, not_like | string |
| message | eq, ne, in, not_in, like, not_like | string |
| metadata.log_name | eq, ne, in, not_in, like, not_like | string |
| metadata.log_provider | eq | string |
| process.file.ext | eq, ne, in, not_in, like, not_like | string |
| process.file.name | eq, ne, in, not_in, like, not_like | string |
| process.file.parent_folder | eq, ne, in, not_in, like, not_like | string |
| process.file.path | eq, ne, in, not_in, like, not_like | string |
| process.file.uid | eq, ne, in, not_in, like, not_like | string |
| process.group.name | eq, ne, in, not_in, like, not_like | string |
| process.group.uid | eq, ne, in, not_in, like, not_like | string |
| process.name | eq, ne, in, not_in, like, not_like | string |
| process.parent_process.file.path | eq, ne, in, not_in, like, not_like | string |
| process.parent_process.name | eq, ne, in, not_in, like, not_like | string |
| process.parent_process.pid | eq, ne, in, not_in, like, not_like | string |
| process.pid | eq, ne, in, not_in, like, not_like | string |
| raw_data.* | eq, ne, gt, lt, gte, lte, like, not_like, in, not_in | string |
| src_endpoint.domain | eq, ne, in, not_in, like, not_like | string |
| src_endpoint.ip | eq, ne, in, not_in, like, not_like | string |
| src_endpoint.location.description | eq, ne, in, not_in, like, not_like | string |
| src_endpoint.mac | eq, ne, in, not_in, like, not_like | string |
| src_endpoint.os.name | eq, ne, in, not_in, like, not_like | string |
| src_endpoint.owner.name | eq, ne, in, not_in, like, not_like | string |
| src_endpoint.zone | eq, ne, in, not_in, like, not_like | string |
| start_time | eq, ne, gt, gte, lt, lte | datetime |
| time | gte, lte | datetime |
| user.account.name | eq, ne, in, not_in, like, not_like | string |
| user.account.uid | eq, ne, in, not_in, like, not_like | string |
| user.domain | eq, ne, in, not_in, like, not_like | string |
| user.name | eq, ne, in, not_in, like, not_like | string |
| user.uid | eq, ne, in, not_in, like, not_like | string |

### Microsoft Sentinel filters for `query_events`

| Field | Operators | Supported Values |
| --- | --- | --- |
| metadata.log_provider | eq, in | string |
| raw_data.* | eq, ne, gt, lt, gte, lte, like, in, not_in | string |
| time | gte, lte | datetime |

### OpenSearch filters for `query_events`

| Field | Operators | Supported Values |
| --- | --- | --- |
| metadata.log_provider | eq, in | string |
| raw_data.* | eq, ne, gt, lt, gte, lte, like, not_like, in, not_in | string |
| time | gte, lte | datetime |

### Rapid7 InsightIDR filters for `query_events`

| Field | Operators | Supported Values |
| --- | --- | --- |
| raw_data.* | eq, ne, gt, lt, gte, lte, like, not_like, in, not_in | string |

### Splunk Enterprise Security filters for `query_events`

| Field | Operators | Supported Values |
| --- | --- | --- |
| actor.app_name | eq, ne, gt, gte, lt, lte | string |
| actor.user.domain | eq, ne, gt, gte, lt, lte | string |
| actor.user.name | eq, ne, gt, gte, lt, lte | string |
| actor.user.org.name | eq, ne, gt, gte, lt, lte | string |
| actor.user.type | eq, ne, gt, gte, lt, lte | string |
| actor.user.uid | eq, ne, gt, gte, lt, lte | string |
| auth_protocol | eq, ne, gt, gte, lt, lte | string |
| device.domain | eq, ne, gt, gte, lt, lte | string |
| device.hostname | eq, ne, gt, gte, lt, lte | string |
| device.ip | eq, ne, gt, gte, lt, lte | string |
| device.mac | eq, ne, gt, gte, lt, lte | string |
| device.name | eq, ne, gt, gte, lt, lte | string |
| device.os.name | eq, ne, gt, gte, lt, lte | string |
| device.owner.org.name | eq, ne, gt, gte, lt, lte | string |
| device.port | eq, ne, gt, gte, lt, lte | number |
| device.svc_name | eq, ne, gt, gte, lt, lte | string |
| device.zone | eq, ne, gt, gte, lt, lte | string |
| dst_endpoint.domain | eq, ne, gt, gte, lt, lte | string |
| dst_endpoint.hostname | eq, ne, gt, gte, lt, lte | string |
| dst_endpoint.ip | eq, ne, gt, gte, lt, lte | string |
| dst_endpoint.mac | eq, ne, gt, gte, lt, lte | string |
| dst_endpoint.name | eq, ne, gt, gte, lt, lte | string |
| dst_endpoint.os.name | eq, ne, gt, gte, lt, lte | string |
| dst_endpoint.owner.org.name | eq, ne, gt, gte, lt, lte | string |
| dst_endpoint.port | eq, ne, gt, gte, lt, lte | number |
| dst_endpoint.svc_name | eq, ne, gt, gte, lt, lte | string |
| dst_endpoint.type | eq, ne, gt, gte, lt, lte | string |
| dst_endpoint.zone | eq, ne, gt, gte, lt, lte | string |
| duration | eq, ne, gt, gte, lt, lte | number |
| http_request.user_agent | eq, ne, gt, gte, lt, lte | string |
| logon_process.file.parent_folder | eq, ne, gt, gte, lt, lte | string |
| logon_process.file.path | eq, ne, gt, gte, lt, lte | string |
| logon_process.file.uid | eq, ne, gt, gte, lt, lte | string |
| logon_process.name | eq, ne, gt, gte, lt, lte | string |
| logon_process.parent_process.file.path | eq, ne, gt, gte, lt, lte | string |
| logon_process.parent_process.name | eq, ne, gt, gte, lt, lte | string |
| logon_process.parent_process.pid | eq, ne, gt, gte, lt, lte | string |
| logon_process.pid | eq, ne, gt, gte, lt, lte | string |
| metadata.event_code | eq, ne, gt, gte, lt, lte | string |
| metadata.log_name | eq, ne, gt, gte, lt, lte | string |
| metadata.log_provider | eq, in | string |
| metadata.processed_time | eq, ne, gt, gte, lt, lte | datetime |
| metadata.uid | eq, ne, gt, gte, lt, lte | string |
| process.cmd_line | eq, ne, gt, gte, lt, lte | string |
| process.file.name | eq, ne, gt, gte, lt, lte | string |
| process.file.parent_folder | eq, ne, gt, gte, lt, lte | string |
| process.file.path | eq, ne, gt, gte, lt, lte | string |
| process.file.uid | eq, ne, gt, gte, lt, lte | string |
| process.name | eq, ne, gt, gte, lt, lte | string |
| process.parent_process.cmd_line | eq, ne, gt, gte, lt, lte | string |
| process.parent_process.file.path | eq, ne, gt, gte, lt, lte | string |
| process.parent_process.file.uid | eq, ne, gt, gte, lt, lte | string |
| process.parent_process.name | eq, ne, gt, gte, lt, lte | string |
| process.parent_process.pid | eq, ne, gt, gte, lt, lte | string |
| process.pid | eq, ne, gt, gte, lt, lte | string |
| raw_data.* | eq, ne, gt, lt, gte, lte, like, not_like, in, not_in | string |
| session.uid | eq, ne, gt, gte, lt, lte | string |
| src_endpoint.hostname | eq, ne, gt, gte, lt, lte | string |
| src_endpoint.ip | eq, ne, gt, gte, lt, lte | string |
| src_endpoint.mac | eq, ne, gt, gte, lt, lte | string |
| src_endpoint.name | eq, ne, gt, gte, lt, lte | string |
| src_endpoint.owner.org.name | eq, ne, gt, gte, lt, lte | string |
| src_endpoint.port | eq, ne, gt, gte, lt, lte | number |
| src_endpoint.type | eq, ne, gt, gte, lt, lte | string |
| src_endpoint.zone | eq, ne, gt, gte, lt, lte | string |
| start_time | eq, ne, gt, gte, lt, lte | datetime |
| time | gte, lte | datetime |
| user.domain | eq, ne, gt, gte, lt, lte | string |
| user.name | eq, ne, gt, gte, lt, lte | string |
| user.org.name | eq, ne, gt, gte, lt, lte | string |
| user.type | eq, ne, gt, gte, lt, lte | string |
| user.uid | eq, ne, gt, gte, lt, lte | string |

### Sumo Logic Cloud SIEM filters for `query_events`

| Field | Operators | Supported Values |
| --- | --- | --- |
| metadata.log_provider | eq, in | string |
| raw_data.* | eq, ne, gt, lt, gte, lte, like, in, not_in | string |
| time | gte, lte | datetime |

### Test Provider filters for `query_events`

| Field | Operators | Supported Values |
| --- | --- | --- |

### CrowdStrike Next-Gen SIEM filters for `query_investigations`

| Field | Operators | Supported Values |
| --- | --- | --- |

### Elastic SIEM filters for `query_investigations`

| Field | Operators | Supported Values |
| --- | --- | --- |

### Google Security Operations filters for `query_investigations`

| Field | Operators | Supported Values |
| --- | --- | --- |

### Google Security Operations (Chronicle Compatibility) filters for `query_investigations`

| Field | Operators | Supported Values |
| --- | --- | --- |

### IBM QRadar SIEM filters for `query_investigations`

| Field | Operators | Supported Values |
| --- | --- | --- |
| raw_data.* | eq, gt, lt, in | string |

### Microsoft Sentinel filters for `query_investigations`

| Field | Operators | Supported Values |
| --- | --- | --- |

### OpenSearch filters for `query_investigations`

| Field | Operators | Supported Values |
| --- | --- | --- |

### Rapid7 InsightIDR filters for `query_investigations`

| Field | Operators | Supported Values |
| --- | --- | --- |
| investigations.end_time | lte | datetime |
| investigations.id | eq | string |
| investigations.priority | eq | Unknown, Low, Medium, High, Critical |
| investigations.start_time | gte | datetime |
| investigations.status | eq | Open, Closed, Investigating, Waiting |

### Splunk Enterprise Security filters for `query_investigations`

| Field | Operators | Supported Values |
| --- | --- | --- |

### Sumo Logic Cloud SIEM filters for `query_investigations`

| Field | Operators | Supported Values |
| --- | --- | --- |
| raw_data.* | eq, ne, gt, lt, gte, lte, like, in, not_in | string |

### Test Provider filters for `query_investigations`

| Field | Operators | Supported Values |
| --- | --- | --- |