Supported AWS search field names
Tables of valid search field names and types for AWS environments.
AWS: Hosts
Field name | Field type
--- | ---
instanceId | String
imageId | String
runningState | String
instanceType | String
region | String
availabilityZone | String
startTime | Date
launchedBy | String
subnetId | String
vpcId | String
isPublic | Boolean
isVulnerable | Boolean
hasContainerNodes | Boolean
tags.<tag-name> | String
patchStatus | String
outGoingIp | String
outGoingPort | String
roleName | String
platformOS | String
isIAMRoleAssigned | Boolean
lastModifiedBy | String
_exists_:serverAgent | Not applicable
not _exists_:serverAgent | Not applicable
serverAgent.agentId | String
serverAgent.hostname | String
serverAgent.health:<value> | String
serverAgent.osName | String
serverAgent.lastSeenAt | Date
Note: Allowed values for serverAgent.health are good, suspicious, bad, or unavailable. For example, serverAgent.health:good.
AWS: Clusters
Field name | Field type
--- | ---
instanceId | String
name | String
region | String
roleArn | String
version | String
createdAt | Date
status | String
vpcId | String
endpointPublicAccess | Boolean
endpointPrivateAccess | Boolean
isPublic | Boolean
isVulnerable | Boolean
tags.<tag-name> | String
AWS: Node Groups
Field name | Field type
--- | ---
instanceId | String
name | String
region | String
createdTime | Date
desiredCapacity | Numeric
placementGroup | String
serviceLinkedRoleARN | String
status | String
subnets | String
launchConfiguration | String
tags.<tag-name> | String
clusterId | String
AWS: Nodes
Field name | Field type
--- | ---
instanceId | String
name | String
namespace | String
publicIp | String
vmId | String
podCIDR | String
startTime | Date
tags.<tag-name> | String
AWS: Pods
Field name | Field type
--- | ---
instanceId | String
name | String
namespace | String
nodeName | String
status | String
startTime | Date
hostIP | String
isPublic | Boolean
isPrivileged | Boolean
tags.<tag-name> | String
launchType | String
AWS: Containers
Field name | Field type
--- | ---
instanceId | String
name | String
image | String
imagePullPolicy | String
status | String
startedTime | Date
privileged | Boolean
kubeHost.nodeName | String
kubeHost.namespace | String
tags.<tag-name> | String
isRogueContainer | Boolean
isSecured | Boolean
AWS: Services
Field name | Field type
--- | ---
instanceId | String
name | String
namespace | String
image | String
imagePullPolicy | String
status | String
startTime | Date
privileged | Boolean
kubeHost.nodeName | String
kubeHost.namespace | String
tags.<tag-name> | String
clusterIP | String
loadBalancerIP | String
type | String
AWS: Ingress
Field name | Field type
--- | ---
instanceId | String
name | String
namespace | String
startTime | Date
tags.<tag-name> | String
AWS: Network Policy
Field name | Field type
--- | ---
instanceId | String
name | String
namespace | String
startTime | Date
tags.<tag-name> | String
AWS: RBAC Roles
Field name | Field type
--- | ---
instanceId | String
roleType | String
name | String
namespace | String
creationTime | Date
tags.<tag-name> | String
AWS: VPCs
Field name | Field type
--- | ---
vpcId | String
region | String
cidrBlock | String
lastModifiedBy | String
evoNetworkACLS.aclId | String
tags.<tag-name> | String
AWS: Security Groups
Field name | Field type
--- | ---
secgrpId | String
name | String
vpcId | String
region | String
isOpenGroup | Boolean
lastModifiedBy | String
isUnusedGroup | Boolean
isNestedGroup | Boolean
isOverlappedGroup | Boolean
_ingressRules.protocol | String
_ingressRules.toPort | Numeric
_ingressRules.fromPort | Numeric
_ingressRules.ipRange | String
_ingressRules.groupIdName | String
_egressRules.protocol | String
_egressRules.toPort | Numeric
_egressRules.fromPort | Numeric
_egressRules.ipRange | String
_egressRules.groupIdName | String
tags.<tag-name> | String
AWS: S3 buckets
Field name | Field type
--- | ---
name | String
owner | String
region | String
creationDate | Date
isRestricted | Boolean
lastModifiedBy | String
policy | String
defaultEncryption | String
isPublic | Boolean
tags.<tag-name> | String
isLoggingEnabled | Boolean
isClosed | Boolean
isMfaDeleteEnabled | Boolean
versioningStatus | String
AWS: RDS
Field name | Field type
--- | ---
name | String
region | String
identifierId | String
arn | String
availabilityZone | String
secondaryAvailabilityZone | String
instanceClass | String
status | String
engine | String
engineVersion | String
multiAZ | Boolean
storageType | String
vpcId | String
networkInterface | String
creationDate | Date
isPubliclyAccessible | Boolean
isStorageEncrypted | Boolean
tags.<tag-name> | String
allocatedStorage | Numeric
AWS: IAM Users
Field name | Field type
--- | ---
name | String
userId | String
createDate | Date
isMfaActive | Boolean
isOverPrivileged | Boolean
accessKeyAge | Date
groupList | String
isActive | Boolean
passwordLastChanged | Date
passwordLastUsed | Date
lastActivity | Date
arn | String
AWS: IAM Groups
Field name | Field type
--- | ---
roleName | String
createDate | Boolean
isOverPrivileged | Boolean
isUnusedGroup | Boolean
AWS: IAM Roles
Field name | Field type
--- | ---
isOverPrivileged | Boolean
roleName | String
lastUsedDate | Date
isUnusedRole | Boolean
AWS: IAM External Access
Field name | Field type
--- | ---
region | String
accessLevels | String
findingId | String
resource | String
resourceType | String
status | String
updatedAt | Date
AWS: AWS Lambda
Field name | Field type
--- | ---
region | String
functionName | String
runtime | String
role | String
memorySIze | Numeric
lastModified | String
vpcId | String
lastModifiedBy | String
AWS: Outbound Traffic
Field name | Field type
--- | ---
srcAddr | String
dstAddr | String
dstPort | Numeric
protocol | Numeric
time | Date
AWS: Inbound Traffic
Field name | Field type
--- | ---
dstAddr | String
dstPort | Numeric
protocol | Numeric
time | Date
AWS Activity Log
Field name | Field type
--- | ---
eventVersion | String
userIdentity.<key> | String
eventTime | Date
eventSource | String
eventName | String
awsRegion | String
sourceIPAddress | String
userAgent | String
requestID | String
eventID | String
eventType | String
recipientAccountId | String
riskReason | String
requestParameters.<key> | String
responseElements.<key> | String
AWS EC2 AMI
Field name | Field type
--- | ---
description | String
architecture | String
imageId | String
imageLocation | String
imageOwnerAlias | String
imageType | String
name | String
ownerId | String
platform | String
state | String
isPublic | Boolean
region | String
lastModifiedBy | String
ownerType | String
AWS Fargate Container
Field name | Field type
--- | ---
name | String
clusterNames | String
image | String
launchType | String
region | String
taskDefinitionArn | String
entryPoint | String
command | String
workingDirectory | String
isRogueContainer | Boolean
isSecured | Boolean
AWS EBS Volume
Field name | Field type
--- | ---
volumeId | String
volumeType | String
region | String
isAttached | Boolean
isEncrypted | Boolean
mappedInstanceIds | String
lastModifiedBy | String
createTime | Date
size | Numeric
iops | Numeric
tags.<tag-name> | String
AWS Elasticsearch
Field name | Field type
--- | ---
region | String
domainName | String
elasticsearchVersion | String
instanceType | String
instanceCount | Int
dedicatedMasterEnabled | Boolean
dedicatedMasterType | String
dedicatedMasterCount | Int
zoneAwarenessEnabled | Boolean
eBSEnabled | Boolean
eBSVolumeType | String
eBSVolumeSize | Int
vpcId | String
lastModifiedBy | String
automatedSnapshotHour | Int
isPubliclyAccessible | Boolean
AWS Anomalies
Field name | Field type
--- | ---
anomalyId | String
accountId | String
userName | String
userType | String
anomalyConfidence | String
topReason | String
activityTimingsStart | Date
activityTimingsEnd | Date
wasThisHelpful | String
alertId | String
Note: Allowed values for anomalyConfidence are High, Medium, or Low. For example, anomalyConfidence:High. Allowed values for wasThisHelpful are Yes, No, or None. For example, wasThisHelpful:Yes.
AWS RedShift Cluster
Field name | Field type
--- | ---
region | String
identifier | String
vpcId | String
automatedSnapshotRetentionPeriod | Numeric
isEncrypted | Boolean
isPublic | Boolean
lastModifiedBy | String
endpoint | String
AWS SSO User
Field name | Field type
--- | ---
arn | String
ssoUser | String
lastEventName | String
lastEventTime | Date
samlProviderArn | String
AWS Fargate Task Definition
Field name | Field type
--- | ---
taskDefinitionArn | String
clusterNames | String
region | String
taskRoleArn | String
executionRoleArn | String
noOfRunningTasks | Numeric