Search examples
You can combine different terms to create complex searches.
The table lists examples of searches combining different terms and techniques.
| Search objective | Query |
|---|---|
| Find alerts seen in the last 2 days that are related to GDPR policy checks. | Alert AND lastSeen:[now-2d TO *] AND policyTagName:GDPR |
| Find hosts that were started in the last 3 days, are not part of an auto scaling group, and have a public interface. | Host AND startTime:[now-3d TO *] AND isPublic:true AND NOT "Auto Scaling" |
| Find public, unencrypted S3 buckets created in the last year. | creationDate:[now/y TO *] AND isPublic:true AND not _exists_:defaultEncryption |
| Find S3 buckets created in the last 6 months, by aws-pcg in the us-west-2 region. | creationDate:[now-6M TO *] AND isPublic:true AND owner:aws-pcg* AND region:us-west-2 |
| Find over-privileged IAM users created over a month ago that have been inactive. | User AND isOverPrivileged:true AND createDate:[* TO now-1M] AND not _exists_:lastActivity |
| Find security groups that allow inbound traffic from any port and from any IP address. | _ingressRules.toPort:"-1" and _ingressRules.fromPort:"-1" and _ingressRules.ipRange:"0.0.0.0/0" |
| Find hosts with outbound traffic to specific IP addresses and ports. | outGoingIp:("IP1" "IP2" "IP3") and outGoingPort:("PORT1" "PORT2" "PORT3") |
| Find hosts with the Sophos server protection agent installed, and the agent reports bad security health. | Host AND serverAgent.health:bad |