Supported AWS search field names
Tables of valid search field names and types for AWS environments.
AWS: Hosts
| Field name | Field type |
| instanceId | String |
| imageId | String |
| runningState | String |
| instanceType | String |
| region | String |
| availabilityZone | String |
| startTime | Date |
| launchedBy | String |
| subnetId | String |
| vpcId | String |
| isPublic | Boolean |
| isVulnerable | Boolean |
| hasContainerNodes | Boolean |
| tags.<tag-name> | String |
| patchStatus | String |
| outGoingIp | String |
| outGoingPort | String |
| roleName | String |
| platformOS | String |
| isIAMRoleAssigned | Boolean |
| lastModifiedBy | String |
| _exists_:serverAgent | Not applicable |
| not _exists_:serverAgent | Not applicable |
| serverAgent.agentId | String |
| serverAgent.hostname | String |
| serverAgent.health:<value> | String |
| serverAgent.osName | String |
| serverAgent.lastSeenAt | Date |
Note
Allowed values for serverAgent.health are good, suspicious, bad, or unavailable. For example, serverAgent.health:good.
AWS: Clusters
| Field name | Field type |
| instanceId | String |
| name | String |
| region | String |
| roleArn | String |
| version | String |
| createdAt | Date |
| status | String |
| vpcId | String |
| endpointPublicAccess | Boolean |
| endpointPrivateAccess | Boolean |
| isPublic | Boolean |
| isVulnerable | Boolean |
| tags.<tag-name> | String |
AWS: Node Groups
| Field name | Field type |
| instanceId | String |
| name | String |
| region | String |
| createdTime | Date |
| desiredCapacity | Numeric |
| placementGroup | String |
| serviceLinkedRoleARN | String |
| status | String |
| subnets | String |
| launchConfiguration | String |
| tags.<tag-name> | String |
| clusterId | String |
AWS: Nodes
| Field name | Field type |
| instanceId | String |
| name | String |
| namespace | String |
| publicIp | String |
| vmId | String |
| podCIDR | String |
| startTime | Date |
| tags.<tag-name> | String |
AWS: Pods
| Field name | Field type |
| instanceId | String |
| name | String |
| namespace | String |
| nodeName | String |
| status | String |
| startTime | Date |
| hostIP | String |
| isPublic | Boolean |
| isPrivileged | Boolean |
| tags.<tag-name> | String |
| launchType | String |
AWS: Containers
| Field name | Field type |
| instanceId | String |
| name | String |
| image | String |
| imagePullPolicy | String |
| status | String |
| startedTime | Date |
| privileged | Boolean |
| kubeHost.nodeName | String |
| kubeHost.namespace | String |
| tags.<tag-name> | String |
| isRogueContainer | Boolean |
| isSecured | Boolean |
AWS: Services
| Field name | Field type |
| instanceId | String |
| name | String |
| namespace | String |
| image | String |
| imagePullPolicy | String |
| status | String |
| startTime | Date |
| privileged | Boolean |
| kubeHost.nodeName | String |
| kubeHost.namespace | String |
| tags.<tag-name> | String |
| clusterIP | String |
| loadBalancerIP | String |
| type | String |
AWS: Ingress
| Field name | Field type |
| instanceId | String |
| name | String |
| namespace | String |
| startTime | Date |
| tags.<tag-name> | String |
AWS: Network Policy
| Field name | Field type |
| instanceId | String |
| name | String |
| namespace | String |
| startTime | Date |
| tags.<tag-name> | String |
AWS: RBAC Roles
| Field name | Field type |
| instanceId | String |
| roleType | String |
| name | String |
| namespace | String |
| creationTime | Date |
| tags.<tag-name> | String |
AWS: VPCs
| Field name | Field type |
| vpcId | String |
| region | String |
| cidrBlock | String |
| lastModifiedBy | String |
| evoNetworkACLS.aclId | String |
| tags.<tag-name> | String |
AWS: Security Groups
| Field name | Field type |
| secgrpId | String |
| name | String |
| vpcId | String |
| region | String |
| isOpenGroup | Boolean |
| lastModifiedBy | String |
| isUnusedGroup | Boolean |
| isNestedGroup | Boolean |
| isOverlappedGroup | Boolean |
| _ingressRules.protocol | String |
| _ingressRules.toPort | Numeric |
| _ingressRules.fromPort | Numeric |
| _ingressRules.ipRange | String |
| _ingressRules.groupIdName | String |
| _egressRules.protocol | String |
| _egressRules.toPort | Numeric |
| _egressRules.fromPort | Numeric |
| _egressRules.ipRange | String |
| _egressRules.groupIdName | String |
| tags.<tag-name> | String |
AWS: S3 buckets
| Field name | Field type |
| name | String |
| owner | String |
| region | String |
| creationDate | Date |
| isRestricted | Boolean |
| lastModifiedBy | String |
| policy | String |
| defaultEncryption | String |
| isPublic | Boolean |
| tags.<tag-name> | String |
| isLoggingEnabled | Boolean |
| isClosed | Boolean |
| isMfaDeleteEnabled | Boolean |
| versioningStatus | String |
AWS: RDS
| Field name | Field type |
| name | String |
| region | String |
| identifierId | String |
| arn | String |
| availabilityZone | String |
| secondaryAvailabilityZone | String |
| instanceClass | String |
| status | String |
| engine | String |
| engineVersion | String |
| multiAZ | Boolean |
| storageType | String |
| vpcId | String |
| networkInterface | String |
| creationDate | Date |
| isPubliclyAccessible | Boolean |
| isStorageEncrypted | Boolean |
| tags.<tag-name> | String |
| allocatedStorage | Numeric |
AWS: IAM Users
| Field name | Field type |
| name | String |
| userId | String |
| createDate | Date |
| isMfaActive | Boolean |
| isOverPrivileged | Boolean |
| accessKeyAge | Date |
| groupList | String |
| isActive | Boolean |
| passwordLastChanged | Date |
| passwordLastUsed | Date |
| lastActivity | Date |
| arn | String |
AWS: IAM Groups
| Field name | Field type |
| roleName | String |
| createDate | Boolean |
| isOverPrivileged | Boolean |
| isUnusedGroup | Boolean |
AWS: IAM Roles
| Field name | Field type |
| isOverPrivileged | Boolean |
| roleName | String |
| lastUsedDate | Date |
| isUnusedRole | Boolean |
AWS: IAM External Access
| Field name | Field type |
| region | String |
| accessLevels | String |
| findingId | String |
| resource | String |
| resourceType | String |
| status | String |
| updatedAt | Date |
AWS: AWS Lambda
| Field name | Field type |
| region | String |
| functionName | String |
| runtime | String |
| role | String |
| memorySIze | Numeric |
| lastModified | String |
| vpcId | String |
| lastModifiedBy | String |
AWS: Outbound Traffic
| Field Name | Field Type |
| srcAddr | String |
| dstAddr | String |
| dstPort | Numeric |
| protocol | Numeric |
| time | Date |
AWS: Inbound Traffic
| Field Name | Field Type |
| dstAddr | String |
| dstPort | Numeric |
| protocol | Numeric |
| time | Date |
AWS Activity Log
| Field Name | Field Type |
| eventVersion | String |
| userIdentity.<key> | String |
| eventTime | Date |
| eventSource | String |
| eventName | String |
| awsRegion | String |
| sourceIPAddress | String |
| userAgent | String |
| requestID | String |
| eventID | String |
| eventType | String |
| recipientAccountId | String |
| riskReason | String |
| requestParameters.<key> | String |
| responseElements.<key> | String |
AWS EC2 AMI
| Field Name | Field Type |
| description | String |
| architecture | String |
| imageId | String |
| imageLocation | String |
| imageOwnerAlias | String |
| imageType | String |
| name | String |
| ownerId | String |
| platform | String |
| state | String |
| isPublic | Boolean |
| region | String |
| lastModifiedBy | String |
| ownerType | String |
AWS Fargate Container
| Field Name | Field Type |
| name | String |
| clusterNames | String |
| image | String |
| launchType | String |
| region | String |
| taskDefinitionArn | String |
| entryPoint | String |
| command | String |
| workingDirectory | String |
| isRogueContainer | Boolean |
| isSecured | Boolean |
AWS EBS Volume
| Field Name | Field Type |
| volumeId | String |
| volumeType | String |
| region | String |
| isAttached | Boolean |
| isEncrypted | Boolean |
| mappedInstanceIds | String |
| lastModifiedBy | String |
| createTime | Date |
| size | Numeric |
| iops | Numeric |
| tags.<tag-name> | String |
AWS Elasticsearch
| Field Name | Field Type |
| region | String |
| domainName | String |
| elasticsearchVersion | String |
| instanceType | String |
| instanceCount | Int |
| dedicatedMasterEnabled | Boolean |
| dedicatedMasterType | String |
| dedicatedMasterCount | Int |
| zoneAwarenessEnabled | Boolean |
| eBSEnabled | Boolean |
| eBSVolumeType | String |
| eBSVolumeSize | Int |
| vpcId | String |
| lastModifiedBy | String |
| automatedSnapshotHour | Int |
| isPubliclyAccessible | Boolean |
AWS Anomalies
| Field Name | Field Type |
| anomalyId | String |
| accountId | String |
| userName | String |
| userType | String |
| anomalyConfidence | String |
| topReason | String |
| activityTimingsStart | Date |
| activityTimingsEnd | Date |
| wasThisHelpful | String |
| alertId | String |
Note
Allowed values for anomalyConfidence are High, Medium, or Low. For example, anomalyConfidence:High. Allowed values for wasThisHelpful are Yes, No, or None. For example, wasThisHelpful:Yes.
AWS RedShift Cluster
| Field Name | Field Type |
| region | String |
| identifier | String |
| vpcId | String |
| automatedSnapshotRetentionPeriod | Numeric |
| isEncrypted | Boolean |
| isPublic | Boolean |
| lastModifiedBy | String |
| endpoint | String |
AWS SSO User
| Field Name | Field Type |
| arn | String |
| ssoUser | String |
| lastEventName | String |
| lastEventTime | Date |
| samlProviderArn | String |
AWS Fargate Task Definition
| Field Name | Field Type |
| taskDefinitionArn | String |
| clusterNames | String |
| region | String |
| taskRoleArn | String |
| executionRoleArn | String |
| noOfRunningTasks | Numeric |