Skip to content

Supported AWS search field names

Tables of valid search field names and types for AWS environments.

AWS: Hosts

Field name Field type
instanceId String
imageId String
runningState String
instanceType String
region String
availabilityZone String
startTime Date
launchedBy String
subnetId String
vpcId String
isPublic Boolean
isVulnerable Boolean
hasContainerNodes Boolean
tags.<tag-name> String
patchStatus String
outGoingIp String
outGoingPort String
roleName String
platformOS String
isIAMRoleAssigned Boolean
lastModifiedBy String
_exists_:serverAgent Not applicable
not _exists_:serverAgent Not applicable
serverAgent.agentId String
serverAgent.hostname String
serverAgent.health:<value> String
serverAgent.osName String
serverAgent.lastSeenAt Date

Note

Allowed values for serverAgent.health are good, suspicious, bad, or unavailable. For example serverAgent.health:good.

AWS: Clusters

Field name Field type
instanceId String
name String
region String
roleArn String
version String
createdAt Date
status String
vpcId String
endpointPublicAccess Boolean
endpointPrivateAccess Boolean
isPublic Boolean
isVulnerable Boolean
tags.<tag-name> String

AWS: Node Groups

Field name Field type
instanceId String
name String
region String
createdTime Date
desiredCapacity Numeric
placementGroup String
serviceLinkedRoleARN String
status String
subnets String
launchConfiguration String
tags.<tag-name> String
clusterId String

AWS: Nodes

Field name Field type
instanceId String
name String
namespace String
publicIp String
vmId String
podCIDR String
startTime Date
tags.<tag-name> String

AWS: Pods

Field name Field type
instanceId String
name String
namespace String
nodeName String
status String
startTime Date
hostIP String
isPublic Boolean
isPrivileged Boolean
tags.<tag-name> String
launchType String

AWS: Containers

Field name Field type
instanceId String
name String
image String
imagePullPolicy String
status String
startedTime Date
privileged Boolean
kubeHost.nodeName String
kubeHost.namespace String
tags.<tag-name> String
isRogueContainer Boolean
isSecured Boolean

AWS: Services

Field name Field type
instanceId String
name String
namespace String
image String
imagePullPolicy String
status String
startTime Date
privileged Boolean
kubeHost.nodeName String
kubeHost.namespace String
tags.<tag-name> String
clusterIP String
loadBalancerIP String
type String

AWS: Ingress

Field name Field type
instanceId String
name String
namespace String
startTime Date
tags.<tag-name> String

AWS: Network Policy

Field name Field type
instanceId String
name String
namespace String
startTime Date
tags.<tag-name> String

AWS: RBAC Roles

Field name Field type
instanceId String
roleType String
name String
namespace String
creationTime Date
tags.<tag-name> String

AWS: VPCs

Field name Field type
vpcId String
region String
cidrBlock String
lastModifiedBy String
evoNetworkACLS.aclId String
tags.<tag-name> String

AWS: Security Groups

Field name Field type
secgrpId String
name String
vpcId String
region String
isOpenGroup Boolean
lastModifiedBy String
isUnusedGroup Boolean
isNestedGroup Boolean
isOverlappedGroup Boolean
_ingressRules.protocol String
_ingressRules.toPort Numeric
_ingressRules.fromPort Numeric
_ingressRules.ipRange String
_ingressRules.groupIdName String
_egressRules.protocol String
_egressRules.toPort Numeric
_egressRules.fromPort Numeric
_egressRules.ipRange String
_egressRules.groupIdName String
tags.<tag-name> String

AWS: S3 buckets

Field name Field type
name String
owner String
region String
creationDate Date
isRestricted Boolean
lastModifiedBy String
policy String
defaultEncryption String
isPublic Boolean
tags.<tag-name> String
isLoggingEnabled Boolean
isClosed Boolean
isMfaDeleteEnabled Boolean
versioningStatus String

AWS: RDS

Field name Field type
name String
region String
identifierId String
arn String
availabilityZone String
secondaryAvailabilityZone String
instanceClass String
status String
engine String
engineVersion String
multiAZ Boolean
storageType String
vpcId String
networkInterface String
creationDate Date
isPubliclyAccessible Boolean
isStorageEncrypted Boolean
tags.<tag-name> String
allocatedStorage Numeric

AWS: IAM Users

Field name Field type
name String
userId String
createDate Date
isMfaActive Boolean
isOverPrivileged Boolean
accessKeyAge Date
groupList String
isActive Boolean
passwordLastChanged Date
passwordLastUsed Date
lastActivity Date
arn String

AWS: IAM Groups

Field name Field type
roleName String
createDate Boolean
isOverPrivileged Boolean
isUnusedGroup Boolean

AWS: IAM Roles

Field name Field type
isOverPrivileged Boolean
roleName String
lastUsedDate Date
isUnusedRole Boolean

AWS: IAM External Access

Field name Field type
region String
accessLevels String
findingId String
resource String
resourceType String
status String
updatedAt Date

AWS: AWS Lambda

Field name Field type
region String
functionName String
runtime String
role String
memorySIze Numeric
lastModified String
vpcId String
lastModifiedBy String

AWS: Outbound Traffic

Field Name Field Type
srcAddr String
dstAddr String
dstPort Numeric
protocol Numeric
time Date

AWS: Inbound Traffic

Field Name Field Type
dstAddr String
dstPort Numeric
protocol Numeric
time Date

AWS Activity Log

Field Name Field Type
eventVersion String
userIdentity.<key> String
eventTime Date
eventSource String
eventName String
awsRegion String
sourceIPAddress String
userAgent String
requestID String
eventID String
eventType String
recipientAccountId String
riskReason String
requestParameters.<key> String
responseElements.<key> String

AWS EC2 AMI

Field Name Field Type
description String
architecture String
imageId String
imageLocation String
imageOwnerAlias String
imageType String
name String
ownerId String
platform String
state String
isPublic Boolean
region String
lastModifiedBy String
ownerType String

AWS Fargate Container

Field Name Field Type
name String
clusterNames String
image String
launchType String
region String
taskDefinitionArn String
entryPoint String
command String
workingDirectory String
isRogueContainer Boolean
isSecured Boolean

AWS EBS Volume

Field Name Field Type
volumeId String
volumeType String
region String
isAttached Boolean
isEncrypted Boolean
mappedInstanceIds String
lastModifiedBy String
createTime Date
size Numeric
iops Numeric
tags. String

AWS Elasticsearch

Field Name Field Type
region String
domainName String
elasticsearchVersion String
instanceType String
instanceCount Int
dedicatedMasterEnabled Boolean
dedicatedMasterType String
dedicatedMasterCount Int
zoneAwarenessEnabled Boolean
eBSEnabled Boolean
eBSVolumeType String
eBSVolumeSize Int
vpcId String
lastModifiedBy String
automatedSnapshotHour Int
isPubliclyAccessible Boolean

AWS Anomalies

Field Name Field Type
anomalyId String
accountId String
userName String
userType String
anomalyConfidence String
topReason String
activityTimingsStart Date
activityTimingsEnd Date
wasThisHelpful String
alertId String

Note

Allowed values for anomalyConfidence are High, Medium, or Low. For example anomalyConfidence:High. Allowed values for wasThisHelpful are Yes, No, or None. For example wasThisHelpful:Yes.

AWS RedShift Cluster

Field Name Field Type
region String
identifier String
vpcId String
automatedSnapshotRetentionPeriod Numeric
isEncrypted Boolean
isPublic Boolean
lastModifiedBy String
endpoint String

AWS SSO User

Field Name Field Type
arn String
ssoUser String
lastEventName String
lastEventTime Date
samlProviderArn String

AWS Fargate Task Definition

Field Name Field Type
taskDefinitionArn String
clusterNames String
region String
taskRoleArn String
executionRoleArn String
noOfRunningTasks Numeric
Back to top