Search examples

You can combine different terms to create complex searches.

The table lists examples of searches combining different terms and techniques.

Table 1. Examples

Each example below gives the search objective followed by the query that achieves it.

Search objective: Find alerts seen in the last 2 days that are related to GDPR policy checks.
Query: Alert AND lastSeen:[now-2d TO *] AND policyTagName:GDPR

Search objective: Find hosts that were started in the last 3 days, are not part of an auto scaling group, and have a public interface.
Query: Host AND startTime:[now-3d TO *] AND isPublic:true AND NOT "Auto Scaling"

Search objective: Find public, unencrypted S3 buckets created in the last year.
Query: creationDate:[now/y TO *] AND isPublic:true AND not _exists_:defaultEncryption

Search objective: Find S3 buckets created in the last 6 months by aws-pcg in the us-west-2 region.
Query: creationDate:[now-6M TO *] AND isPublic:true AND owner:aws-pcg* AND region:us-west-2

Search objective: Find over-privileged IAM users created over a month ago that have been inactive.
Query: User AND isOverPrivileged:true AND createDate:[* TO now-1M] AND not _exists_:lastActivity

Search objective: Find security groups that allow inbound traffic on any port from any IP address.
Query: _ingressRules.toPort:"-1" and _ingressRules.fromPort:"-1" and _ingressRules.ipRange:"0.0.0.0/0"

Search objective: Find hosts with outbound traffic to specific IP addresses and ports.
Query: outGoingIp:("IP1" "IP2" "IP3") and outGoingPort:("PORT1" "PORT2" "PORT3")

Search objective: Find hosts that have the Sophos server protection agent installed and whose agent reports bad security health.
Query: Host AND serverAgent.health:bad
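The range clauses in the table (`[now-2d TO *]`, `[now/y TO *]`, `[* TO now-1M]`) are the part of these queries that is easiest to misread: `now-1M` is a calendar month, `now/y` rounds down to the start of the current year, and `not _exists_:field` matches records where the field is absent. The following Python is an added illustration, not code from the Sophos documentation or product; it assumes the date-math syntax follows the Lucene/Elasticsearch convention (which the page uses but does not define) and evaluates two of the table's rows, the inactive over-privileged users and the public unencrypted buckets, against constructed sample records with a fixed clock.

```python
"""Evaluate the date-range clauses from the search examples against sample records.

Added example; the date-math rules (unit letters, '/' rounding, '*' for unbounded)
are an assumption based on the Lucene/Elasticsearch convention, not taken from the page.
"""
import calendar
import re
from datetime import datetime, timedelta, timezone

# One step such as "-6M" or "+2d": sign, count, unit (y M w d h m s).
_STEP_RE = re.compile(r"([+-])(\d+)([yMwdhms])")
_RANGE_RE = re.compile(r"^\[(\S+) TO (\S+)\]$")


def _shift_months(t, months):
    """Move t by calendar months, clamping the day to the target month's length."""
    month_index = t.month - 1 + months
    year, month = t.year + month_index // 12, month_index % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def _round_down(t, unit):
    """Apply the '/unit' rounding suffix, e.g. now/y -> first instant of the year."""
    zero = {"y": dict(month=1, day=1, hour=0, minute=0, second=0, microsecond=0),
            "M": dict(day=1, hour=0, minute=0, second=0, microsecond=0),
            "d": dict(hour=0, minute=0, second=0, microsecond=0),
            "h": dict(minute=0, second=0, microsecond=0),
            "m": dict(second=0, microsecond=0),
            "s": dict(microsecond=0)}
    if unit not in zero:
        raise ValueError(f"unsupported rounding unit: {unit!r}")
    return t.replace(**zero[unit])


def resolve_date_math(expr, now):
    """Turn 'now', 'now-2d', 'now/y' or 'now-1M/d' into a datetime; '*' means unbounded (None)."""
    if expr == "*":
        return None
    if not expr.startswith("now"):
        raise ValueError(f"unsupported date expression: {expr!r}")
    body, _, rounding = expr[3:].partition("/")
    t, consumed = now, 0
    for m in _STEP_RE.finditer(body):
        if m.start() != consumed:  # reject stray characters between steps
            raise ValueError(f"malformed date math: {expr!r}")
        consumed = m.end()
        n = int(m.group(2)) * (1 if m.group(1) == "+" else -1)
        unit = m.group(3)
        if unit == "y":
            t = _shift_months(t, 12 * n)
        elif unit == "M":
            t = _shift_months(t, n)
        else:
            t += timedelta(**{{"w": "weeks", "d": "days", "h": "hours",
                               "m": "minutes", "s": "seconds"}[unit]: n})
    if consumed != len(body):
        raise ValueError(f"malformed date math: {expr!r}")
    return _round_down(t, rounding) if rounding else t


def in_range(value, range_expr, now):
    """True if value falls inside an inclusive '[lower TO upper]' clause."""
    m = _RANGE_RE.match(range_expr)
    if not m:
        raise ValueError(f"not a range clause: {range_expr!r}")
    lower, upper = (resolve_date_math(m.group(i), now) for i in (1, 2))
    return (lower is None or value >= lower) and (upper is None or value <= upper)


def find_inactive_overprivileged_users(users, now):
    """Row: User AND isOverPrivileged:true AND createDate:[* TO now-1M] AND not _exists_:lastActivity."""
    return [u["name"] for u in users
            if u["type"] == "User" and u.get("isOverPrivileged") is True
            and in_range(u["createDate"], "[* TO now-1M]", now)
            and "lastActivity" not in u]  # not _exists_: the field is absent


def find_public_unencrypted_buckets(buckets, now):
    """Row: creationDate:[now/y TO *] AND isPublic:true AND not _exists_:defaultEncryption."""
    return [b["name"] for b in buckets
            if in_range(b["creationDate"], "[now/y TO *]", now)
            and b.get("isPublic") is True and "defaultEncryption" not in b]


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample data with a fixed clock so the results are reproducible.
NOW = _utc(2024, 3, 31, 12, 0)
USERS = [
    {"type": "User", "name": "alice", "isOverPrivileged": True, "createDate": _utc(2024, 1, 10)},
    {"type": "User", "name": "bob", "isOverPrivileged": True, "createDate": _utc(2024, 3, 20)},
    {"type": "User", "name": "carol", "isOverPrivileged": True, "createDate": _utc(2023, 12, 1),
     "lastActivity": _utc(2024, 3, 1)},
    {"type": "Role", "name": "deploy-role", "isOverPrivileged": True, "createDate": _utc(2023, 6, 1)},
]
BUCKETS = [
    {"name": "logs-public", "isPublic": True, "creationDate": _utc(2024, 2, 15)},
    {"name": "old-public", "isPublic": True, "creationDate": _utc(2023, 12, 31, 23, 59)},
    {"name": "safe", "isPublic": True, "creationDate": _utc(2024, 2, 1), "defaultEncryption": "AES256"},
    {"name": "private", "isPublic": False, "creationDate": _utc(2024, 2, 1)},
]

if __name__ == "__main__":
    print("now-1M  ->", resolve_date_math("now-1M", NOW).isoformat())
    print("now/y   ->", resolve_date_math("now/y", NOW).isoformat())
    print("inactive over-privileged users:", find_inactive_overprivileged_users(USERS, NOW))
    print("public unencrypted buckets:", find_public_unencrypted_buckets(BUCKETS, NOW))
```

Note the two edge cases the sample data exercises: `old-public` was created a few minutes before the year boundary and is excluded by `[now/y TO *]` even though it is well under a year old, and `bob` is an over-privileged user who is excluded only because the account is younger than one calendar month.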