Search examples
You can combine different terms to create complex searches.
The table lists examples of searches combining different terms and techniques.
|
Search objective |
Query |
|---|---|
|
Find alerts seen in the last 2 days that are related to GDPR policy checks. |
Alert AND lastSeen:[now-2d TO *] AND policyTagName:GDPR |
|
Find hosts that were started in the last 3 days, are not part of an auto scaling group, and have a public interface. |
Host AND startTime:[now-3d TO *] AND isPublic:true AND NOT "Auto Scaling" |
|
Find public, unencrypted S3 buckets created in the last year. |
creationDate:[now/y TO *] AND isPublic:true AND not _exists_:defaultEncryption |
|
Find S3 buckets created in the last 6 months, by aws-pcg in the us-west-2 region. |
creationDate:[now-6M TO *] AND isPublic:true AND owner:aws-pcg* AND region:us-west-2 |
|
Find over-privileged IAM users created over a month ago that have been inactive. |
User AND isOverPrivileged:true AND createDate:[* TO now-1M] AND not _exists_:lastActivity |
|
Find security groups that allow inbound traffic from any port and from any IP address. |
_ingressRules.toPort:"-1" and _ingressRules.fromPort:"-1" and _ingressRules.ipRange:"0.0.0.0/0" |
|
Find hosts with outbound traffic to specific IP addresses and ports. |
outGoingIp:("IP1" "IP2" "IP3") and outGoingPort:("PORT1" "PORT2" "PORT3") |
|
Find hosts with the Sophos server protection agent installed, and the agent reports bad security health. |
Host AND serverAgent.health:bad |