sevco.io

Query Parameters and Attributes

A complete list of query parameters and attributes

Query Parameters

The Query Builder has four main parameters that can be used to assemble a query.

Source Attributes

The Attribute parameter lets you select the data attribute(s) you would like to build your query around. Select the Attribute field to begin defining this parameter.

The attributes menu is broken down into several areas:

  1. At the top of the menu, there are Devices and User tabs. The tab corresponding to the Live Inventory page you are in is selected by default. These tabs are primarily used for cross-asset searches, which will be covered in a later section.

  2. The left panel contains a list of Sources. If needed, use this section to specify that only assets from a specific Source should be included in your rule's condition.

  3. The right panel is where you select the data Attribute(s) you would like to build your query around.

Condition

The Condition parameter defines the test an attribute must pass for an asset to satisfy a rule. Only assets and telemetry events that satisfy your conditions will be displayed in your results.

[Screenshot: selecting "is after" from the Condition dropdown]

Value

Once you've selected an attribute and condition, you will need to define the Value you will be using to determine if a condition is satisfied. Please note that this field will not display when the Exists or Does not exist condition is selected, as the value is already defined in the condition itself.

Note: In some instances, you may be asked to select a value from a pre-defined list of values. This depends on the attribute you have chosen.

[Screenshot: selecting a date from the Date Picker]

Source Attributes

Note: This Attributes list excludes Source-specific attributes. For questions about these attributes, please contact our Support team.

Please review the tables below for a list of Source attributes for each query builder in the Sevco platform. You will also find every possible condition and value that can be applied to an attribute.

Live Inventory

Devices

Attribute Definition Example

Active Directory Domains

The specific Active Directory domain name assigned to a Device or User asset.

Active Directory Domains equals company.com

Agent Version

The Agent Version a Source integration is currently running on for a particular Device asset

Crowdstrike Agent Version is not like 6.42*

Associated Usernames

Any usernames associated with a Device asset

Associated Usernames is like john*

Category

The Category that a Source integration falls under

Category equals Enterprise Endpoint

City

The City corresponding to a Device asset's External IP address

City equals Brooklyn

Controls

The Enterprise Endpoint subcategory that identifies the type of source control present for an asset

Controls equals Configuration Management

Correlation ID

Distinguished Name

The name typically associated with or issued by Directory Service Source integrations.

Distinguished Name equals cn=fcfdlfs,ou=dpnqvufst oz,ou=bluth dpnqvufst,dc=bluth-dp,dc=com

Domain

The specific domain name assigned to a Device asset. In this context, domain names are most often assigned using a domain controller such as Microsoft Active Directory.

Domain equals company.com

External IP Address

The External IP Address associated with any network a Device asset has connected to

IP Address between 192.158.1.10 (and) 192.158.1.40

First Collection Date

When a Device or User asset was first collected by Sevco

First Collection Date is on or before 07/31/22 12:00 AM

First Observed Timestamp

The first time a Device or User asset was identified as present in your environment by a Source integration

First Observed Timestamp is before 05/17/23 12:00 AM

FQDN

The fully qualified domain name associated with a Device asset

FQDN exists

GeoIP Associated IP

Hostname

Any device name associated with a Device asset. Unlike an Object ID, this attribute can change.

Hostname equals victorias-macbook-pro

ID

Internal IPs

The Internal IP Address associated with any network a Device asset has connected to.

IP Address equals 192.168.1.1

IP Address

The IP Address of the Device asset on a network.

IP Address equals 10.10.4.217

Last Activity Timestamp

The last time a Device or User asset was identified as active on a network

Last Activity Timestamp is after 05/18/23 12:00 AM

Last Observed Timestamp

The last time a Device or User asset was identified as present in your environment by a Source integration

Last Observed is before 3 days ago

Latitude

The latitude corresponding to a Device asset's External IP address

Latitude equals 37.4221° N

Longitude

The longitude corresponding to a Device asset's External IP address

Longitude equals 122.0841° W

MAC Address

Any MAC address associated with a Device asset

MAC Address equals 02:FF:00:BA:C0:39

MAC Manufacturer

The manufacturer of a piece of network hardware on a Device asset, as identified from its MAC address

MAC Manufacturer equals Intel Corporate

Network Location

The Network type a Device asset is associated with: On Premise, Cloud, or Unknown (typically listed as a location if available)

Network Location does not equal Cloud

Number of Sources

The total number of Sources associated with a Device or User asset

Number of Sources equals 3

Object ID

A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID.

SentinelOne Object ID equals 0123456789101112131

ManageEngine Object ID equals 1312111019876543210

OS

The operating system of a Device asset

OS Release equals Windows 11 Professional (x64)

OS End of Life Timestamp

The date and time that a Device asset's operating system enters an end-of-life state (is no longer supported by its vendor).

OS End of Life Timestamp is on or before 30 days ago

OS Platform

The operating system platform of a Device asset

OS Platform equals Windows

OS Release

The specific identity of a Device asset's operating system (if available)

OS Release equals Windows 11 Professional

OS Version

The specific version of a Device asset's operating system.

OS Platform equals MacOS, and OS Version is like 12.6*

Region

The world region corresponding to a Device asset's External IP address

Region equals Europe

Serial Number

The serial number corresponding to a Device asset

Serial Number equals 3N326311QW-01

Source

Any Source integration that you have configured for your Sevco Organization

Source equals Crowdstrike

Source Configuration

Any Source integration configuration associated with an asset

Source Configuration equals Microsoft Azure(01234567-0123-abcd-abcd-0123456789ab)

Tag

Any Tag that has been assigned to an asset

Tag equals Password Expired

Users

Attribute Definition Value

Active Directory Domains

The specific Active Directory domain name assigned to a Device or User asset.

Active Directory Domains equals company.com

Agent Version

The Agent Version a Source is currently running on for a particular asset

Okta Agent Version does not exist

Correlation ID

Domain

The specific domain name assigned to a Device asset. In this context, domain names are most often assigned using a domain controller such as Microsoft Active Directory.

Domain equals company.com

Emails

Any Emails associated with a User asset

Email equals [email protected]

First Observed Timestamp

The first time a Device or User asset was identified as present in your environment by a Source integration

First Observed Timestamp is before 05/17/23 12:00 AM

First Name

The first name associated with a User asset

First Name equals John

ID

Last Activity Timestamp

The last time a Device or User asset was identified as active on a network

Last Activity is after 05/18/23 12:00 AM

Last Name

The last name associated with a User asset

Last Name equals Smith

Last Observed Timestamp

The last time a Device or User asset was identified as present in your environment by a Source integration

Last Observed is before 3 days ago

Last Updated

When information about an asset was last updated in a Source

Last Updated is before 30 days ago

Number of Sources

The total number of Sources associated with a Device or User asset

Number of Sources equals 3

Source

Any Source integration that you have configured for your Sevco Organization

Source equals Crowdstrike

Source Configuration

Any Source integration configuration associated with an asset

Source Configuration equals Microsoft Azure(01234567-0123-abcd-abcd-0123456789ab)

Tag

Any Tag that has been applied to an asset.

Tag equals Password Expired

Telemetry

Devices

Attribute Definition Example Query

Attribute

A piece of information that corresponds to a Device or User asset

Attribute equals hostnames

Hostname

Any device name associated with a Device asset. Unlike an Object ID this attribute can change.

Hostname equals victorias-macbook-pro

Event Timestamp

The date and time that a telemetry event took place

Event Timestamp is after 05/09/23 12:00 AM

Event Type

The type of telemetry event that has taken place. This includes changes to attributes as well as observation times by Sources.

Event Type equals AttributeValueAdd

Object ID

A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID.

SentinelOne Object ID equals 0123456789101112131

ManageEngine Object ID equals 1312111019876543210

Source

Any Source integration that you have configured for your Sevco Organization

Source equals Crowdstrike

Source Configuration

Any Source integration configuration associated with an asset

Source Configuration equals Microsoft Azure(01234567-0123-abcd-abcd-0123456789ab)

Valid Until Timestamp

For AttributeValueAdd telemetry events, the time when the attribute was removed.

Valid Until Timestamp is after 3 days ago

Value

An attribute Value that has changed during a telemetry event. For example: a Device asset's MAC Address changing.

Value equals 00:50:56:8A:69:73

Users

Attribute Definition Example Query

Attribute

A piece of information that corresponds to a Device or User asset

Attribute equals emails

Event Timestamp

The date and time that a telemetry event took place

Event Timestamp is after 05/09/23 12:00 AM

Event Type

The type of telemetry event that has taken place. This includes changes to attributes as well as observation times by Sources.

Event Type equals AttributeValueAdd

Object ID

A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID.

SentinelOne Object ID equals 0123456789101112131

ManageEngine Object ID equals 1312111019876543210

Source

Any Source integration that you have configured for your Sevco Organization

Source equals Crowdstrike

Source Configuration

Any Source integration configuration associated with an asset

Source Configuration equals Microsoft Azure(01234567-0123-abcd-abcd-0123456789ab)

Valid Until Timestamp

For AttributeValueAdd events, the time when the attribute was removed.

Valid Until Timestamp is after 3 days ago

Value

An attribute Value that has changed during a telemetry event. For example: a User asset's corresponding email being updated.

Value equals [email protected]


Source Inventory

Devices

Attribute Definition Example

First Collected

When a Device or User asset was first collected by a specific Source integration

First Collected is on or before 07/31/22 12:00 AM

FQDN

The fully qualified domain name associated with a Device asset

FQDN exists

Hostname

Any device name associated with a Device asset. Unlike an Object ID this attribute can change.

Hostname equals victorias-macbook-pro

IP Address

The IP Address of the Device asset on a network.

IP Address equals 10.10.4.217

Last Activity

The last time a Device or User asset was identified as active on a network

Last Activity is after 05/18/23 12:00 AM

Last Observed

The last time a Device or User asset was identified as present in your environment by a Source integration

Last Observed is before 3 days ago

MAC Address

Any MAC Address associated with a Device asset

MAC Address equals 02:FF:00:BA:C0:39

Object ID

A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID.

SentinelOne Object ID equals 0123456789101112131

ManageEngine Object ID equals 1312111019876543210

OS Platform

The operating system platform of a Device asset

OS Platform equals Windows

OS Release

The specific identity of a Device asset's operating system (if available)

OS Release equals Windows 10 Enterprise

Serial Number

The serial number corresponding to a Device asset

Serial Number equals 3N326311QW-01

Users

Attribute Definition Example

Username

The username associated with a User asset for a specific Source integration

Username equals janesmith

First Collected

When a Device or User asset was first collected by a specific Source integration

First Collected is on or before 07/31/22 12:00 AM

First Name

The first name associated with a User asset

First Name equals John

Last Name

The last name associated with a User asset

Last Name equals Smith

Last Updated

When information about an asset was last updated in a Source

Last Updated is before 30 days ago

Last Activity

The last time a Device or User asset was identified as active on a network

Last Activity is after 05/18/23 12:00 AM

Last Observed

The last time a Device or User asset was identified as present in your environment by a Source integration

Last Observed is before 3 days ago

Object ID

A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID.

SentinelOne Object ID equals 0123456789101112131

ManageEngine Object ID equals 1312111019876543210

Password Changed

When a Source integration last identified a password change by a user

Password Change is less than 30 days ago

Software

Attribute Definition Example

Software Name

The name of a piece of software that has been installed on a Device asset

Software Name equals 1Password

Version

The version of a piece of software that has been installed on a Device asset

Software Name equals 1Password, and Software Version is like 7.*

Vendor

The vendor of a piece of software that has been installed on a Device asset

Software Vendor equals WindowsUpdate

Hostname

Any device name associated with a Device asset. Unlike an Object ID, this attribute can change.

Hostname equals victorias-macbook-pro

Vulnerabilities

Attribute Definition Example

Vulnerability

Potential security threats that a software vendor has identified on a Device asset

Vulnerability is like Adobe Flash*

CVE

Any Common Vulnerabilities and Exposures (CVE) codes associated with a Vulnerability. Please note that some vulnerabilities may contain multiple CVEs or none at all.

CVE equals CVE-2018-17456

OS Platform

The operating system platform associated with a Device asset

OS Platform equals Windows

OS Release

The specific operating system release installed on a Device asset

OS Release equals Windows 10 Enterprise

Severity

The severity of a Vulnerability on a Device asset. Sevco determines the severity of a vulnerability using the CVSS3 and CVSS2 scores assigned to it by your software vendor.

Severity equals High

Categories

The category a Vulnerability falls under

Categories equals MacOS X Local Security Checks

First Found

When a Vulnerability was first identified on a Device asset by your software vendor

First Found is on or before 06/07/23 12:00 AM

Last Found

The last time a Vulnerability was identified on a Device asset by your software vendor

Last Found is on or after 06/10/23 12:00 AM

CVSS3 Base

A severity score assigned by your software vendor using the most recent version of the Common Vulnerability Scoring System (CVSS). This score is determined when a Vulnerability is first discovered. Sevco uses this score in conjunction with other CVSS scores to determine the overall severity of a vulnerability.

CVSS3 Base is greater than 6.9

CVSS3 Temporal

A severity score assigned by your software vendor using the most recent version of the Common Vulnerability Scoring System (CVSS). This score may change depending on factors such as the time a Vulnerability has been present on a Device asset. Sevco uses this score in conjunction with other CVSS scores to determine the overall severity of a vulnerability.

CVSS3 Temporal is greater than 8.9

CVSS2 Base

A severity score assigned by your software vendor using an older version of the Common Vulnerability Scoring System (CVSS). This score is determined when a Vulnerability is first discovered. Sevco uses this score in conjunction with other CVSS scores to determine the overall severity of a vulnerability.

CVSS2 Base is greater than 6.9

CVSS2 Temporal

A severity score assigned by your software vendor using an older version of the Common Vulnerability Scoring System (CVSS). This score may change depending on factors such as the time a Vulnerability has been present on a Device asset. Sevco uses this score in conjunction with other CVSS scores to determine the overall severity of a vulnerability.

CVSS2 Temporal is greater than or equal to 7.0

Control Attributes

Control State Awareness and Tracking is Sevco's ability to normalize control attributes into a common field, so that you can monitor critical control states and get context on conditions that affect a control's ability to deliver its function.

Attribute Definition Example

Encryption Status

The current status and level of encryption being provided by a Control

Encryption Status equals [status]

Management State

The state or condition of a specific Control that indicates whether a device can be managed or how it is currently being managed

Rapid7 InsightVM Management State equals Agent

Protection State

The state or condition of a Control that indicates the level of, or how, a device is being controlled

Microsoft Defender for Endpoints Protection State equals Prevention

Status

The state or condition of a specific Control that indicates whether a device is online, active, or able to be controlled

Microsoft Defender for Endpoints Status equals Active

Query Conditions

Qualitative

Condition Definition Query Example

exists

An attribute exists for an asset, regardless of its value

MAC Address exists

does not exist

An attribute value does not exist for an asset

Hostname does not exist

is like

Specifies that an attribute value must begin with a certain combination of alphanumeric characters

Crowdstrike Agent Version is like 6.4*

Note: This field requires the use of at least one wildcard (*)

is not like

Specifies that an attribute value must not begin with a certain combination of alphanumeric characters

Crowdstrike Agent Version is not like 6.42*

Note: This field requires the use of at least one wildcard (*)

Quantitative

Condition Definition Query Example

between

An attribute value is between two specified numerical values

IP Address between 192.158.1.10 (and) 192.158.1.40

equals

An attribute value is equal (identical) to a specified value

First Name equals John

does not equal

An attribute value is not equal (identical) to a specified value

Last Name does not equal Smith

is greater than

An attribute value is greater than a numerical value specified by the user

CVSS3 Base is greater than 9.1

is greater than or equal to

An attribute value is greater than or equal to a numerical value

CVSS3 Base is greater than or equal to 9.1

is less than

An attribute value is less than a numerical value

CVSS3 Temporal is less than 8.8

is less than or equal to

An attribute value is less than or equal to a numerical value

CVSS3 Base is less than or equal to 8.8

Time

Condition Definition Query Example

is after

An event has taken place after a specified time

Last Activity is after 3 days ago

is on or after

An event took place at or after a specified time. We recommend using this if you are trying to identify an event that may have taken place at a specific time of day.

Last Activity is on or after 05/18/23 12:00 AM

is before

An event took place before a specified time

Last Observed is before 3 days ago

is on or before

An event took place at or before a specified time. We recommend using this if you are trying to identify an event that may have taken place at a specific time of day.

Last Observed is on or before 05/18/23 12:00 AM
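As an added illustration (not code from the Sevco documentation), a small Python evaluator that applies the qualitative, quantitative and time conditions defined above to a constructed device inventory: the record field names, the fixed NOW reference point for "ago" values and glob-style wildcard matching are assumptions.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from ipaddress import ip_address

# Constructed sample inventory (hypothetical, not real Sevco data); NOW fixes
# the "ago" reference point so relative time conditions are reproducible.
NOW = datetime(2023, 5, 20, tzinfo=timezone.utc)
DEVICES = [
    {"hostname": "victorias-macbook-pro", "agent_version": "6.42.1",
     "ip": "192.158.1.12", "mac": "02:FF:00:BA:C0:39",
     "last_observed": NOW - timedelta(days=1)},
    {"hostname": "build-server-01", "agent_version": "6.40.3",
     "ip": "10.10.4.217", "last_observed": NOW - timedelta(days=5)},
    {"hostname": None, "agent_version": "7.01.0",          # nameless asset
     "ip": "192.158.1.50", "mac": "00:50:56:8A:69:73",
     "last_observed": NOW - timedelta(days=10)},
]

def relative_time(spec):
    """Resolve '3 days ago' to an absolute timestamp; datetimes pass through."""
    if isinstance(spec, datetime):
        return spec
    count, unit, _ago = spec.split()          # e.g. "30 days ago"
    return NOW - timedelta(**{unit.rstrip("s") + "s": int(count)})

def matches(asset, attr, cond, value=None):
    """Evaluate one Query Builder condition against one asset record."""
    v = asset.get(attr)
    if cond == "exists":
        return v is not None
    if cond == "does not exist":
        return v is None
    if v is None:                     # an absent attribute fails every value test
        return False
    if cond in ("is like", "is not like"):
        if "*" not in value:          # the page requires at least one wildcard
            raise ValueError("'is like' requires at least one wildcard (*)")
        hit = fnmatchcase(str(v), value)   # assumed glob semantics: '6.4*' = begins with 6.4
        return hit if cond == "is like" else not hit
    if cond == "between":             # compare IPs numerically, not as strings
        low, high = (ip_address(x) for x in value)
        return low <= ip_address(v) <= high
    if cond == "equals":
        return v == value
    if cond == "does not equal":
        return v != value
    if cond == "is after":
        return v > relative_time(value)
    if cond == "is on or after":
        return v >= relative_time(value)
    if cond == "is before":
        return v < relative_time(value)
    if cond == "is on or before":
        return v <= relative_time(value)
    raise ValueError(f"unsupported condition {cond!r}")

def query(attr, cond, value=None):
    """Hostnames of the assets that satisfy the condition (None = no hostname)."""
    return [d.get("hostname") for d in DEVICES if matches(d, attr, cond, value)]
```

query("last_observed", "is before", "3 days ago") returns the assets no Source has seen recently, the same stale-asset check the Last Observed example on this page expresses.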