Query Parameters and Attributes
A complete list of query parameters and attributes
Query Parameters
The Query Builder has four main parameters that can be used to assemble a query.

Source Attributes
The Attribute parameters allow you to select which data attribute(s) you would like to build your query around. Select the Attribute field to begin defining this parameter.

The attributes menu is broken down into several areas:
- At the top of the menu, there are Devices and User tabs. The tab corresponding to the Live Inventory page you are in is selected by default. These tabs are primarily used for cross-asset searches, which will be covered in a later section.
- The left panel contains a list of Sources. If needed, use this section to specify whether you would like to include only assets from a specific Source in your rule's condition.
- The right panel is where you select the data Attribute(s) you would like to build your query around.
Condition
The Condition parameter defines the condition an attribute must meet to satisfy a rule's requirements. Only assets and telemetry events that satisfy your conditions will be displayed in your results.

Value
Once you've selected an attribute and condition, you will need to define the Value you will be using to determine if a condition is satisfied. Please note that this field will not display when the Exists or Does not exist condition is selected, as the value is already defined in the condition itself.
In some instances, you may be asked to select a value from a pre-defined list of values. This is dependent on the attribute you have chosen.

Source Attributes
This Attributes list excludes Source-specific attributes. For questions about these attributes, please contact our Support team.
Please review the tables below for a list of Source attributes for each query builder in the Sevco platform. You will also find every possible condition and value that can be applied to an attribute.
Live Inventory
Devices
Attribute | Definition | Example |
---|---|---|
|
The specific Active Directory domain name assigned to a Device or User asset. |
|
|
The Agent Version a Source integration is currently running on for a particular Device asset |
|
|
Any usernames associated with a Device asset |
|
|
The Category that a Source integration falls under |
|
|
The City corresponding to a Device asset's External IP address |
|
|
The Enterprise Endpoint subcategory that identifies the type of source control present for an asset |
|
|
||
|
The name typically associated with or issued by Directory Service Source integrations. |
|
|
The specific domain name assigned to a Device asset. In this context, domain names are most often assigned using a domain controller such as Microsoft Active Directory. |
|
|
The External IP Address associated with any network a Device asset has connected to |
|
|
When a Device or User asset was first collected by Sevco |
|
|
The first time a Device or User asset was identified as present in your environment by a Source integration |
|
|
The fully qualified domain name associated with a Device asset |
|
|
||
|
Any device name associated with a Device asset. Unlike an Object ID this attribute can change. |
|
|
||
|
The Internal IP Address associated with any network a Device asset has connected to. |
|
|
The IP Address of the Device asset on a network. |
|
|
The last time a Device or User asset was identified as active on a network |
|
|
The last time a Device or User asset was identified as present in your environment by a Source integration |
|
|
The latitude corresponding to a Device asset's External IP address |
|
|
The longitude corresponding to a Device asset's External IP address |
|
|
Any MAC address associated with a Device asset |
|
|
The MAC manufacturer who manufactured a piece of network hardware on a Device asset |
|
|
The Network type a Device asset is associated with: On Premise, Cloud, or Unknown (typically listed as a location if available) |
|
|
The total number of Sources associated with a Device or User asset |
|
|
A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID. |
|
|
The operating system of a Device asset |
|
|
The date and time that a Device asset's operating system enters an end-of-life state (is no longer supported by its vendor). |
|
|
The operating system platform of a Device asset |
|
|
The specific identity of a Device asset's operating system (if available) |
|
|
The specific version of a Device asset's operating system. |
|
|
The world region corresponding to a Device asset's External IP address |
|
|
The serial number corresponding to a Device asset |
|
|
Any Source integration that you have configured for your Sevco Organization |
|
|
Any Source integration configuration associated with an asset |
|
|
Any Tag that has been assigned to an asset |
|
Users
Attribute | Definition | Value |
---|---|---|
Active Directory Domains | The specific Active Directory domain name assigned to a Device or User asset. | Active Directory Domains equals company.com |
Agent Version | The Agent Version a Source is currently running on for a particular asset | Okta Agent Version does not exist |
Correlation ID | ||
Domain | The specific domain name assigned to a Device asset. In this context, domain names are most often assigned using a domain controller such as Microsoft Active Directory. | Domain equals company.com |
Emails | Any Emails associated with a User asset | Email equals [email protected] |
First Observed Timestamp | The first time a Device or User asset was identified as present in your environment by a Source integration | First Observed Timestamp is before 05/17/23 12:00 AM |
First Name | The first name associated with a User asset | First Name equals John |
ID | ||
Last Activity Timestamp | The last time a Device or User asset was identified as active on a network | Last Activity is after 05/18/23 12:00 AM |
Last Name | The last name associated with a User asset | Last Name equals Smith |
Last Observed Timestamp | The last time a Device or User asset was identified as present in your environment by a Source integration | Last Observed is before 3 days ago |
Last Updated | When information about an asset was last updated by a in a Source | Last Updated is before 30 days ago |
Number of Sources | The total number of Sources associated with a Device or User asset | Number of Sources equals 3 |
Source | Any Source integration that you have configured for your Sevco Organization | Source equals Crowdstrike |
Source Configuration | Any Source integration configuration associated with an asset | Source Configuration equals Microsoft Azure(01234567-0123-abcd-abcd-0123456789ab) |
Tag | Any Tag that has been applied to an asset. | Tag equals Password Expired |
Telemetry
Devices
Attribute | Definition | Example Query |
---|---|---|
|
A piece of information that corresponds to a Device or User asset |
|
|
Any device name associated with a Device asset. Unlike an Object ID this attribute can change. |
|
|
The date and time that a telemetry event took place |
|
|
The type of telemetry event that has taken place. This includes changes to attributes as well as observation times by Sources. |
|
|
A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID. |
|
|
Any Source integration that you have configured for your Sevco Organization |
|
|
Any Source integration configuration associated with an asset |
|
|
For |
|
|
An attribute Value that has changed during a telemetry event. For example: a Device asset's MAC Address changing. |
|
Users
Attribute | Definition | Example Query |
---|---|---|
|
A piece of information that corresponds to a Device or User asset |
|
|
The date and time that a telemetry event took place |
|
|
The type of telemetry event that has taken place. This includes changes to attributes as well as observation times by Sources. |
|
|
A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID. |
|
|
Any Source integration that you have configured for your Sevco Organization |
|
|
Any Source integration configuration associated with an asset |
|
|
For |
|
|
An attribute Value that has changed during a telemetry event. For example: a User asset's corresponding email being updated. |
|
Source Inventory
Devices
Attribute | Definition | Example |
---|---|---|
|
When a Device or User asset was first collected by a specific Source integration |
|
|
The fully qualified domain name associated with a Device asset |
|
|
Any device name associated with a Device asset. Unlike an Object ID this attribute can change. |
|
|
The IP Address of the Device asset on a network. |
|
|
The last time a Device or User asset was identified as active on a network |
|
|
The last time a Device or User asset was identified as present in your environment by a Source integration |
|
|
Any MAC Address associated with a Device asset |
|
|
A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID. |
|
|
The operating system platform of a Device asset |
|
|
The specific identity of a Device asset's operating system (if available) |
|
|
The serial number corresponding to a Device asset |
|
Users
Attribute | Definition | Example |
---|---|---|
|
The username associated with a User asset for a specific Source integration |
|
|
When a Device or User asset was first collected by a specific Source integration |
|
|
The first name associated with a User asset |
|
|
The last name associated with a User asset |
|
|
When information about an asset was last updated by a in a Source |
|
|
The last time a Device or User asset was identified as active on a network |
|
|
The last time a Device or User asset was identified as present in your environment by a Source integration |
|
|
A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID. |
|
|
When a Source integration last identified a password change by a user |
|
Software
Attribute | Definition | Example |
---|---|---|
Software Name | The name of a piece of software that has been installed on a Device asset | Software Name equals 1Password |
Version | The version of a piece of software that has been installed on a Device asset | Software Name equals 1Password, and Software Version is like 7.* |
Vendor | The vendor of a piece of software that has been installed on a Device asset | Software Vendor equals WindowsUpdate |
Hostname | Any device name associated with a Device asset. Unlike an Object ID this attribute can change. | Hostname equals victorias-macbook-pro |
Vulnerabilities
Attribute | Definition | Example |
---|---|---|
Vulnerability | Potential security threats that a software vendor has identified on a Device asset | Vulnerability is like Adobe Flash* |
CVE | Any Common Vulnerabilities and Exposures (CVE) codes associated with a Vulnerability. Please note that some vulnerabilities may contain multiple CVEs or none at all. | CVE equals CVE-2018-17456 |
OS Platform | The operating system platform associated with a Device asset | OS Platform equals Windows |
OS Release | The specific operating system release installed on a Device asset | OS Release equals Windows 10 Enterprise |
Severity | The severity of a Vulnerability on a Device asset. Sevco determines severity of a vulnerability using the CVSS3 and CVSS2 scores assigned to it by your software vendor. | Severity equals High |
Categories | The category a Vulnerability falls under | Categories equals MacOS X Local Security Checks |
First Found | When a Vulnerability was first identified on a Device asset by your software vendor | First Found is on or before 06/07/23 12:00 AM |
Last Found | The last time a Vulnerability was identified on a Device asset by your software vendor | Last Found is on or after 06/10/23 12:00 AM |
CVSS3 Base | A severity score assigned by your software vendor using the most recent version of the Common Vulnerability Scoring System (CVSS). This score is determined when a Vulnerability is first discovered. Sevco uses this score in conjunction with other CVSS scores to determine the overall severity of a vulnerability. | CVSS3 Base is greater than 6.9 |
CVSS3 Temporal | A severity score assigned by your software vendor using the most recent version of the Common Vulnerability Scoring System (CVSS). This score may change depending on factors such as the time a Vulnerability has been present on a Device Asset. Sevco uses this score in conjunction with other CVSS scores to determine the overall severity of a vulnerability. | CVSS3 Temporal is greater than 8.9 |
CVSS2 Base | A severity score assigned by your software vendor using an older version of the Common Vulnerability Scoring System (CVSS). This score is determined when a Vulnerability is first discovered. Sevco uses this score in conjunction with other CVSS scores to determine the overall severity of a vulnerability. | CVSS2 Base is greater than 6.9 |
CVSS2 Temporal | A severity score assigned by your software vendor using an older version of the Common Vulnerability Scoring System (CVSS). This score may change depending on factors such as the time a Vulnerability has been present on a Device Asset. Sevco uses this score in conjunction with other CVSS scores to determine the overall severity of a vulnerability. | CVSS3 Temporal is greater than or equal to 7.0 |
Control Attributes
Control State Awareness and Tracking is Sevco’s ability to normalize control attributes to a common field in order to monitor and provide context about critical control states that affect a control's ability to deliver its function.
Attribute | Definition | Example |
---|---|---|
Encryption Status | The current status and level of encryption being provided by a Control | Encryption Status equals [status] |
Management State | The state or condition of a specific Control that indicates whether a device can be managed or how it is currently being managed | Rapid7 InsightVM Management State equals Agent |
Protection State | The state or condition of a Control that indicates the level of or how a device is being controlled | Microsoft Defender for Endpoints Protection State equals Prevention |
Status | The state or condition of a specific Control that indicates whether a device is online, active, or able to be controlled | Microsoft Defender for Endpoints Status equals Active |
Query Conditions
Qualitative
Condition | Definition | Query Example |
---|---|---|
|
An attribute exists for an asset, regardless of its value |
|
|
An attribute value does not exist for an asset |
|
|
Specifies that an attribute value must begin with a certain combination of alphanumeric characters |
|
|
Specifies that an attribute value must not start with a certain combination of alphanumeric characters |
|
Quantitative
Condition | Definition | Query Example |
---|---|---|
between | An attribute value is between two specified numerical values | IP Address between 192.158.1.10 (and) 192.158.1.40 |
equals | An attribute value is equal (identical) to a specified value | First Name equals John |
does not equal | An attribute value is not equal (identical) to a specified value | Last Name does not equal Smith |
is greater than | An attribute value is greater than a numerical value specified by the user | CVSS3 Base is greater than 9.1 |
is greater than or equal to | An attribute value is greater than or equal to a numerical value | CVSS3 Base is greater than or equal to 9.1 |
is less than | An attribute value is less than a numerical value | CVSS3 Temporal is less than 8.8 |
is less than or equal to | An attribute value is less than or equal to a numerical value | CVSS3 Base is less than or equal to 8.8 |
Time
Condition | Definition | Query Example |
---|---|---|
is after | An event has taken place after a specified time | Last Activity is after 3 days ago |
is on or after | An event took place at or after a specified time. We recommend using this if you are trying to identify an event that may have taken place at a specific time of day. | Last Activity is on or after 05/18/23 12:00 AM |
is before | An event took place before a specified time | Last Observed is before 3 days ago |
is on or before | An event took place at or before a specified time. We recommend using this if you are trying to identify an event that may have taken place at a specific time of day. | Last Observed is on or before 05/18/23 12:00 AM |
Updated 12 days ago