Query Parameters and Attributes

A complete list of query parameters and attributes

Query Parameters

The Query Builder assembles a query from the parameters described below: the Source Attribute to query on, the Condition that attribute must satisfy, and the Value the condition is tested against.


Source Attributes

The Attribute parameter lets you select which data attribute(s) you would like to build your query around. Select the Attribute field to begin defining this parameter.

The attributes menu is broken down into several areas:

  1. At the top of the menu there are Devices and Users tabs. The tab corresponding to the Live Inventory page you are in is selected by default. These tabs are primarily used for cross-asset searches, which will be covered in a later section.

  2. The left panel contains a list of Sources. If needed, use this section to restrict your rule's condition to assets reported by a specific Source.

  3. The right panel is where you select which data Attribute(s) you would like to build your query around.

Condition

The Condition parameter defines the test an attribute value must pass for an asset to match the rule. Only assets and telemetry events that satisfy every condition in the rule are displayed in your results.

[Screenshot: the user selects "is after" from the Condition dropdown]

Value

Once you've selected an attribute and condition, you will need to define the Value that the condition is tested against. This field is not displayed when the Exists or Does not exist condition is selected, because those conditions need no value.

ℹ️ For some attributes you select the value from a pre-defined list instead of typing it. Which list appears depends on the attribute you have chosen.

[Screenshot: the user selects a date from the Date Picker]



Source Attributes

ℹ️ This attributes list excludes Source-specific attributes. For questions about those attributes, please contact our Support team.

The tables below list the Source attributes available to each query builder in the Sevco platform, with a definition and an example condition and value for each attribute.

Live Inventory

Devices

Attribute | Definition | Example
Active Directory Domains | The specific Active Directory domain name assigned to a Device or User asset. | Active Directory Domains equals company.com
Agent Version | The Agent Version a Source integration is currently running for a particular Device asset. | Crowdstrike Agent Version is not like 6.42*
Associated Usernames | Any usernames associated with a Device asset. | Associated Usernames is like john*
Category | The Category that a Source integration falls under. | Category equals Enterprise Endpoint
City | The City corresponding to a Device asset's External IP address. | City equals Brooklyn
Controls | The Enterprise Endpoint subcategory that identifies the type of source control present for an asset. | Controls equals Configuration Management
Correlation ID | |
Distinguished Name | The name typically associated with or issued by Directory Service Source integrations. | Distinguished Name equals cn=fcfdlfs,ou=dpnqvufst oz,ou=bluth dpnqvufst,dc=bluth-dp,dc=com
Domain | The specific domain name assigned to a Device asset. In this context, domain names are most often assigned by a domain controller such as Microsoft Active Directory. | Domain equals company.com
External IP Address | The External IP Address associated with any network a Device asset has connected to. | External IP Address between 192.158.1.10 (and) 192.158.1.40
First Collection Date | When a Device or User asset was first collected by Sevco. | First Collection Date is on or before 07/31/22 12:00 AM
First Observed Timestamp | The first time a Device or User asset was identified as present in your environment by a Source integration. | First Observed Timestamp is before 05/17/23 12:00 AM
FQDN | The fully qualified domain name associated with a Device asset. | FQDN exists
GeoIP Associated IP | |
Hostname | Any device name associated with a Device asset. Unlike an Object ID, this attribute can change. | Hostname equals victorias-macbook-pro
ID | |
Internal IPs | The Internal IP Address associated with any network a Device asset has connected to. | Internal IPs equals 192.168.1.1
IP Address | The IP Address of the Device asset on a network. | IP Address equals 10.10.4.217
Last Activity Timestamp | The last time a Device or User asset was identified as active on a network. | Last Activity Timestamp is after 05/18/23 12:00 AM
Last Observed Timestamp | The last time a Device or User asset was identified as present in your environment by a Source integration. | Last Observed Timestamp is before 3 days ago
Latitude | The latitude corresponding to a Device asset's External IP address. | Latitude equals 37.4221° N
Longitude | The longitude corresponding to a Device asset's External IP address. | Longitude equals 122.0841° W
Mac Address | Any MAC address associated with a Device asset. | Mac Address equals 02:FF:00:BA:C0:39
Mac Manufacturer | The manufacturer of a piece of network hardware on a Device asset, as identified from its MAC address. | Mac Manufacturer equals Intel Corporate
Network Location | The Network type a Device asset is associated with: On Premise, Cloud, or Unknown (typically listed as a location if available). | Network Location does not equal Cloud
Number of Sources | The total number of Sources associated with a Device or User asset. | Number of Sources equals 3
Object ID | A permanent ID assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID. | SentinelOne Object ID equals 0123456789101112131; Manage Engine Object ID equals 1312111019876543210
OS | The operating system of a Device asset. | OS equals Windows 11 Professional (x64)
OS End of Life Timestamp | The date and time at which a Device asset's operating system enters an end-of-life state (is no longer supported by its vendor). | OS End of Life Timestamp is on or before 30 days ago
OS Platform | The operating system platform of a Device asset. | OS Platform equals Windows
OS Release | The specific identity of a Device asset's operating system (if available). | OS Release equals Windows 11 Professional
OS Version | The specific version of a Device asset's operating system. | OS Platform equals MacOS, and OS Version is like 12.6*
Region | The world region corresponding to a Device asset's External IP address. | Region equals Europe
Serial Number | The serial number corresponding to a Device asset. | Serial Number equals 3N326311QW-01
Source | Any Source integration that you have configured for your Sevco Organization. | Source equals Crowdstrike
Source Configuration | Any Source integration configuration associated with an asset. | Source Configuration equals Microsoft Azure (01234567-0123-abcd-abcd-0123456789ab)
Tag | Any Tag that has been assigned to an asset. | Tag equals Password Expired

Users

Attribute | Definition | Example
Active Directory Domains | The specific Active Directory domain name assigned to a Device or User asset. | Active Directory Domains equals company.com
Agent Version | The Agent Version a Source is currently running for a particular asset. | Okta Agent Version does not exist
Correlation ID | |
Domain | The specific domain name assigned to a Device or User asset. In this context, domain names are most often assigned by a domain controller such as Microsoft Active Directory. | Domain equals company.com
Emails | Any email addresses associated with a User asset. | Email equals [email protected]
First Observed Timestamp | The first time a Device or User asset was identified as present in your environment by a Source integration. | First Observed Timestamp is before 05/17/23 12:00 AM
First Name | The first name associated with a User asset. | First Name equals John
ID | |
Last Activity Timestamp | The last time a Device or User asset was identified as active on a network. | Last Activity Timestamp is after 05/18/23 12:00 AM
Last Name | The last name associated with a User asset. | Last Name equals Smith
Last Observed Timestamp | The last time a Device or User asset was identified as present in your environment by a Source integration. | Last Observed Timestamp is before 3 days ago
Last Updated | When information about an asset was last updated in a Source. | Last Updated is before 30 days ago
Number of Sources | The total number of Sources associated with a Device or User asset. | Number of Sources equals 3
Source | Any Source integration that you have configured for your Sevco Organization. | Source equals Crowdstrike
Source Configuration | Any Source integration configuration associated with an asset. | Source Configuration equals Microsoft Azure (01234567-0123-abcd-abcd-0123456789ab)
Tag | Any Tag that has been applied to an asset. | Tag equals Password Expired


Telemetry

Devices

Attribute | Definition | Example Query
Attribute | The piece of asset information (the attribute) that a telemetry event concerns. | Attribute equals hostnames
Hostname | Any device name associated with a Device asset. Unlike an Object ID, this attribute can change. | Hostname equals victorias-macbook-pro
Event Timestamp | The date and time at which a telemetry event took place. | Event Timestamp is after 05/09/23 12:00 AM
Event Type | The type of telemetry event that has taken place. This includes changes to attributes as well as observation times recorded by Sources. | Event Type equals AttributeValueAdd
Object ID | A permanent ID assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID. | SentinelOne Object ID equals 0123456789101112131; Manage Engine Object ID equals 1312111019876543210
Source | Any Source integration that you have configured for your Sevco Organization. | Source equals Crowdstrike
Source Configuration | Any Source integration configuration associated with an asset. | Source Configuration equals Microsoft Azure (01234567-0123-abcd-abcd-0123456789ab)
Valid Until Timestamp | For AttributeValueAdd telemetry events, the time at which the added attribute value was removed again. | Valid Until Timestamp is after 3 days ago
Value | The attribute Value that changed in a telemetry event, for example a Device asset's MAC address. | Value equals 00:50:56:8A:69:73

Users

Attribute | Definition | Example Query
Attribute | The piece of asset information (the attribute) that a telemetry event concerns. | Attribute equals emails
Event Timestamp | The date and time at which a telemetry event took place. | Event Timestamp is after 05/09/23 12:00 AM
Event Type | The type of telemetry event that has taken place. This includes changes to attributes as well as observation times recorded by Sources. | Event Type equals AttributeValueAdd
Object ID | A permanent ID assigned by a Source integration to identify an asset. Each Source assigns its own Object ID. | SentinelOne Object ID equals 0123456789101112131; Manage Engine Object ID equals 1312111019876543210
Source | Any Source integration that you have configured for your Sevco Organization. | Source equals Crowdstrike
Source Configuration | Any Source integration configuration associated with an asset. | Source Configuration equals Microsoft Azure (01234567-0123-abcd-abcd-0123456789ab)
Valid Until Timestamp | For AttributeValueAdd telemetry events, the time at which the added attribute value was removed again. | Valid Until Timestamp is after 3 days ago
Value | The attribute Value that changed in a telemetry event, for example a User asset's email address being updated. | Value equals [email protected]
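The two telemetry tables describe AttributeValueAdd events as a value with an Event Timestamp (when it appeared) and a Valid Until Timestamp (when it was removed), which means the history of an attribute can be replayed from those events. The following is an added example, not Sevco code or a Sevco API: it replays a constructed event list to show which values an attribute held at a given time, and turns the two queries "Event Timestamp is after <time>" and "Valid Until Timestamp is after <time>" into an added/removed report. The event field names follow the tables above; the attribute key "mac_addresses", the Object IDs, the fixed NOW and the function names are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so relative windows such as "3 days ago" are reproducible (assumption).
NOW = datetime(2023, 5, 20, tzinfo=timezone.utc)


def ts(month: int, day: int) -> datetime:
    """Shorthand for a UTC midnight timestamp in 2023 (used only to build sample data)."""
    return datetime(2023, month, day, tzinfo=timezone.utc)


# Constructed AttributeValueAdd events, not real telemetry. Field names follow the
# Telemetry tables; "mac_addresses" as the attribute key and the Object IDs are assumptions.
# "Valid Until Timestamp" is None while the value is still present on the asset.
EVENTS = [
    {"Event Type": "AttributeValueAdd", "Object ID": "dev-1", "Source": "SentinelOne",
     "Attribute": "hostnames", "Value": "victorias-macbook-pro",
     "Event Timestamp": ts(5, 1), "Valid Until Timestamp": None},
    {"Event Type": "AttributeValueAdd", "Object ID": "dev-1", "Source": "SentinelOne",
     "Attribute": "mac_addresses", "Value": "02:FF:00:BA:C0:39",
     "Event Timestamp": ts(5, 1), "Valid Until Timestamp": ts(5, 18)},
    {"Event Type": "AttributeValueAdd", "Object ID": "dev-1", "Source": "SentinelOne",
     "Attribute": "mac_addresses", "Value": "00:50:56:8A:69:73",
     "Event Timestamp": ts(5, 18), "Valid Until Timestamp": None},
    {"Event Type": "AttributeValueAdd", "Object ID": "dev-2", "Source": "Crowdstrike",
     "Attribute": "mac_addresses", "Value": "3C:22:FB:10:2A:91",
     "Event Timestamp": ts(5, 1), "Valid Until Timestamp": None},
    {"Event Type": "AttributeValueAdd", "Object ID": "dev-3", "Source": "Crowdstrike",
     "Attribute": "mac_addresses", "Value": "3C:22:FB:44:00:1D",
     "Event Timestamp": ts(5, 2), "Valid Until Timestamp": ts(5, 5)},
]


def values_at(events, object_id: str, attribute: str, when: datetime) -> set:
    """Values that `attribute` held on `object_id` at time `when`, replayed from add events.

    A value is present from its Event Timestamp up to, but excluding, its Valid Until
    Timestamp; an open-ended event (Valid Until Timestamp is None) is still present.
    """
    return {
        e["Value"] for e in events
        if e["Event Type"] == "AttributeValueAdd"
        and e["Object ID"] == object_id
        and e["Attribute"] == attribute
        and e["Event Timestamp"] <= when
        and (e["Valid Until Timestamp"] is None or e["Valid Until Timestamp"] > when)
    }


def attribute_changes(events, attribute: str, since: datetime) -> dict:
    """Per Object ID, the values of `attribute` added or removed after `since`.

    Additions correspond to the query "Attribute equals <attribute>, and Event Timestamp
    is after <since>"; removals to "... and Valid Until Timestamp is after <since>".
    """
    changes = {}
    for e in events:
        if e["Event Type"] != "AttributeValueAdd" or e["Attribute"] != attribute:
            continue
        entry = changes.setdefault(e["Object ID"], {"added": [], "removed": []})
        if e["Event Timestamp"] > since:
            entry["added"].append(e["Value"])
        valid_until = e["Valid Until Timestamp"]
        if valid_until is not None and valid_until > since:
            entry["removed"].append(e["Value"])
    # Keep only assets where something actually changed inside the window.
    return {oid: c for oid, c in changes.items() if c["added"] or c["removed"]}


def mac_swaps(events, since: datetime) -> list:
    """Object IDs whose MAC address was both removed and added after `since`.

    A swap (rather than a plain addition) is the pattern a re-imaged, spoofed or
    mis-correlated device produces, so it is worth reviewing separately.
    """
    return sorted(
        oid for oid, c in attribute_changes(events, "mac_addresses", since).items()
        if c["added"] and c["removed"]
    )


if __name__ == "__main__":
    window_start = NOW - timedelta(days=3)
    print(values_at(EVENTS, "dev-1", "mac_addresses", ts(5, 10)))
    print(attribute_changes(EVENTS, "mac_addresses", window_start))
    print(mac_swaps(EVENTS, window_start))
```

The boundary handling matters: a value whose Valid Until Timestamp equals the query time is treated as already gone, and the replacement value added at that same instant as present, so a swap never shows two MACs at once. dev-3 shows the other edge case, a value removed with nothing added afterwards, which leaves the attribute empty at NOW.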


Source Inventory

Devices

Attribute | Definition | Example
First Collected | When a Device or User asset was first collected by a specific Source integration. | First Collected is on or before 07/31/22 12:00 AM
FQDN | The fully qualified domain name associated with a Device asset. | FQDN exists
Hostname | Any device name associated with a Device asset. Unlike an Object ID, this attribute can change. | Hostname equals victorias-macbook-pro
IP Address | The IP Address of the Device asset on a network. | IP Address equals 10.10.4.217
Last Activity | The last time a Device or User asset was identified as active on a network. | Last Activity is after 05/18/23 12:00 AM
Last Observed | The last time a Device or User asset was identified as present in your environment by a Source integration. | Last Observed is before 3 days ago
Mac Address | Any MAC address associated with a Device asset. | Mac Address equals 02:FF:00:BA:C0:39
Object ID | A permanent ID assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID. | SentinelOne Object ID equals 0123456789101112131; Manage Engine Object ID equals 1312111019876543210
OS Platform | The operating system platform of a Device asset. | OS Platform equals Windows
OS Release | The specific identity of a Device asset's operating system (if available). | OS Release equals Windows 10 Enterprise
Serial Number | The serial number corresponding to a Device asset. | Serial Number equals 3N326311QW-01

Users

Attribute | Definition | Example
Username | The username associated with a User asset for a specific Source integration. | Username equals janesmith
First Collected | When a Device or User asset was first collected by a specific Source integration. | First Collected is on or before 07/31/22 12:00 AM
First Name | The first name associated with a User asset. | First Name equals John
Last Name | The last name associated with a User asset. | Last Name equals Smith
Last Updated | When information about an asset was last updated in a Source. | Last Updated is before 30 days ago
Last Activity | The last time a Device or User asset was identified as active on a network. | Last Activity is after 05/18/23 12:00 AM
Last Observed | The last time a Device or User asset was identified as present in your environment by a Source integration. | Last Observed is before 3 days ago
Object ID | A permanent ID assigned by a Source integration to identify an asset. Each Source assigns its own Object ID. | SentinelOne Object ID equals 0123456789101112131; Manage Engine Object ID equals 1312111019876543210
Password Changed | When a Source integration last identified a password change by a user. | Password Changed is less than 30 days ago

Software

Attribute | Definition | Example
Software Name | The name of a piece of software installed on a Device asset. | Software Name equals 1Password
Version | The version of a piece of software installed on a Device asset. | Software Name equals 1Password, and Software Version is like 7.*
Vendor | The vendor of a piece of software installed on a Device asset. | Software Vendor equals WindowsUpdate
Hostname | Any device name associated with a Device asset. Unlike an Object ID, this attribute can change. | Hostname equals victorias-macbook-pro

Vulnerabilities

Attribute | Definition | Example
Vulnerability | A potential security threat that a software vendor has identified on a Device asset. | Vulnerability is like Adobe Flash*
CVE | Any Common Vulnerabilities and Exposures (CVE) identifiers associated with a Vulnerability. Note that a vulnerability may carry several CVEs or none at all. | CVE equals CVE-2018-17456
OS Platform | The operating system platform associated with a Device asset. | OS Platform equals Windows
OS Release | The specific operating system release installed on a Device asset. | OS Release equals Windows 10 Enterprise
Severity | The severity of a Vulnerability on a Device asset. Sevco derives severity from the CVSS3 and CVSS2 scores assigned to the vulnerability by your software vendor. | Severity equals High
Categories | The category a Vulnerability falls under. | Categories equals MacOS X Local Security Checks
First Found | When a Vulnerability was first identified on a Device asset by your software vendor. | First Found is on or before 06/07/23 12:00 AM
Last Found | The last time a Vulnerability was identified on a Device asset by your software vendor. | Last Found is on or after 06/10/23 12:00 AM
CVSS3 Base | A CVSS version 3 base score assigned by your software vendor. The base score reflects the intrinsic characteristics of the vulnerability and is intended to stay constant over time. Sevco uses it together with the other CVSS scores to determine overall severity. | CVSS3 Base is greater than 6.9
CVSS3 Temporal | A CVSS version 3 temporal score assigned by your software vendor. It adjusts the base score for factors that change over time (exploit code maturity, remediation level and report confidence), so it can move after the vulnerability is first reported. Sevco uses it together with the other CVSS scores to determine overall severity. | CVSS3 Temporal is greater than 8.9
CVSS2 Base | A CVSS version 2 base score assigned by your software vendor. Like the version 3 base score, it is intended to stay constant over time. Sevco uses it together with the other CVSS scores to determine overall severity. | CVSS2 Base is greater than 6.9
CVSS2 Temporal | A CVSS version 2 temporal score assigned by your software vendor. Like the version 3 temporal score, it can change as exploit availability, remediation status and report confidence change. Sevco uses it together with the other CVSS scores to determine overall severity. | CVSS2 Temporal is greater than or equal to 7.0

The thresholds in these examples line up with the CVSS v3 qualitative rating scale published by FIRST (High is 7.0 to 8.9, Critical is 9.0 to 10.0), so "CVSS3 Base is greater than 6.9" selects High and Critical findings and "is greater than 8.9" selects Critical findings only. CVSS scores carry one decimal place, so "greater than 6.9" and "greater than or equal to 7.0" are equivalent.


Control Attributes

Control State Awareness and Tracking is Sevco's ability to normalize control attributes from different Sources into common fields, so that you can monitor, and get context about, the critical control states that determine whether a control is actually delivering its function on an asset.

Attribute | Definition | Example
Encryption Status | The current status and level of encryption being provided by a Control. | Encryption Status equals [status]
Management State | The state or condition of a specific Control that indicates whether a device can be managed, or how it is currently being managed. | Rapid7 InsightVM Management State equals Agent
Protection State | The state or condition of a Control that indicates the level at which, or how, a device is being controlled. | Microsoft Defender for Endpoints Protection State equals Prevention
Status | The state or condition of a specific Control that indicates whether a device is online, active, or able to be controlled. | Microsoft Defender for Endpoints Status equals Active


Query Conditions

Qualitative

Condition | Definition | Query Example
exists | An attribute exists for an asset, regardless of its value. | Mac Address exists
does not exist | No value of the attribute exists for an asset. | Hostname does not exist
is like | The attribute value must match a pattern in which the wildcard (*) stands for any run of characters, so "6.4*" matches any value that begins with 6.4. The pattern must contain at least one wildcard (*). | Crowdstrike Agent Version is like 6.4*
is not like | The attribute value must not match such a pattern. The pattern must contain at least one wildcard (*). | Crowdstrike Agent Version is not like 6.42*

Quantitative

Condition | Definition | Query Example
between | An attribute value lies between two specified values of an ordered type, such as numbers or IP addresses. | IP Address between 192.158.1.10 (and) 192.158.1.40
equals | An attribute value is equal (identical) to a specified value. | First Name equals John
does not equal | An attribute value is not equal (identical) to a specified value. | Last Name does not equal Smith
is greater than | An attribute value is greater than a numerical value specified by the user. | CVSS3 Base is greater than 9.1
is greater than or equal to | An attribute value is greater than or equal to a numerical value. | CVSS3 Base is greater than or equal to 9.1
is less than | An attribute value is less than a numerical value. | CVSS3 Temporal is less than 8.8
is less than or equal to | An attribute value is less than or equal to a numerical value. | CVSS3 Base is less than or equal to 8.8

Time

Condition | Definition | Query Example
is after | An event took place strictly after a specified time. | Last Activity is after 3 days ago
is on or after | An event took place at or after a specified time. Use this rather than "is after" when the event may have taken place at exactly the time you specify, since "is after" excludes the boundary. | Last Activity is on or after 05/18/23 12:00 AM
is before | An event took place strictly before a specified time. | Last Observed is before 3 days ago
is on or before | An event took place at or before a specified time. Use this rather than "is before" when the event may have taken place at exactly the time you specify, since "is before" excludes the boundary. | Last Observed is on or before 05/18/23 12:00 AM
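To make the semantics of the Query Parameters section and the three condition tables concrete, here is an added example (not Sevco code and not a Sevco API) that evaluates (attribute, condition, value) clauses against a small constructed inventory. It implements the points the tables make: "is like" refuses a pattern without a wildcard; "between" and the comparison conditions work on IP addresses as well as numbers by comparing addresses numerically; relative values such as "3 days ago" and absolute values in the MM/DD/YY HH:MM AM form used in the examples are both accepted; and "is after" excludes the boundary instant while "is on or after" includes it. The sample assets, the fixed NOW, the function names, and two behaviours the page does not specify (a multi-valued attribute satisfies a positive condition if any value does and a negated one only if no value does; an absent attribute fails every condition except "does not exist") are all this example's assumptions.

```python
import fnmatch
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so relative values such as "3 days ago" evaluate the same on every run (assumption).
NOW = datetime(2023, 5, 20, 0, 0, tzinfo=timezone.utc)

# Constructed sample inventory, not real data. Multi-valued attributes are lists and
# timestamps are datetimes. The third asset has no Hostname and no endpoint agent at all.
INVENTORY = [
    {"Hostname": ["victorias-macbook-pro"], "Internal IPs": ["192.158.1.22", "10.0.0.5"],
     "Crowdstrike Agent Version": ["6.42.15611"], "Mac Address": ["02:FF:00:BA:C0:39"],
     "Number of Sources": [3], "Last Observed Timestamp": NOW - timedelta(days=1)},
    {"Hostname": ["win-fin-07"], "Internal IPs": ["192.158.1.50"],
     "Crowdstrike Agent Version": ["6.40.1"], "Number of Sources": [1],
     "Last Observed Timestamp": NOW - timedelta(days=10)},
    {"Internal IPs": ["10.10.4.217"], "Number of Sources": [2],
     "Last Observed Timestamp": NOW - timedelta(days=2)},
]

TIME_CONDITIONS = {"is after", "is on or after", "is before", "is on or before"}


def parse_time(text: str) -> datetime:
    """Accept 'N days ago' (relative to NOW) or 'MM/DD/YY HH:MM AM' as written in the examples."""
    match = re.fullmatch(r"(\d+) days? ago", text.strip())
    if match:
        return NOW - timedelta(days=int(match.group(1)))
    return datetime.strptime(text.strip(), "%m/%d/%y %I:%M %p").replace(tzinfo=timezone.utc)


def as_number(value):
    """IP addresses compare as integers, so 'between' covers an address range; anything else as float."""
    try:
        return int(ipaddress.ip_address(str(value)))
    except ValueError:
        return float(value)


def evaluate(asset: dict, attribute: str, condition: str, value=None, upper=None) -> bool:
    """Evaluate one (attribute, condition, value) clause against one asset (see lead-in for assumptions)."""
    raw = asset.get(attribute)
    values = raw if isinstance(raw, list) else ([] if raw is None else [raw])
    if condition == "exists":
        return bool(values)
    if condition == "does not exist":
        return not values
    if not values:  # absent attribute: every other condition fails (assumption)
        return False
    if condition in ("is like", "is not like"):
        if "*" not in str(value):  # the tables require at least one wildcard
            raise ValueError(f"'{condition}' requires at least one wildcard (*): {value!r}")
        hit = any(fnmatch.fnmatchcase(str(v).lower(), str(value).lower()) for v in values)
        return hit if condition == "is like" else not hit
    if condition == "equals":
        return any(str(v).lower() == str(value).lower() for v in values)
    if condition == "does not equal":
        return not any(str(v).lower() == str(value).lower() for v in values)
    if condition == "between":
        low, high = as_number(value), as_number(upper)
        return any(low <= as_number(v) <= high for v in values)
    if condition in TIME_CONDITIONS:
        t = parse_time(value)
        ops = {"is after": lambda v: v > t, "is on or after": lambda v: v >= t,
               "is before": lambda v: v < t, "is on or before": lambda v: v <= t}
        return any(ops[condition](v) for v in values)
    numeric = {"is greater than": lambda v, n: v > n,
               "is greater than or equal to": lambda v, n: v >= n,
               "is less than": lambda v, n: v < n,
               "is less than or equal to": lambda v, n: v <= n}
    if condition in numeric:
        n = as_number(value)
        return any(numeric[condition](as_number(v), n) for v in values)
    raise ValueError(f"unknown condition: {condition!r}")


def run_query(inventory, clauses) -> list:
    """AND all clauses together; return the index of each matching asset (a stand-in for the results view)."""
    return [i for i, asset in enumerate(inventory)
            if all(evaluate(asset, *clause) for clause in clauses)]


if __name__ == "__main__":
    print(run_query(INVENTORY, [("Crowdstrike Agent Version", "is like", "6.4*")]))
    print(run_query(INVENTORY, [("Internal IPs", "between", "192.158.1.10", "192.158.1.40")]))
    print(run_query(INVENTORY, [("Last Observed Timestamp", "is before", "3 days ago"),
                                ("Mac Address", "does not exist")]))
```

The last query in the usage block is the kind of hygiene check these attributes are meant for: assets that a Source has not observed in three days and that carry no MAC address are likely stale or poorly correlated records. Note how the first asset, last observed exactly at 05/19/23 12:00 AM, matches "is on or after" that instant but not "is after" it.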