Query Parameters and Attributes
A complete list of query parameters and attributes
Query Parameters
The Query Builder has four main parameters that can be used to assemble a query.
Source Attributes
The Attribute parameters allow you to select the what data attribute(s) you would like to build your query around. Select the Attribute field to begin defining this parameter.
The attributes menu is broken down into several areas:
-
At the top of the menu, there are Devices and User tabs. The tab corresponding to the Live Inventory page you are in is selected by default. These tabs are primarily used for cross-asset searches, which will be covered in a later section.
-
The left-panel contains a list Sources. If needed, use this section to specify if you would only like to include assets from a specific Source in your rule's condition.
-
The right-panel is where you will select what data Attribute(s) you would like to build your query around.
Condition
The Condition parameter is used to define the condition an attribute must meet to meet a rule's requirements. Only assets and telemetry events that satisfy your conditions will be displayed in your results.
Value
Once you've selected an attribute and condition, you will need to define the Value you will be using to determine if a condition is satisfied. Please note that this field will not display when the Exists or Does not exist condition is selected, as the value is already defined in the condition itself.
In some instances, you may be asked to select a value from a pre-defined list of values. This is dependent on the attribute you have chosen.
Source Attributes
This Attributes list excludes Source-specific attributes. For questions about these attributes, please contact our Support team.
Please review the tables below for a list of Source attributes for each query builder in the Sevco platform. You will also find every possible condition and value that can be applied to an attribute.
Live Inventory
Devices
Attribute | Definition | Example |
---|---|---|
Active Directory Domains | The specific Active Directory domain name assigned to a Device or User asset. | Active Directory Domains equals company.com |
Agent Version | The Agent Version a Source integration is currently running on for a particular Device asset | Crowdstrike Agent Version is not like 6.42* |
Associated Usernames | Any usernames associated with a Device asset | Associated Usernames is like john* |
Category | The Category that a Source integration falls under | Category equals Enterprise Endpoint |
City | The City corresponding to a Device asset's External IP address | City equals Brooklyn |
Controls | The Enterprise Endpoint subcategory that identifies the type of source control present for an asset | Controls equals Configuration Management |
Correlation ID | ||
Distinguished Name | The name typically associated with or issued by Directory Service Source integrations. | Distinguished Name equals cn=fcfdlfs,ou=dpnqvufst oz,ou=bluth dpnqvufst,dc=bluth-dp,dc=com |
Domain | The specific domain name assigned to a Device asset. In this context, domain names are most often assigned using a domain controller such as Microsoft Active Directory. | Domain equals company.com |
External IP Address | The External IP Address associated with any network a Device asset has connected to | IP Address between 192.158.1.10 (and) 192.158.1.40 |
First Collection Date | When a Device or User asset was first collected by Sevco | First Collection Date is on or before 07/31/22 12:00 AM |
First Observed Timestamp | The first time a Device or User asset was identified as present in your environment by a Source integration | First Observed Timestamp is before 05/17/23 12:00 AM |
FQDN | The fully qualified domain name associated with a Device asset | FQDN exists |
GeoIP Associated IP | ||
Hostname | Any device name associated with a Device asset. Unlike an Object ID this attribute can change | Hostname equals victorias-macbook-pro |
ID | ||
Internal IPs | The Internal IP Address associated with any network a Device asset has connected to. | IP Address equals 192.168.1.1 |
IP Address | The IP Address of the Device asset on a network. | IP Address equals 10.10.4.217 |
Last Activity Timestamp | The last time an Device or User asset identified as active on a network | Last Activity Timestamp is after 05/18/23 12:00 AM |
Last Observed Timestamp | The last time a Device or User asset was identified as present in your environment by a Source integration | Last Observed is before 3 days ago |
Latitude | The latitude corresponding to a Device asset's External IP address | Latitude equals 37.4221° N |
Longitude | The longitude corresponding to a Device asset's External IP address | Longitude equals 122.0841° W |
MAC Address | Any MAC address associated with a Device asset | MAC Address equals 02:FF:00:BA:C0:39 |
MAC Manufacturer | The MAC manufacturer who manufactured a piece of network hardware on a Device asset | MAC Manufacturer equals Intel Corporate |
Network Location | The Network type a Device asset is associated with: On Premise, Cloud, or Unknown (typically listed as a location if available) | Network Location does not equal Cloud |
Number of Sources | The total number of Sources associated with a Device or User asset | Number of Sources equals 3 |
Object ID | A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID. | SentinelOne Object ID equals 0123456789101112131 ManageEngine Object ID equals 1312111019876543210 |
OS | The operating system of a Device asset | OS Release equals Windows 11 Professional (x64) |
OS End of Life Timestamp | The date and time that a Device asset's operating system enters an end-of-life state (is no longer supported by its vendor). | OS End of Life Timestamp is on or before 30 days ago |
OS Platform | The operating system platform of a Device asset | OS Platform equals Windows |
OS Release | The specific identity of a Device asset's operating system (if available) | OS Release equals Windows 11 Professional |
OS Version | The specific version of a Device asset's operating system. | OS Platform equals MacOS OS Version is like 12.6* _ |
Region | The world region corresponding to a Device asset's External IP address | Region equals Europe |
Serial Number | The serial number corresponding to a Device asset | Serial Number equals 3N326311QW-01 |
Source | Any Source integration that you have configured for your Sevco Organization | Source equals Crowdstrike |
Source Configuration | Any Source integration configuration associated with an asset | Source Configutation equals Microsoft Azure(01234567-0123-abcd-abcd-0123456789ab) |
Tag | Any Tag that has been assigned to an asset | Tag equals Password Expired |
Users
Attribute | Definition | Value |
---|---|---|
Active Directory Domains | The specific Active Directory domain name assigned to a Device or User asset. | Active Directory Domains equals company.com |
Agent Version | The Agent Version a Source is currently running on for a particular asset | Okta Agent Version does not exist |
Correlation ID | ||
Domain | The specific domain name assigned to a Device asset. In this context, domain names are most often assigned using a domain controller such as Microsoft Active Directory. | Domain equals company.com |
Emails | Any Emails associated with a User asset | Email equals [email protected] |
First Observed Timestamp | The first time a Device or User asset was identified as present in your environment by a Source integration | First Observed Timestamp is before 05/17/23 12:00 AM |
First Name | The first name associated with a User asset | First Name equals John |
ID | ||
Last Activity Timestamp | The last time an Device or User asset identified as active on a network | Last Activity is after 05/18/23 12:00 AM |
Last Name | The last name associated with a User asset | Last Name equals Smith |
Last Observed Timestamp | The last time a Device or User asset was identified as present in your environment by a Source integration | Last Observed is before 3 days ago |
Last Updated | When information about an asset was last updated by a in a Source | Last Updated is before 30 days ago |
Number of Sources | The total number of Sources associated with a Device or User asset | Number of Sources equals 3 |
Source | Any Source integration that you have configured for your Sevco Organization | Source equals Crowdstrike |
Source Configuration | Any Source integration configuration associated with an asset | Source Configutation equals Microsoft Azure(01234567-0123-abcd-abcd-0123456789ab) |
Tag | Any Tag that has been applied to an asset. | Tag equals Password Expired |
Telemetry
Devices
Attribute | Definition | Example Query |
---|---|---|
Attribute | A piece of information that corresponds to a Device or User asset | Attribute equals hostnames |
Hostname | Any device name associated with a Device asset. Unlike an Object ID this attribute can change. | Hostname equals victorias-macbook-pro |
Event Timestamp | The date and time that a telemetry event took place | Event Timestamp is after 05/09/23 12:00 AM |
Event Type | The type of telemetry event that has taken place. This includes changes to attributes as well as observation times by Sources. | Event Type equals AttributeValueAdd |
Object ID | A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID. | SentinelOne Object ID equals 0123456789101112131 ManageEngine Object ID equals 1312111019876543210 |
Source | Any Source integration that you have configured for your Sevco Organization | Source equals Crowdstrike |
Source Configuration | Any Source integration configuration associated with an asset | Source Configutation equals Microsoft Azure(01234567-0123-abcd-abcd-0123456789ab) |
Valid Until Timestamp | For AttributeValueAdd telemetry events, the time when the attribute was removed. | Valid Until Timestamp is after 3 days ago |
Value | An attribute Value that has changed during a telemetry event. For example: a Device asset's MAC Address changing. | Value equals 00:50:56:8A:69:73 |
Users
Attribute | Definition | Example Query |
---|---|---|
Attribute | A piece of information that corresponds to a Device or User asset | Attribute equals emails |
Event Timestamp | The date and time that a telemetry event took place | Event Timestamp is after 05/09/23 12:00 AM |
Event Type | The type of telemetry event that has taken place. This includes changes to attributes as well as observation times by Sources. | Event Type equals AttributeValueAdd |
Object ID | A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID. | SentinelOne Object ID equals 0123456789101112131 ManageEngine Object ID equals 1312111019876543210 |
Source | Any Source integration that you have configured for your Sevco Organization | Source equals Crowdstrike |
Source Configuration | Any Source integration configuration associated with an asset | Source Configutation equals Microsoft Azure(01234567-0123-abcd-abcd-0123456789ab) |
Valid Until Timestamp | For AttributeValueAdd events, the time when the attribute was removed. | Valid Until Timestamp is after 3 days ago |
Value | An attribute Value that has changed during a telemetry event. For example: a User asset's corresponding email being updated. | Value equals [email protected] |
Source Inventory
Devices
Attribute | Definition | Example |
---|---|---|
First Collected | When a Device or User asset was first collected by a specific Source integration | First Collected is on or before 07/31/22 12:00 AM |
FQDN | The fully qualified domain name associated with a Device asset | FQDN exists |
Hostname | Any device name associated with a Device asset. Unlike an Object ID this attribute can change. | Hostname equals victorias-macbook-pro |
IP Address | The IP Address of the Device asset on a network. | IP Address equals 10.10.4.217 |
Last Activity | The last time an Device or User asset identified as active on a network | Last Activity is after 05/18/23 12:00 AM |
Last Observed | The last time a Device or User asset was identified as present in your environment by a Source integration | Last Observed is before 3 days ago |
MAC Address | Any MAC Address associated with a Device asset | MAC Address equals 02:FF:00:BA:C0:39 |
Object ID | A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID. | SentinelOne Object ID equals 0123456789101112131 ManageEngine Object ID equals 1312111019876543210 |
OS Platform | The operating system platform of a Device asset | OS Platform equals Windows |
OS Release | The specific identity of a Device asset's operating system (if available) | OS Release equals Windows 10 Enterprise |
Serial Number | The serial number corresponding to a Device asset | Serial Number equals 3N326311QW-01 |
Users
Attribute | Definition | Example |
---|---|---|
Username | The username associated with a User asset for a specific Source integration | Username equals janesmith |
First Collected | When a Device or User asset was first collected by a specific Source integration | First Collected is on or before 07/31/22 12:00 AM |
First Name | The first name associated with a User asset | First Name equals John |
Last Name | The last name associated with a User asset | Last Name equals Smith |
Last Updated | When information about an asset was last updated by a in a Source | Last Updated is before 30 days ago |
Last Activity | The last time an Device or User asset identified as active on a network | Last Activity is after 05/18/23 12:00 AM |
Last Observed | The last time a Device or User asset was identified as present in your environment by a Source integration | Last Observed is before 3 days ago |
Object ID | A permanent ID number that is assigned by a Source integration to identify a Device asset. Each Source assigns its own Object ID. | SentinelOne Object ID equals 0123456789101112131 ManageEngine Object ID equals 1312111019876543210 |
Password Changed | When a Source integration last identified a password change by a user | Password Change is less than 30 days ago |
Software
Attribute | Definition | Example |
---|---|---|
Software Name | The name of a piece of software that has been installed on a Device asset | Software Name equals 1Password |
Version | The version of a piece of software that has been installed on a Device asset | Software Name equals 1Password , and Software Version is like 7.* |
Vendor | The vendor of a piece of software that has been installed on a Device asset | Software Vendor equals WindowsUpdate |
Hostname | Any device name associated with a Device asset. Unlike an Object ID this attribute can change. | Hostname equals victorias-macbook-pro |
Vulnerabilities
Attribute | Definition | Example |
---|---|---|
Vulnerability | Potential security threats that a software vendor has identified on a Device asset | Vulnerability is like Adobe Flash* |
CVE | Any Common Vulnerabilities and Exposures (CVE) codes associated with a Vulnerability. Please note that some vulnerabilities may contain multiple CVEs or none at all. | CVE equals CVE-2018-17456 |
OS Platform | The operating system platform associated with a Device asset | OS Platform equals Windows |
OS Release | The specific operating system release installed on a Device asset | OS Release equals Windows 10 Enterprise |
Severity | The severity of a Vulnerability on a Device asset. Sevco determines severity of a vulnerability using the CVSS3 and CVSS2 scores assigned to it by your software vendor. | Severity equals High |
Categories | The category a Vulnerability falls under | Categories equals MacOS X Local Security Checks |
First Found | When a Vulnerability was first identified on a Device asset by your software vendor | First Found is on or before 06/07/23 12:00 AM |
Last Found | The last time a Vulnerability was identified on a Device asset by your software vendor | Last Found is on or after 06/10/23 12:00 AM |
CVSS3 Base | A severity score assigned by your software vendor using the most recent version of the Common Vulnerability Scoring System (CVSS). This score is determined when a Vulnerability is first discovered. Sevco uses this score in conjunction with other CVSS scores to determine the overall severity of a vulnerability. Learn more | CVSS3 Base is greater than 6.9 |
CVSS3 Temporal | A severity score assigned by your software vendor using the most recent version of the Common Vulnerability Scoring System (CVSS). This score may change depending on factors such as the time a Vulnerability has been present on a Device Asset. Sevco uses this score in conjunction with other CVSS scores to determine the overall severity of a vulnerability. Learn more | CVSS3 Temporal is greater than 8.9 |
CVSS2 Base | A severity score assigned by your software vendor using an older version of the Common Vulnerability Scoring System (CVSS). This score is determined when a Vulnerability is first discovered. Sevco uses this score in conjunction with other CVSS scores to determine the overall severity of a vulnerability. Learn more | CVSS2 Base is greater than 6.9 |
CVSS2 Temporal | A severity score assigned by your software vendor using an older version of the Common Vulnerability Scoring System (CVSS). This score may change depending on factors such as the time a Vulnerability has been present on a Device Asset. Sevco uses this score in conjunction with other CVSS scores to determine the overall severity of a vulnerability. Learn more | CVSS3 Temporal is greater than or equal to 7.0 |
Control Attributes
Control State Awareness and Tracking is Sevco’s ability to normalize control attributes to a common field in order to monitor and provide context about a critical control states that affects its ability to deliver the function of the control.
Attribute | Definition | Example |
---|---|---|
Encryption Status | The current status and level of encryption being provided by a Control | Encryption Status equals [status] |
Management State | The state or condition of a specific Control that indicates whether a device can be managed or how it is currently being managed | Rapid7 InsightVM``Management State equals Agent |
Protection State | The state or condition of a Control that indicates the level of or how a device is being controlled | Microsoft Defender for Endpoints``Protection State equals Prevention |
Status | The state or condition of a specific Control that indicates whether a device is online, active, or able to be controlled | Microsoft Defender for Endpoints``Status equals Active |
Query Conditions
Qualitative
Condition | Definition | Query Example |
---|---|---|
exists | An attribute exists for an asset, regardless of its value | MAC Address exists |
does not exist | An attribute value does not exist for an asset | Hostname does not exist |
is like | Specifies that an attribute value must begin with certain combination of alphanumeric characters | Crowdstrike Agent Version is like 6.4* Note:This field requires the use of at least one wildcard (*) |
is not like | Specifies that an attribute value must not start with certain combination of alphanumeric characters | Crowdstrike Agent Version is not like 6.42* Note:This field requires the use of at least one wildcard (*) |
Quantitative
Condition | Definition | Query Example |
---|---|---|
between | An attribute value is between two specified numerical values | IP Address between 192.158.1.10 (and) 192.158.1.40 |
equals | An attribute value is equal (identical) to a specified value | First Name equals John |
does not equal | An attribute value is not equal (identical) to a specified value | Last Name does not equal Smith |
is greater than | An attribute value is greater than a numerical value specified by the user | CVSS3 Base is greater than 9.1 |
is greater than or equal to | An attribute value is greater than or equal to a numerical value | CVSS3 Base is greater than or equal to 9.1 |
is less than | An attribute value is less than a numerical value | CVSS3 Temporal is less than 8.8 |
is less than or equal to | An attribute value is less than or equal to a numerical value | CVSS3 Base is less than or equal to 8.8 |
Time
Condition | Definition | Query Example |
---|---|---|
is after | An event has taken place after a specified time | Last Activity is after 3 days ago |
is on or after | An event took place at or after a specified time. We recommend using this if you are trying to identify an event that may have taken place at a specific time of day. | Last Activity is on or after 05/18/23 12:00 AM |
is before | An event took place before a specified time | Last Observed is before 3 days ago |
is on or before | An event took place at or before a specified time. We recommend using this if you are trying to identify an event that may have taken place at a specific time of day. | Last Observed is on or before 05/18/23 12:00 AM |
Updated about 1 month ago