>
    Strata Copilot
    Use Advanced Search Expressions
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Search in Data Security
    4. Use Advanced Search Expressions
    Download PDF
    SaaS Security

    Use Advanced Search Expressions

    Table of Contents

    Use Advanced Search Expressions

    Perform a more detailed search of incidents on Data Security using advanced search expressions.
    An advanced search expression is composed of a set of supported fields, operators, and connectors. Fields and field values can include:
    • item.attached_to_name—Attached asset name of an item.
    • item.creator—Name of the creator of an item. The name can be partial.
    • item.creator_email—Email of the creator of an item. The email address must be complete.
    • item.name—Name of file or folder, such as techsupport.tgz.
    • item.owner—Name of the owner of an item. The name can be partial.
    • item.owner_email—Email of the owner of an item. The email address must be complete.
    • item.container_name—Name of the container.
    • item.account—Account ID of the container.
    • shared.with_domain—Any domain name.
    • file.type—File format supported by Data Security, such as TGZ.
    • email.sent—If email has been sent to the user the value is true or false.
    • policy.name—Name of a policy rule.
    • exposurePublic, External, Internal, Company, or hasCustomURL.
    • app.name—Name of any application instance, such as Google Drive Prod.
    • data_pattern.name—Name of the data pattern.
    • file_modified_in—File modification date with date format YYYY-MM-DD.
    • file_sha256—sha256 of file or folder.
    • shared_with—Shared with trusted users, untrusted users, or anyone not trusted users.
    Operators define the relationship between a field and a value. The following list includes all the available Operators, and you should use the auto completion to verify the operators for a specific field:
    • eq—equals.
    • neq—not equal.
    • is present—included (partial match).
      For example, item.owner_email does not support the is present operator.
    • in—included.
    • not in—not included.
    Connectors define the logic associated with groups of items. The following list includes all the Connectors available:
    • and—logical AND operation.
    • or—logical OR operation.
    • and_not—AND is not.
    • or_not—OR is not.
    Combine fields, operators, and connectors based on the following syntax rules:
    Syntax Rule
    Example
    Use parentheses to group items in an expression.
    (item.owner neq 'rjsmith@smith.com')
    Include field values in single quotes.
    (file.type eq 'PDF')
    Recognized keywords by Data Security and logical operators do not need quotes.
    (exposure eq public)
    Use comma-separated lists for multiple values.
    (file.type not_in 'PDF','PPT')
    The following are examples of advanced search expressions:
    To Search for
    Example
    • Any asset owned by a user named msmith.
    (item.owner eq 'msmith')
    • Any asset with Public, External, or Company exposure that caused an email alert.
    (exposure neg internal) and (email.sent is true)
    • A file named “apple vs samsung.pdf” John T Smith or Jane Smith does not own.
    (item.name eq 'apple vs samsung.pdf') and ((owner neq 'John T Smith') or (owner neq 'Jane Smith'))
    • Any asset that includes a credit card number and share on gmail.com or has Public or External exposure. Do not include assets with credit card numbers that have Internal or Company exposure.
    (policy.name eq 'credit card number') and not ((exposure eq internal) or (exposure eq company)) or (shared.with eq 'gmail.com')

    © 2025 Palo Alto Networks, Inc. All rights reserved.