Use Advanced Search Expressions
Perform a more detailed search of incidents on SaaS Security API using advanced search expressions.
An advanced search expression is composed of a set of supported fields, operators, and connectors. Fields and field values can include:
- item.attached_to_name—Attached asset name of an item.
- item.creator—Name of the creator of an item. The name can be partial.
- item.creator_email—Email of the creator of an item. The email address must be complete.
- item.name—Name of file or folder, such as techsupport.tgz.
- item.owner—Name of the owner of an item. The name can be partial.
- item.owner_email—Email of the owner of an item. The email address must be complete.
- item.container_name—Name of the container.
- item.account—Account ID of the container.
- shared.with_domain—Any domain name.
- email.sent—If email has been sent to the user the value is true or false.
- policy.name—Name of a policy rule.
- exposure—Public,External,Internal,Company, orhasCustomURL.
- app.name—Name of any application instance, such as Google Drive Prod.
- data_pattern.name—Name of the data pattern.
- file_modified_in—File modification date with date format YYYY-MM-DD.
- file_sha256—sha256 of file or folder.
- shared_with—Shared with trusted users, untrusted users, or anyone not trusted users.
Operators define the relationship between a field and a value. The following list includes all the available Operators, and you should use the auto completion to verify the operators for a specific field:
- neq—not equal.
- is present—included (partial match).For example,item.owner_emaildoes not support the is present operator.
- not in—not included.
Connectors define the logic associated with groups of items. The following list includes all the Connectors available:
- and—logical AND operation.
- or—logical OR operation.
- and_not—AND is not.
- or_not—OR is not.
Combine fields, operators, and connectors based on the following syntax rules:
Use parentheses to group items in an expression.
(item.owner neq 'email@example.com')
Include field values in single quotes.
(file.type eq 'PDF')
Recognized keywords by SaaS Security API and logical operators do not need quotes.
(exposure eq public)
Use comma-separated lists for multiple values.
(file.type not_in 'PDF','PPT')
The following are examples of advanced search expressions:
To Search for
(item.owner eq 'msmith')
(exposure neg internal) and (email.sent is true)
(item.name eq 'apple vs samsung.pdf') and ((owner neq 'John T Smith') or (owner neq 'Jane Smith'))
(policy.name eq 'credit card number') and not ((exposure eq internal) or (exposure eq company)) or (shared.with eq 'gmail.com')
Recommended For You
Recommended videos not found.