Skip to content

Search examples

You can combine different terms to create complex searches.

The table lists examples of searches combining different terms and techniques.

Search objective Query
Find alerts seen in the last 2 days that are related to GDPR policy checks. Alert AND lastSeen:[now-2d TO *] AND policyTagName:GDPR
Find hosts that were started in the last 3 days, are not part of an auto scaling group, and have a public interface. Host AND startTime:[now-3d TO *] AND isPublic:true AND NOT "Auto Scaling"
Find public, unencrypted S3 buckets created in the last year. creationDate:[now/y TO *] AND isPublic:true AND not _exists_:defaultEncryption
Find S3 buckets created in the last 6 months, by aws-pcg in the us-west-2 region. creationDate:[now-6M TO *] AND isPublic:true AND owner:aws-pcg* AND region:us-west-2
Find over-privileged IAM users created over a month ago that have been inactive. User AND isOverPrivileged:true AND createDate:[* TO now-1M] AND not _exists_:lastActivity
Find security groups that allow inbound traffic from any port and from any IP address. _ingressRules.toPort:"-1" and _ingressRules.fromPort:"-1" and _ingressRules.ipRange:""
Find hosts with outbound traffic to specific IP addresses and ports. outGoingIp:("IP1" "IP2" "IP3") and outGoingPort:("PORT1" "PORT2" "PORT3")
Find hosts with the Sophos server protection agent installed, and the agent reports bad security health. Host AND