
Detection and exclusion criteria

This page lists every field, relation and value that can be used in the criteriaList objects passed when creating or updating a custom rule. The fields are grouped by target, and each entry gives the supported relation values and the validation rules that apply to the corresponding value.

Important

  • Rules that combine EDR-only fields or values with fields and values supported by both EDR and XDR are processed exclusively by EDR.

  • Rules that combine XDR-only fields or values with fields and values supported by both EDR and XDR are processed exclusively by XDR.

  • Rules that include only fields and values supported by both EDR and XDR are processed by both XDR and EDR.

  • EDR-only fields or values cannot be combined with XDR-only fields or values within the same rule.

  • Only one XDR resource can be defined as a criterion in a detection rule with the connection or user connection target.

  • For any criterion object where relation is set to contains, the value property supports the use of wildcards. Wildcards are not supported when field has one of the following values:

    • Process.MD5

    • Process.SHA2

    • File.MD5

    • File.SHA2

  • For any criterion object where relation is set to any, the value property must be an array. The array elements must follow the type specified in the Value validation rules column, or be strings selected from the allowed values listed in that column.
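The following Python check is an added example, not Bitdefender's code and not part of this page: it validates a criteriaList against the rules above before the rule is sent to createCustomRule or updateCustomRule, and reports which engine (EDR, XDR or both) would process it. EDR-only and XDR-only fields or values may not be mixed, the relation any needs an array, contains on the four hash fields gets no wildcard, File.Operation values are checked against the rule type, and IP and port values are type-checked. The SUPPORT map covers only a handful of fields copied from the table on this page, the wildcard character is assumed to be * (the page does not define the wildcard syntax), and the request envelope is out of scope.

```python
import ipaddress
from typing import Any

# EDR/XDR support for a subset of fields, copied from the table on this page.
# "both" means the field is supported by EDR and XDR alike.
SUPPORT = {
    "detection": "both",
    "Process.Name": "edr",
    "Process.CommandLine": "edr",
    "Process.MD5": "edr",
    "Process.SHA2": "edr",
    "File.Name": "both",
    "File.FullPathName": "both",
    "File.Operation": "both",       # "EDR for exclusion rules" is handled below
    "File.MD5": "xdr",
    "File.SHA2": "xdr",
    "File.SourceIP": "xdr",
    "Connection.SourceIP": "both",
    "Connection.SourcePort": "edr",
    "Connection.File.Name": "xdr",
    "Connection.File.Operation": "xdr",
}
# Relations each field accepts ("Relation API name" column).
RELATIONS = {field: {"is", "contains", "any"} for field in SUPPORT}
RELATIONS["detection"] = {"is"}
RELATIONS["File.Operation"] = {"is", "any"}
RELATIONS["Connection.File.Operation"] = {"is", "any"}

HASH_FIELDS = {"Process.MD5", "Process.SHA2", "File.MD5", "File.SHA2"}
IP_FIELDS = {"File.SourceIP", "Connection.SourceIP"}
PORT_FIELDS = {"Connection.SourcePort"}
# File.Operation values and the engine that understands each of them.
FILE_OPERATIONS = {
    "edr": {"rename", "copy", "create"},
    "xdr": {"shared", "downloaded", "uploaded"},
    "both": {"read", "write", "move"},
}
CONNECTION_FILE_OPERATIONS = {"shared", "downloaded", "uploaded"}
WILDCARD = "*"  # assumption: the page does not define the wildcard syntax


def _check_scalar(field: str, relation: str, value: Any, rule_type: int,
                  engines: set, errors: list) -> None:
    """Validate one value of a criterion and note the engine it commits the rule to."""
    if field in PORT_FIELDS:
        if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 65535:
            errors.append(f"{field}: value must be an integer between 0 and 65535")
        return
    if not isinstance(value, str):
        errors.append(f"{field}: value must be a string")
        return
    if field in IP_FIELDS:
        try:
            ipaddress.ip_address(value)
        except ValueError:
            errors.append(f"{field}: {value!r} is not a valid IP address")
    if field in HASH_FIELDS and relation == "contains" and WILDCARD in value:
        errors.append(f"{field}: wildcards are not supported with 'contains' on hash fields")
    if field == "File.Operation":
        engine = next((e for e, vals in FILE_OPERATIONS.items() if value in vals), None)
        if engine is None:
            errors.append(f"File.Operation: unknown value {value!r}")
        elif engine == "xdr" and rule_type == 2:
            errors.append("File.Operation: XDR-only values are not available in exclusion rules")
        elif engine != "both":
            engines.add(engine)
    if field == "Connection.File.Operation" and value not in CONNECTION_FILE_OPERATIONS:
        errors.append(f"Connection.File.Operation: unknown value {value!r}")


def validate_criteria(rule_type: int, criteria: list) -> tuple:
    """Return (engine, errors) for the criteriaList of a rule of the given type
    (1 = detection, 2 = exclusion). engine is "EDR", "XDR", "both" or "mixed"
    per the routing rules at the top of this page; a non-empty errors list
    means the rule should not be submitted."""
    errors, engines = [], set()
    for criterion in criteria:
        field = criterion.get("field")
        relation = criterion.get("relation")
        value = criterion.get("value")
        if field not in SUPPORT:
            errors.append(f"unknown or unsupported field {field!r}")
            continue
        if relation not in RELATIONS[field]:
            errors.append(f"{field}: relation {relation!r} is not allowed")
            continue
        support = SUPPORT[field]
        if field == "File.Operation" and rule_type == 2:
            support = "edr"  # EDR for exclusion rules, Both for detection rules
        if support != "both":
            engines.add(support)
        if relation == "any":
            if not isinstance(value, list):
                errors.append(f"{field}: relation 'any' requires an array value")
                continue
            values = value
        elif isinstance(value, list):
            errors.append(f"{field}: relation {relation!r} takes a single value")
            continue
        else:
            values = [value]
        for item in values:
            _check_scalar(field, relation, item, rule_type, engines, errors)
    engine = {frozenset(): "both", frozenset({"edr"}): "EDR",
              frozenset({"xdr"}): "XDR"}.get(frozenset(engines), "mixed")
    if engine == "mixed":
        errors.append("EDR-only and XDR-only fields or values cannot be combined in one rule")
    return engine, errors
```

Run validate_criteria on the criteriaList you are about to submit and treat a non-empty error list as a hard stop; the engine value tells you which sensor will actually evaluate the rule, which matters when a rule silently becomes EDR-only because one EDR-only field was added to it.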

Note

For information about the createCustomRule and updateCustomRule methods, refer to createCustomRule and updateCustomRule.

Each target below lists the field name shown in GravityZone Control Center, the field API name, whether the field is available for detection rules (type 1) and for exclusion rules (type 2), its EDR or XDR support, the relation API names it accepts, and the value validation rules. Fields are written as Control Center name: API name.

Target: all target entities

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: Both
  • Relation API name: is
  • Value validation rules: string

  • Alert name: detection

    Important

    For any XDR detection rule, you must use either this criterion or an operation criterion, but not both.

Target: process

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: EDR
  • Relation API name: is | contains | any
  • Value validation rules: string

  • Name: Process.Name
  • Path: Process.Path
  • Full path name: Process.FullPathName
  • Command line: Process.CommandLine
  • Parent name: Process.Parent.Name
  • Parent path: Process.Parent.Path
  • Parent full path name: Process.Parent.FullPathName
  • Parent command line: Process.Parent.CommandLine
  • User: Process.User
  • MD5: Process.MD5
  • SHA256: Process.SHA2

Target: file

Fields supported by both EDR and XDR

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: Both
  • Relation API name: is | contains | any
  • Value validation rules: string

  • Name: File.Name
  • Path: File.Path
  • Full path name: File.FullPathName

File operation

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: EDR for exclusion rules, Both for detection rules
  • Relation API name: is | any

  • Operation: File.Operation
    • Possible EDR-only values: rename, copy, create
    • Possible XDR-only values: shared, downloaded, uploaded
    • Possible values for both EDR and XDR: read, write, move

    Important

    For any XDR detection rule that uses the file target, you must include either this criterion or a detection criterion, but not both and not neither.

EDR-only fields

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: EDR
  • Relation API name: is | contains | any, unless noted below
  • Value validation rules: string, unless noted below

  • Creation process name: File.CreatedBy.Name
  • Creation process path name: File.CreatedBy.Path
  • Creation process full path name: File.CreatedBy.FullPathName
  • Creation process command line: File.CreatedBy.CommandLine
  • Creation process user: File.CreatedBy.User
  • Certificate signer: File.CertificateSigner
  • Certificate issuer: File.CertificateIssuer

    Important

      • File.CertificateSigner and File.CertificateIssuer each require either File.Name or File.FullPathName to be defined in the same rule.
      • Each of these criteria is incompatible with the is_unsigned value of the File.CertificateSignedStatus field.

  • Certificate signed status: File.CertificateSignedStatus
    • Relation API name: is
    • Possible values: is_signed, is_unsigned

    Important

      • Requires either File.Name or File.FullPathName to be defined in the same rule.
      • The is_unsigned value is incompatible with File.CertificateIssuer or File.CertificateSigner in the same rule.

XDR-only fields

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: XDR
  • Relation API name: is | contains | any
  • Value validation rules: string (IP fields: string containing a valid IP)

  • MD5: File.MD5
  • SHA256: File.SHA2
  • URL: File.Url
  • Source IP: File.SourceIP
  • Destination IP: File.DestinationIP

Target: connection

Fields supported by both EDR and XDR

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: Both
  • Relation API name: is | contains | any
  • Value validation rules: string containing a valid IP

  • Source IP: Connection.SourceIP
  • Destination IP: Connection.DestinationIP

EDR-only fields

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: EDR
  • Relation API name: is | contains | any, unless noted below
  • Value validation rules: string, unless noted below

  • Source port: Connection.SourcePort (integer between 0 and 65,535)
  • Destination port: Connection.DestinationPort (integer between 0 and 65,535)
  • Creation process name: Connection.Process.Name
  • Creation process path: Connection.Process.Path
  • Creation process full path name: Connection.Process.FullPathName
  • Creation process command line: Connection.Process.CommandLine
  • Creation process user: Connection.Process.User
  • URL: Connection.URL
  • HTTP user: Connection.HTTPUser
  • HTTP downloaded file: Connection.HTTPDownloadedFile
  • HTTP uploaded file: Connection.HTTPUploadedFile
  • FTP user: Connection.FTPUser
  • SMB domain: Connection.SMBDomain
  • SMB share path: Connection.SMBSharePath
  • SMB user: Connection.SMBUser
  • SSH user: Connection.SSHUser
  • WMI exec query: Connection.WMIExecQuery
  • Telnet user: Connection.TelnetUser
  • File remote path: Connection.FileRemotePath
  • Domain: Connection.Domain
  • File remote operation: Connection.FileRemoteOperation
    • Relation API name: is | any
    • Possible values: create, rem_delete, read, write, move
  • Protocol: Connection.Protocol
    • Relation API name: is
    • Possible values: http/https, smb

Important

The protocol-specific connection fields form groups (HTTP: Connection.URL, Connection.HTTPUser, Connection.HTTPDownloadedFile, Connection.HTTPUploadedFile; SMB: Connection.SMBDomain, Connection.SMBSharePath, Connection.SMBUser; FTP; SSH; Telnet; WMI; remote file: Connection.FileRemotePath, Connection.FileRemoteOperation), and a rule can use fields from only one group. The exact restrictions per field are:

  • Connection.URL: incompatible in the same rule with Connection.SMBDomain, Connection.SMBSharePath, Connection.SMBUser, Connection.TelnetUser, Connection.FileRemotePath, Connection.FileRemoteOperation, Connection.FTPUser, Connection.SSHUser and Connection.WMIExecQuery. If this criterion is used, the Connection.Protocol criterion can have only the value http/https.

  • Connection.HTTPUser, Connection.HTTPDownloadedFile and Connection.HTTPUploadedFile: each incompatible in the same rule with Connection.SMBDomain, Connection.SMBSharePath, Connection.SMBUser, Connection.SSHUser, Connection.TelnetUser, Connection.WMIExecQuery, Connection.FileRemotePath, Connection.FileRemoteOperation and Connection.FTPUser. If any of these criteria is used, the Connection.Protocol criterion can have only the value http/https.

  • Connection.SMBDomain, Connection.SMBSharePath and Connection.SMBUser: each incompatible in the same rule with Connection.FileRemotePath, Connection.FileRemoteOperation, Connection.FTPUser, Connection.SSHUser, Connection.TelnetUser, Connection.WMIExecQuery, Connection.HTTPDownloadedFile, Connection.HTTPUploadedFile, Connection.HTTPUser and Connection.URL. If any of these criteria is used, the Connection.Protocol criterion can have only the value smb.

  • Connection.FTPUser: incompatible in the same rule with Connection.Domain, Connection.HTTPUser, Connection.HTTPDownloadedFile, Connection.HTTPUploadedFile, Connection.SMBDomain, Connection.SMBSharePath, Connection.SMBUser, Connection.SSHUser, Connection.TelnetUser, Connection.WMIExecQuery, Connection.URL, Connection.FileRemotePath and Connection.FileRemoteOperation.

  • Connection.SSHUser: incompatible in the same rule with Connection.Domain, Connection.HTTPUser, Connection.HTTPDownloadedFile, Connection.HTTPUploadedFile, Connection.SMBDomain, Connection.SMBSharePath, Connection.SMBUser, Connection.TelnetUser, Connection.WMIExecQuery, Connection.URL, Connection.FileRemotePath, Connection.FileRemoteOperation and Connection.FTPUser.

  • Connection.WMIExecQuery: incompatible in the same rule with Connection.Domain, Connection.HTTPUser, Connection.HTTPDownloadedFile, Connection.HTTPUploadedFile, Connection.SMBDomain, Connection.SMBSharePath, Connection.SMBUser, Connection.TelnetUser, Connection.URL, Connection.FileRemotePath, Connection.FileRemoteOperation, Connection.FTPUser and Connection.SSHUser.

  • Connection.TelnetUser: incompatible in the same rule with Connection.Domain, Connection.HTTPUser, Connection.HTTPDownloadedFile, Connection.HTTPUploadedFile, Connection.SMBDomain, Connection.SMBSharePath, Connection.SMBUser, Connection.URL, Connection.FileRemotePath, Connection.FileRemoteOperation, Connection.FTPUser, Connection.SSHUser and Connection.WMIExecQuery.

  • Connection.FileRemotePath and Connection.FileRemoteOperation: each incompatible in the same rule with Connection.Domain, Connection.FTPUser, Connection.HTTPUser, Connection.HTTPDownloadedFile, Connection.HTTPUploadedFile, Connection.SMBDomain, Connection.SMBSharePath, Connection.SMBUser, Connection.SSHUser, Connection.TelnetUser, Connection.WMIExecQuery and Connection.URL.

  • Connection.Domain: requires Connection.Protocol to be defined in the same rule. Incompatible in the same rule with Connection.FileRemotePath, Connection.FileRemoteOperation, Connection.FTPUser, Connection.SSHUser, Connection.TelnetUser and Connection.WMIExecQuery.

  • Connection.Protocol: can only be used together with Connection.Domain in the same rule. The value http/https is not supported when Connection.SMBDomain, Connection.SMBSharePath or Connection.SMBUser is included in the same rule; the value smb is not supported when Connection.URL, Connection.HTTPUser, Connection.HTTPDownloadedFile or Connection.HTTPUploadedFile is included in the same rule.
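The incompatibility lists above reduce to a small set of rules: one protocol group per rule, Connection.Domain and Connection.Protocol only together, Domain only next to the HTTP or SMB group, and the Protocol value matching that group. The following Python function is an added example (not Bitdefender's code and not part of this page) that encodes exactly those lists as a pre-submission check for the EDR-only connection fields; the group names (http/https, smb, ftp, ssh, telnet, wmi, file_remote) are labels chosen here, and the sample criteria in the usage are constructed.

```python
# Protocol-specific field groups, derived from the incompatibility lists on this page.
PROTOCOL_GROUPS = {
    "http/https": {"Connection.URL", "Connection.HTTPUser",
                   "Connection.HTTPDownloadedFile", "Connection.HTTPUploadedFile"},
    "smb": {"Connection.SMBDomain", "Connection.SMBSharePath", "Connection.SMBUser"},
    "ftp": {"Connection.FTPUser"},
    "ssh": {"Connection.SSHUser"},
    "telnet": {"Connection.TelnetUser"},
    "wmi": {"Connection.WMIExecQuery"},
    "file_remote": {"Connection.FileRemotePath", "Connection.FileRemoteOperation"},
}
# Only these groups may share a rule with Connection.Domain / Connection.Protocol,
# and the Connection.Protocol value must then be the group's key.
DOMAIN_COMPATIBLE = {"http/https", "smb"}
PROTOCOL_VALUES = {"http/https", "smb"}
FILE_REMOTE_OPERATIONS = {"create", "rem_delete", "read", "write", "move"}


def check_connection_criteria(criteria: list) -> list:
    """Return the violations found in the connection-target criteria of a
    criteriaList; an empty list means the combination is allowed."""
    by_field = {c["field"]: c for c in criteria}
    errors = []

    # 1. At most one protocol-specific group per rule.
    groups = {name for name, members in PROTOCOL_GROUPS.items() if members & by_field.keys()}
    if len(groups) > 1:
        errors.append("fields from different protocol groups cannot be combined: "
                      + ", ".join(sorted(groups)))

    # 2. Connection.Domain and Connection.Protocol require each other.
    has_domain = "Connection.Domain" in by_field
    has_protocol = "Connection.Protocol" in by_field
    if has_domain != has_protocol:
        errors.append("Connection.Domain and Connection.Protocol must be used together")

    # 3. Domain tolerates only the HTTP and SMB groups.
    if has_domain:
        for name in sorted(groups - DOMAIN_COMPATIBLE):
            errors.append(f"Connection.Domain is incompatible with the {name} fields")

    # 4. The Protocol value must match the group that is present.
    if has_protocol:
        protocol = by_field["Connection.Protocol"]
        value = protocol.get("value")
        if protocol.get("relation") != "is" or value not in PROTOCOL_VALUES:
            errors.append("Connection.Protocol accepts only relation 'is' with http/https or smb")
        else:
            for name in sorted(groups & DOMAIN_COMPATIBLE):
                if name != value:
                    errors.append(f"Connection.Protocol value {value!r} is not supported "
                                  f"with the {name} fields")

    # 5. Connection.FileRemoteOperation takes only its listed values.
    operation = by_field.get("Connection.FileRemoteOperation")
    if operation is not None:
        raw = operation["value"]
        for item in (raw if isinstance(raw, list) else [raw]):
            if item not in FILE_REMOTE_OPERATIONS:
                errors.append(f"Connection.FileRemoteOperation: unknown value {item!r}")
    return errors


# Constructed sample: an SMB share access scoped to one domain, which is allowed.
SAMPLE_SMB_RULE = [
    {"field": "Connection.SMBSharePath", "relation": "contains", "value": "\\\\fs01\\finance"},
    {"field": "Connection.Domain", "relation": "is", "value": "corp.example"},
    {"field": "Connection.Protocol", "relation": "is", "value": "smb"},
]
```

The function only covers the cross-field rules of this block; run it alongside the per-criterion checks (relation, value type, EDR/XDR routing), since a rule can pass one and fail the other.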

Target: connection (continued)

XDR-only fields available for exclusion rules only

  • Available for detection rules (type 1): No
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: XDR
  • Relation API name: is | contains | any
  • Value validation rules: string

  • Flow name: Connection.Flow.Name
  • Bitbucket repository name: Connection.BitbucketRepository.Name

XDR-only fields (resource names and users)

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: XDR
  • Relation API name: is | contains | any
  • Value validation rules: string

  • File name: Connection.File.Name
  • Email subject: Connection.Email.Subject
  • Application name: Connection.Application.Name
  • Key vault name: Connection.KeyVault.Name
  • Role name: Connection.Role.Name
  • Policy name: Connection.Policy.Name
  • Sharing link name: Connection.SharingLink.Name
  • URL name: Connection.Url.Name
  • SSH key name: Connection.SshKey.Name
  • Launch template name: Connection.LaunchTemplate.Name
  • Service principal name: Connection.ServicePrincipal.Name
  • User group name: Connection.UserGroup.Name
  • Automation account name: Connection.AutomationAccount.Name
  • Automation account hook name: Connection.AutomationAccountHook.Name
  • API name: Connection.Api.Name
  • Certificate authority name: Connection.CertificateAuthority.Name
  • Bucket name: Connection.Bucket.Name
  • Source user: Connection.SourceUser
  • Destination user: Connection.DestinationUser
  • Confluence page name: Connection.ConfluencePage.Name
  • Jira project name: Connection.JiraProject.Name

Important

For detection rules, each resource name or subject criterion above (all of them except Connection.SourceUser and Connection.DestinationUser) requires its matching operation criterion or detection to be defined in the same rule: Connection.File.Operation for Connection.File.Name, Connection.Email.Operation for Connection.Email.Subject, Connection.Api.Operation for Connection.Api.Name, and so on.

XDR-only fields (resource operations)

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): No
  • EDR or XDR support: XDR
  • Relation API name: is | any

  • API operation: Connection.Api.Operation (possible values: modified, deleted)
  • Application operation: Connection.Application.Operation (possible values: created, deleted, authorized, permission_changed)
  • Automation account hook operation: Connection.AutomationAccountHook.Operation (possible values: created)
  • Automation account operation: Connection.AutomationAccount.Operation (possible values: created)
  • Bucket operation: Connection.Bucket.Operation (possible values: created, deleted, upload, download)
  • Certificate authority operation: Connection.CertificateAuthority.Operation (possible values: created, assigned)
  • Confluence page operation: Connection.ConfluencePage.Operation (possible values: public_link_created)
  • Email operation: Connection.Email.Operation (possible values: sent, received)
  • File operation: Connection.File.Operation (possible values: shared, downloaded, uploaded)
  • Jira project operation: Connection.JiraProject.Operation (possible values: deleted, modified)
  • Key vault operation: Connection.KeyVault.Operation (possible values: created, deleted, authorized)
  • Launch template operation: Connection.LaunchTemplate.Operation (possible values: create)
  • Policy operation: Connection.Policy.Operation (possible values: assigned)
  • Role operation: Connection.Role.Operation (possible values: assigned)
  • Service principal operation: Connection.ServicePrincipal.Operation (possible values: create, delete, modified)
  • Sharing link operation: Connection.SharingLink.Operation (possible values: created)
  • SSH key operation: Connection.SshKey.Operation (possible values: assigned)
  • URL operation: Connection.Url.Operation (possible values: downloaded, uploaded, delete)
  • User group operation: Connection.UserGroup.Operation (possible values: added)

Important

Each operation criterion can only be applied together with its matching name criterion (Connection.Email.Operation with Connection.Email.Subject; every other operation with the corresponding .Name field, for example Connection.Api.Operation with Connection.Api.Name) and is required when that name criterion is used without detection.

Target: registry

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: EDR
  • Relation API name: is | contains | any, unless noted below
  • Value validation rules: string, unless noted below

  • Key: Registry.Key
  • Value: Registry.Value
  • Creation process name: Registry.CreatedBy.Name
  • Creation process path: Registry.CreatedBy.Path
  • Creation process full path name: Registry.CreatedBy.FullPathName
  • Creation process command line: Registry.CreatedBy.CommandLine
  • Registry data: Registry.Data

    Important

      • This criterion must be used together with Registry.DataType.
      • For the binary, resource_list, full_resource_descriptor and resource_requirements_list registry types, the Registry.Data value must be encoded in base64.

  • Operation: Registry.Operation
    • Relation API name: is | any
    • Possible values: key_created, key_deleted, key_renamed, value_created, value_deleted, value_written
  • Registry type: Registry.DataType
    • Relation API name: is
    • Possible values: string, expandablestring, dword, qword, binary, none, link, resource_list, full_resource_descriptor, resource_requirements_list
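Registry.Data is the one criterion on this page whose encoding depends on a sibling criterion, so it is easy to submit a rule that the API rejects or that never matches. The following Python helper is an added example (not Bitdefender's code and not part of this page): it always emits Registry.DataType together with Registry.Data, base64-encodes the value for the four binary-family types, and refuses a bare string for those types. The Run-key sample rule at the end is constructed for illustration; its key path and data fragment are not taken from this page.

```python
import base64

# Registry.DataType values and, among them, the types whose Registry.Data
# must be base64-encoded (both lists copied from this page).
REGISTRY_DATA_TYPES = {
    "string", "expandablestring", "dword", "qword", "binary", "none", "link",
    "resource_list", "full_resource_descriptor", "resource_requirements_list",
}
BASE64_DATA_TYPES = {
    "binary", "resource_list", "full_resource_descriptor", "resource_requirements_list",
}


def registry_data_criteria(data_type: str, data, relation: str = "is") -> list:
    """Build the Registry.DataType / Registry.Data criterion pair.

    Binary-family types take raw bytes and are base64-encoded here; every
    other type takes the already formatted string the rule should match.
    The two criteria are returned together because Registry.Data is not
    valid without Registry.DataType in the same rule."""
    if data_type not in REGISTRY_DATA_TYPES:
        raise ValueError(f"unknown Registry.DataType {data_type!r}")
    if relation not in {"is", "contains"}:
        raise ValueError("this helper builds single-value criteria only")
    if data_type in BASE64_DATA_TYPES:
        if not isinstance(data, (bytes, bytearray)):
            raise TypeError(f"{data_type} data must be bytes; it is base64-encoded on the wire")
        value = base64.b64encode(bytes(data)).decode("ascii")
    else:
        if not isinstance(data, str):
            raise TypeError(f"{data_type} data must be a string")
        value = data
    return [
        {"field": "Registry.DataType", "relation": "is", "value": data_type},
        {"field": "Registry.Data", "relation": relation, "value": value},
    ]


def registry_data_without_type(criteria: list) -> bool:
    """True when a criteriaList uses Registry.Data without Registry.DataType."""
    fields = {c["field"] for c in criteria}
    return "Registry.Data" in fields and "Registry.DataType" not in fields


def run_key_persistence_criteria() -> list:
    """Constructed sample: a Run-key value created or rewritten with a
    PowerShell launcher (key path and data fragment are illustrative)."""
    return [
        {"field": "Registry.Key", "relation": "contains",
         "value": "\\Microsoft\\Windows\\CurrentVersion\\Run"},
        {"field": "Registry.Operation", "relation": "any",
         "value": ["value_created", "value_written"]},
        *registry_data_criteria("string", "powershell", relation="contains"),
    ]
```

For dword and qword values the page only says the criterion is a string, so format the number yourself before passing it in; the helper does not guess a numeric representation.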

Target: user connection

EDR-only fields

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: EDR
  • Relation API name: is | contains | any
  • Value validation rules: string

  • Name: UserLogin.Name
  • Domain: UserLogin.Domain

XDR-only fields available for exclusion rules only

  • Available for detection rules (type 1): No
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: XDR
  • Relation API name: is | contains | any
  • Value validation rules: string

  • Bitbucket repository name: UserLogin.BitbucketRepository.Name
  • Flow name: UserLogin.Flow.Name

XDR-only fields (resource names, users and IPs)

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • EDR or XDR support: XDR
  • Relation API name: is | contains | any
  • Value validation rules: string (IP fields: string containing a valid IP)

  • Jira project name: UserLogin.JiraProject.Name
  • Source user: UserLogin.SourceUser
  • Destination user: UserLogin.DestinationUser
  • File name: UserLogin.File.Name
  • Email subject: UserLogin.Email.Subject
  • Application name: UserLogin.Application.Name
  • Key vault name: UserLogin.KeyVault.Name
  • Role name: UserLogin.Role.Name
  • Policy name: UserLogin.Policy.Name
  • Sharing link name: UserLogin.SharingLink.Name
  • URL name: UserLogin.Url.Name
  • SSH key name: UserLogin.SshKey.Name
  • Launch template name: UserLogin.LaunchTemplate.Name
  • Service principal name: UserLogin.ServicePrincipal.Name
  • User group name: UserLogin.UserGroup.Name
  • Automation account name: UserLogin.AutomationAccount.Name
  • Automation account hook name: UserLogin.AutomationAccountHook.Name
  • API name: UserLogin.Api.Name
  • Certificate authority name: UserLogin.CertificateAuthority.Name
  • Bucket name: UserLogin.Bucket.Name
  • Confluence page name: UserLogin.ConfluencePage.Name
  • Source IP: UserLogin.SourceIP
  • Destination IP: UserLogin.DestinationIP

Important

For detection rules, each resource name or subject criterion above (all of them except UserLogin.SourceUser, UserLogin.DestinationUser, UserLogin.SourceIP and UserLogin.DestinationIP) requires its matching operation criterion or detection to be defined in the same rule: UserLogin.File.Operation for UserLogin.File.Name, UserLogin.Email.Operation for UserLogin.Email.Subject, UserLogin.Api.Operation for UserLogin.Api.Name, and so on.

XDR-only fields (resource operations)

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): No
  • EDR or XDR support: XDR
  • Relation API name: is | any

  • API operation: UserLogin.Api.Operation (possible values: modified, deleted)
  • Application operation: UserLogin.Application.Operation (possible values: created, deleted, authorized, permission_changed)
  • Automation account hook operation: UserLogin.AutomationAccountHook.Operation (possible values: created)
  • Automation account operation: UserLogin.AutomationAccount.Operation (possible values: created)
  • Bucket operation: UserLogin.Bucket.Operation (possible values: created, deleted, upload, download)
  • Certificate authority operation: UserLogin.CertificateAuthority.Operation (possible values: created, assigned)
  • Confluence page operation: UserLogin.ConfluencePage.Operation (possible values: public_link_created)
  • Email operation: UserLogin.Email.Operation (possible values: sent, received)
  • File operation: UserLogin.File.Operation (possible values: shared, downloaded, uploaded)
  • Jira project operation: UserLogin.JiraProject.Operation (possible values: deleted, modified)
  • Key vault operation: UserLogin.KeyVault.Operation (possible values: created, deleted, authorized)
  • Launch template operation: UserLogin.LaunchTemplate.Operation (possible values: create)
  • Policy operation: UserLogin.Policy.Operation (possible values: assigned)
  • Role operation: UserLogin.Role.Operation (possible values: assigned)
  • Service principal operation: UserLogin.ServicePrincipal.Operation (possible values: create, delete, modified)
  • Sharing link operation: UserLogin.SharingLink.Operation (possible values: created)
  • SSH key operation: UserLogin.SshKey.Operation (possible values: assigned)
  • URL operation: UserLogin.Url.Operation (possible values: downloaded, uploaded, delete)
  • User group operation: UserLogin.UserGroup.Operation (possible values: added)

Important

Each operation criterion can only be applied together with its matching name criterion (UserLogin.Email.Operation with UserLogin.Email.Subject; every other operation with the corresponding .Name field, for example UserLogin.Api.Operation with UserLogin.Api.Name) and is required when that name criterion is used without detection.

Target: email

Operation (available for detection rules only)

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): No
  • EDR or XDR support: Both
  • Relation API name: is | any

  • Operation: Email.Operation (possible values: sent, received)

    Important

    Any detection rule with the email target entity must use either this criterion or the detection field, but not both.

Other email fields

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • Relation API name: is | contains | any

  • Subject: Email.Subject (Both; string)
  • Sender: Email.Sender (Both; string, valid email)
  • Receiver: Email.Receivers (Both; string, valid email)
  • Attachment: Email.Attachments (Both; string)
  • Url: Email.Url (XDR; string)
  • Source IP: Email.SourceIP (XDR; string containing a valid IP)
  • Destination IP: Email.DestinationIP (XDR; string containing a valid IP)

Target: application

  • EDR or XDR support: XDR

Operation (available for detection rules only)

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): No
  • Relation API name: is | any

  • Operation: Application.Operation (possible values: created, deleted, authorized, permission_changed)

    Important

    Any detection rule with the application target entity must use either this criterion or the detection field, but not both.

Other application fields

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • Relation API name: is | contains | any
  • Value validation rules: string (IP fields: string containing a valid IP)

  • Name: Application.Name
  • Id: Application.Id
  • Application address: Application.Address
  • Source user: Application.SourceUser
  • Destination user: Application.DestinationUser
  • Source IP: Application.SourceIP
  • Destination IP: Application.DestinationIP

Target: key vault

  • EDR or XDR support: XDR

Operation (available for detection rules only)

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): No
  • Relation API name: is | any

  • Operation: KeyVault.Operation (possible values: created, deleted, authorized)

    Important

    Any detection rule with the key vault target entity must use either this criterion or the detection field, but not both.

Other key vault fields

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • Relation API name: is | contains | any
  • Value validation rules: string (IP fields: string containing a valid IP)

  • Name: KeyVault.Name
  • Source user: KeyVault.SourceUser
  • Destination user: KeyVault.DestinationUser
  • Source IP: KeyVault.SourceIP
  • Destination IP: KeyVault.DestinationIP

Target: role

  • EDR or XDR support: XDR

Operation (available for detection rules only)

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): No
  • Relation API name: is | any

  • Operation: Role.Operation (possible values: assigned)

    Important

    Any detection rule with the role target must use either this criterion or the detection field, but not both.

Other role fields

  • Available for detection rules (type 1): Yes
  • Available for exclusion rules (type 2): Yes
  • Relation API name: is | contains | any
  • Value validation rules: string (IP fields: string containing a valid IP)

  • Name: Role.Name
  • Id: Role.Id
  • Source user: Role.SourceUser
  • Destination user: Role.DestinationUser
  • Source IP: Role.SourceIP
  • Destination IP: Role.DestinationIP

Target: policy

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | Policy.Operation | XDR | is, any | Possible values: assigned |
| Yes | Yes | Name | Policy.Name | XDR | is, contains, any | string |
| Yes | Yes | Id | Policy.Id | XDR | is, contains, any | string |
| Yes | Yes | Resource policy type | Policy.ResourcePolicyType | XDR | is, contains, any | string |
| Yes | Yes | Source user | Policy.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Destination user | Policy.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | Policy.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | Policy.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the policy target must use either the Policy.Operation criterion or the detection field, but not both.

Target: sharing link

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | SharingLink.Operation | XDR | is, any | Possible values: created |
| Yes | Yes | Name | SharingLink.Name | XDR | is, contains, any | string |
| Yes | Yes | URL | SharingLink.Url | XDR | is, contains, any | string |
| Yes | Yes | Source user | SharingLink.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Destination user | SharingLink.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | SharingLink.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | SharingLink.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the sharing link target must use either the SharingLink.Operation criterion or the detection field, but not both.

Target: flow

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| No | Yes | Name | Flow.Name | XDR | is, contains, any | string |
| No | Yes | Id | Flow.Id | XDR | is, contains, any | string |
| No | Yes | URL | Flow.Url | XDR | is, contains, any | string |
| No | Yes | Source user | Flow.SourceUser | XDR | is, contains, any | string |
| No | Yes | Destination user | Flow.DestinationUser | XDR | is, contains, any | string |
| No | Yes | Source IP | Flow.SourceIP | XDR | is, contains, any | string containing a valid IP |
| No | Yes | Destination IP | Flow.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Target: url

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | Url.Operation | XDR | is, any | Possible values: downloaded, uploaded, delete |
| Yes | Yes | Name | Url.Name | XDR | is, contains, any | string |
| Yes | Yes | URL | Url.Url | XDR | is, contains, any | string |
| Yes | Yes | Source user | Url.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Destination user | Url.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | Url.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | Url.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the url target must use either the Url.Operation criterion or the detection field, but not both.

Target: ssh key

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | SshKey.Operation | XDR | is, any | Possible values: assigned |
| Yes | Yes | Name | SshKey.Name | XDR | is, contains, any | string |
| Yes | Yes | SSH public key | SshKey.PublicKey | XDR | is, contains, any | string |
| Yes | Yes | Source user | SshKey.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Destination user | SshKey.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | SshKey.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | SshKey.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the ssh key target must use either the SshKey.Operation criterion or the detection field, but not both.

Target: launch template

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | LaunchTemplate.Operation | XDR | is, any | Possible values: create |
| Yes | Yes | Name | LaunchTemplate.Name | XDR | is, contains, any | string |
| Yes | Yes | Id | LaunchTemplate.Id | XDR | is, contains, any | string |
| Yes | Yes | Source user | LaunchTemplate.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Destination user | LaunchTemplate.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | LaunchTemplate.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | LaunchTemplate.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the launch template target must use either the LaunchTemplate.Operation criterion or the detection field, but not both.

Target: service principal

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | ServicePrincipal.Operation | XDR | is, any | Possible values: create, delete, modified |
| Yes | Yes | Name | ServicePrincipal.Name | XDR | is, contains, any | string |
| Yes | Yes | Id | ServicePrincipal.Id | XDR | is, contains, any | string |
| Yes | Yes | Source user | ServicePrincipal.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Destination user | ServicePrincipal.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | ServicePrincipal.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | ServicePrincipal.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the service principal target must use either the ServicePrincipal.Operation criterion or the detection field, but not both.

Target: user group

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | UserGroup.Operation | XDR | is, any | Possible values: added |
| Yes | Yes | Name | UserGroup.Name | XDR | is, contains, any | string |
| Yes | Yes | Id | UserGroup.Id | XDR | is, contains, any | string |
| Yes | Yes | Source user | UserGroup.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Destination user | UserGroup.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | UserGroup.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | UserGroup.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the user group target must use either the UserGroup.Operation criterion or the detection field, but not both.

Target: automation account

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | AutomationAccount.Operation | XDR | is, any | Possible values: created |
| Yes | Yes | Name | AutomationAccount.Name | XDR | is, contains, any | string |
| Yes | Yes | Id | AutomationAccount.Id | XDR | is, contains, any | string |
| Yes | Yes | Source user | AutomationAccount.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Destination user | AutomationAccount.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | AutomationAccount.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | AutomationAccount.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the automation account target must use either the AutomationAccount.Operation criterion or the detection field, but not both.

Target: automation account hook

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | AutomationAccountHook.Operation | XDR | is, any | Possible values: created |
| Yes | Yes | Name | AutomationAccountHook.Name | XDR | is, contains, any | string |
| Yes | Yes | Id | AutomationAccountHook.Id | XDR | is, contains, any | string |
| Yes | Yes | Source user | AutomationAccountHook.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Destination user | AutomationAccountHook.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | AutomationAccountHook.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | AutomationAccountHook.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the automation account hook target must use either the AutomationAccountHook.Operation criterion or the detection field, but not both.

Target: api

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | Api.Operation | XDR | is, any | Possible values: modified, deleted |
| Yes | Yes | Name | Api.Name | XDR | is, contains, any | string |
| Yes | Yes | Id | Api.Id | XDR | is, contains, any | string |
| Yes | Yes | Destination user | Api.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source user | Api.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | Api.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | Api.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the api target must use either the Api.Operation criterion or the detection field, but not both.

Target: certificate authority

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | CertificateAuthority.Operation | XDR | is, any | Possible values: created, assigned |
| Yes | Yes | Name | CertificateAuthority.Name | XDR | is, contains, any | string |
| Yes | Yes | Source user | CertificateAuthority.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Destination user | CertificateAuthority.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | CertificateAuthority.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | CertificateAuthority.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the certificate authority target must use either the CertificateAuthority.Operation criterion or the detection field, but not both.

Target: bucket

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | Bucket.Operation | XDR | is, any | Possible values: created, deleted, upload, download |
| Yes | Yes | Name | Bucket.Name | XDR | is, contains, any | string |
| Yes | Yes | Source user | Bucket.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Destination user | Bucket.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | Bucket.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | Bucket.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the bucket target must use either the Bucket.Operation criterion or the detection field, but not both.

Target: bitbucket repository

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| No | Yes | Name | BitbucketRepository.Name | XDR | is, contains, any | string |
| No | Yes | Id | BitbucketRepository.Id | XDR | is, contains, any | string |
| No | Yes | Destination user | BitbucketRepository.DestinationUser | XDR | is, contains, any | string |
| No | Yes | Source user | BitbucketRepository.SourceUser | XDR | is, contains, any | string |
| No | Yes | URL | BitbucketRepository.Url | XDR | is, contains, any | string |
| No | Yes | Source IP | BitbucketRepository.SourceIP | XDR | is, contains, any | string containing a valid IP |
| No | Yes | Destination IP | BitbucketRepository.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Target: jira project

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | JiraProject.Operation | XDR | is, any | Possible values: deleted, modified |
| No | Yes | Id | JiraProject.Id | XDR | is, contains, any | string |
| Yes | Yes | Name | JiraProject.Name | XDR | is, contains, any | string |
| Yes | Yes | Domain | JiraProject.Domain | XDR | is, contains, any | string |
| Yes | Yes | Destination user | JiraProject.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source user | JiraProject.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | JiraProject.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | JiraProject.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the jira project target must use either the JiraProject.Operation criterion or the detection field, but not both.

Target: confluence page

| Detection rules (type 1) | Exclusion rules (type 2) | Field name | Field API name | EDR or XDR | Relation | Value validation rules |
|---|---|---|---|---|---|---|
| Yes | No | Operation | ConfluencePage.Operation | XDR | is, any | Possible values: public_link_created |
| No | Yes | Id | ConfluencePage.Id | XDR | is, contains, any | string |
| Yes | Yes | Name | ConfluencePage.Name | XDR | is, contains, any | string |
| Yes | Yes | URL | ConfluencePage.Url | XDR | is, contains, any | string |
| Yes | Yes | Destination user | ConfluencePage.DestinationUser | XDR | is, contains, any | string |
| Yes | Yes | Source user | ConfluencePage.SourceUser | XDR | is, contains, any | string |
| Yes | Yes | Source IP | ConfluencePage.SourceIP | XDR | is, contains, any | string containing a valid IP |
| Yes | Yes | Destination IP | ConfluencePage.DestinationIP | XDR | is, contains, any | string containing a valid IP |

Important: Any detection rule with the confluence page target must use either the ConfluencePage.Operation criterion or the detection field, but not both.
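As an added example (not Bitdefender's own code), the following Python checks a criteriaList for a type 1 detection rule against the rules stated in these tables before it is sent to createCustomRule: the relation allowed per field, the array requirement for any, the listed Operation values, the valid-IP requirement for IP fields, and the "Operation or detection, not both" rule. The criterion shape ({field, relation, value}) follows the page; the function names, the sample inputs and the decision to skip IP parsing for contains (where wildcards are allowed) are assumptions.

```python
import ipaddress

# Operation fields and their allowed values, copied from the tables above.
# Extend with the remaining <Target>.Operation fields in the same way.
OPERATION_VALUES = {
    "Email.Operation": {"sent", "received"},
    "Application.Operation": {"created", "deleted", "authorized", "permission_changed"},
    "KeyVault.Operation": {"created", "deleted", "authorized"},
    "Url.Operation": {"downloaded", "uploaded", "delete"},
    "Api.Operation": {"modified", "deleted"},
    "Bucket.Operation": {"created", "deleted", "upload", "download"},
    "ConfluencePage.Operation": {"public_link_created"},
}


def _check_one(c):
    """Return a list of problems for a single criterion object."""
    field = c.get("field", "")
    relation, value = c.get("relation"), c.get("value")
    problems = []
    if relation == "any" and not isinstance(value, list):
        return [f"{field}: relation 'any' requires an array value"]
    values = value if isinstance(value, list) else [value]
    if field in OPERATION_VALUES:
        if relation not in ("is", "any"):
            problems.append(f"{field}: relation must be 'is' or 'any'")
        bad = [v for v in values if v not in OPERATION_VALUES[field]]
        if bad:
            problems.append(f"{field}: unsupported operation value(s) {bad}")
    elif relation not in ("is", "contains", "any"):
        problems.append(f"{field}: unsupported relation {relation!r}")
    # IP fields: values for 'is' and 'any' must parse; 'contains' may carry wildcards
    if field.endswith("IP") and relation != "contains":
        for v in values:
            try:
                ipaddress.ip_address(v)
            except ValueError:
                problems.append(f"{field}: {v!r} is not a valid IP")
    return problems


def validate_detection_rule(criteria):
    """Return problems for a type 1 rule whose criteria share one target."""
    problems = [p for c in criteria for p in _check_one(c)]
    fields = {c.get("field") for c in criteria}
    has_operation = any(f in OPERATION_VALUES for f in fields)
    # Page rule: use either the target's Operation criterion or 'detection', never both
    if has_operation == ("detection" in fields):
        problems.append("rule must use either the Operation criterion or 'detection', not both")
    return problems
```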