Detection and exclusion criteria

This page provides detailed information about all the field values that can be used in criteriaList objects when creating or updating a custom rule. The fields are organized by target and include the supported relation values and the validation rules applicable to each corresponding value.

Important

Rules that include only EDR-only fields and values, along with fields and values supported by both EDR and XDR, are processed exclusively by EDR.
Rules that include only XDR-only fields and values, along with fields and values supported by both EDR and XDR, are processed exclusively by XDR.
Rules that include only fields and values supported by both EDR and XDR are processed by both XDR and EDR.
EDR-only fields or values cannot be combined with XDR-only fields or values within the same rule.
Only one XDR resource can be defined as a criterion in a detection rule with the connection or user connection target.
For any criterion object where relation is set to contains, the value property supports the use of wildcards. An exception applies to criteria where field has one of the following values:
- Process.MD5
- Process.SHA2
- File.MD5
- File.SHA2
For any criterion object where relation is set to any, the value property must be an array. The array elements must follow the type specified in the Value validation rules column, or be strings selected from the allowed values listed in that column.

Note

For information about the createCustomRule and updateCustomRule methods, refer to createCustomRule and updateCustomRule.

Available for detection rules (with `type` `1`)	Available for exclusion rules (with `type` `2`)	Field name in GravityZone Control Center	Target	Field API name	EDR or XDR support	Relation API name	Value validation rules
Yes	Yes	Alert name	All target entities	detection Important For any XDR detection rule, you must use either this criterion or an operation criterion, but not both.	Both	is	string
Yes	Yes	Name	process	Process.Name	EDR	is \|contains\| any	string
		Path		Process.Path
		Full path name		Process.FullPathName
		Command line		Process.CommandLine
		Parent name		Process.Parent.Name
		Parent path		Process.Parent.Path
		Parent full path name		Process.Parent.FullPathName
		Parent command line		Process.Parent.CommandLine
		User		Process.User
		MD5		Process.MD5
		SHA256		Process.SHA2
Yes	Yes	Name	file	File.Name	Both	is \|contains\| any	string
		Path		File.Path
		Full path name		File.FullPathName
Yes	Yes	Operation	file	File.Operation Important For any XDR detection rule that uses the `file` target, you must include either this criterion or a `detection` condition, but not both or neither.	EDR for exclusion rules Both for detection rules	is \| any	Possible EDR-only values: `rename` `copy` `create` Possible XDR-only values: `shared` `downloaded` `uploaded` Possible values for both EDR and XDR: `read` `write` `move`
Yes	Yes	Creation process name	file	File.CreatedBy.Name	EDR	is \|contains\| any	string
		Creation process path name		File.CreatedBy.Path
		Creation process full path name		File.CreatedBy.FullPathName
		Creation process command line		File.CreatedBy.CommandLine
		Creation process user		File.CreatedBy.User
		Certificate signer		File.CertificateSigner Important Requires either `File.Name` or `File.FullPathName` to be defined in the same rule. This criterion is incompatible with the `is_unsigned` value of the `File.CertificateSignedStatus` field.
		Certificate issuer		File.CertificateIssuer Important Requires either `File.Name` or `File.FullPathName` to be defined in the same rule. This criterion is incompatible with the `is_unsigned` value of the `File.CertificateSignedStatus` field.
		Certificate signed status		File.CertificateSignedStatus Important Requires either `File.Name` or `File.FullPathName` to be defined in the same rule.		is	Possible values: `is_signed` `is_unsigned` Important The `is_unsigned` value is incompatible with `File.CertificateIssuer` or `File.CertificateSigner` in the same rule.
Yes	Yes	MD5	file	File.MD5	XDR	is \| contains \| any	string
		SHA256		File.SHA2
		URL		File.Url
		Source IP		File.SourceIP		is \|contains\| any	string containing a valid IP
		Destination IP		File.DestinationIP		is \|contains\| any	string containing a valid IP
Yes	Yes	Source IP	connection	Connection.SourceIP	Both	is \|contains\| any	string containing a valid IP
Yes	Yes	Destination IP	connection	Connection.DestinationIP	Both	is \|contains\| any	string containing a valid IP
Yes	Yes	Source port	connection	Connection.SourcePort	EDR	is \|contains\| any	integer between 0 and 65,535
		Destination port		Connection.DestinationPort		is \|contains\| any	integer between 0 and 65,535
		Creation process name		Connection.Process.Name		is \| contains \| any	string
		Creation process path		Connection.Process.Path
		Creation process full path name		Connection.Process.FullPathName
		Creation process command line		Connection.Process.CommandLine
		Creation process user		Connection.Process.User
		URL		Connection.URL Important Incompatible with the following fields in the same rule: `Connection.SMBDomain` `Connection.SMBSharePath` `Connection.SMBUser` `Connection.TelnetUser` `Connection.FileRemotePath` `Connection.FileRemoteOperation` `Connection.FTPUser` `Connection.SSHUser` `Connection.WMIExecQuery` If this criterion is used, the `Connection.Protocol` criterion can have only the value `http/https`.
		HTTP user		Connection.HTTPUser Important If this criterion is used, the `Connection.Protocol` criterion can have only the value `http/https`. Incompatible with the following fields in the same rule: `Connection.SMBDomain` `Connection.SMBSharePath` `Connection.SMBUser` `Connection.SSHUser` `Connection.TelnetUser` `Connection.WMIExecQuery` `Connection.FileRemotePath` `Connection.FileRemoteOperation` `Connection.FTPUser`
		HTTP downloaded file		Connection.HTTPDownloadedFile Important If this criterion is used, the `Connection.Protocol` criterion can have only the value `http/https`. Incompatible with the following fields in the same rule: `Connection.SMBDomain` `Connection.SMBSharePath` `Connection.SMBUser` `Connection.SSHUser` `Connection.TelnetUser` `Connection.WMIExecQuery` `Connection.FileRemotePath` `Connection.FileRemoteOperation` `Connection.FTPUser`
		HTTP uploaded file		Connection.HTTPUploadedFile Important If this criterion is used, the `Connection.Protocol` criterion can have only the value `http/https`. Incompatible with the following fields in the same rule: `Connection.SMBDomain` `Connection.SMBSharePath` `Connection.SMBUser` `Connection.SSHUser` `Connection.TelnetUser` `Connection.WMIExecQuery` `Connection.FileRemotePath` `Connection.FileRemoteOperation` `Connection.FTPUser`
		FTP user		Connection.FTPUser Important Incompatible with the following fields in the same rule: `Connection.Domain` `Connection.HTTPUser` `Connection.HTTPDownloadedFile` `Connection.HTTPUploadedFile` `Connection.SMBDomain` `Connection.SMBSharePath` `Connection.SMBUser` `Connection.SSHUser` `Connection.TelnetUser` `Connection.WMIExecQuery` `Connection.URL` `Connection.FileRemotePath` `Connection.FileRemoteOperation`
		SMB domain		Connection.SMBDomain Important If this criterion is used, the `Connection.Protocol` criterion can have only the value `smb`. Incompatible with the following fields in the same rule: `Connection.FileRemotePath` `Connection.FileRemoteOperation` `Connection.FTPUser` `Connection.SSHUser` `Connection.TelnetUser` `Connection.WMIExecQuery` `Connection.HTTPDownloadedFile` `Connection.HTTPUploadedFile` `Connection.HTTPUser` `Connection.URL`
		SMB share path		Connection.SMBSharePath Important If this criterion is used, the `Connection.Protocol` criterion can have only the value `smb`. Incompatible with the following fields in the same rule: `Connection.FileRemotePath` `Connection.FileRemoteOperation` `Connection.FTPUser` `Connection.SSHUser` `Connection.TelnetUser` `Connection.WMIExecQuery` `Connection.HTTPDownloadedFile` `Connection.HTTPUploadedFile` `Connection.HTTPUser` `Connection.URL`
		SMB user		Connection.SMBUser Important If this criterion is used, the `Connection.Protocol` criterion can have only the value `smb`. Incompatible with the following fields in the same rule: `Connection.FileRemotePath` `Connection.FileRemoteOperation` `Connection.FTPUser` `Connection.SSHUser` `Connection.TelnetUser` `Connection.WMIExecQuery` `Connection.HTTPDownloadedFile` `Connection.HTTPUploadedFile` `Connection.HTTPUser` `Connection.URL`
		SSH user		Connection.SSHUser Important Incompatible with the following fields in the same rule: `Connection.Domain` `Connection.HTTPUser` `Connection.HTTPDownloadedFile` `Connection.HTTPUploadedFile` `Connection.SMBDomain` `Connection.SMBSharePath` `Connection.SMBUser` `Connection.TelnetUser` `Connection.WMIExecQuery` `Connection.URL` `Connection.FileRemotePath` `Connection.FileRemoteOperation` `Connection.FTPUser`
		WMI exec query		Connection.WMIExecQuery Important Incompatible with the following fields in the same rule: `Connection.Domain` `Connection.HTTPUser` `Connection.HTTPDownloadedFile` `Connection.HTTPUploadedFile` `Connection.SMBDomain` `Connection.SMBSharePath` `Connection.SMBUser` `Connection.TelnetUser` `Connection.URL` `Connection.FileRemotePath` `Connection.FileRemoteOperation` `Connection.FTPUser` `Connection.SSHUser`
		Telnet user		Connection.TelnetUser Important Incompatible with the following fields in the same rule: `Connection.Domain` `Connection.HTTPUser` `Connection.HTTPDownloadedFile` `Connection.HTTPUploadedFile` `Connection.SMBDomain` `Connection.SMBSharePath` `Connection.SMBUser` `Connection.URL` `Connection.FileRemotePath` `Connection.FileRemoteOperation` `Connection.FTPUser` `Connection.SSHUser` `Connection.WMIExecQuery`
		File remote path		Connection.FileRemotePath Important Incompatible with the following fields in the same rule: `Connection.Domain` `Connection.FTPUser` `Connection.HTTPUser` `Connection.HTTPDownloadedFile` `Connection.HTTPUploadedFile` `Connection.SMBDomain` `Connection.SMBSharePath` `Connection.SMBUser` `Connection.SSHUser` `Connection.TelnetUser` `Connection.WMIExecQuery` `Connection.URL`
		Domain		Connection.Domain Important Requires `Connection.Protocol` to be defined in the same rule. Incompatible with the following fields in the same rule: `Connection.FileRemotePath` `Connection.FileRemoteOperation` `Connection.FTPUser` `Connection.SSHUser` `Connection.TelnetUser` `Connection.WMIExecQuery`
		File remote operation		Connection.FileRemoteOperation Important Incompatible with the following fields in the same rule: `Connection.Domain` `Connection.FTPUser` `Connection.HTTPUser` `Connection.HTTPDownloadedFile` `Connection.HTTPUploadedFile` `Connection.SMBDomain` `Connection.SMBSharePath` `Connection.SMBUser` `Connection.SSHUser` `Connection.TelnetUser` `Connection.WMIExecQuery` `Connection.URL`		is \| any	Possible values: `create` `rem_delete` `read` `write` `move`
		Protocol		Connection.Protocol Important This criterion can only be used together with `Connection.Domain` in the same rule.		is	Possible values: `http/https` Important This value is not supported when the `Connection.SMBDomain`, `Connection.SMBSharePath`, or `Connection.SMBUser` fields are included in the same rule. `smb` Important This value is not supported when the `Connection.URL`, `Connection.HTTPUser`, `Connection.HTTPDownloadedFile`, or `Connection.HTTPUploadedFile` fields are included in the same rule.
No	Yes	Flow name	connection	Connection.Flow.Name	XDR	is \| contains \| any	string
No	Yes	Bitbucket repository name	connection	Connection.BitbucketRepository.Name	XDR	is \| contains \| any	string
Yes	Yes	File name	connection	Connection.File.Name Important For detection rules, requires `Connection.File.Operation` or `detection` to be defined in the same rule.	XDR	is \| contains \| any	string
		Email subject		Connection.Email.Subject Important For detection rules, requires `Connection.Email.Operation` or `detection` to be defined in the same rule.
		Application name		Connection.Application.Name Important For detection rules, requires `Connection.Application.Operation` or `detection` to be defined in the same rule.
		Key vault name		Connection.KeyVault.Name Important For detection rules, requires `Connection.KeyVault.Operation` or `detection` to be defined in the same rule.
		Role name		Connection.Role.Name Important For detection rules, requires `Connection.Role.Operation` or `detection` to be defined in the same rule.
		Policy name		Connection.Policy.Name Important For detection rules, requires `Connection.Policy.Operation` or `detection` to be defined in the same rule.
		Sharing link name		Connection.SharingLink.Name Important For detection rules, requires `Connection.SharingLink.Operation` or `detection` to be defined in the same rule.
		URL name		Connection.Url.Name Important For detection rules, requires `Connection.Url.Operation` or `detection` to be defined in the same rule.
		SSH key name		Connection.SshKey.Name Important For detection rules, requires `Connection.SshKey.Operation` or `detection` to be defined in the same rule.
		Launch template name		Connection.LaunchTemplate.Name Important For detection rules, requires `Connection.LaunchTemplate.Operation` or `detection` to be defined in the same rule.
		Service principal name		Connection.ServicePrincipal.Name Important For detection rules, requires `Connection.ServicePrincipal.Operation` or `detection` to be defined in the same rule.
		User group name		Connection.UserGroup.Name Important For detection rules, requires `Connection.UserGroup.Operation` or `detection` to be defined in the same rule.
		Automation account name		Connection.AutomationAccount.Name Important For detection rules, requires `Connection.AutomationAccount.Operation` or `detection` to be defined in the same rule.
		Automation account hook name		Connection.AutomationAccountHook.Name Important For detection rules, requires `Connection.AutomationAccountHook.Operation` or `detection` to be defined in the same rule.
		API name		Connection.Api.Name Important For detection rules, requires `Connection.Api.Operation` or `detection` to be defined in the same rule.
		Certificate authority name		Connection.CertificateAuthority.Name Important For detection rules, requires `Connection.CertificateAuthority.Operation` or `detection` to be defined in the same rule.
		Bucket name		Connection.Bucket.Name Important For detection rules, requires `Connection.Bucket.Operation` or `detection` to be defined in the same rule.
		Source user		Connection.SourceUser
		Destination user		Connection.DestinationUser
		Confluence page name		Connection.ConfluencePage.Name Important For detection rules, requires `Connection.ConfluencePage.Operation` or `detection` to be defined in the same rule.
		Jira project name		Connection.JiraProject.Name Important For detection rules, requires `Connection.JiraProject.Operation` or `detection` to be defined in the same rule.
Yes	No	API operation	connection	Connection.Api.Operation Important This criterion can only be applied together with `Connection.Api.Name` and is required when `Connection.Api.Name` is used without `detection`.	XDR	is \| any	Possible values: `modified` `deleted`
		Application operation		Connection.Application.Operation Important This criterion can only be applied together with `Connection.Application.Name` and is required when `Connection.Application.Name` is used without `detection`.			Possible values: `created` `deleted` `authorized` `permission_changed`
		Automation account hook operation		Connection.AutomationAccountHook.Operation Important This criterion can only be applied together with `Connection.AutomationAccountHook.Name` and is required when `Connection.AutomationAccountHook.Name` is used without `detection`.			Possible values: `created`.
		Automation account operation		Connection.AutomationAccount.Operation Important This criterion can only be applied together with `Connection.AutomationAccount.Name` and is required when `Connection.AutomationAccount.Name` is used without `detection`.			Possible values: `created`.
		Bucket operation		Connection.Bucket.Operation Important This criterion can only be applied together with `Connection.Bucket.Name` and is required when `Connection.Bucket.Name` is used without `detection`.			Possible values: `created` `deleted` `upload` `download`
		Certificate authority operation		Connection.CertificateAuthority.Operation Important This criterion can only be applied together with `Connection.CertificateAuthority.Name` and is required when `Connection.CertificateAuthority.Name` is used without `detection`.			Possible values: `created` `assigned`
		Confluence page operation		Connection.ConfluencePage.Operation Important This criterion can only be applied together with `Connection.ConfluencePage.Name` and is required when `Connection.ConfluencePage.Name` is used without `detection`.			Possible values: `public_link_created`.
		Email operation		Connection.Email.Operation Important This criterion can only be applied together with `Connection.Email.Subject` and is required when `Connection.Email.Subject` is used without `detection`.			Possible values: `sent` `received`
		File operation		Connection.File.Operation Important This criterion can only be applied together with `Connection.File.Name` and is required when `Connection.File.Name` is used without `detection`.			Possible values: `shared` `downloaded` `uploaded`
		Jira project operation		Connection.JiraProject.Operation Important This criterion can only be applied together with `Connection.JiraProject.Name` and is required when `Connection.JiraProject.Name` is used without `detection`.			Possible values: `deleted` `modified`
		Key vault operation		Connection.KeyVault.Operation Important This criterion can only be applied together with `Connection.KeyVault.Name` and is required when `Connection.KeyVault.Name` is used without `detection`.			Possible values: `created` `deleted` `authorized`
		Launch template operation		Connection.LaunchTemplate.Operation Important This criterion can only be applied together with `Connection.LaunchTemplate.Name` and is required when `Connection.LaunchTemplate.Name` is used without `detection`.			Possible values: `create`.
		Policy operation		Connection.Policy.Operation Important This criterion can only be applied together with `Connection.Policy.Name` and is required when `Connection.Policy.Name` is used without `detection`.			Possible values: `assigned`.
		Role operation		Connection.Role.Operation Important This criterion can only be applied together with `Connection.Role.Name` and is required when `Connection.Role.Name` is used without `detection`.			Possible values: `assigned`.
		Service principal operation		Connection.ServicePrincipal.Operation Important This criterion can only be applied together with `Connection.ServicePrincipal.Name` and is required when `Connection.ServicePrincipal.Name` is used without `detection`.			Possible values: `create` `delete` `modified`
		Sharing link operation		Connection.SharingLink.Operation Important This criterion can only be applied together with `Connection.SharingLink.Name` and is required when `Connection.SharingLink.Name` is used without `detection`.			Possible values: `created`.
		SSH key operation		Connection.SshKey.Operation Important This criterion can only be applied together with `Connection.SshKey.Name` and is required when `Connection.SshKey.Name` is used without `detection`.			Possible values: `assigned`.
		URL operation		Connection.Url.Operation Important This criterion can only be applied together with `Connection.Url.Name` and is required when `Connection.Url.Name` is used without `detection`.			Possible values: `downloaded` `uploaded` `delete`
		User group operation		Connection.UserGroup.Operation Important This criterion can only be applied together with `Connection.UserGroup.Name` and is required when `Connection.UserGroup.Name` is used without `detection`.			Possible values: `added`.
Yes	Yes	Key	registry	Registry.Key	EDR	is \| contains \| any	string
		Value		Registry.Value
		Creation process name		Registry.CreatedBy.Name
		Creation process path		Registry.CreatedBy.Path
		Creation process full path name		Registry.CreatedBy.FullPathName
		Creation process command line		Registry.CreatedBy.CommandLine
		Registry data		Registry.Data Important This criterion must be used together with `Registry.DataType`.			string Important For the `binary`, `resource_list`, `full_resource_descriptor`, and `resource_requirements_list` registry types, the `Registry.Data` value must be encoded in base64.
		Operation		Registry.Operation		is \| any	Possible values: `key_created` `key_deleted` `key_renamed` `value_created` `value_deleted` `value_written`
		Registry type		Registry.DataType		is	Possible values: `string` `expandablestring` `dword` `qword` `binary` `none` `link` `resource_list` `full_resource_descriptor` `resource_requirements_list`
Yes	Yes	Name	user connection	UserLogin.Name	EDR	is \| contains \| any	string
Yes	Yes	Domain	user connection	UserLogin.Domain	EDR	is \| contains \| any	string
No	Yes	Bitbucket repository name	user connection	UserLogin.BitbucketRepository.Name	XDR	is \| contains \| any	string
No	Yes	Flow name	user connection	UserLogin.Flow.Name	XDR	is \| contains \| any	string
Yes	Yes	Jira project name	user connection	UserLogin.JiraProject.Name Important For detection rules, requires `UserLogin.JiraProject.Operation` or `detection` to be defined in the same rule.	XDR	is \| contains \| any	string
		Source user		UserLogin.SourceUser
		Destination user		UserLogin.DestinationUser
		File name		UserLogin.File.Name Important For detection rules, requires `UserLogin.File.Operation` or `detection` to be defined in the same rule.
		Email subject		UserLogin.Email.Subject Important For detection rules, requires `UserLogin.Email.Operation` or `detection` to be defined in the same rule.
		Application name		UserLogin.Application.Name Important For detection rules, requires `UserLogin.Application.Operation` or `detection` to be defined in the same rule.
		Key vault name		UserLogin.KeyVault.Name Important For detection rules, requires `UserLogin.KeyVault.Operation` or `detection` to be defined in the same rule.
		Role name		UserLogin.Role.Name Important For detection rules, requires `UserLogin.Role.Operation` or `detection` to be defined in the same rule.
		Policy name		UserLogin.Policy.Name Important For detection rules, requires `UserLogin.Policy.Operation` or `detection` to be defined in the same rule.
		Sharing link name		UserLogin.SharingLink.Name Important For detection rules, requires `UserLogin.SharingLink.Operation` or `detection` to be defined in the same rule.
		URL name		UserLogin.Url.Name Important For detection rules, requires `UserLogin.Url.Operation` or `detection` to be defined in the same rule.
		SSH key name		UserLogin.SshKey.Name Important For detection rules, requires `UserLogin.SshKey.Operation` or `detection` to be defined in the same rule.
		Launch template name		UserLogin.LaunchTemplate.Name Important For detection rules, requires `UserLogin.LaunchTemplate.Operation` or `detection` to be defined in the same rule.
		Service principal name		UserLogin.ServicePrincipal.Name Important For detection rules, requires `UserLogin.ServicePrincipal.Operation` or `detection` to be defined in the same rule.
		User group name		UserLogin.UserGroup.Name Important For detection rules, requires `UserLogin.UserGroup.Operation` or `detection` to be defined in the same rule.
		Automation account name		UserLogin.AutomationAccount.Name Important For detection rules, requires `UserLogin.AutomationAccount.Operation` or `detection` to be defined in the same rule.
		Automation account hook name		UserLogin.AutomationAccountHook.Name Important For detection rules, requires `UserLogin.AutomationAccountHook.Operation` or `detection` to be defined in the same rule.
		Api name		UserLogin.Api.Name Important For detection rules, requires `UserLogin.Api.Operation` or `detection` to be defined in the same rule.
		Certificate authority name		UserLogin.CertificateAuthority.Name Important For detection rules, requires `UserLogin.CertificateAuthority.Operation` or `detection` to be defined in the same rule.
		Bucket name		UserLogin.Bucket.Name Important For detection rules, requires `UserLogin.Bucket.Operation` or `detection` to be defined in the same rule.
		Confluence page name		UserLogin.ConfluencePage.Name Important For detection rules, requires `UserLogin.ConfluencePage.Operation` or `detection` to be defined in the same rule.
		Source IP		UserLogin.SourceIP			string containing a valid IP
		Destination IP		UserLogin.DestinationIP			string containing a valid IP
Yes	No	API operation	user connection	UserLogin.Api.Operation Important This criterion can only be applied together with `UserLogin.Api.Name` and is required when `UserLogin.Api.Name` is used without `detection`.	XDR	is \| any	Possible values: `modified` `deleted`
		Application operation		UserLogin.Application.Operation Important This criterion can only be applied together with `UserLogin.Application.Name` and is required when `UserLogin.Application.Name` is used without `detection`.			Possible values: `created` `deleted` `authorized` `permission_changed`
		Automation account hook operation		UserLogin.AutomationAccountHook.Operation Important This criterion can only be applied together with `UserLogin.AutomationAccountHook.Name` and is required when `UserLogin.AutomationAccountHook.Name` is used without `detection`.			Possible values: `created`.
		Automation account operation		UserLogin.AutomationAccount.Operation Important This criterion can only be applied together with `UserLogin.AutomationAccount.Name` and is required when `UserLogin.AutomationAccount.Name` is used without `detection`.			Possible values: `created`.
		Bucket operation		UserLogin.Bucket.Operation Important This criterion can only be applied together with `UserLogin.Bucket.Name` and is required when `UserLogin.Bucket.Name` is used without `detection`.			Possible values: `created` `deleted` `upload` `download`
		Certificate authority operation		UserLogin.CertificateAuthority.Operation Important This criterion can only be applied together with `UserLogin.CertificateAuthority.Name` and is required when `UserLogin.CertificateAuthority.Name` is used without `detection`.			Possible values: `created` `assigned`
		Confluence page operation		UserLogin.ConfluencePage.Operation Important This criterion can only be applied together with `UserLogin.ConfluencePage.Name` and is required when `UserLogin.ConfluencePage.Name` is used without `detection`.			Possible values: `public_link_created`.
		Email operation		UserLogin.Email.Operation Important This criterion can only be applied together with `UserLogin.Email.Subject` and is required when `UserLogin.Email.Subject` is used without `detection`.			Possible values: `sent` `received`
		File operation		UserLogin.File.Operation Important This criterion can only be applied together with `UserLogin.File.Name` and is required when `UserLogin.File.Name` is used without `detection`.			Possible values: `shared` `downloaded` `uploaded`
		Jira project operation		UserLogin.JiraProject.Operation Important This criterion can only be applied together with `UserLogin.JiraProject.Name` and is required when `UserLogin.JiraProject.Name` is used without `detection`.			Possible values: `deleted` `modified`
		Key vault operation		UserLogin.KeyVault.Operation Important This criterion can only be applied together with `UserLogin.KeyVault.Name` and is required when `UserLogin.KeyVault.Name` is used without `detection`.			Possible values: `created` `deleted` `authorized`
		Launch template operation		UserLogin.LaunchTemplate.Operation Important This criterion can only be applied together with `UserLogin.LaunchTemplate.Name` and is required when `UserLogin.LaunchTemplate.Name` is used without `detection`.			Possible values: `create`.
		Policy operation		UserLogin.Policy.Operation Important This criterion can only be applied together with `UserLogin.Policy.Name` and is required when `UserLogin.Policy.Name` is used without `detection`.			Possible values: `assigned`.
		Role operation		UserLogin.Role.Operation Important This criterion can only be applied together with `UserLogin.Role.Name` and is required when `UserLogin.Role.Name` is used without `detection`.			Possible values: `assigned`.
		Service principal operation		UserLogin.ServicePrincipal.Operation Important This criterion can only be applied together with `UserLogin.ServicePrincipal.Name` and is required when `UserLogin.ServicePrincipal.Name` is used without `detection`.			Possible values: `create` `delete` `modified`
		Sharing link operation		UserLogin.SharingLink.Operation Important This criterion can only be applied together with `UserLogin.SharingLink.Name` and is required when `UserLogin.SharingLink.Name` is used without `detection`.			Possible values: `created`.
		SSH key operation		UserLogin.SshKey.Operation Important This criterion can only be applied together with `UserLogin.SshKey.Name` and is required when `UserLogin.SshKey.Name` is used without `detection`.			Possible values: `assigned`.
		URL operation		UserLogin.Url.Operation Important This criterion can only be applied together with `UserLogin.Url.Name` and is required when `UserLogin.Url.Name` is used without `detection`.			Possible values: `downloaded` `uploaded` `delete`
		User group operation		UserLogin.UserGroup.Operation Important This criterion can only be applied together with `UserLogin.UserGroup.Name` and is required when `UserLogin.UserGroup.Name` is used without `detection`.			Possible values: `added`.
Yes	No	Operation	email	Email.Operation Important Any detection rule with the `email` target entity must use either this criterion or the `detection` field, but not both.	Both	is \| any	Possible values: `sent` `received`
Yes	Yes	Subject		Email.Subject		is \| contains \| any	string
		Sender		Email.Sender			string, valid email
		Receiver		Email.Receivers			string, valid email
		Attachment		Email.Attachments			string
		Url		Email.Url	XDR		string
		Source IP		Email.SourceIP		is \| contains \| any	string containing a valid IP
		Destination IP		Email.DestinationIP		is \| contains \| any	string containing a valid IP
Yes	No	Operation	application	Application.Operation Important Any detection rule with the `application` target entity must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `created` `deleted` `authorized` `permission_changed`
Yes	Yes	Name		Application.Name		is \| contains \| any	string
		Id		Application.Id
		Application address		Application.Address
		Source user		Application.SourceUser
		Destination user		Application.DestinationUser
		Source IP		Application.SourceIP			string containing a valid IP
		Destination IP		Application.DestinationIP			string containing a valid IP
Yes	No	Operation	key vault	KeyVault.Operation Important Any detection rule with the `key vault` target entity must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `created` `deleted` `authorized`
Yes	Yes	Name		KeyVault.Name		is \| contains \| any	string
		Source user		KeyVault.SourceUser
		Destination user		KeyVault.DestinationUser
		Source IP		KeyVault.SourceIP			string containing a valid IP
		Destination IP		KeyVault.DestinationIP			string containing a valid IP
Yes	No	Operation	role	Role.Operation Important Any detection rule with the `role` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `assigned`.
Yes	Yes	Name		Role.Name		is \| contains \| any	string
		Id		Role.Id
		Source user		Role.SourceUser
		Destination user		Role.DestinationUser
		Source IP		Role.SourceIP			string containing a valid IP
		Destination IP		Role.DestinationIP			string containing a valid IP
Yes	No	Operation	policy	Policy.Operation Important Any detection rule with the `policy` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `assigned`.
Yes	Yes	Name		Policy.Name		is \| contains \| any	string
		Id		Policy.Id
		Resource policy type		Policy.ResourcePolicyType
		Source user		Policy.SourceUser
		Destination user		Policy.DestinationUser
		Source IP		Policy.SourceIP			string containing a valid IP
		Destination IP		Policy.DestinationIP			string containing a valid IP
Yes	No	Operation	sharing link	SharingLink.Operation Important Any detection rule with the `sharing link` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `created`.
Yes	Yes	Name		SharingLink.Name		is \| contains \| any	string
		URL		SharingLink.Url
		Source user		SharingLink.SourceUser
		Destination user		SharingLink.DestinationUser
		Source IP		SharingLink.SourceIP			string containing a valid IP
		Destination IP		SharingLink.DestinationIP			string containing a valid IP
No	Yes	Name	flow	Flow.Name	XDR	is \| contains \| any	string
		Id		Flow.Id
		URL		Flow.Url
		Source user		Flow.SourceUser
		Destination user		Flow.DestinationUser
		Source IP		Flow.SourceIP			string containing a valid IP
		Destination IP		Flow.DestinationIP			string containing a valid IP
Yes	No	Operation	url	Url.Operation Important Any detection rule with the `url` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `downloaded` `uploaded` `delete`
Yes	Yes	Name		Url.Name		is \| contains \| any	string
		URL		Url.Url
		Source user		Url.SourceUser
		Destination user		Url.DestinationUser
		Source IP		Url.SourceIP			string containing a valid IP
		Destination IP		Url.DestinationIP			string containing a valid IP
Yes	No	Operation	ssh key	SshKey.Operation Important Any detection rule with the `ssh key` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `assigned`.
Yes	Yes	Name		SshKey.Name		is \| contains \| any	string
		SSH public key		SshKey.PublicKey
		Source user		SshKey.SourceUser
		Destination user		SshKey.DestinationUser
		Source IP		SshKey.SourceIP			string containing a valid IP
		Destination IP		SshKey.DestinationIP			string containing a valid IP
Yes	No	Operation	launch template	LaunchTemplate.Operation Important Any detection rule with the `launch template` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `create`.
Yes	Yes	Name		LaunchTemplate.Name		is \| contains \| any	string
		Id		LaunchTemplate.Id
		Source user		LaunchTemplate.SourceUser
		Destination user		LaunchTemplate.DestinationUser
		Source IP		LaunchTemplate.SourceIP			string containing a valid IP
		Destination IP		LaunchTemplate.DestinationIP			string containing a valid IP
Yes	No	Operation	service principal	ServicePrincipal.Operation Important Any detection rule with the `service principal` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `create` `delete` `modified`
Yes	Yes	Name		ServicePrincipal.Name		is \| contains \| any	string
		Id		ServicePrincipal.Id
		Source user		ServicePrincipal.SourceUser
		Destination user		ServicePrincipal.DestinationUser
		Source IP		ServicePrincipal.SourceIP			string containing a valid IP
		Destination IP		ServicePrincipal.DestinationIP			string containing a valid IP
Yes	No	Operation	user group	UserGroup.Operation Important Any detection rule with the `user group` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `added`.
Yes	Yes	Name		UserGroup.Name		is \| contains \| any	string
		Id		UserGroup.Id
		Source user		UserGroup.SourceUser
		Destination user		UserGroup.DestinationUser
		Source IP		UserGroup.SourceIP			string containing a valid IP
		Destination IP		UserGroup.DestinationIP			string containing a valid IP
Yes	No	Operation	automation account	AutomationAccount.Operation Important Any detection rule with the `automation account` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `created`.
Yes	Yes	Name		AutomationAccount.Name		is \| contains \| any	string
		Id		AutomationAccount.Id
		Source user		AutomationAccount.SourceUser
		Destination user		AutomationAccount.DestinationUser
		Source IP		AutomationAccount.SourceIP			string containing a valid IP
		Destination IP		AutomationAccount.DestinationIP			string containing a valid IP
Yes	No	Operation	automation account hook	AutomationAccountHook.Operation Important Any detection rule with the `automation account hook` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `created`.
Yes	Yes	Name		AutomationAccountHook.Name		is \| contains \| any	string
		Id		AutomationAccountHook.Id
		Source user		AutomationAccountHook.SourceUser
		Destination user		AutomationAccountHook.DestinationUser
		Source IP		AutomationAccountHook.SourceIP			string containing a valid IP
		Destination IP		AutomationAccountHook.DestinationIP			string containing a valid IP
Yes	No	Operation	api	Api.Operation Important Any detection rule with the `api` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `modified` `deleted`
Yes	Yes	Name		Api.Name		is \| contains \| any	string
		Id		Api.Id
		Destination user		Api.DestinationUser
		Source user		Api.SourceUser
		Source IP		Api.SourceIP			string containing a valid IP
		Destination IP		Api.DestinationIP			string containing a valid IP
Yes	No	Operation	certificate authority	CertificateAuthority.Operation Important Any detection rule with the `certificate authority` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `created` `assigned`
Yes	Yes	Name		CertificateAuthority.Name		is \| contains \| any	string
		Source user		CertificateAuthority.SourceUser
		Destination user		CertificateAuthority.DestinationUser
		Source IP		CertificateAuthority.SourceIP			string containing a valid IP
		Destination IP		CertificateAuthority.DestinationIP			string containing a valid IP
Yes	No	Operation	bucket	Bucket.Operation Important Any detection rule with the `bucket` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `created` `deleted` `upload` `download`
Yes	Yes	Name		Bucket.Name		is \| contains \| any	string
		Source user		Bucket.SourceUser
		Destination user		Bucket.DestinationUser
		Source IP		Bucket.SourceIP			string containing a valid IP
		Destination IP		Bucket.DestinationIP			string containing a valid IP
No	Yes	Name	bitbucket repository	BitbucketRepository.Name	XDR	is \| contains \| any	string
		Id		BitbucketRepository.Id
		Destination user		BitbucketRepository.DestinationUser
		Source user		BitbucketRepository.SourceUser
		URL		BitbucketRepository.Url
		Source IP		BitbucketRepository.SourceIP			string containing a valid IP
		Destination IP		BitbucketRepository.DestinationIP			string containing a valid IP
Yes	No	Operation	jira project	JiraProject.Operation Important Any detection rule with the `jira project` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `deleted` `modified`
No	Yes	Id		JiraProject.Id		is \| contains \| any	string
Yes	Yes	Name		JiraProject.Name
		Domain		JiraProject.Domain
		Destination user		JiraProject.DestinationUser
		Source user		JiraProject.SourceUser
		Source IP		JiraProject.SourceIP			string containing a valid IP
		Destination IP		JiraProject.DestinationIP			string containing a valid IP
Yes	No	Operation	confluence page	ConfluencePage.Operation Important Any detection rule with the `confluence page` target must use either this criterion or the `detection` field, but not both.	XDR	is \| any	Possible values: `public_link_created`.
No	Yes	Id		ConfluencePage.Id		is \| contains \| any	string
Yes	Yes	Name		ConfluencePage.Name
		URL		ConfluencePage.Url
		Destination user		ConfluencePage.DestinationUser
		Source user		ConfluencePage.SourceUser
		Source IP		ConfluencePage.SourceIP			string containing a valid IP
		Destination IP		ConfluencePage.DestinationIP			string containing a valid IP

In this section: