The `filters` object parameter allows you to specify an array of parameters and values to include or exclude from your report. For example, you can target historical configuration details for a specific domain while excluding certain actions that are not relevant to the target report data.
Each filter specifies a set of terms that are `in` or `nin` (not in) the report:
Member | Type | Description |
---|---|---|
in | Array | An array of strings containing filter parameters to include in the report. |
nin | Array | An array of strings containing filter parameters to exclude from the report. |

```json
{
  "action": {
    "in": [ "1" ]
  },
  "isAlert": {
    "in": [ "true" ]
  },
  "site": {
    "in": [ "-1" ]
  },
  "list": {
    "in": [ "1" ]
  },
  "policy": {
    "in": [ "164" ]
  },
  "category": {
    "in": [ "1" ]
  },
  "domain": {
    "in": [ "njit.edu." ]
  }
}
```

Specify your filter query as an object member of the `filters` object in the request body. Object members include:
Member | Type | Description |
---|---|---|
action | String | Filter by action ID. |
blockDescription | String | Block based on a description string. |
category | String | Filter by category ID. |
clientRequestId | String | Filter by client request ID. |
confidence | String | Filter by confidence level. |
destinationIP | String | Filter by destination IP address. |
destinationPort | String | Filter by destination port. |
detectionType | String | Filter data by detection type. One of `inline`, `lookback`, `offline-dynamic`, or `offline`. |
deviceId | String | Filter by device ID. |
deviceOwnerId | String | Filter by device owner ID. |
dohAttribution | String | Filter by user-defined DNS over HTTP attribute value. |
dlpFileHash | String | Filter by DLP file hash. |
dlpDictionaryId | String | Filter data by DLP dictionary IDs. |
fileType | String | Filter by file type. |
eventName | String | Filter by event name. |
hasSinkholeCorrelation | Boolean | Filter based on whether the resource has Security Connector-related records. |
httpRequestMethod | String | Filter data by HTTP request method. One of `PUT`, `POST`, `PATCH`, `OPTIONS`, `HEAD`, `GET`, `DELETE`, or `CONNECT`. |
domain | String | Filter by detection domain. |
hostname | String | Filter by hostname. |
internalIP | String | Filter by internal IP address. |
isAlert | Boolean | Whether there is an alert. |
list | String | Filter by list ID. |
machineName | String | Filter by machine name. |
onRamp | String | Filter by whether the onramp is enabled, `Yes` or `No`. |
onrampType | String | Filter by the onramp type. Refer to Onramp types for a complete list. |
policy | String | Filter by policy ID. |
severityId | Integer | Filter by severity ID: 0 - Unclassified, 1 - Critical, 2 - High, 3 - Medium, 4 - Low. |
sinkholeId | String | Filter by sinkhole ID. |
sinkholeIP | String | Filter by sinkhole IP address. |
site | String | Filter by site ID. A site ID of -1 points to the roaming location. |
sourcePort | String | Filter by source port. |
uuid | String | JSON criteria object representing in and not-in clauses for UUID. |