Filters object

The filters object parameter allows you to specify an array of parameters and values to include or exclude from your report. For example, you can target historical configuration details for a specific domain while excluding certain actions that are not relevant to the target report data.

Each filter specifies a set of terms that are in or nin (not in) the report:

inArrayAn array of strings containing filter parameters to include in the report.
ninArrayAn array of strings containing filter parameters to exclude from the report.
  "action": {
    "in": [ "1" ]
  "isAlert": {
    "in": [ "true" ]
  "site": {
    "in": [ "-1" ]
  "list": {
    "in": [ "1" ]
  "policy": {
    "in": [ "164" ]
  "category": {
    "in": [ "1" ]
  "domain": {
    "in": [ "" ]

Specify your filter query as an object member of the filters object in the request body. Object members include:

actionStringFilter by action ID.
blockDescriptionStringBlock based on a description string.
categoryStringFilter by category ID.
clientRequestIdStringFilter by client request ID.
confidenceStringFilter by confidence level.
destinationIPStringFilter by destination IP address.
destinationPortStringFilter by destination port.
detectionTypeStringFilter data by detection type. One of inline, lookback, offline-dynamic, or offline.
deviceIdStringFilter by device ID.
deviceOwnerIdStringFilter by device owner ID.
dohAttributionStringFilter by user-defined DNS over HTTP attribute value.
dlpFileHashStringFilter by DLP file hash.
dlpDictionaryIdStringFilter data by DLP dictionary IDs.
fileTypeStringFilter by file type.
eventNameStringFilter by event name.
hasSinkholeCorrelationBooleanFilter based on if the resource has Security Connector-related records.
httpRequestMethodStringFilter data by HTTP request method. One of PUT, POST, PATCH, OPTIONS, HEAD, GET, DELETE, or CONNECT.
domainStringFilter by detection domain.
hostnameStringFilter by hostname.
internalIPStringFilter by internal IP address.
isAlertBooleanWhether the there is an alert.
listStringFilter by list ID.
machineNameStringFilter by machine name.
onRampStringFilter by whether the onramp is enabled, Yes or No.
onrampTypeStringFilter by the onramp type. Refer to Onramp types for a complete list.
policyStringFilter by policy ID.
severityIdIntegerFilter by severity ID: 0 - Unclassified, 1 - Critical, 2 - High, 3 - Medium, 4 - Low.
sinkholeIdStringFilter by sinkhole ID
sinkholeIPStringFilter by sinkhole IP address.
siteStringFilter by site ID. A site ID of -1 points to the roaming location.
sourcePortStringFilter by source port.
uuidStringJSON criteria object representing in and not-in clauses for UUID.