Query Filters

Query Filters help you refine search results by specifying the conditions InsightCloudSec searches for when identifying matching resources.

Query Filters also feed other features that help you understand your risk and automate your actions:

  • Insights combine Query Filters, scope, and reporting.
  • Bots take action based on the output of Query Filters, scope, and Insights.

Go to Security > Query Filters to get started.

Feature relationships

Refining query filters

Because we continually update the filtering toolset in response to cloud providers' newly released capabilities and customer requests, the list of filters is long. We recommend refining your view by identifying the filters relevant to your needs and focusing on higher-priority resources. You can narrow your view by using the search bar to find a specific Query Filter with keywords or terms, by scoping by supported clouds or resource type, or by looking through specific versions of InsightCloudSec. Custom Query Filters are also included in the full listing; you can find them by sorting on the Owner column.

Inspecting Your Query Filters

To inspect the Query Filters in the results, click the Query Filter Name to view the internal Python code associated with this Query Filter. For example, the code associated with the Access List Contains Public IPs Query Filter:

```python
# QueryRegistry, CloudType, ResourceType, BooleanField, Category,
# ResourceAccessListRule, REMOVE_PRIVATE_NETWORKS and filter_pending_deletion are
# defined elsewhere in the product's code and are not shown on this page;
# or_ and and_ are SQLAlchemy's boolean operators.
@QueryRegistry.register(
    query_id="divvy.query.access_list_contains_public_addresses",
    name="Access List Contains Public IPs",
    description="Match access lists which have at least one address that is neither RFC 1918, nor belongs to the "
    "Unique Local Address range.",
    supported_clouds=[
        CloudType.ALICLOUD,
        CloudType.AMAZON_WEB_SERVICES,
        CloudType.AMAZON_WEB_SERVICES_GOV,
        CloudType.AMAZON_WEB_SERVICES_CHINA,
        CloudType.GOOGLE_CLOUD_PLATFORM,
        CloudType.MICROSOFT_AZURE_ARM,
        CloudType.MICROSOFT_AZURE_GOV,
        CloudType.MICROSOFT_AZURE_CHINA,
        CloudType.ORACLE_CLOUD,
    ],
    supported_resources=[ResourceType.RESOURCE_ACCESS_LIST],
    settings_config=[
        BooleanField(
            name="only_sgs",
            display_name="Only Security Groups",
            description="When enabled, only match rules associated with Security Groups",
        ),
    ],
    version="18.1",
    categories=[
        Category.NETWORK,
    ],
)
def access_list_contains_public_addresses(query, db_cls, settings_config):
    resource_ids = set()
    session = query.session
    # Select the parent access list of every "allow" ingress rule whose source is
    # an address (not a security-group reference) outside the private ranges, or
    # the literal source "Internet".
    subq = (
        session.query(ResourceAccessListRule.parent_resource_id)
        .filter(
            ResourceAccessListRule.rule_action == "allow",
            ResourceAccessListRule.direction == "ingress",
            ResourceAccessListRule.source_network.isnot(None),
            ~ResourceAccessListRule.source_network.like("%sg-%"),
        )
        .filter(or_(and_(*REMOVE_PRIVATE_NETWORKS), ResourceAccessListRule.source_network == "Internet"))
    )

    # Restrict the search to resources in the changeset, when one is supplied
    changeset_resource_ids = QueryRegistry.get_resource_ids_from_changeset(
        settings_config, [ResourceType.RESOURCE_ACCESS_LIST]
    )
    if changeset_resource_ids:
        subq = subq.filter(ResourceAccessListRule.parent_resource_id.in_(changeset_resource_ids))

    subq = subq.distinct()

    # "Only Security Groups": drop rules whose parent ID contains "acl-"
    if settings_config.get("only_sgs"):
        subq = subq.filter(~ResourceAccessListRule.parent_resource_id.like("%acl-%"))

    # Discount rules pending deletion
    subq = filter_pending_deletion(query=subq, db_cls=ResourceAccessListRule, session=session)
    for row in subq:
        resource_ids.add(row.parent_resource_id)

    # Narrow the caller's query to the matching access lists
    return query.filter(db_cls.resource_id.in_(resource_ids))
```
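To check what this filter should match against an exported rule set, the same conditions can be evaluated outside the platform. The following is an added example, not InsightCloudSec code: it assumes REMOVE_PRIVATE_NETWORKS excludes the RFC 1918 and Unique Local Address ranges named in the filter description, and the function names, rule dictionaries and resource IDs are hypothetical, constructed for illustration.

```python
import ipaddress

# Assumption: the ranges the filter description treats as non-public
# (RFC 1918 for IPv4, Unique Local Addresses for IPv6).
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_public_source(source_network):
    """True if the source is "Internet" or a CIDR not fully inside a private range."""
    if source_network == "Internet":
        return True
    try:
        net = ipaddress.ip_network(source_network, strict=False)
    except ValueError:
        return False  # not a CIDR (for example a named group): not treated as public here
    # A CIDR that only partly overlaps a private range (e.g. 10.0.0.0/7) still
    # admits public addresses, so require full containment to call it private.
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETWORKS)


def access_lists_with_public_sources(rules, only_sgs=False):
    """Return IDs of access lists with at least one allow/ingress rule from a public source."""
    matched = set()
    for rule in rules:
        src = rule.get("source_network")
        if rule["rule_action"] != "allow" or rule["direction"] != "ingress":
            continue
        if src is None or "sg-" in src:  # security-group references are not addresses
            continue
        if only_sgs and "acl-" in rule["parent_resource_id"]:
            continue  # mirrors the "Only Security Groups" setting
        if is_public_source(src):
            matched.add(rule["parent_resource_id"])
    return matched


# Constructed sample rules (hypothetical IDs), one per branch of the filter.
_FIELDS = ("parent_resource_id", "rule_action", "direction", "source_network")
SAMPLE_RULES = [dict(zip(_FIELDS, row)) for row in [
    ("sg-0a1", "allow", "ingress", "0.0.0.0/0"),        # public: matches
    ("sg-0b2", "allow", "ingress", "10.20.0.0/16"),     # RFC 1918: ignored
    ("sg-0c3", "allow", "ingress", "sg-0a1"),           # group reference: ignored
    ("acl-0d4", "allow", "ingress", "Internet"),        # matches unless only_sgs
    ("sg-0e5", "allow", "egress", "0.0.0.0/0"),         # egress: ignored
    ("sg-0f6", "allow", "ingress", "fd12:3456::/32"),   # ULA: ignored
]]
```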

Using Query Filters with Bots

Query Filters are also used in the creation of Bots. For detailed step-by-step instructions, check out Creating Bots. You can also view Working with Bots (Best Practices & Examples) if you want to work with some examples.

Using Query Filters With Resources

Query Filters are also found on the Resource Inventory. Review Resources for more information.