Query Data Reference
DRAFT — Internal Developer Use Only
This API reference is for internal development teams.
Overview
What it is: Each saved search query ID in Discovery returns a specific set of entity columns when executed through the Search & Query API. This reference documents exactly which fields come back for every built-in query, grouped by entity category.
Why it matters: Control developers building custom dashboards, KPI widgets, or data sync pipelines need to know the exact field paths and data types returned by each query. This reference eliminates guesswork when mapping Discovery response data to Control models.
How to use this reference: Find the query ID you are calling, then review its column table. Fields marked as hidden are available in the response but not shown by default in the UI — they are still accessible via the API. Fields with a subReport link to a drill-down query for related data. Dynamic fields (scores.*, attributes.*) expand based on tenant configuration.
Entity Field Prefixes
Every column field path starts with an entity prefix that indicates the data source:
| Prefix | Entity type | Description |
|---|---|---|
principal.* | Account | Core account/principal identity fields |
principalcollector.* | Data source | The collector/data source that discovered this account |
group.* | Group | Security or distribution group fields |
groupcollector.* | Data source | The collector/data source for a group |
identity.* | Owner | Identity owner (person) fields |
identityfilter.* | Owner (filtered) | Owner fields used in filtered owner queries |
scores.* | Computed | Computed scores, mappings, classifications, and vault status |
member.* | Group member | Account that is a member of a group |
event.* | Audit event | Login and authentication event fields |
loginevent.* | Login event | Aggregated login event data |
vault.* | Vault | PAM vault/safe information |
vaultprincipal.* | Vault account | Account representation within the vault |
vaultcollector.* | Vault data source | The vault integration data source |
vaultsystem.* | Vault platform | Platform info for the vault system |
vaultobject.* | Vault object | Key vault secrets, certificates, and keys |
compromise.* | Compromise | Breach/compromise detection data |
compromisecollector.* | Breach source | Data source that reported the compromise |
threat.* | Threat rule | Individual threat rule/score metadata |
threatscore.* | Threat score | Per-rule score values |
score.* | Impact score | Aggregated impact scoring data |
classification.* | Classification | Account classification labels |
classificationrule.* | Classification rule | Rules that assigned classifications |
collectorstats.* | Collector stats | Statistical data per collector (averages, deviations) |
MFA.* | MFA detail | Multi-factor authentication token details |
sshkey.* | SSH key | SSH key metadata (algorithm, fingerprint, usage) |
edge.* | Edge | Relationship edge data (score edges, classification edges) |
certification.* | Certification | Attestation campaign/certification data |
certentity.* | Cert entity | Per-entity certification progress |
virtual.* | Virtual | Virtual/computed display fields for cross-entity views |
updatedby.* | Updated by | User who last modified the entity |
role.* | Role | Azure/cloud role definitions |
rolemember.* | Role member | Members of a role |
platformprincipal.* | Linked account | Linked/platform account in vault integration |
reconcileprincipal.* | Reconcile account | Reconciliation account for vault rotation |
sourceprincipal.* | Source account | Source account in SSH key trust relationships |
targetprincipal.* | Target account | Target account in SSH key trust relationships |
attributes.* | Attributes | Dynamic extended attribute fields (tenant-configurable) |
Common Account Fields
Most account-oriented queries share a core set of principal fields. The following table lists the common fields that appear across nearly all account searches. Individual query sections below only list additional fields beyond this common set.
| Field | Display name | Type | Hidden |
|---|---|---|---|
principal.platform | Account Platform | string | |
principalcollector.collectorname | Collector Name | string | |
principal.id | — | string | yes |
principalcollector.collectorid | — | string | yes |
principal.loginshell | — | string | yes |
principal.homedir | — | string | yes |
principal.shortdomain | Domain | string | |
principal.provider | Provider | string | |
principal.computername | Computer Name | string | yes |
principal.type | Account Type | string | |
principal.name | Account Name | string | |
principal.displayname | Display Name | string | |
principal.path | Path | string | yes |
principal.employeeid | Employee ID | string | yes |
principal.email | string | ||
principal.userprincipalname | UPN | string | |
principal.mfastatus | MFA | string | |
principal.status | Status | string |
Account & Principal Queries
General Account Query
| Saved search ID | 0000CaOuQ1VIhqJGvtje3vbefsg |
| Category | Accounts |
| Required entities | vault, principal, principalcollector, scores, attributes, classification, updatedby |
Includes all common account fields plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
principalcollector.collectortype | Data Source Platform | string | |
principal.title | Title | string | yes |
principal.department | Department | string | yes |
principal.accountid | Vault Account Id | string | yes |
principal.secrettype | Secret Type | string | yes |
principal.samaccountname | SAM Account Name | string | yes |
principal.custom1 – principal.custom10 | Custom 1–10 | string | yes |
scores.entities | Owners Mapped | number | |
scores.mappings | Mapped To | string | |
scores.classes | Classifications | string | |
scores.actions | Actions | string | yes |
scores.igacount | Managed by IGA | number | |
scores.igas | IGA Platforms | string | |
scores.pamstatus | PAM Status | string | |
scores.vaults | Safe | string | |
scores.vaultaccountnames | Vault Account Name | string | |
scores.vaultsecrettypes | Vault Secret Types | string | |
updatedby.displayname | Updated By | string | yes |
principal.lastupdated | Last Updated | date | yes |
attributes.* | (dynamic) | varies | yes |
Account Status
| Saved search ID | DYhMbWB3zsTqwK6CvcSmobhAXEw |
| Category | Accounts |
| Required entities | scores, principal, principalcollector |
Includes all common account fields plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
scores.entities | Mapped To | number |
Password Secret Age
| Saved search ID | RbhOuwKIQL4aJtFm1j8SVYQ29yL |
| Category | Accounts |
| Required entities | scores, principal, principalcollector |
Includes all common account fields plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
scores.entities | Mapped To | number | |
principal.passwordchanged | Password Changed | date | |
principal.passwordchangedage | Password Age | number |
Stale Accounts
| Saved search ID | N0Ta8FDwqzBURecu551neptjE7q |
| Category | Accounts |
| Required entities | scores, principal, principalcollector |
Includes all common account fields plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
scores.entities | Mapped To | number | |
principal.lastlogon | Last Logon | date | |
principal.lastlogonage | Last Logon Age | number | |
principal.created | Created | date | |
principal.createdage | Created Age | number |
Password Secret Never Set
| Saved search ID | Qo5kWAQD7nuQQQZeqIoMAsK7qyM |
| Category | Accounts |
| Required entities | scores, principal, principalcollector |
Includes all common account fields plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
scores.entities | Mapped To | number | |
principal.passwordchangedage | Password Age | number |
Account Changes By Date
| Saved search ID | Ge30SKv50HEhUA5O448tDjCmgOM |
| Category | Accounts |
| Required entities | principal, principalcollector |
Returns a subset of common account fields: collector name, platform, account type, name, UPN, display name, email, status. Does not include MFA, provider, or domain fields by default.
Accounts Created
| Saved search ID | AIlACtQBw19GgDHYH8qsrhbYnsY |
| Category | Accounts |
| Required entities | principal, principalcollector |
Same structure as Account Changes By Date.
Login Activity
| Saved search ID | YsSAjcNRh6x8V0zGBlQp1BmlMzp |
| Category | Accounts |
| Required entities | event, principal, principalcollector |
Includes all common account fields plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
event.eventtime | Event Time | date | |
principal.lastlogon | Last Logon | date |
Failed Logins
| Saved search ID | 73L8y7WdXW63AA98rKYVSMl45p8 |
| Category | Accounts |
| Required entities | loginevent, principal, principalcollector, eventcollector |
| Field | Display name | Type | Hidden |
|---|---|---|---|
principal.id | — | string | |
loginevent.count | Failed Login Count | number |
Session Activity
| Saved search ID | a5k2RS1OHV0iwKq0BPxi9CErUMk |
| Category | Accounts |
| Required entities | event, principal, principalcollector |
Same event-based structure as Login Activity.
Login Audit
| Saved search ID | 4LVYPMbrR6LSouqXafAU8tZp6kA |
| Category | Accounts |
| Required entities | event, principal, principalcollector, eventcollector |
Includes common account fields with virtual.* display fields plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
virtual.collectorname | Collector Name | string | |
virtual.collectorid | Collector Id | string | yes |
virtual.displayname | Display Name | string | |
virtual.email | string | ||
event.id | Event Id | string | yes |
event.eventtype | Event Type | string | |
event.eventtime | Event Time | date | |
event.eventage | Event Age | number |
Account Login Audit
| Saved search ID | MfNMq5Z7a3ftAO1IjOGpehoPoNN |
| Category | Accounts |
| Required entities | event, principal, principalcollector, eventcollector |
Same column structure as Login Audit. Accepts an account Id parameter to scope results to a single account.
Account Groups
| Saved search ID | APa4DUQNWCiXqU6JMWLZaYxxzZG |
| Category | Accounts |
| Required entities | group, member, groupcollector, membercollector |
| Field | Display name | Type | Hidden |
|---|---|---|---|
groupcollector.collectorname | Collector Name | string | |
group.id | Group Id | string | yes |
groupcollector.collectorid | — | string | yes |
group.platform | Group Platform | string | |
group.shortdomain | Domain | string | |
group.provider | Provider | string | |
group.name | Group Name | string | |
group.displayname | Display Name | string | |
member.shortdomain | Member Domain | string | |
member.computername | Computer Name | string | yes |
member.name | Name | string | |
member.displayname | Display Name | string | |
member.userprincipalname | UPN | string | |
member.email | string | ||
member.loginshell | Login Shell | string | yes |
member.path | Path | string | |
member.objectsid | SID | string | yes |
member.status | Status | string |
Account Classification
| Saved search ID | EPFi08RwfU6yV1VrhZ4OsYfc3iz |
| Category | Accounts |
| Required entities | scores, principal, principalcollector, classification, classificationrule |
Includes common account fields plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
classification.name | Classification | string | |
classificationrule.name | Classification Rule | string | |
scores.entities | Mapped To | number |
Account Scores
| Saved search ID | MGiNLIsVvc2UQEdeBIyv4bSBGSN |
| Category | Accounts |
| Required entities | principal, threatscore, principalcollector |
Includes common account fields (without MFA) plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
threatscore.id | Threat Rule Id | string | yes |
threatscore.name | Threat Rule | string | |
score.score | Score | number |
Account Z-Score
| Saved search ID | E2SVTGeGpWjnxmj1Y5pYJlZE2YR |
| Category | Accounts |
| Required entities | scores, principal, group, principalcollector, collectorstats |
Includes all common account fields plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
scores.entities | Mapped To | number | |
collectorstats.groupcountdeviation | Standard Deviation | number | |
collectorstats.groupcountavg | Average Member Count | number | |
principal.groupcount | Group Count | number | |
principal.groupdifference | Group Difference | number | |
principal.groupdeviations | Group Membership Z-Score | number |
Account Z-Score Threats
| Saved search ID | 794IndeqvqzIqrjzy5CgCfBtwxx |
| Category | Accounts |
| Required entities | scores, principal, group, principalcollector, collectorstats |
| Field | Display name | Type | Hidden |
|---|---|---|---|
principal.id | — | string |
Minimal column set — used as a sub-report for Z-Score threat drill-down.
Account Threat Scores
| Saved search ID | B5wzD0WU4ggdhAo7BNiXpLdZjBG |
| Category | Accounts |
| Required entities | scores, principal, principalcollector |
Includes all common account fields plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
scores.* | (dynamic Score Set) | varies |
The scores.* field expands dynamically to include all configured threat score columns based on the tenant's Score Set configuration.
Compromised Accounts
| Saved search ID | Ah5pa2KZuMZho0wnmLrLonor6mU |
| Category | Accounts |
| Required entities | compromise, principal, principalcollector, compromisecollector, scores |
| Field | Display name | Type | Hidden |
|---|---|---|---|
principal.type | Account Type | string | |
compromise.id | — | string | yes |
principal.id | — | string | yes |
compromisecollector.collectorname | Breach Source | string | |
compromise.name | Breach Name | string | |
compromise.breachdate | Breach Date | date | |
compromise.breachdateage | Breach Age | number | |
principalcollector.collectorname | Collector Name | string | |
principal.shortdomain | Domain | string | |
principal.name | Account Name | string | |
principal.employeeid | Employee ID | string | yes |
principal.email | string | ||
principal.passwordchangedage | Password Age | number | |
principal.passwordchanged | Password Changed | date | |
scores.* | (dynamic Score Set) | varies | yes |
Vault Queries
Vaulted Accounts
| Saved search ID | 0000CZNzRfoREvBuaNZ9CwSAvws |
| Category | Accounts |
| Required entities | vault, vaultprincipal, vaultcollector, scores, principal, platformprincipal, reconcileprincipal, platformprincipalcollector, platformprincipalsystem, principalcollector, classification |
| Field | Display name | Type | Hidden |
|---|---|---|---|
principal.type | Account Type | string | |
scores.classes | Classifications | string | |
scores.pamstatus | PAM Status | string | |
principal.platform | Account Platform | string | |
principalcollector.collectorname | Collector Name | string | |
principal.displayname | Display Name | string | |
principal.name | Account Name | string | |
vault.name | Safe | string | |
platformprincipal.nameordisplayname | Linked Account Name | string | |
platformprincipal.platform | Linked Account Platform | string | |
platformprincipalcollector.collectorname | Linked Account Data Source | string | |
reconcileprincipal.nameordisplayname | Reconcile Account Name | string | |
reconcileprincipal.displayname | Reconcile Account Display Name | string | |
principal.secretreconciled | Last Reconciled | date | |
principal.secretstatus | Reconcile Status | string | |
principal.passwordchanged | Password Changed | date | |
scores.actions | Actions | string | |
scores.mappings | Mapped To | string | |
principal.mfastatus | MFA | string | |
scores.F0001p8NopubZzx9n9u6AwF37YVL | Total Threat | number | yes |
principal.status | Status | string |
Plus standard hidden fields: vaultcollector.credentialid, principal.id, principalcollector.collectorid, principal.accountid, principal.secrettype, etc.
Vaulted Account Management
| Saved search ID | 0000CbuesIiBcSJlsPk6jzuIcrm |
| Category | Accounts |
| Required entities | vault, discoveredaccounts, scores, principal, vaultprincipal, platformprincipal, principalcollector, vaultcollector, vaultsystem, classification |
| Field | Display name | Type | Hidden |
|---|---|---|---|
principal.platform | Account Platform | string | |
principalcollector.collectorname | Collector Name | string | |
principal.name | Account Name | string | |
scores.actions | Actions | string | |
scores.pamstatus | PAM Status | string | |
vaultsystem.platform | Vault Platform | string | |
vaultcollector.collectorname | Vault Data Source | string | |
vault.name | Safe | string | |
vaultprincipal.displaynameorname | Vault Account Name | string | |
platformprincipal.nameordisplayname | Platform Account | string | |
principal.displayname | Display Name | string | |
principal.type | Account Type | string | |
scores.classes | Classifications | string | |
scores.mappings | Mapped To | string | |
principal.mfastatus | MFA | string | |
scores.F0001p8NopubZzx9n9u6AwF37YVL | Total Threat | number | |
principal.status | Status | string |
Account Vault Status
| Saved search ID | 0000IrdpnFudkVXDaoLGubUBIbe |
| Category | Accounts |
| Required entities | vault, scores, principal, vaultprincipal, principalcollector, vaultcollector, vaultsystem, classification |
| Field | Display name | Type | Hidden |
|---|---|---|---|
principal.type | Account Type | string | |
scores.classes | Classifications | string | |
scores.pamstatus | PAM Status | string | |
principal.platform | Account Platform | string | |
principalcollector.collectorname | Collector Name | string | |
principal.displayname | Display Name | string | |
principal.name | Account Name | string | |
vaultprincipal.displaynameorname | Vault Account Name | string | |
vaultsystem.platform | Vault Platform | string | |
vaultcollector.collectorname | Vault Data Source | string | |
vault.name | Safe | string | |
scores.actions | Actions | string | |
scores.mappings | Mapped To | string | |
principal.mfastatus | MFA | string | |
scores.F0001p8NopubZzx9n9u6AwF37YVL | Total Threat | number | |
principal.status | Status | string |
Account Key Vault Objects
| Saved search ID | 7J3TaqEtCgXB7sDwWhwZcT1YgM8 |
| Category | Accounts |
| Required entities | principal, principalcollector, vaultobject |
| Field | Display name | Type | Hidden |
|---|---|---|---|
principal.platform | Platform | string | |
principal.provider | Provider | string | |
principalcollector.collectorname | Collector Name | string | |
principal.displayname | Display Name | string | |
principal.name | Account Name | string | |
principal.type | Account Type | string | |
principal.shortdomain | Domain | string | |
vaultobject.VaultName | Vault Name | string | |
vaultobject.ItemType | Object Type | string | |
vaultobject.Name | Object Name | string | |
vaultobject.ObjectEnabled | Object Status | string | |
vaultobject.Permission | Object Permission | string | |
vaultobject.Path | Object Path | string | |
vaultobject.CreateDate | Object Create Date | date | |
vaultobject.StartDate | Object Start Date | date | |
vaultobject.ExpiryDate | Object Expiry Date | date | |
vaultobject.AliasNames | Object Aliases | string | |
vaultobject.PublicKey | Object Public Key | string | |
vaultobject.HSMPlatform | Object HSM Platform | string |
Group Key Vault Objects
| Saved search ID | 7Dt6XcnjJOzpexYxZlz7kIN1zCF |
| Category | Groups |
| Required entities | group, groupcollector, vaultobject |
Same vault object fields as Account Key Vault Objects but with group entity fields (group.platform, group.provider, group.name, group.shortdomain) instead of principal fields.
Group User Key Vault Objects
| Saved search ID | a62mQQOqiTzBN8F2sFMNJyiY0F0 |
| Category | Groups |
| Required entities | group, groupcollector, member, vaultobject |
Combines group fields, member account fields, and vault object fields.
Account Role Membership
| Saved search ID | 1gbrYrq61lu5dymofZGYu8ACOTT |
| Category | Accounts |
| Report query ID | 6jZNu3bAmCBJ5rZtN6V1FDQN6ms |
| Required args | actorid (Account ID) |
Returns role assignments for a specific account. Used by the Role Membership tab on Account Details.
| Field | Display name | Type | Hidden |
|---|---|---|---|
role.name | Role Name | string | |
role.displayname | Display Name | string | |
principalsystem.datasource | Data Source | string | |
principalsystem.platform | Platform | string | |
role.type | Role Type | string |
Owner Role Membership
| Saved search ID | GcN0B8yAZVqXi3SvOjLVeL581I8 |
| Category | Owners |
| Report query ID | XxQ9DzWCqtCIUNduJ8AmOsf6oVR |
| Required args | actorid (Identity ID) |
Returns aggregated role assignments across all accounts mapped to a specific owner. Used by the Role Membership tab on Owner Details.
| Field | Display name | Type | Hidden |
|---|---|---|---|
role.name | Role Name | string | |
role.displayname | Display Name | string | |
principal.name | Account Name | string | |
principalsystem.datasource | Data Source | string | |
principalsystem.platform | Platform | string | |
role.type | Role Type | string |
Group Queries
General Group Query
| Saved search ID | Od1oCfsGRnV77zCWNvi6YFg9E2d |
| Category | Groups |
| Required entities | group, attributes, groupcollector |
| Field | Display name | Type | Hidden |
|---|---|---|---|
group.id | Group Id | string | yes |
group.platform | Group Platform | string | |
groupcollector.collectorid | Data Source Id | string | |
groupcollector.collectorname | Data Source Name | string | |
group.shortdomain | Domain | string | |
group.provider | Provider | string | |
group.name | Group Name | string | |
group.displayname | Display Name | string | |
group.path | Path | string | yes |
group.objectsid | SID | string | yes |
directmember.count | Direct Member Count | number | |
member.count | Member Count | number | |
attributes.* | (dynamic) | varies | yes |
Groups By Date
| Saved search ID | TUdfgfRUd5ZFVDlgi5Ix5tf1Lmb |
| Category | Groups |
| Required entities | group, groupcollector |
| Field | Display name | Type | Hidden |
|---|---|---|---|
groupcollector.collectorname | Collector Name | string | |
group.platform | Group Platform | string | |
group.shortdomain | Domain | string | |
group.provider | Provider | string | |
group.name | Group Name | string | |
group.displayname | Display Name | string | |
group.path | Path | string | yes |
Group Changes By Date
| Saved search ID | Da90sRZm6VkElZh5tpwhPm7Ihtd |
| Category | Groups |
| Required entities | group, groupcollector |
Same column structure as Groups By Date.
Groups By Member Count
| Saved search ID | AKXH3V3MPiHZD5xfmqaveYlZUnx |
| Category | Groups |
| Required entities | group, groupcollector |
| Field | Display name | Type | Hidden |
|---|---|---|---|
groupcollector.collectorname | Collector Name | string | |
group.id | — | string | yes |
groupcollector.collectorid | — | string | yes |
group.platform | Group Platform | string | |
group.shortdomain | Domain | string | |
group.provider | Provider | string | |
group.name | Group Name | string | |
group.displayname | Display Name | string |
Privileged Groups
| Saved search ID | 2rkv9qq7HWNwiEuk97chCdnAO8B |
| Category | Groups |
| Required entities | group, groupcollector |
Same column structure as General Group Query with privilege-level filtering.
Expanded Group Membership
| Saved search ID | US6oSTzOLxZ9LyK2shh5nMysTk5 |
| Category | Groups |
| Required entities | group, member, groupcollector, membercollector |
Same column structure as Account Groups — returns group + member fields with full recursive expansion.
Direct Group Membership
| Saved search ID | 6dIqKgxTygmSilzBx4kNSNzJR5Q |
| Category | Groups |
| Required entities | group, member, groupcollector, membercollector |
Same column structure as Account Groups — returns only direct (non-recursive) memberships.
Group Membership
| Saved search ID | 0qwQBiyYucYSQbvfkdSQi4U84m7 |
| Category | Groups |
| Required entities | group, member, membercollector, groupcollector |
| Field | Display name | Type | Hidden |
|---|---|---|---|
membercollector.collectorname | Data Source Name | string | |
group.id | Group Id | string | yes |
membercollector.collectorid | Data Source Id | string | yes |
group.platform | Group Platform | string | |
group.shortdomain | Group Domain | string | |
group.provider | Group Provider | string | |
group.name | Group Name | string | |
group.displayname | Group Display Name | string | |
member.shortdomain | Domain Name | string | |
member.computername | Computer Name | string | yes |
member.name | Name | string | |
member.displayname | Display Name | string | |
member.userprincipalname | UPN | string | |
member.email | string | ||
member.loginshell | Login Shell | string | yes |
member.path | Path | string | |
member.objectsid | SID | string | yes |
member.status | Status | string |
Group Login Audit
| Saved search ID | WkjkxGR0LE99gvzmTcYdQt9VJyF |
| Category | Groups |
| Required entities | group, member, groupcollector, event, membercollector |
Combines group + member fields from Group Membership plus event fields:
| Field | Display name | Type | Hidden |
|---|---|---|---|
event.id | Event Id | string | yes |
event.eventtype | Event Type | string | |
event.eventtime | Event Time | date | |
event.eventage | Event Age | number |
Owner & Identity Queries
Global Search Owner
| Saved search ID | NFZg0Ss2HDfKd8VIsY0RMJwTDzF |
| Category | Owners |
| Required entities | identity, scores |
| Field | Display name | Type | Hidden |
|---|---|---|---|
identity.postalCode | Postal Code | string | yes |
identity.countryCode | Country | string | yes |
identity.id | — | string | yes |
identity.name | Name | string | |
identity.email | string | ||
identity.alternativeemail | Alternative Email | string | yes |
identity.status | Status | string | yes |
identity.ownertype | Owner Type | string | yes |
identity.startdate | Start Date | date | yes |
identity.enddate | End Date | date | yes |
identity.title | Title | string | yes |
identity.dept | Department | string | yes |
identity.manager | Manager | string | yes |
identity.location | Location | string | yes |
identity.phone | Phone | string | yes |
identity.mobile | Mobile Phone | string | yes |
scores.entities | Mapped Accounts | number | |
scores.* | (dynamic Score Set) | varies | yes |
scores.F0001p8NopubZzx9n9u6AwF37YVL | Total Threat | number |
Owner Threat Scores
| Saved search ID | VkAGnFi7Yjdy14x9x4WZT0DtcS2 |
| Category | Owners |
| Required entities | identity, scores |
| Field | Display name | Type | Hidden |
|---|---|---|---|
identity.id | — | string | yes |
identity.name | Name | string | |
identity.email | string | ||
scores.entities | Mapped Accounts | number | |
scores.* | (dynamic Score Set) | varies |
Owner Account Data
| Saved search ID | K5Wb75il7Or3lxfFdmr4gfwsbkn |
| Category | Owners |
| Required entities | identity, scores |
| Field | Display name | Type | Hidden |
|---|---|---|---|
identity.id | Owner Identifier | string | yes (also shown visible) |
identity.postalCode | Postal Code | string | |
identity.countryCode | Country | string | |
identity.name | Name | string | |
identity.email | string | ||
identity.alternativeemail | Alternative Email | string | |
identity.alternativename | Alternative Display Name | string | |
identity.status | Status | string | |
identity.ownertype | Owner Type | string | |
identity.startdate | Start Date | date | |
identity.enddate | End Date | date | |
identity.title | Title | string | |
identity.dept | Department | string | |
identity.manager | Manager | string | |
identity.location | Location | string | |
identity.phone | Phone | string | |
identity.mobile | Mobile | string | |
scores.F0001p8NopubZzx9n9u6AwF37YVL | Total Threat | number |
Owner Login Audit
| Saved search ID | 4rAqYWwpS7R7ev4qvomlzaxW8b4 |
| Category | Owners |
| Required entities | event, identity, principal, principalcollector, eventcollector |
Same column structure as Login Audit. Scoped to accounts mapped to a specific owner via Identity Id parameter.
Owner Account MFA
| Saved search ID | Qe2RsFtZUMDkIRkpnky8xxHe5UY |
| Category | Owners |
| Required entities | identity, principal, principalcollector |
Includes common account fields. Scoped to accounts mapped to a specific owner.
Owner Account Risk
| Saved search ID | 4W3yZV5j7Joi0lFvuwz48I5kT0t |
| Category | Owners |
| Required entities | identity, principal, principalcollector, scores |
Includes common account fields plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
scores.* | (dynamic Score Set) | varies |
Owner Group Membership
| Saved search ID | XheILctS3gRnDWLhbRBnSCmVZpa |
| Category | Owners |
| Required entities | identityfilter, principal, group, groupcollector |
| Field | Display name | Type | Hidden |
|---|---|---|---|
identityfilter.name | Owner Name | string | |
groupcollector.collectorname | Collector Name | string | |
group.id | Group Id | string | yes |
groupcollector.collectorid | — | string | yes |
group.platform | Group Platform | string | |
group.shortdomain | Domain | string | |
group.provider | Provider | string | |
group.name | Group Name | string | |
group.displayname | Display Name | string | |
principal.shortdomain | Domain | string | |
principal.computername | Computer Name | string | yes |
principal.name | Account Name | string | |
principal.displayname | Display Name | string | |
principal.userprincipalname | UPN | string | |
principal.employeeid | Employee ID | string | yes |
principal.email | string | ||
principal.loginshell | Login Shell | string | yes |
principal.path | Path | string | |
principal.status | Status | string |
Owner Group Membership (Bulk)
| Saved search ID | VixlNXPx92So7lQ8b6nwpDlT7vg |
| Category | Owners |
| Required entities | identityfilter, principal, group, groupcollector |
Combines full owner identity fields (identityfilter.*) with group and principal member fields. Returns all owner-group-account relationships in a single flat result set for bulk export.
Mapped Owners
| Saved search ID | T2MBuk8ZhWZ2zSAJMvwf8dR1GRg |
| Category | Owners |
| Required entities | principal, identity |
| Field | Display name | Type | Hidden |
|---|---|---|---|
identity.name | Name | string | |
identity.email | string |
Sub-report used for drill-down from account queries to see which owners are mapped.
Mapped Accounts
| Saved search ID | WJk4TU9UZ7fNmIWZtvHaSjyxZkL |
| Category | Owners |
| Required entities | identity, principal, principalcollector, scores |
Includes common account fields plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
principal.lastlogon | Last Logon | date | |
scores.pamstatus | PAM Status | string | |
scores.F0001p8NopubZzx9n9u6AwF37YVL | Total Threat | number |
Sub-report used for drill-down from owner queries to see mapped accounts.
Global Search (Cross-Entity)
Global Search — Accounts
| Saved search ID | GjJXh07y2K3xrTOwohZjde4SkLU |
| Category | Global Search |
| Required entities | scores, attributes, principal, principalcollector |
Returns an extensive account dataset with most fields hidden by default for use in cross-entity search:
| Field | Display name | Type | Hidden |
|---|---|---|---|
principalcollector.collectortype | Data Source Platform | string | |
principalcollector.collectorname | Collector Name | string | |
principal.platform | Account Platform | string | |
principal.displayname | Display Name | string | |
principal.name | Account Name | string | |
principal.email | string | ||
scores.F0001p8NopubZzx9n9u6AwF37YVL | Total Threat | number | |
principal.status | Status | string | |
principal.type | Account Type | string | |
principal.samaccountname | SAM Account Name | string | yes |
principal.custom1 – principal.custom10 | Custom 1–10 | string | yes |
principal.title | Title | string | yes |
principal.department | Department | string | yes |
scores.classes | Classifications | string | yes |
scores.actions | Actions | string | yes |
scores.pamstatus | PAM Status | string | yes |
scores.vaults | Safe | string | yes |
scores.vaultaccountnames | Vault Account Names | string | yes |
scores.vaultsecrettypes | Vault Secret Types | string | yes |
scores.entities | Mapped Owners | number | yes |
scores.mappings | Mapped To | string | yes |
principal.userprincipalname | UPN | string | yes |
principal.lastlogonage | Last Logon Age | number | yes |
principal.lastlogon | Last Logon | date | yes |
principal.created | Created | date | yes |
principal.passwordchanged | Password Changed | date | yes |
principal.passwordchangedage | Password Age | number | yes |
principal.mfastatus | MFA | string | yes |
scores.* | (dynamic Score Set) | varies | yes |
attributes.* | (dynamic Attributes) | varies | yes |
scores.breachname | Compromise Name | string | yes |
scores.breachdate | Compromise Date | date | yes |
scores.breachdateage | Compromise Age | number | yes |
Global Search — Groups
| Saved search ID | 3QJOML6Yg7Hem6MtAsar9lleE6A |
| Category | Global Search |
| Required entities | group, member, scores, attributes, groupcollector |
| Field | Display name | Type | Hidden |
|---|---|---|---|
group.id | — | string | yes |
group.platform | Group Platform | string | |
groupcollector.collectorname | Collector Name | string | |
groupcollector.collectortype | Data Source Platform | string | yes |
group.shortdomain | Domain | string | yes |
group.provider | Provider | string | yes |
group.name | Group Name | string | |
group.displayname | Display Name | string | |
group.path | Path | string | yes |
group.objectsid | SID | string | yes |
directmember.count | Direct Member Count | number | |
member.count | Member Count | number | |
scores.* | (dynamic Score Set) | varies | yes |
attributes.* | (dynamic Attributes) | varies | yes |
Compliance & Insights
Insights And Recommendations — NIST CSF V2.0
| Saved search ID | EUo14Qdnd04fogoYMKGv8JjOTFj |
Insights And Recommendations — CIS V8
| Saved search ID | LC9DrZsZWuAtK2VbcvQwsElgodt |
Insights And Recommendations — CRITIER4 V2
| Saved search ID | 7CPLbSf0cZHim76HO8j2a7HJNWE |
All three compliance frameworks share the same column structure — they return framework-specific assessment data against the configured Score Sets.
Permissions
| Saved search ID | O2IMv9WseU6NVITC3gPw8Vto4wE |
| Required entities | principal, principalcollector |
| Field | Display name | Type | Hidden |
|---|---|---|---|
principalcollector.collectorname | Collector Name | string | |
principal.id | — | string | yes |
principalcollector.collectorid | — | string | yes |
principal.platform | Account Platform | string | |
principal.name | Account Name | string | |
principal.userprincipalname | UPN | string | |
principal.displayname | Display Name | string | |
principal.path | Path | string | yes |
principal.employeeid | Employee ID | string | yes |
principal.email | string | ||
principal.status | Status | string |
Entitlements
| Saved search ID | Cs9H6go9QfNKGuNuUaiUuGbmnQY |
| Required entities | principal, principalcollector |
Same column structure as Permissions.
Privileged Roles
| Saved search ID | LEtIh62OjUxex7u2iJU9cQQAD0M |
| Required entities | role, rolemember, rolemembercollector, rolecollector |
Returns role and member fields similar to group membership queries.
Scores
| Saved search ID | Hz0YvM5S8FCRjXmnoKSkYtSsEyp |
| Required entities | scores, virtualprincipal, virtualgroup, virtualidentity, collector |
| Field | Display name | Type | Hidden |
|---|---|---|---|
scores.id | Score ID | string | |
scores.grouping | Grouping | string | |
scores.* | (dynamic Score Set) | varies |
Scoring & Classification
Score Edges
| Saved search ID | Sh8AOdOMlTD4SyzmLbzgEOVJUlL |
| Required entities | edge |
| Field | Display name | Type | Hidden |
|---|---|---|---|
edge.edgetype | Edge Type | string | |
edge.parentid | Parent ID | string | |
edge.childid | Child ID | string | |
edge.direct | Direct | bool |
Classification Edges
| Saved search ID | ZaWWoHqOrOBPZU6v3kwQINT2KWm |
| Required entities | edge |
Same column structure as Score Edges. Filters to edge.classification and edge.classificationrule edge types.
Flyout Queries
Flyout queries power the risk flyout panel in the Discovery UI. They are called internally by the flyout endpoint and return aggregated threat data grouped by different dimensions.
Flyout Data
| Saved search ID | J4sUtdVNIXJZBgEtHZqYpfFQXXy |
| Required entities | scores, principal, principalcollector, threat |
| Field | Display name | Type | Hidden |
|---|---|---|---|
principal.id | — | string | |
principalcollector.collectorname | Collector Name | string | |
principal.platform | Account Platform | string | |
principal.name | Account Name | string | |
scores.F0001p8NopubZzx9n9u6AwF37YVL | Total Threat | number | |
threat.name | Threat Name | string |
Grouped by principal.id — returns top risky accounts.
Flyout Data Threat
| Saved search ID | UGWfuXAU0s77MuWYbxVwtQKh2JI |
| Required entities | scores, principal, principalcollector, threat |
Same fields as Flyout Data plus principal.idcount. Grouped by threat.name — returns account counts per threat rule.
Flyout Data Platform
| Saved search ID | UYxpUZMKDRTazl2CPsTlVfWMD3U |
| Required entities | scores, principal, principalcollector, threat |
Same fields as Flyout Data plus principal.idcount. Grouped by principal.platform — returns risk distribution per platform.
Flyout Data Service
| Saved search ID | QLzXWkDyPj1fydf3fBRnCIkYBr1 |
| Required entities | scores, principal, principalcollector, threat |
Same fields as Flyout Data plus principal.idcount. Filtered to principal.type = "service account" — returns service account risk data.
Flyout Distribution
| Saved search ID | EDYoMksgyE4CYlFs0cphqM7pYQA |
| Required entities | scores, principal, principalcollector, threat |
Same fields as Flyout Data plus principal.idcount (displayed as percentage). Grouped by threat.name — returns percentage distribution of threat rules.
Mapping & Export Queries
Mapped Accounts Bulk
| Saved search ID | 6opzOoSgU9NYwW9WLR9uuLLGiVE |
| Required entities | identity, principal, principalcollector, scores |
Full owner identity fields plus full account fields. Used by Control for bulk data synchronization:
| Field | Display name | Type | Hidden |
|---|---|---|---|
identity.id | ID | string | |
identity.postalCode | Postal Code | string | |
identity.countryCode | Country | string | |
identity.name | Name | string | |
identity.email | string | ||
identity.alternativeemail | Alternative Email | string | |
identity.status | Status | string | |
principal.status | Account Status | string | |
identity.ownertype | Owner Type | string | |
identity.startdate | Start Date | date | |
identity.enddate | End Date | date | |
identity.title | Title | string | |
identity.dept | Department | string | |
identity.manager | Manager | string | |
identity.location | Location | string | |
identity.phone | Phone | string | |
identity.mobile | Mobile Phone | string | |
scores.entities | Mapped Accounts | number | |
scores.mappings | Mapped To | string | |
| + all common account fields | |||
principal.lastlogon | Last Logon | date | |
scores.pamstatus | PAM Status | string | |
scores.F0001p8NopubZzx9n9u6AwF37YVL | Total Threat | number |
Users Export
| Saved search ID | YOmamp53l581Tw6YJAAHP55qJVd |
Full account data export with all principal fields for CSV download.
Groups Export
| Saved search ID | 2duji0UlFRUKO3iGjfPrCtkJOvp |
Full group data export with all group and member fields for CSV download.
General Resource Query
| Saved search ID | FHddWu8ylCTNmncivqiThqriqF1 |
| Required entities | principal, attributes, principalcollector |
Includes common account fields plus:
| Field | Display name | Type | Hidden |
|---|---|---|---|
attributes.* | (dynamic) | varies | yes |
CyberArk Onboarding
| Saved search ID | OBXNfYIw71ZiwfwQ297xZAkMfxE |
| Required entities | vault, discoveredaccounts, scores, principal, principalcollector, classification |
Returns accounts eligible for CyberArk onboarding (not yet managed by PAM):
| Field | Display name | Type | Hidden |
|---|---|---|---|
principal.platform | Account Platform | string | |
principalcollector.collectorname | Collector Name | string | |
scores.actions | Actions | string | |
scores.pamstatus | PAM Status | string | |
scores.vaults | Safe | string | |
scores.vaultaccountnames | Vault Account Name | string | |
scores.vaultsecrettypes | Vault Secret Types | string | |
principal.name | Account Name | string | |
principal.displayname | Display Name | string | |
principal.type | Account Type | string | |
scores.classes | Classifications | string | |
scores.mappings | Mapped To | string | |
principal.mfastatus | MFA | string | |
scores.F0001p8NopubZzx9n9u6AwF37YVL | Total Threat | number | |
principal.status | Status | string |
Approvals
| Saved search ID | HxM4qza1UFtGdLpVFEQWRljN746 |
Returns pending workflow approval events for review.
Stub Report
| Saved search ID | WG2mnQ36yVa30jAeWJ0jwEPC5bR |
Empty placeholder report used for testing and UI scaffolding.
Control Integration — Sync Query Fields
Control uses specific query IDs for data synchronization (documented in Search & Query API — Control Integration). The key fields Control maps from each sync query:
| Sync purpose | Query ID | Key fields consumed |
|---|---|---|
| All accounts | ASpnJ4bLpFRGBZxEwAEPullOFx5 | principal.name, principal.type, principal.platform, principal.status, principal.mfastatus, scores.F0001p8NopubZzx9n9u6AwF37YVL, scores.classes, scores.pamstatus |
| Account owners | UVYaMSAx8evNujhC75QELLRej2T | identity.name, identity.email, scores.entities, scores.F0001p8NopubZzx9n9u6AwF37YVL |
| Bulk owner accounts | DUrG0M5i1MYn0H99KwSpezBqLtt | Full identity + principal + scores fields (see Mapped Accounts Bulk) |
| Bulk group memberships | W8fSFbTri7TqbXWgdZVpBjLZMNn | Full identity + group + principal fields (see Owner Group Membership Bulk) |
| List groups | 5giWu96fvwE0N3LVgm60eKfI6X6 | group.name, group.platform, group.displayname, directmember.count, member.count |
| List owner accounts | MG4VCGoPBLa1aHtSHRziTeHvb34 | Full account fields + scores.pamstatus, scores.F0001p8NopubZzx9n9u6AwF37YVL |
| List owner groups | GlLjXWQNzXixQCqikR3K9mJMoTa | Owner + group + principal membership fields |
| Get group members | 8XYzi8x3XmVmA47OehS6q1K8Jia | group.name, member.name, member.email, member.status |