List Operators
List operators check whether an attribute's value appears in or matches elements of a list.
When using list operators:
- Wrap string values in double quotes.
- Enclose list values in square brackets (
[]). - Add a space after each comma for readability.
- List operators are not case-sensitive. For example,
IN,In,iN, andinall behave the same. - Strings are case-sensitive ("Critical", "Confirmed active", "Production", etc.).
For example:
FIND Vulnerability AS v
WHERE v.status = "Confirmed active"
AND v.firstFound IN LAST 30 days
AND v.riskRating IN ["Critical", "High"]
The above query uses the IN operator and returns confirmed active vulnerabilities discovered in the last 30 days with a risk rating of either "Critical" or "High".
You can also use CONTAINS. Although CONTAINS can't be followed by a list, the attribute you use it on can be a list.
IN
Use IN to check whether an attribute value exists in a list of values.
FIND Finding AS f
WHERE f.severity IN ["Critical", "High"]
The above query returns findings with a severity of "Critical" or "High".
NOT IN
Use NOT IN to exclude values that appear in the list.
FIND Finding AS f
WHERE f.severity NOT IN ["Critical", "High"]
The above query returns findings with a severity that is neither "Critical" nor "High".
CONTAINS ANY
Use CONTAINS ANY to check whether any elements of a list contain one or more of the specified terms.
FIND Asset AS a
WHERE a.tags CONTAINS ANY ["Crown", "Prod"]
The above query returns any assets whose tags list includes at least one of the specified terms—either partially or fully. The match is case-sensitive and can match substrings.
For example, the results may include tags like:
- "Crown Jewel" (matches "Crown")
- "Production" or "Prod" (Matches "Prod")
You will also see results for assets that contain additional tags, not just the matching ones. In the example below, one asset includes "Prod", but also contains tags for "PCI" and "PII":
Notice what happens when you change "Prod" to lowercase "prod"—the query no longer matches any assets with tags like "Production" or "Prod" because the comparison is case-sensitive:
CONTAINS ALL
Use CONTAINS ALL to check whether all specified terms exist within a list.
FIND Asset AS a
WHERE a.technologies CONTAINS ALL ["AWS", "Cloud Infrastructure"]
The above query returns all assets whose technologies list includes both "AWS" and "Cloud Infrastructure".
NOT CONTAINS ANY
Use NOT CONTAINS ANY to return results where none of the specified values appear in the list.
FIND Host AS h
WHERE h.publicIpAddresses NOT CONTAINS ANY ["192.168.145.141", "90.57.128.178"]
NOT CONTAINS ALL
Use NOT CONTAINS ALL to return results where at least one value from the list is missing.
FIND Host AS h
WHERE h.privateIpAddresses NOT CONTAINS ALL ["127.0.0.1", "127.0.0.2"]
The above query returns hosts where one or both of the specified private IPs are missing.
LIKE ANY
Use LIKE ANY to match values using wildcards. It supports pattern matching with * and is case-insensitive.
FIND Asset AS a
WHERE a.complianceFlags LIKE ANY ["Pc*", "Pi*"]
The above query returns any assets whose compliance flags start with "PC" or "PI", regardless or letter casing.
For example, the results may include flags like:
- "PCI" (matches "Pc*")
- "PII" (Matches "Pi*")
NOT LIKE ANY
Use NOT LIKE ANYto exclude results that match any of the specified wildcard patterns. This operator supports * for pattern matching and is case-insensitive.
FIND Finding AS f
WHERE f.displayName NOT LIKE ANY ["path tra*", "archive*"]
The above query returns any findings whose display names do not start with "path tra" or "archive".
For example, the screenshot below shows findings that include display names like "Path Traversal" and "Archive File Download". These are the types of results the NOT LIKE ANY operator is designed to exclude:
The following screenshot shows the results returned by the query. Notice that the display names no longer include Path Traversal or Archive File Download, demonstrating how the NOT LIKE ANY operator filters out matching patterns:
