Fields for filtering findings - Amazon Macie

Fields for filtering findings

To help you analyze findings more efficiently, the Amazon Macie console and the Amazon Macie API provide access to several sets of fields for filtering findings:

  • Common fields – These fields store data that applies to any type of finding. They correlate to common attributes of findings such as severity, finding type, and finding ID.

  • Affected resource fields – These fields store data about the resources that a finding applies to, such as the name, public access settings, and encryption settings for an affected S3 bucket or object.

  • Policy fields – These fields store data that's specific to policy findings, such as the action that produced a finding, and the entity that performed the action.

  • Sensitive data classification fields – These fields store data that's specific to sensitive data findings, such as the types of sensitive data that Macie found, and the unique identifier for the sensitive data discovery job that produced a finding.

A filter can use a combination of fields from any of the preceding sets.

The topics in this section list and describe the individual fields that you can use to filter findings. For additional details about these fields, including any relationships between the fields, see Findings Descriptions in the Amazon Macie API Reference.

Common fields

The following table lists and describes fields that you can use to filter findings based on common finding attributes. These fields store data that applies to any type of finding.

In the table, the Field column indicates the name of the field on the Amazon Macie console. The JSON field column uses dot notation to indicate the name of the field in JSON representations of findings and the Amazon Macie API. The Description column provides a brief description of the data that the field stores, and indicates any requirements for filter values. The table is sorted in ascending alphabetical order by field, and then by JSON field.

Field JSON field Description

Account ID*

accountId

The unique identifier for the Amazon Web Services account that the finding applies to. This is typically the account that owns the affected resource.

archived

A Boolean value that specifies whether the finding was archived by a suppression rule.

To add this field to a filter on the console, choose Current, Archived, or All in the filter bar.

Category

category

The category of the finding.

The console provides a list of values to choose from when you add this field to a filter. In the API, valid values are: CLASSIFICATION, for a sensitive data finding; and, POLICY, for a policy finding.

count

The total number of occurrences of the finding. For sensitive data findings, this value is always 1. All sensitive data findings are considered unique because they derive from individual jobs.

This field isn't available as a filter option on the console. With the API, you can use this field to define a numeric range for a filter.

Created at

createdAt

The date and time when Macie created the finding.

You can use this field to define a time range for a filter.

Finding ID*

id

The unique identifier for the finding. This is a random string that Macie generates and assigns to a finding when it creates the finding.

Finding type*

type

The type of the finding—for example, SensitiveData:S3Object/Personal or Policy:IAMUser/S3BucketPublic.

The console provides a list of values to choose from when you add this field to a filter. For a list of valid values in the API, see FindingType in the Amazon Macie API Reference.

Region

region

The AWS Region that Macie created the finding in—for example, us-east-1 or ca-central-1.

Sample

sample

A Boolean value that specifies whether the finding is a sample finding. A sample finding is a finding that uses example data to demonstrate what a finding might contain.

The console provides a list of values to choose from when you add this field to a filter.

Severity

severity.description

The qualitative representation of the finding's severity.

The console provides a list of values to choose from when you add this field to a filter. In the API, valid values are: Low, Medium, and High.

Updated at

updatedAt

The date and time when the finding was last updated. For sensitive data findings, this value is the same as the value for the Created at field. All sensitive data findings are considered new because they derive from individual jobs.

You can use this field to define a time range for a filter.

* To specify multiple values for this field on the console, add a condition that uses the field and specifies a distinct value for the filter, and then repeat that step for each additional value. To do this with the API, use an array that lists the values to use for the filter.

Affected resource fields

The following topics list and describe the fields that you can use to filter findings based on the resource that a finding applies to. The topics are organized by resource type.

S3 bucket

The following table lists and describes fields that you can use to filter findings based on characteristics of the S3 bucket that a finding applies to.

In the table, the Field column indicates the name of the field on the Amazon Macie console. The JSON field column uses dot notation to indicate the name of the field in JSON representations of findings and the Amazon Macie API. (Longer JSON field names use the newline character sequence (\n) to improve readability.) The Description column provides a brief description of the data that the field stores, and indicates any requirements for filter values. The table is sorted in ascending alphabetical order by field, and then by JSON field.

Field JSON field Description

resourcesAffected.s3Bucket.createdAt

The date and time when the affected bucket was created.

This field isn't available as a filter option on the console. With the API, you can use this field to define a time range for a filter.

S3 bucket default encryption

resourcesAffected.s3Bucket.defaultServerSideEncryption.encryptionType

The type of server-side encryption that's used by default to encrypt objects that are added to the affected bucket.

The console provides a list of values to choose from when you add this field to a filter. For a list of valid values for the API, see EncryptionType in the Amazon Macie API Reference.

S3 bucket encryption KMS key id*

resourcesAffected.s3Bucket.defaultServerSideEncryption.kmsMasterKeyId

The Amazon Resource Name (ARN) or unique identifier (key ID) for the AWS KMS key that's used by default to encrypt objects that are added to the affected bucket.

S3 bucket encryption required by bucket policy

resourcesAffected.s3Bucket.allowsUnencryptedObjectUploads

Specifies whether the bucket policy for the affected bucket requires server-side encryption of objects when objects are uploaded to the bucket.

The console provides a list of values to choose from when you add this field to a filter. For a list of valid values for the API, see S3Bucket in the Amazon Macie API Reference.

S3 bucket name*

resourcesAffected.s3Bucket.name

The name of the affected bucket.

S3 bucket owner display name*

resourcesAffected.s3Bucket.owner.displayName

The display name of the AWS user who owns the affected bucket.

S3 bucket public access permission

resourcesAffected.s3Bucket.publicAccess.effectivePermission

Specifies whether the affected bucket is publicly accessible based on a combination of permissions settings that apply to the bucket.

The console provides a list of values to choose from when you add this field to a filter. For a list of valid values for the API, see BucketPublicAccess in the Amazon Macie API Reference.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

accountLevelPermissions.blockPublicAccess.blockPublicAcls

A Boolean value that specifies whether Amazon S3 blocks public access control lists (ACLs) for the affected bucket and objects in the bucket. This is an account-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

accountLevelPermissions.blockPublicAccess.blockPublicPolicy

A Boolean value that specifies whether Amazon S3 blocks public bucket policies for the affected bucket. This is an account-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

accountLevelPermissions.blockPublicAccess.ignorePublicAcls

A Boolean value that specifies whether Amazon S3 ignores public ACLs for the affected bucket and objects in the bucket. This is an account-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

accountLevelPermissions.blockPublicAccess.restrictPublicBuckets

A Boolean value that specifies whether Amazon S3 restricts public bucket policies for the affected bucket. This is an account-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.accessControlList.allowsPublicReadAccess

A Boolean value that specifies whether the bucket-level ACL for the affected bucket grants the general public with read access permissions for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.accessControlList.allowsPublicWriteAccess

A Boolean value that specifies whether the bucket-level ACL for the affected bucket grants the general public with write access permissions for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.blockPublicAccess.blockPublicAcls

A Boolean value that specifies whether Amazon S3 blocks public ACLs for the affected bucket and objects in the bucket. This is a bucket-level, block public access setting for a bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.blockPublicAccess.blockPublicPolicy

A Boolean value that specifies whether Amazon S3 blocks public bucket policies for the affected bucket. This is a bucket-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.blockPublicAccess.ignorePublicAcls

A Boolean value that specifies whether Amazon S3 ignores public ACLs for the affected bucket and objects in the bucket. This is a bucket-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.blockPublicAccess.restrictPublicBuckets

A Boolean value that specifies whether Amazon S3 restricts public bucket policies for the affected bucket. This is a bucket-level, block public access setting for the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.bucketPolicy.allowsPublicReadAccess

A Boolean value that specifies whether the affected bucket's policy allows the general public to have read access to the bucket.

This field isn't available as a filter option on the console.

resourcesAffected.s3Bucket.publicAccess.permissionConfiguration.\n

bucketLevelPermissions.bucketPolicy.allowsPublicWriteAccess

A Boolean value that specifies whether the affected bucket's policy allows the general public to have write access to the bucket.

This field isn't available as a filter option on the console.

S3 bucket tag key*

resourcesAffected.s3Bucket.tags.key

A tag key that's associated with the affected bucket.

S3 bucket tag value*

resourcesAffected.s3Bucket.tags.value

A tag value that's associated with the affected bucket.

* To specify multiple values for this field on the console, add a condition that uses the field and specifies a distinct value for the filter, and then repeat that step for each additional value. To do this with the API, use an array that lists the values to use for the filter.

S3 object

The following table lists and describes fields that you can use to filter findings based on characteristics of the S3 object that a finding applies to.

In the table, the Field column indicates the name of the field on the Amazon Macie console. The JSON field column uses dot notation to indicate the name of the field in JSON representations of findings and the Amazon Macie API. The Description column provides a brief description of the data that the field stores, and indicates any requirements for filter values. The table is sorted in ascending alphabetical order by field, and then by JSON field.

Field JSON field Description

S3 object encryption KMS key id*

resourcesAffected.s3Object.serverSideEncryption.kmsMasterKeyId

The Amazon Resource Name (ARN) or unique identifier (key ID) for the AWS KMS key that was used to encrypt the affected object.

S3 object encryption type

resourcesAffected.s3Object.serverSideEncryption.encryptionType

The type of server-side encryption that was used to encrypt the affected object.

The console provides a list of values to choose from when you add this field to a filter. For a list of valid values for the API, see EncryptionType in the Amazon Macie API Reference.

resourcesAffected.s3Object.extension

The file name extension of the affected object. For objects that don't have a file name extension, specify "" as the value for the filter.

This field isn't available as a filter option on the console.

resourcesAffected.s3Object.lastModified

The date and time when the affected object was created or last changed, whichever is latest.

This field isn't available as a filter option on the console. With the API, you can use this field to define a time range for a filter.

S3 object key*

resourcesAffected.s3Object.key

The full key (name) that's assigned to the affected object.

resourcesAffected.s3Object.path

The path to the affected object, including the full key (name).

This field isn't available as a filter option on the console.

S3 object public access

resourcesAffected.s3Object.publicAccess

A Boolean value that specifies whether the affected object is publicly accessible based on a combination of permission settings that apply to the object.

The console provides a list of values to choose from when you add this field to a filter.

S3 object tag key*

resourcesAffected.s3Object.tags.key

A tag key that's associated with the affected object.

S3 object tag value*

resourcesAffected.s3Object.tags.value

A tag value that's associated with the affected object.

* To specify multiple values for this field on the console, add a condition that uses the field and specifies a distinct value for the filter, and then repeat that step for each additional value. To do this with the API, use an array that lists the values to use for the filter.

Policy fields

The following table lists and describes fields that you can use to filter policy findings. These fields store data that's specific to policy findings.

In the table, the Field column indicates the name of the field on the Amazon Macie console. The JSON field column uses dot notation to indicate the name of the field in JSON representations of findings and the Amazon Macie API. (Longer JSON field names use the newline character sequence (\n) to improve readability.) The Description column provides a brief description of the data that the field stores, and indicates any requirements for filter values. The table is sorted in ascending alphabetical order by field, and then by JSON field.

Field JSON field Description

Action type

policyDetails.action.actionType

The type of action that produced the finding. The only valid value for this field is AWS_API_CALL.

API call name*

policyDetails.action.apiCallDetails.api

The name of the operation that was invoked most recently and produced the finding—for example, DeleteBucketEncryption.

API service name*

policyDetails.action.apiCallDetails.apiServiceName

The URL of the AWS service that provides the operation that was invoked and produced the finding—for example, s3.amazonaws.com.

policyDetails.action.apiCallDetails.firstSeen

The first date and time when any operation was invoked and produced the finding.

This field isn't available as a filter option on the console. With the API, you can use this field to define a time range for a filter.

policyDetails.action.apiCallDetails.lastSeen

The most recent date and time when the specified operation (API call name or api) was invoked and produced the finding.

This field isn't available as a filter option on the console. With the API, you can use this field to define a time range for a filter.

policyDetails.actor.domainDetails.domainName

The domain name of the device that was used to perform the action.

This field isn't available as a filter option on the console.

IP city*

policyDetails.actor.ipAddressDetails.ipCity.name

The name of the originating city for the IP address of the device that was used to perform the action.

IP country*

policyDetails.actor.ipAddressDetails.ipCountry.name

The name of the originating country for the IP address of the device that was used to perform the action—for example, United States.

policyDetails.actor.ipAddressDetails.ipOwner.asn

The Autonomous System Number (ASN) for the autonomous system that included the IP address of the device that was used to perform the action.

This field isn't available as a filter option on the console.

IP owner ASN org*

policyDetails.actor.ipAddressDetails.ipOwner.asnOrg

The organization identifier that's associated with the ASN for the autonomous system that included the IP address of the device that was used to perform the action.

IP owner ISP*

policyDetails.actor.ipAddressDetails.ipOwner.isp

The name of the internet service provider (ISP) that owned the IP address of the device that was used to perform the action.

IP V4 address*

policyDetails.actor.ipAddressDetails.ipAddressV4

The Internet Protocol version 4 (IPv4) address of the device that was used to perform the action.

policyDetails.actor.userIdentity.assumedRole.accessKeyId

For an action performed with temporary security credentials that were obtained using the AssumeRole operation of the AWS STS API, the AWS access key ID that identifies the credentials.

This field isn't available as a filter option on the console.

User identity assumed role account id*

policyDetails.actor.userIdentity.assumedRole.accountId

For an action performed with temporary security credentials that were obtained using the AssumeRole operation of the AWS STS API, the unique identifier for the Amazon Web Services account that owns the entity that was used to get the credentials.

User identity assumed role principal id*

policyDetails.actor.userIdentity.assumedRole.principalId

For an action performed with temporary security credentials that were obtained using the AssumeRole operation of the AWS STS API, the unique identifier for the entity that was used to get the credentials.

User identity assumed role session ARN*

policyDetails.actor.userIdentity.assumedRole.arn

For an action performed with temporary security credentials that were obtained using the AssumeRole operation of the AWS STS API, the Amazon Resource Name (ARN) of the source account, IAM user, or role that was used to get the credentials.

policyDetails.actor.userIdentity.assumedRole.sessionContext.\n

sessionIssuer.type

For an action performed with temporary security credentials that were obtained using the AssumeRole operation of the AWS STS API, the source of the temporary security credentials— for example, Root, IAMUser, or Role.

This field isn't available as a filter option on the console.

policyDetails.actor.userIdentity.assumedRole.sessionContext.\n

sessionIssuer.userName

For an action performed with temporary security credentials that were obtained using the AssumeRole operation of the AWS STS API, the name or alias of the user or role that issued the session. Note that this value is null if the credentials were obtained from a root account that doesn't have an alias.

This field isn't available as a filter option on the console.

User identity AWS account account id*

policyDetails.actor.userIdentity.awsAccount.accountId

For an action performed using the credentials for another Amazon Web Services account, the unique identifier for the account.
User identity AWS account principal id*

policyDetails.actor.userIdentity.awsAccount.principalId

For an action performed using the credentials for another Amazon Web Services account, the unique identifier for the entity that performed the action.

User identity AWS service invoked by

policyDetails.actor.userIdentity.awsService.invokedBy

For an action performed by an account that belongs to an Amazon Web Services service, the name of the service.

policyDetails.actor.userIdentity.federatedUser.accessKeyId

For an action performed with temporary security credentials that were obtained using the GetFederationToken operation of the AWS STS API, the AWS access key ID that identifies the credentials.

This field isn't available as a filter option on the console.

User identity federated session ARN*

policyDetails.actor.userIdentity.federatedUser.arn

For an action performed with temporary security credentials that were obtained using the GetFederationToken operation of the AWS STS API, the ARN of the entity that was used to get the credentials.

User identity federated user account id*

policyDetails.actor.userIdentity.federatedUser.accountId

For an action performed with temporary security credentials that were obtained using the GetFederationToken operation of the AWS STS API, the unique identifier for the Amazon Web Services account that owns the entity that was used to get the credentials.

User identity federated user principal id*

policyDetails.actor.userIdentity.federatedUser.principalId

For an action performed with temporary security credentials that were obtained using the GetFederationToken operation of the AWS STS API, the unique identifier for the entity that was used to get the credentials.

policyDetails.actor.userIdentity.federatedUser.sessionContext.\n

sessionIssuer.type

For an action performed with temporary security credentials that were obtained using the GetFederationToken operation of the AWS STS API, the source of the temporary security credentials—for example, Root, IAMUser, or Role.

This field isn't available as a filter option on the console.

policyDetails.actor.userIdentity.federatedUser.sessionContext.\n

sessionIssuer.userName

For an action performed with temporary security credentials that were obtained using the GetFederationToken operation of the AWS STS API, the name or alias of the user or role that issued the session. Note that this value is null if the credentials were obtained from a root account that doesn't have an alias.

This field isn't available as a filter option on the console.

User identity IAM account id*

policyDetails.actor.userIdentity.iamUser.accountId

For an action performed using an IAM user's credentials, the unique identifier for the Amazon Web Services account that's associated with the IAM user who performed the action.

User identity IAM principal id*

policyDetails.actor.userIdentity.iamUser.principalId

For an action performed using an IAM user's credentials, the unique identifier for the IAM user who performed the action.

User identity IAM user name*

policyDetails.actor.userIdentity.iamUser.userName

For an action performed using an IAM user's credentials, the user name of the IAM user who performed the action.

User identity root account id*

policyDetails.actor.userIdentity.root.accountId

For an action performed using the credentials for your Amazon Web Services account, the unique identifier for the account.

User identity root principal id*

policyDetails.actor.userIdentity.root.principalId

For an action performed using the credentials for your Amazon Web Services account, the unique identifier for the entity that performed the action.

User identity type

policyDetails.actor.userIdentity.type

The type of entity that performed the action that produced the finding.

The console provides a list of values to choose from when you add this field to a filter. For a list of valid values for the API, see UserIdentityType in the Amazon Macie API Reference.

* To specify multiple values for this field on the console, add a condition that uses the field and specifies a distinct value for the filter, and then repeat that step for each additional value. To do this with the API, use an array that lists the values to use for the filter.

Sensitive data classification fields

The following table lists and describes fields that you can use to filter sensitive data findings. These fields store data that's specific to sensitive data findings.

In the table, the Field column indicates the name of the field on the Amazon Macie console. The JSON field column uses dot notation to indicate the name of the field in JSON representations of findings and the Amazon Macie API. The Description column provides a brief description of the data that the field stores, and indicates any requirements for filter values. The table is sorted in ascending alphabetical order by field, and then by JSON field.

Field JSON field Description

Customer data identifier detection ARN*

classificationDetails.result.customDataIdentifiers.detections.arn

The Amazon Resource Name (ARN) of the custom data identifier that detected the data and produced the finding.

Customer data identifier detection name*

classificationDetails.result.customDataIdentifiers.detections.name

The name of the custom data identifier that detected the data and produced the finding.

Customer data identifier total count

classificationDetails.result.customDataIdentifiers.detections.count

The total number of occurrences of data that was detected by custom data identifiers and produced the finding.

You can use this field to define a numeric range for a filter.

Job ID*

classificationDetails.jobId

The unique identifier for the sensitive data discovery job that produced the finding.

classificationDetails.result.mimeType

The type of content, as a MIME type, that the finding applies to—for example, text/csv for a CSV file or application/pdf for an Adobe Portable Document Format file.

This field isn't available as a filter option on the console.

classificationDetails.result.sizeClassified

The total storage size, in bytes, of the S3 object that the finding applies to.

This field isn't available as a filter option on the console. With the API, you can use this field to define a numeric range for a filter.

Result status code*

classificationDetails.result.status.code

The status of the finding. Valid values are:

  • COMPLETE – Macie completed its analysis of the object.

  • PARTIAL – Macie analyzed only a subset of the data in the object. For example, the object is an archive file that contains files in an unsupported format.

  • SKIPPED – Macie wasn't able to analyze the object. For example, the object is a malformed file.

Sensitive data category

classificationDetails.result.sensitiveData.category

The category of sensitive data that was detected and produced the finding.

The console provides a list of values to choose from when you add this field to a filter. In the API, valid values are: CREDENTIALS, FINANCIAL_INFORMATION, and PERSONAL_INFORMATION.

Sensitive data detection type

classificationDetails.result.sensitiveData.detections.type

The type of sensitive data that was detected and produced the finding.

The console provides a list of values to choose from when you add this field to a filter. For a complete list of types, see Sensitive data detection types.

Sensitive data total count

classificationDetails.result.sensitiveData.detections.count

The total number of occurrences of the sensitive data that was detected and produced the finding.

You can use this field to define a numeric range for a filter.

* To specify multiple values for this field on the console, add a condition that uses the field and specifies a distinct value for the filter, and then repeat that step for each additional value. To do this with the API, use an array that lists the values to use for the filter.

Sensitive data detection types

The following topics list values that you can specify for the Sensitive data detection type field in a filter. (The JSON name of this field is classificationDetails.result.sensitiveData.detections.type.) The topics are organized by the categories of sensitive data that Macie can detect using managed data identifiers.

To learn more about a specific detection type, see Using managed data identifiers.

Credentials

You can specify the following values to filter findings that report occurrences of credentials data in S3 objects.

Detection type Filter values
AWS secret access key AWS_CREDENTIALS
OpenSSH private key OPENSSH_PRIVATE_KEY
PGP private key PGP_PRIVATE_KEY
Public Key Cryptography Standard (PKCS) private key PKCS
PuTTY private key PUTTY_PRIVATE_KEY

Financial information

You can specify the following values to filter findings that report occurrences of financial information in S3 objects.

Detection type Filter values
Bank account number BANK_ACCOUNT_NUMBER (for Canadian and US bank account numbers), FRANCE_BANK_ACCOUNT_NUMBER, GERMANY_BANK_ACCOUNT_NUMBER, ITALY_BANK_ACCOUNT_NUMBER, SPAIN_BANK_ACCOUNT_NUMBER, UK_BANK_ACCOUNT_NUMBER
Credit card expiration date CREDIT_CARD_EXPIRATION
Credit card magnetic strip data CREDIT_CARD_MAGNETIC_STRIPE
Credit card number CREDIT_CARD_NUMBER (for credit card numbers that are in proximity of a keyword) and CREDIT_CARD_NUMBER_(NO_KEYWORD) (for credit card numbers that aren't in proximity of a keyword)
Credit card verification code CREDIT_CARD_SECURITY_CODE

Personal information

You can specify the following values to filter findings that report occurrences of personal health information (PHI) in S3 objects.

Detection type Filter values
Drug Enforcement Agency (DEA) Registration Number US_DRUG_ENFORCEMENT_AGENCY_NUMBER
Health Insurance Claim Number (HICN) USA_HEALTH_INSURANCE_CLAIM_NUMBER
Health insurance or medical identification number CANADA_HEALTH_NUMBER, EUROPEAN_HEALTH_INSURANCE_CARD_NUMBER, FINLAND_EUROPEAN_HEALTH_INSURANCE_NUMBER, FRANCE_HEALTH_INSURANCE_NUMBER, UK_NHS_NUMBER, USA_MEDICARE_BENEFICIARY_IDENTIFIER
Healthcare Common Procedure Coding System (HCPCS) code USA_HEALTHCARE_PROCEDURE_CODE
National Drug Code (NDC) USA_NATIONAL_DRUG_CODE
National Provider Identifier (NPI) USA_NATIONAL_PROVIDER_IDENTIFIER
Unique device identifier (UDI) MEDICAL_DEVICE_UDI

You can specify the following values to filter findings that report occurrences of personally identifiable information (PII) in S3 objects.

Detection type Filter values
Birth date DATE_OF_BIRTH
Driver’s license identification number AUSTRALIA_DRIVERS_LICENSE, AUSTRIA_DRIVERS_LICENSE, BELGIUM_DRIVERS_LICENSE, BULGARIA_DRIVERS_LICENSE, CANADA_DRIVERS_LICENSE, CROATIA_DRIVERS_LICENSE, CYPRUS_DRIVERS_LICENSE, CZECHIA_DRIVERS_LICENSE, DENMARK_DRIVERS_LICENSE, DRIVERS_LICENSE (for the US), ESTONIA_DRIVERS_LICENSE, FINLAND_DRIVERS_LICENSE, FRANCE_DRIVERS_LICENSE, GERMANY_DRIVERS_LICENSE, GREECE_DRIVERS_LICENSE, HUNGARY_DRIVERS_LICENSE, IRELAND_DRIVERS_LICENSE, ITALY_DRIVERS_LICENSE, LATVIA_DRIVERS_LICENSE, LITHUANIA_DRIVERS_LICENSE, LUXEMBOURG_DRIVERS_LICENSE, MALTA_DRIVERS_LICENSE, NETHERLANDS_DRIVERS_LICENSE, POLAND_DRIVERS_LICENSE, PORTUGAL_DRIVERS_LICENSE, ROMANIA_DRIVERS_LICENSE, SLOVAKIA_DRIVERS_LICENSE, SLOVENIA_DRIVERS_LICENSE, SPAIN_DRIVERS_LICENSE, SWEDEN_DRIVERS_LICENSE, UK_DRIVERS_LICENSE
Electoral roll number UK_ELECTORAL_ROLL_NUMBER
Full name NAME
Global Positioning System (GPS) coordinates LATITUDE_LONGITUDE
Mailing address ADDRESS, BRAZIL_CEP_CODE
National identification number BRAZIL_RG_NUMBER, FRANCE_NATIONAL_IDENTIFICATION_NUMBER, GERMANY_NATIONAL_IDENTIFICATION_NUMBER, ITALY_NATIONAL_IDENTIFICATION_NUMBER, SPAIN_DNI_NUMBER
National Insurance Number (NINO) UK_NATIONAL_INSURANCE_NUMBER
Passport number CANADA_PASSPORT_NUMBER, FRANCE_PASSPORT_NUMBER, GERMANY_PASSPORT_NUMBER, ITALY_PASSPORT_NUMBER, SPAIN_PASSPORT_NUMBER, UK_PASSPORT_NUMBER, USA_PASSPORT_NUMBER
Permanent residence number CANADA_NATIONAL_IDENTIFICATION_NUMBER
Phone number BRAZIL_PHONE_NUMBER, FRANCE_PHONE_NUMBER, GERMANY_PHONE_NUMBER, ITALY_PHONE_NUMBER, PHONE_NUMBER (for Canada and the US), SPAIN_PHONE_NUMBER, UK_PHONE_NUMBER
Social Insurance Number (SIN) CANADA_SOCIAL_INSURANCE_NUMBER
Social Security number (SSN) SPAIN_SOCIAL_SECURITY_NUMBER, USA_SOCIAL_SECURITY_NUMBER
Taxpayer identification or reference number AUSTRALIA_TAX_FILE_NUMBER, BRAZIL_CNPJ_NUMBER, BRAZIL_CPF_NUMBER, FRANCE_TAX_IDENTIFICATION_NUMBER, GERMANY_TAX_IDENTIFICATION_NUMBER, SPAIN_NIE_NUMBER, SPAIN_NIF_NUMBER, SPAIN_TAX_IDENTIFICATION_NUMBER, UK_TAX_IDENTIFICATION_NUMBER, USA_INDIVIDUAL_TAX_IDENTIFICATION_NUMBER
Vehicle identification number (VIN) VEHICLE_IDENTIFICATION_NUMBER