Events Search Tokens
You can use the following search tokens to search for information about Events and Exempted Events on the Hunting tab:
and
Use a boolean query to express your query using AND logic; an event must match all of the combined conditions.
Example
To show file created events on a certain date and asset name, see the following example:
file.created: '2017-08-12' and asset.hostName: `WIN-BU2-1233`
not
Use a boolean query to express your query using NOT logic; events that match the negated condition are excluded.
Example
To show events that are not on a certain asset, see the following example:
not asset.hostName: `WIN-BU2-5555`
or
Use a boolean query to express your query using OR logic; an event must match at least one of the conditions.
Example
To show events on files created by jsmith or kwang, see the following example:
file.creator: jsmith or file.creator: kwang
action
Use a text value to find events by the action that occurred (CONNECTED, CREATED, CHANGE, OPEN, READ, RENAME, RUNNING, WRITE or TERMINATED).
Example
To show events with the CREATED action, see the following example:
action: CREATED
asset.agentId
Use a text value to find events by agent ID.
Example
To show events for a certain agent ID, see the following example:
asset.agentId: bee72e0a-fd2c-4cfb-a6b0-c28111aa638e
asset.hostName
Use quotes or backticks with the value to find events by hostname: a bare value finds events related to the name, double quotes find events whose hostname contains the value, and backticks require an exact match.
Example
Show any events related to this hostname
asset.hostName: qualysqcaps
Show any events whose hostname contains this value
asset.hostName: "qualysqcaps"
Show events that match this exact hostname
asset.hostName: `qualysqcaps`
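As an added illustration of how the quoting rules and the and/or/not operators above combine, here is a small evaluator written for this page; it is not Qualys code and does not reproduce the Hunting tab's real implementation. It assumes the semantics the page describes: a bare value matches the field as a whole word, a double-quoted value matches any field value containing it, a backticked value must match exactly, and the [a, b] list form used by the MITRE tokens later on this page matches any of the listed values. The sample events are constructed for the demonstration.

```python
import re

# Constructed sample events for the demo (flattened token -> value), not real telemetry.
SAMPLE_EVENTS = [
    {"event.id": "e1", "action": "CREATED", "asset.hostName": "WIN-BU2-1233",
     "file.creator": "jsmith", "mitre.attack.tactic.id": ["TA0002"]},
    {"event.id": "e2", "action": "CREATED", "asset.hostName": "qualysqcaps01",
     "file.creator": "kwang", "mitre.attack.tactic.id": ["TA0003", "TA0005"]},
    {"event.id": "e3", "action": "TERMINATED", "asset.hostName": "qualysqcaps",
     "file.creator": "admin", "mitre.attack.tactic.id": []},
    {"event.id": "e4", "action": "RUNNING", "asset.hostName": "lab-qualysqcaps",
     "file.creator": "kwang", "mitre.attack.tactic.id": ["TA0002", "TA0003"]},
]

# One lexical token per match: a parenthesis, a keyword, or a `field: value` term.
# Values may be a [list], `backticked`, "double quoted", 'single quoted' or bare.
TOKEN_RE = re.compile(r"""\s*(?:
    (?P<lpar>\() | (?P<rpar>\)) |
    (?P<kw>and|or|not)\b |
    (?P<field>[A-Za-z0-9_.]+)\s*:\s*
        (?P<val>\[[^\]]*\]|`[^`]*`|"[^"]*"|'[^']*'|[^\s()]+)
)""", re.VERBOSE | re.IGNORECASE)


def tokenize(query):
    out, pos = [], 0
    while pos < len(query):
        if not query[pos:].strip():
            break
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse query at: {query[pos:]!r}")
        pos = m.end()
        if m.group("kw"):
            out.append(("kw", m.group("kw").lower()))
        elif m.group("field"):
            out.append(("term", m.group("field"), m.group("val")))
        else:
            out.append(("(",) if m.group("lpar") else (")",))
    return out


def match_value(actual, raw):
    """Assumed value semantics: bare = whole-word match, "..." = contains,
    `...` = exact, [a, b] = any of. List-valued fields match if any element does."""
    if actual is None:
        return False
    if raw.startswith("[") and raw.endswith("]"):
        parts = [p.strip() for p in raw[1:-1].split(",") if p.strip()]
        return any(match_value(actual, p) for p in parts)
    candidates = [str(a) for a in (actual if isinstance(actual, list) else [actual])]
    if raw.startswith("`"):
        return any(c == raw[1:-1] for c in candidates)
    if raw[0] in "\"'":
        want = raw[1:-1].lower()
        return any(want in c.lower() for c in candidates)
    want = raw.lower()
    return any(want in re.split(r"[^a-z0-9]+", c.lower()) for c in candidates)


class Parser:
    """Recursive descent with the usual precedence: not binds tightest, then and, then or."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("kw", "or"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == ("kw", "and"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == ("kw", "not"):
            self.take()
            return ("not", self.parse_not())
        tok = self.take()
        if tok == ("(",):
            node = self.parse_or()
            if self.take() != (")",):
                raise ValueError("missing ')'")
            return node
        if tok and tok[0] == "term":
            return tok
        raise ValueError(f"expected a term, got {tok}")


def evaluate(node, event):
    op = node[0]
    if op == "term":
        return match_value(event.get(node[1]), node[2])
    if op == "not":
        return not evaluate(node[1], event)
    left, right = evaluate(node[1], event), evaluate(node[2], event)
    return (left and right) if op == "and" else (left or right)


def search(query, events=SAMPLE_EVENTS):
    """Return the IDs of the sample events that match the query, in input order."""
    tree = Parser(tokenize(query)).parse()
    return [e["event.id"] for e in events if evaluate(tree, e)]
```

Running the three hostname queries from above against the sample set makes the difference visible: the bare value matches qualysqcaps and lab-qualysqcaps, the double-quoted value additionally matches qualysqcaps01, and the backticked value matches only qualysqcaps.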
amsi.type
Use a string value to filter events by the type of script loaded through AMSI.
Example
Show any events for this AMSI script type
amsi.type: ps
amsi.filename
Use a string value to filter events by the name of the script loaded through AMSI.
Example
Show any events for this AMSI script file name
amsi.filename: mimikatz
amsi.arguments
Use a string value to filter events by the arguments of the script loaded through AMSI.
Example
Show any events for these AMSI script arguments
amsi.arguments: --verbose
amsi.buffer
Use a string value to filter events by the content of the script loaded through AMSI.
Example
Show any events whose AMSI buffer contains this value
amsi.buffer: base64
amsi.buffer.length
Use a number value to filter events by their loaded script length.
Example
To show any events related to AMSI buffer length, see the following example:
amsi.buffer.length: 1024
antimalware.enginesversion
Use a version number to filter events by the antimalware engine version.
Example
To show events for this antimalware engine version, see the following example:
antimalware.enginesversion: 1.2
event.antiransomware.attacktype
Use a text value to filter anti-ransomware events by the attack method, which gives context for how the ransomware operated.
Example
Show ransomware attacks that ran locally on the affected machine
event.antiransomware.attacktype: LOCAL
event.hasAmsi
Use a boolean value (true or false) to filter events that have an AMSI loaded script.
Example
Show any events that have an AMSI loaded script
event.hasAmsi: true
event.id
Use a text value to find an event by its event ID.
Example
Show the event with this event ID
event.id: N_bf9ecb09-6e3a-3efe-b5aa-847cdf5a95ba
event.dateTime
Use a date range or specific date to define when the event occurred.
Examples
Show events found within certain dates
event.dateTime: [2017-06-15 ... 2017-06-30]
Show events found starting 2017-06-22, ending 1 month ago
event.dateTime: [2017-06-22 ... now-1M]
Show events found starting 2 weeks ago, ending 1 second ago
event.dateTime: [now-2w ... now-1s]
Show events found on specific date
event.dateTime: '2017-06-14'
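The date syntax above (absolute dates, [start ... end] ranges and relative values such as now-1M or now-2w) can be evaluated offline with the following added example. It is not Qualys code. It assumes that a date-only endpoint covers the whole day, that ranges are inclusive at both ends, that the "..." and ".." range separators that both appear on this page are equivalent, and that the relative units are s, m (minutes), h, d, w, M (months) and y; the page itself only shows 1M, 2w and 1s. The events and the fixed "now" are constructed so that the results are reproducible.

```python
import re
from calendar import monthrange
from datetime import datetime, timedelta

RANGE_RE = re.compile(r"^\[\s*(.+?)\s*\.{2,3}\s*(.+?)\s*\]$")   # [start ... end] or [start .. end]
REL_RE = re.compile(r"^now(?:([+-])(\d+)([smhdwMy]))?$")         # now, now-1M, now-2w, now-1s ...
DATE_ONLY_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed sample events and a fixed "now" (assumption for the demo).
NOW = datetime(2017, 8, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"event.id": "e1", "event.dateTime": datetime(2017, 6, 14, 8, 30)},
    {"event.id": "e2", "event.dateTime": datetime(2017, 6, 22, 23, 59)},
    {"event.id": "e3", "event.dateTime": datetime(2017, 7, 1, 0, 0)},
    {"event.id": "e4", "event.dateTime": datetime(2017, 7, 18, 11, 0)},
    {"event.id": "e5", "event.dateTime": datetime(2017, 7, 31, 9, 0)},
    {"event.id": "e6", "event.dateTime": NOW},
]


def shift_months(dt, months):
    """Move dt by whole months, clamping the day to the target month's length."""
    total = dt.month - 1 + months
    year, month = dt.year + total // 12, total % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, monthrange(year, month)[1]))


def resolve(expr, now):
    """Turn one endpoint into a datetime. Absolute values are ISO dates; relative
    values are now +/- N units. Assumed units: s, m (minutes), h, d, w, M (months), y."""
    expr = expr.strip().strip("'\"")
    rel = REL_RE.match(expr)
    if rel is None:
        return datetime.fromisoformat(expr)
    if rel.group(1) is None:
        return now
    n = int(rel.group(2)) * (1 if rel.group(1) == "+" else -1)
    unit = rel.group(3)
    if unit in ("M", "y"):
        return shift_months(now, n if unit == "M" else 12 * n)
    unit_name = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}[unit]
    return now + timedelta(**{unit_name: n})


def parse_window(expr, now=NOW):
    """Return the inclusive (start, end) window for a date value. A date-only
    endpoint covers the whole day, so '2017-06-14' means that entire day."""
    expr = expr.strip()
    rng = RANGE_RE.match(expr)
    lo, hi = (rng.group(1), rng.group(2)) if rng else (expr, expr)
    start, end = resolve(lo, now), resolve(hi, now)
    if DATE_ONLY_RE.match(hi.strip().strip("'\"")):
        end = end + timedelta(days=1) - timedelta(microseconds=1)
    if start > end:
        raise ValueError(f"empty range: {expr}")
    return start, end


def filter_events(expr, events=SAMPLE_EVENTS, now=NOW):
    """IDs of the sample events whose event.dateTime falls inside the window."""
    start, end = parse_window(expr, now)
    return [e["event.id"] for e in events if start <= e["event.dateTime"] <= end]
```

Note the two edge cases the code handles: now-1M from the end of a month is clamped to the last valid day of the previous month, and a range whose start lies after its end (for example the page's "[2017-06-22 ... now-1M]" evaluated on a date before 2017-07-22) is rejected rather than silently matching nothing.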
event.eppeventname
Use a string value to find events with the specified EPP event name.
Example
Show all events with this EPP event name
event.eppeventname: eicar.txt
event.detectiontype
Use a string value to list all events with a particular detection type. Choose from Anti-Exploit, Anti-Phishing, Anti-ransomware, Behavioral, Content-Control, Device-Control, Fileless-AMSI, Fileless-Cmdline, Network-Monitor, On-Access, On-Demand, Traffic-Scan.
Example
Show all the events with the detection type On Access
event.detectiontype: On Access
event.isdetectedbyepp
Use a boolean value (true or false) to list all events that were detected by EPP.
Example
Show all the events that were detected by EPP
event.isdetectedbyepp: true
event.source
Use a text value to find events by their source. Choose from Anti-malware or EDR.
Example
Show all events from the EDR source
event.source: EDR
event.scoresource
Use a text value to find events by the source of their score. Choose from Anti-malware, Behavioral Detection and Threat Intel.
Example
To show the score source for Behavioral Detection, see the following example:
event.scoresource: Behavioral Detection
event.phishingURL
Use a text value to find events with the specified phishing URL.
Example
Show all events having this phishing URL
event.phishingURL: "www.amtso.org/check-desktop-phishing-page/"
event.phishingType
Use a text value to find events of the specified phishing type. Choose from FRAUD, UNTRUST, PHISHING.
Example
Show all events of the phishing type FRAUD
event.phishingType: FRAUD
event.action
Use a text value to find events by the action taken on a phishing URL. Choose from CLOSED or ESTABLISHED.
Example
Show all events where the phishing URL action is CLOSED
event.action: CLOSED
event.threatname
Use a text value to find events with a specific threat name.
Example
Show all events having the threat name Application.Hacktool.AUU
event.threatname: Application.Hacktool.AUU
event.threattype
Use a text value to filter events by threat type.
Example
To show events of a threat type see the following example:
event.threattype: virus
event.fileActionTaken
Use a text value to find events by the action taken on a traffic scan event. Choose from ACTION_NONE, ACTION_DENY, ACTION_DISINFECT, ACTION_DELETE, ACTION_MOVE_TO_QUARANTINE, ACTION_DISINFECT_ONLY.
Example
Show all events where the action taken on the traffic scan event is ACTION_DELETE
event.fileActionTaken: ACTION_DELETE
event.fileState
Use a text value to find events by the final state of a traffic scan event. Choose from IGNORED, PRESENT, DELETED, BLOCKED, QUARANTINED, CLEANED.
Example
Show all events where the final state of the traffic scan event is IGNORED
event.fileState: IGNORED
event.networkUrl
Use a text value to find Network Monitor events with the specified URL.
Example
Show all events having this URL for Network Monitor events
event.networkUrl: "HTTP://:44646/nice/ports"
event.networkDetectionName
Use a text value to find Network Monitor events with the specified detection name.
Example
Show all Network Monitor events with the detection name Exploit.PentestingTool.HTTP.3
event.networkDetectionName: Exploit.PentestingTool.HTTP.3
event.networkAttackTechnique
Use a text value to find Network Monitor events by the attack technique used.
Example
Show all Network Monitor events where the technique used is lateralMovement
event.networkAttackTechnique: lateralMovement
event.antiExploitTechnique
Use a text value to find Anti Exploit events by the exploitation technique detected.
Example
Show all Anti Exploit events where the detected technique is ROP/Emulation
event.antiExploitTechnique: ROP/Emulation
exception.reason
Use a text value to find exempted events by the reason given when unwanted events generated by a non-malicious program were flagged as exceptions. Choose from False Positive, Hide, and Risk Accepted.
Example
To show events flagged as False Positive, see the following example:
exception.reason: False Positive
file.created
Use a date range or specific date to define when files were created.
Examples
Show events with file created on 2017-08-12
file.created: '2017-08-12'
Show events with file created between 2017-06-06 and 1 second ago
file.created: [2017-06-06 .. now-1s]
Show events with file created within date range
file.created: [2017-08-23 .. 2017-08-25]
file.creator
Use a text value to find events on files created by a certain user.
Example
Show events on files created by this user
file.creator: admin
file.extention
Use a text value to define the file extension you're interested in.
Example
Show events on files with pdf extension
file.extention: pdf
file.fullPath
Use a text value to define the full pathname of a file of interest.
Example
Show events on files at this full path
file.fullPath: "C:\Windows\System32\svchost.exe"
file.hash.md5
Use a text value to define the MD5 hash of a file you're interested in.
Example
Show events on files with this MD5 hash
file.hash.md5: 50714f6cbb72be3e432d58e543dd2632
file.hash.sha256
Use a text value to define the SHA256 hash of a file you're interested in.
Example
Show events on files with this SHA256 hash
file.hash.sha256: 8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6
file.name
Use a text value to find events on a file name of interest.
Example
Show events on this file name
file.name: myapp_log.txt
file.path
Use a text value to find events on files at a file path you are interested in.
Example
Show events on files at this path
file.path: "C:\Windows\System32\LogFiles"
file.properties.certificate.hash
Use a text value to define a signed certificate hash of interest.
Example
Show events for this signed certificate hash
file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542
file.properties.certificate.issuer
Use quotes or backticks with the value to find events by certificate issuer: double quotes match issuer names that contain the value, backticks require an exact match.
Example
Show any events that contain parts of issuer name
file.properties.certificate.issuer: "Verizon"
Show events that match exact issuer name
file.properties.certificate.issuer: `Verizon Certificate ABZ`
file.properties.certificate.signed
Use a boolean value to find events on files that are signed (true) or unsigned (false).
Example
Show events with signed certificate
file.properties.certificate.signed: true
file.properties.certificate.signeddate
Use a date range or specific date to define when certificates were signed.
Examples
Show events with certificate signed on 2017-08-12
file.properties.certificate.signeddate: '2017-08-12'
Show events with certificate signed between 2017-06-06 and 1 second ago
file.properties.certificate.signeddate: [2017-06-06 .. now-1s]
Show events with certificate signed within date range
file.properties.certificate.signeddate: [2017-08-23 .. 2017-08-25]
file.properties.certificate.subject
Use quotes or backticks with the value to find events by certificate subject: double quotes match subjects that contain the value, backticks require an exact match.
Example
Show any events that contain parts of subject
file.properties.certificate.subject: "Mycorp Technologies"
Show events that match exact subject
file.properties.certificate.subject: `CN = Mycorp Technologies, Inc O = Mycorp Technologies, Inc L = Menlo Park S = California C = US`
file.properties.certificate.valid
Use a boolean value to find events on files with a valid certificate (true) or an invalid one (false).
Example
Show events with valid certificate
file.properties.certificate.valid: true
file.originalfilename
Use a string value to list events by the file's original file name.
Example
Show events with original file name chrome.exe
file.originalfilename: chrome.exe
file.shortcutfiletarget
Use a string value to list events where a shortcut file points to the specified target file.
Example
Show events that have shortcut file target chrome.exe
file.shortcutfiletarget: chrome.exe
file.type
Use a text value to find events on files of a given Portable Executable (PE) type.
Example
Show events for .exe files
file.type: exe
handle.name
Use a text value to define a file handle name.
Example
Show events with this file handle name
handle.name: "Global\MsWinZonesCacheCounterMutexA0"
Note: The "handle.name" token is available based on your subscription. For more information, contact Qualys Support.
handle.pid
Use an integer value to define the ID of the process that holds a file handle.
Example
Show events with this file handle process ID
handle.pid: 1388
Note: The "handle.pid" token is available based on your subscription. For more information, contact Qualys Support.
indicator.severityscore
Use an integer value to define the threat score of an indicator across all scoring engines.
Examples
Show events with this severity score
indicator.severityscore: 8
Show events with confirmed severity scores (8 or higher)
indicator.severityscore >= 8
indicator.threatfeed
Use an integer value to define the threat score of an indicator from the threat feed scoring engine.
Examples
Show events with this threat feed score
indicator.threatfeed: 8
Show events with confirmed threat feed scores (8 or higher)
indicator.threatfeed >= 8
malware.category
Use quotes or backticks with value to define a malware category.
Example
Show events with this malware category
malware.category: `File Infector`
malware.family
Use quotes or backticks with the value to define a malware family.
Example
Show events with this malware family
malware.family: `CryptoMinerF`
mitre.attack.tactic.id
Use quotes to find events with a tactic ID from the MITRE ATT&CK framework.
Example
Show events with this tactic ID.
mitre.attack.tactic.id: "TA0002"
Show events with any one or both of the following tactic IDs.
mitre.attack.tactic.id: ["TA0002", "TA0003"]
mitre.attack.tactic.name
Use quotes to find events with a tactic name from the MITRE ATT&CK framework.
Example
Show events with this tactic name.
mitre.attack.tactic.name: "Execution"
Show events with any one or both of the following tactic names.
mitre.attack.tactic.name: ["Execution", "Persistence"]
mitre.attack.technique.id
Use quotes to find events with a technique ID from the MITRE ATT&CK framework.
Example
Show events with this technique ID.
mitre.attack.technique.id: "T1059.001"
Show events with any one or both of the following technique IDs.
mitre.attack.technique.id: ["T1059.001", "T1197"]
mitre.attack.technique.name
Use quotes to find events with a technique name from the MITRE ATT&CK framework.
Example
Show events with this technique name.
mitre.attack.technique.name: "Command and Scripting Interpreter: PowerShell"
Show events with any one or both of the following technique names.
mitre.attack.technique.name: ["Command and Scripting Interpreter: PowerShell", "BITS Jobs"]
mitre.attack.software.id
Use quotes to find events with a software ID from the MITRE ATT&CK framework.
Example
Show events with this software ID.
mitre.attack.software.id: "S0106"
Show events with any one or both of the following software IDs.
mitre.attack.software.id: ["S0106", "S0469"]
mitre.attack.software.name
Use quotes to find events with a software name from the MITRE ATT&CK framework.
Example
Show events with this software name.
mitre.attack.software.name: "certutil"
Show events with any one or both of the following software names.
mitre.attack.software.name: ["certutil", "CoinTicker"]
mitre.attack.group.id
Use quotes to find events with a group ID from the MITRE ATT&CK framework.
Example
Show events with this group ID.
mitre.attack.group.id: "G0067"
Show events with any one or both of the following group IDs.
mitre.attack.group.id: ["G0067", "G0082"]
mitre.attack.group.name
Use quotes to find events with a group name from the MITRE ATT&CK framework.
Example
Show events with this group name.
mitre.attack.group.name: "OilRig"
Show events with any one or both of the following group names.
mitre.attack.group.name: ["OilRig", "Lazarus Group"]
mitre.attack.rule.name
Use quotes to find events with the name of the detection rule that maps the event to the MITRE ATT&CK framework.
Example
Show events with this rule name.
mitre.attack.rule.name: "T1021_001_3"
Show events with any one or both of the following rule names.
mitre.attack.rule.name: ["T1021_001_3", "T1071_004_3"]
netbiosname
Use a text value to define the NetBIOS name you're interested in.
Examples
Show events on the asset with this NetBIOS name
netbiosname: VISTASP2-24-208
network.local.address.ip
Use a text value to define the local IP address of a process network connection. This token applies only to Network type events.
Example
Show network events on this local network IP
network.local.address.ip: 10.10.10.54
network.local.address.port
Use an integer value to define the local port number of a process network connection.
Example
Show events on this local network port
network.local.address.port: 80
network.process.name
Use a string value to define the name of the process that made the network connection.
Example
Show events with this network process name
network.process.name: chrome.exe
network.process.pid
Use an integer value to define the process ID of the process that made the network connection.
Example
Show events with this network process ID
network.process.pid: 12345
network.protocol
Use a string value to find events with a network protocol name you're looking for (TCP or UDP).
Example
Show events with this network protocol name
network.protocol: TCP
network.remote.address.fqdn
Use a string value to define the FQDN of a process remote connection.
Example
Show events with this network FQDN
network.remote.address.fqdn: 10567-T51.corp.acme.com
network.remote.address.ip
Use a string value to define the IP address of a process remote connection.
Example
Show events with this network IP address
network.remote.address.ip: 198.252.200.123
network.remote.address.port
Use an integer value to define the remote port of a process network connection.
Example
Show events with this network remote port
network.remote.address.port: 443
network.state
Use a string value to define the state of a process network connection (TIME_WAIT or ESTABLISHED).
Example
Show events with established network state
network.state: ESTABLISHED
parent.event.id
Use a string value to find events by the event ID of the parent process event.
Example
Show events with this parent event ID
parent.event.id: RTP_fc0c02da-2982-4426-8140-be55d5f050f7_-5443330379451874079_11384
parent.sid
Use a string value to find events by the security identifier (SID) of the parent process; the SID helps you assess the privilege level of the process chain when analyzing suspicious activity.
Example
Show events whose parent process carries the System Mandatory Level SID
parent.sid: S-1-16-16384
parent.integritylevel
Use a text value to find events by the integrity level of the parent process that spawned the current process.
Example
Show events whose parent process runs at the system integrity level
parent.integritylevel: ML_SYSTEM
parent.name
Use a string value to find events whose parent process has this image name.
Example
Show events created by this parent process
parent.name: Notepad.exe
parent.pid
Use an integer value to find events by parent process ID.
Example
Show events with this parent process ID
parent.pid: 1272
parent.productname
Use a string value to list all events whose parent process matches the given product name.
Example
Show events whose parent product name is Microsoft Edge
parent.productname: Microsoft Edge
parent.imagepath
Use a string value to display events with the parent process image path.
Example
Show events with this parent process image path
parent.imagepath: "C:\Temp\abe.exe"
parent.iscertificateexists
Use a boolean value (true or false) to show all events whose parent process has a certificate available.
Example
Show events that have parent certificate available
parent.iscertificateexists: true
parent.iscertificatevalid
Use a boolean value (true or false) to show all events whose parent process has a valid certificate.
Example
Show events that have valid parent certificate available
parent.iscertificatevalid: true
platform
Use a string value to find events on a platform of interest.
Example
Show events that took place on Windows platform
platform: WINDOWS
process.arguments
Use a string value to find events on a process that was run with certain command-line arguments.
Example
Show events on a process whose arguments contain this value
process.arguments: arguments
process.currentdirectory
Use a string value to find events by the current working directory of the process at the time it ran.
Example
Show events for processes running with this working directory
process.currentdirectory: usr/local/bin
process.elevated
Use a boolean value to find events where the process ran with elevated privileges (true) or not (false).
Example
Show events with process as elevated privileges
process.elevated: true
process.fullPath
Use a string value to define the full path to the file that launched the process. Enclose the path in double quotes.
Example
Show events with file at this full path
process.fullPath: "C:\windows\system32\svchost.exe"
process.image.fullPath
Use a string value to define the full path to the file that launched the process. Enclose the path in double quotes.
Example
Show events with image file at this full path
process.image.fullPath: "C:\Windows\System32\svchost.exe"
process.image.path
Use a string value to define the path to the folder containing the file that launched the process. Enclose the path in double quotes.
Example
Show events with image file contained in this folder
process.image.path: "C:\windows\system32"
process.iscertificateexists
Use a boolean value (true or false) to show all process events that have a certificate available.
Example
Show process events that have a certificate available
process.iscertificateexists: true
process.loadedmodule.name
Use quotes or backticks with the value to find events by the name of a module loaded in a process.
Example
Show any events related to loaded module
process.loadedmodule.name: advapi32
Show any events that contain parts of loaded module name
process.loadedmodule.name: "advapi32"
Show events that match exact name
process.loadedmodule.name: `advapi32`
Note: The "process.loadedmodule.name" token is available based on your subscription. For more information, contact Qualys Support.
process.loadedmodule.path
Use quotes or backticks with value to find events on the path to the directory containing the loaded module.
Example
Show any events that contain parts of loaded module path
process.loadedmodule.path: "C:\Windows\System32"
Show events that match exact value
process.loadedmodule.path: `C:\Windows\System32`
Note: The "process.loadedmodule.path" token is available based on your subscription. For more information, contact Qualys Support.
process.loadedmodule.fullpath
Use quotes or backticks with value to find events on the full path to the loaded module image.
Example
Show any events that contain parts of loaded module full path
process.loadedmodule.fullpath: "C:\Windows\System32\advapi32.dll"
Show events that match exact value
process.loadedmodule.fullpath: `C:\Windows\System32\advapi32.dll`
Note: The "process.loadedmodule.fullpath" token is available based on your subscription. For more information, contact Qualys Support.
process.loadedmodule.hash.md5
Use a text value to define the MD5 hash of a loaded module.
Example
Show events for loaded module with this MD5 hash
process.loadedmodule.hash.md5: c102a6ff0fe651242be9a4be3e579106
Note: The "process.loadedmodule.hash.md5" token is available based on your subscription. For more information, contact Qualys Support.
process.loadedmodule.hash.sha256
Use a text value to define the SHA256 hash of a loaded module.
Example
Show events for loaded module with this SHA256 hash
process.loadedmodule.hash.sha256: ef117b762c2c680d181cf4119ff611c9de46fcea6b60775e746541f5dd8f1cd0
Note: The "process.loadedmodule.hash.sha256" token is available based on your subscription. For more information, contact Qualys Support.
process.name
Use a string value to define a process image name of interest.
Example
Show events with this process image name
process.name: explorer.exe
process.originalfilename
Use a string value to find events by the original file name of the process executable, before any renaming that may have occurred.
Example
Show events for processes whose executable has the original file name Wmiprvse.exe
process.originalfilename: Wmiprvse.exe
process.productname
Use a string value to list all process events with a particular product name.
Example
List all the process events for Microsoft Edge Installer
process.productname: Microsoft Edge Installer
process.parentname
Use a string value to define a parent process image name of interest.
Example
Show events with this parent process image name
process.parentname: explorer.exe
process.processfile.certificate.hash
Use a string value to list process events with a specific certificate hash.
Example
To show process events with the specific certificate hash, see the following example:
process.processfile.certificate.hash: 7e9572xxxxxxxx862ebxxxxxx782fcxxxb9
process.processfile.certificate.issuer
Use a string value to list process events with a specific certificate issuer.
Example
To show process events with a specific certificate issuer, see the following example:
process.processfile.certificate.issuer: Microsoft
process.processfile.certificate.signed
Use a boolean value to list processes whose executable is signed.
Example
To show process events whose executable is signed, see the following example:
process.processfile.certificate.signed: true
process.processfile.certificate.signeddate
Use a date range or specific date to list processes whose certificate was signed on that date.
Example
To show process events with a certificate signed on a specific date, see the following example:
process.processfile.certificate.signeddate: '2017-08-12'
process.processfile.certificate.valid
Use a boolean value to list processes that have a valid certificate.
Example
To show process events that have a valid certificate, see the following example:
process.processfile.certificate.valid: true
process.processfile.certificate.subject
Use a string value to list processes by certificate subject: double quotes match subjects that contain the value, backticks require an exact match.
Examples
To show process events that contains part of subject, see the following example:
process.processfile.certificate.subject: "Mycorp Technologies"
To show process events that match exact subject, see the following example:
process.processfile.certificate.subject: `CN=MYcorp technologies, Inc O=MyCorp Technologies`
process.processfile.md5
Use a text value to find events by the MD5 hash of the executable file of a running process.
Example
Show events for processes whose executable has this MD5 hash
process.processfile.md5: d41d8cd98f00b204e9800998ecf8427e
process.parentPid
Use an integer value to define the parent process ID.
Example
Show events with this parent process ID
process.parentPid: 8877
process.pid
Use an integer value to define the process ID.
Example
Show events with this process ID
process.pid: 1655
process.sid
Use a string value to list all process events with a particular security identifier (SID).
Example
Show process events with sid S-1-16-12288
process.sid: S-1-16-12288
process.started
Use a date range or specific date to define when a process was started.
Examples
Show events with process started on 2017-08-12
process.started: '2017-08-12'
Show events with process started between 2017-06-06 and 1 second ago
process.started: [2017-06-06 .. now-1s]
Show events with process started within date range
process.started: [2017-08-23 .. 2017-08-25]
process.terminated
Use a date range or specific date to define when a process was terminated.
Examples
Show events with process terminated on 2017-08-12
process.terminated: '2017-08-12'
Show events with process terminated between 2017-06-06 and 1 second ago
process.terminated: [2017-06-06 .. now-1s]
Show events with process terminated within date range
process.terminated: [2017-08-23 .. 2017-08-25]
process.username
Use a string value to find events by the username the process runs as.
Example
Show events with this process username
process.username: sslong
registry.key
Use a string value to find events with a registry key name.
Example
Show events with this registry key name
registry.key: HKEY_CURRENT_CONFIG
Note: The "registry.key" token is available based on your subscription. For more information, contact Qualys Support.
registry.value
Use a string value to find events with a certain registry value in the key.
Example
Show events with this registry value
registry.value: "C:\Program Files"
Note: The "registry.value" token is available based on your subscription. For more information, contact Qualys Support.
registry.data
Use a string value to find events with certain registry data.
Example
Show events with this registry data
registry.data: "filename.exe"
Note: The "registry.data" token is available based on your subscription. For more information, contact Qualys Support.
response.action
Use a string value to find events by response action (Delete File, Kill Process, or Quarantine File).
Example
Show events with this response action
response.action: Kill Process
response.status
Use a string value to find events by response status (failed, in_progress, success).
Example
Show events with this response status
response.status: success
response.user
Use a string value to list response actions executed by a certain user.
Example
Show response actions for this user
response.user: John Doe
response.userId
Use a string value to list response actions executed by a certain username.
Example
Show response actions for this username
response.userId: jdoe
response.priorScore
Use an integer value to search events by the score the event had before the response action was executed.
Examples
Show events with this prior score
response.priorScore: 8
Show events with prior scores greater than or equal to this value
response.priorScore >= 9
response.statusMessage
Use a string value to search events by the status message displayed after the response action completed.
Examples
Show events whose status message contains this value
response.statusMessage: "Process"
Show events with exactly this status message
response.statusMessage:`Process does not exist`
session.name
Use a string value to search events by the session name assigned to the session.
Examples
Show events that have any session name
session.name: *
Show events with the session name Services
session.name: Services
session.userid
Use a string value to search events by the session ID assigned to the session.
Examples
Show events that have any session ID
session.userid: *
Show events with session ID 2
session.userid: 2
session.username
Use a string value to search events by the username assigned to the session.
Examples
Show events that have any session username
session.username: *
Show events with the session username NT AUTHORITY\SYSTEM
session.username: NT AUTHORITY\SYSTEM
system.eventid
Use a text value to find the system events collected into your EDR view. System events can be filtered by:
- Provider
- Event ID
- Critical/Warning
- Success/Failure
Example
Show system events with this event ID (in this example, a configuration change applied to firewall settings)
system.eventid: 3003
system.provider
Use a text value to identify the source or entity responsible for generating or managing a particular event or log entry.
Example
Show events from this provider, narrowed further by event ID and threat type
system.provider: AntivirusEngine and system.eventid: 3001 and event.threattype: virus
type
Use a string value to find events with the object type you're looking for (FILE, MUTEX, NETWORK, REGISTRY, etc.).
Show events with this object type
type: FILE
Note: "MUTEX" and "REGISTRY" values are available based on your subscription. For more information, contact Qualys Support.
yara.ruleName
Use a text value to find events matched by a YARA rule with this name.
Example
Show events for this YARA rule
yara.ruleName: SHA3_constants
asset.architecture
Use a string value to filter Mac assets by architecture. For Mac assets, the ARM architecture is arm64 and the Intel architecture is x86_64.
Example
Show Mac assets with this architecture
asset.architecture:arm64
Tokens for Non PE Files
file.creatingapplication
Use a text value to help you find files that are created by using the specified application.
Example
Show files that are created using Microsoft Office Word
file.creatingapplication: Microsoft Office Word
file.lastmodifiedby
Use a text value to find files that were last modified by the specified author.
Example
Show files that were last modified by this author
file.lastmodifiedby: ABC
file.numofpages
Use an integer value to help you find files by the number of pages present in the file.
Examples
Show files that have more than one page.
file.numofpages > 1
Show files that have 20 pages.
file.numofpages: 20
file.nonpefile
Use the values true or false to find files that are of a non-PE file type.
Example
Show files that are non-PE.
file.nonpefile: true
file.pdf.aa
Use an integer value to find files by the count of /AA (additional actions) entries in the PDF file.
Examples
Show files that have zero automatic actions to be performed when a given page of the document is viewed.
file.pdf.aa: 0
file.pdf.javascript
Use an integer value to find files by the count of /JavaScript entries in the PDF file.
Examples
Show files that have more than one JavaScript block present in the PDF file.
file.pdf.javascript > 1
Show files that have 20 JavaScript blocks present in the PDF file.
file.pdf.javascript: 20
file.pdf.js
Use an integer value to find files by the count of /JS entries in the PDF file.
Examples
Show files that have more than one /JS present in the PDF file.
file.pdf.js > 1
Show files that have 20 /JS present in the PDF file.
file.pdf.js: 20
file.pdf.objstm
Use an integer value to find files by the count of /ObjStm (object stream) entries in the PDF file.
Examples
Show files that have zero /ObjStm files in the PDF file.
file.pdf.objstm: 0
file.pdf.openaction
Use an integer value to find files by the count of /OpenAction entries in the PDF file.
Examples
Show files that have zero open actions to be performed when the document is viewed.
file.pdf.openaction: 0
file.pdf.pages
Use an integer value to find files by the number of pages in the PDF file.
Examples
Show PDF files that have more than one page.
file.pdf.pages > 1
Show PDF files that have 20 pages.
file.pdf.pages: 20
file.title
Use a text value to find events by file title.
Example
Show events with this file title
file.title: myapp
response.comments
Use a string value to list events by the comment added when the response action was initiated.
Example
Show events that contain parts of the comment
response.comments: "malicious"
Show events that match exact comment
response.comments: `killing malicious process`