Use a boolean query to express your query using AND logic.
Example
To show events for a specific file name whose response status is success, see the following example:
file.name: MWP_MALICIOUSJ.exe and response.status: success
Use a boolean query to express your query using NOT logic.
Example
To show events that did not come from a certain asset, see the following example:
not asset.hostName: `WIN-BU2-5555`
Use a boolean query to express your query using OR logic.
Example
To show events on files created by jsmith or kwang, see the following example:
file.creator: jsmith or file.creator: kwang
antimalware.enginesversion
Use an integer value to filter assets based on the antimalware engine version.
Example
To show assets based on the antimalware engine version, see the following example:
antimalware.enginesversion:1.2
antimalware.lastScanDone
Use this token for filtering assets based on the last Antimalware scan time.
Example
To show assets that were last scanned on 10th April 2023, see the following example:
antimalware.lastScanDone:2023-04-10
antimalware.lastreportedtime
Use this token to show assets whose antimalware last reported before a specific date and time.
Example
To show assets whose antimalware last reported before 6:30 on 10th February 2023, see the following example:
antimalware.lastreportedtime < "2023-02-10T06:30:12Z"
antimalware.productversion
Use this token to filter assets based on the antimalware product version.
Example
To show assets based on the antimalware product version, see the following example:
antimalware.productversion:1.2.3
antimalware.scanStatus
Use this token to filter assets based on the antimalware scan status.
Example
To show assets based on their antimalware scan status, see the following example:
antimalware.scanStatus:Pass
antimalware.status
Use this token to filter assets based on their antimalware status.
Example
To show assets based on antimalware status, see the following example:
antimalware.status:Downloading
antimalware.status.category
Use this token to filter assets based on their antimalware status category.
Example
To show assets based on their antimalware status category, see the following example:
antimalware.status.category:Enabled
antimalwareerrorCode
Use this token to filter assets based on the antimalware error code.
Example
To show assets based on their antimalware error code, see the following example:
antimalwareerrorCode:Success
asset.agentId
Use a text value to find an agent ID.
Example
To show events for a certain agent ID, see the following example:
asset.agentId:f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
antimalwareprofile.name
Use this token to filter assets based on the antimalware profile name.
Example
To show assets based on their antimalware profile, see the following example:
antimalwareprofile.name:f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
asset.createdon
asset.hostname
Use quotes or backticks around the value to find assets by hostname.
Examples
To show any events related to the hostname, see the following example:
asset.hostname: WIN-BU2-4322
To show any events whose hostname contains part of the name, see the following example:
asset.hostname: "WIN-BU2-4322"
To show events that match the exact hostname, see the following example:
asset.hostname: `WIN-BU2-4322`
asset.lastreportedtime
Use this token to show assets whose last reported time is before a specific date and time.
Example
To show assets with a last reported time before 6:30 on 10th February 2023, see the following example:
asset.lastreportedtime<"2023-02-10T06:30:12Z"
asset.lastupdatedtime
Use this token to show last updated time of the asset.
Example
To show assets with a last updated time of 10:30 on 2nd April 2023, see the following example:
asset.lastupdatedtime:2023-04-02T10:30:12Z
asset.platform
Use quotes or backticks around the value to find events by platform.
Examples
To show any events related to the WINDOWS platform, see the following example:
asset.platform: `WINDOWS`
To show any events related to the WINDOWS and LINUX platforms, see the following example:
asset.platform: ["WINDOWS", "LINUX"]
asset.score.criticality
Use an integer value to filter assets based on criticality score.
Example
To show assets based on their criticality score, see the following example:
asset.score.criticality: 2
isantimalwareenabled
Use a boolean value to find assets that have Antimalware enabled.
Example
To show the list of assets that have antimalware enabled, see the following example:
isantimalwareenabled: true
response.action
Use a string value to find assets with a response action (Delete File, Kill Process, Quarantine File or Unquarantine File).
Example
To show assets with a response action, see the following example:
response.action:Kill Process
response.status
Use a string value to find assets with a response status (failed, in_progress, success).
Example
To show assets with a response status, see the following example:
response.status:success
state
Use a text value to filter assets by state.
Example
To show assets with a specific state, see the following example:
state: ACTIVE
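The query forms shown on this page (token:value pairs, backtick exact match, quoted partial match, bracket lists, < and > on timestamps, and not/and/or) evaluated against a few constructed asset records. This is an added example, not part of the original documentation or the product's own query engine; the matching rules for bare, quoted and backticked values, and the sample assets, are assumptions based on the descriptions above.

```python
import re

# Constructed sample assets for this demo; hostnames and timestamps are made up.
def asset(host, platform, enabled, reported):
    return {"asset.hostname": host, "asset.platform": platform,
            "isantimalwareenabled": enabled, "antimalware.lastreportedtime": reported}
ASSETS = [asset("WIN-BU2-4322", "WINDOWS", True, "2023-02-09T23:00:00Z"),
          asset("win-bu2-43221", "WINDOWS", False, "2023-02-11T08:00:00Z"),
          asset("lnx-db-01", "LINUX", True, "2023-01-30T00:00:00Z")]

# Lexer: [..] lists, `exact` and "quoted" values, the : < > operators, and bare words.
TOKEN_RE = re.compile(r'\[[^\]]*\]|`[^`]*`|"[^"]*"|[:<>]|[^\s:<>]+')

def matches(actual, op, raw):
    # Assumed semantics: backticks = exact, quotes = case-insensitive substring, [..] = any
    # listed value (same rules), bare word = whole value case-insensitive, < > = ordered compare.
    if actual is None:
        return False
    if raw.startswith("["):
        return any(matches(actual, ":", v.strip()) for v in raw[1:-1].split(","))
    value, s = (raw[1:-1] if raw[0] in '`"' else raw), str(actual)
    if op != ":":  # fixed-format ISO-8601 timestamps order correctly as strings
        return s < value if op == "<" else s > value
    if raw.startswith("`"):
        return s == value
    if raw.startswith('"'):
        return value.lower() in s.lower()
    return s.lower() == value.lower()

def parse(query):
    """expr := term ('or' term)*; term := factor ('and' factor)*; factor := 'not' factor | field op value."""
    toks = TOKEN_RE.findall(query)[::-1]  # reversed so pop() yields tokens in order
    peek = lambda: toks[-1].lower() if toks else None
    def factor():
        tok = toks.pop()
        if tok.lower() == "not":
            inner = factor()
            return lambda a: not inner(a)
        field, op, raw = tok, toks.pop(), toks.pop()
        return lambda a: matches(a.get(field), op, raw)
    def chain(sub, word, combine):  # sub (word sub)*, left-associative
        fn = sub()
        while peek() == word:
            toks.pop()
            fn = combine(fn, sub())
        return fn
    term = lambda: chain(factor, "and", lambda l, r: (lambda a: l(a) and r(a)))
    return chain(term, "or", lambda l, r: (lambda a: l(a) or r(a)))

def search(query, assets=ASSETS):
    return [a["asset.hostname"] for a in assets if parse(query)(a)]
```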