Assets Search Tokens

This section lists the Assets and Anti-malware search tokens that you can use on the Assets tab:

Generic Tokens

and

Use a boolean query to express your query using AND logic.

Example

To show events that match both a file name and a response status, see the following example:

file.name: MWP_MALICIOUSJ.exe and response.status: success

not

Use a boolean query to express your query using NOT logic.

Example

To show events that are not on a certain asset name, see the following example:

not asset.hostName: `WIN-BU2-5555`

or

Use a boolean query to express your query using OR logic.

Example

To show events on files created by jsmith or kwang, see the following example:

file.creator: jsmith or file.creator: kwang

Assets Tokens

asset.agentid

Use a text value to find an agent ID.

Example

To show events for a certain agent ID, see the following example:

asset.agentId:f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.architecture

Use a string value to filter Mac assets by architecture. For Mac assets with ARM architecture the value is arm64; for Intel Macs it is x86_64.

Example

To show Mac assets with the arm64 architecture, see the following example:

asset.architecture:arm64

asset.createdon

asset.hostname

Use quotes or backticks around the value to find assets by hostname.

Examples

To show any events related to the hostname, see the following example:

asset.hostname: WIN-BU2-4322

To show any events whose hostname contains parts of the name, see the following example:

asset.hostname: "WIN-BU2-4322"

To show events that match the exact hostname, see the following example:

asset.hostname: `WIN-BU2-4322`

asset.lastreportedtime

Use this token to show the last reported time of the asset before a specific date and time.

Example

To show assets with a last reported time before 6:30 on 10th February 2023, see the following example:

asset.lastreportedtime>"2023-02-10T06:30:12Z"
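To make the query syntax described above concrete (the and / not / or operators, the three quoting forms shown for asset.hostname, and the timestamp comparison shown for asset.lastreportedtime), here is a small local evaluator that runs such queries against a constructed asset inventory. This is an added example, not Qualys EDR code: the inventory, the function names (tokenize, search and so on) and the matching rules are all assumptions drawn from the page's wording rather than the platform's real engine. It treats a bare or double-quoted value as a case-insensitive "contains" match, a backticked value as an exact match, a bracketed list as "any of", and < / > as RFC 3339 timestamp comparisons.

```python
"""Added example (not Qualys EDR code): a local evaluator for the asset-search
syntax on this page. Matching semantics are an assumption taken from the page's
wording, not the platform's real behaviour."""
from __future__ import annotations

import re
from datetime import datetime

# Constructed sample inventory (hypothetical hostnames and times, not real data).
ASSETS = [
    {"asset.hostname": "WIN-BU2-4322", "asset.platform": "WINDOWS",
     "asset.lastreportedtime": "2023-02-09T22:10:00Z", "isantimalwareenabled": True},
    {"asset.hostname": "WIN-BU2-43221", "asset.platform": "WINDOWS",
     "asset.lastreportedtime": "2023-02-11T08:00:00Z", "isantimalwareenabled": False},
    {"asset.hostname": "lnx-db-01", "asset.platform": "LINUX",
     "asset.lastreportedtime": "2023-02-12T00:00:00Z", "isantimalwareenabled": True},
]

# One lexeme at a time: an operator, a parenthesis, or `field <cmp> value`.
# Values may be backticked, double-quoted, a bracketed list, or a single bare word.
TOKEN_RE = re.compile(
    r"(?P<op>and|or|not)\b"
    r"|(?P<paren>[()])"
    r"|(?P<field>[A-Za-z][\w.]*)\s*(?P<cmp>[:<>])\s*"
    r"(?P<value>`[^`]*`|\"[^\"]*\"|\[[^\]]*\]|[^\s()]+)",
    re.IGNORECASE,
)


def tokenize(query: str) -> list:
    """Split a query into ('op', name), ('paren', c) or ('term', (field, cmp, raw))."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse query at offset {pos}: {query[pos:]!r}")
        if m.group("op"):
            tokens.append(("op", m.group("op").lower()))
        elif m.group("paren"):
            tokens.append(("paren", m.group("paren")))
        else:
            tokens.append(("term", (m.group("field").lower(), m.group("cmp"), m.group("value"))))
        pos = m.end()
        while pos < len(query) and query[pos].isspace():
            pos += 1
    return tokens


class Parser:
    """Recursive-descent parser with precedence not > and > or, plus parentheses."""

    def __init__(self, tokens: list):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected trailing token {self.peek()!r}")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == ("op", "or"):
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == ("op", "and"):
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == ("op", "not"):
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok == ("paren", "("):
            node = self.parse_or()
            if self.take() != ("paren", ")"):
                raise ValueError("missing ')'")
            return node
        if tok[0] == "term":
            return tok
        raise ValueError(f"unexpected token {tok!r}")


def parse_value(raw: str):
    """Map the page's quoting forms to (kind, value)."""
    if raw[0] == "`" and raw[-1] == "`":          # backticks: exact match
        return "exact", raw[1:-1]
    if raw[0] == '"' and raw[-1] == '"':          # quotes: contains (allows spaces)
        return "contains", raw[1:-1]
    if raw[0] == "[" and raw[-1] == "]":          # list: any of the listed values
        return "any", [parse_value(v.strip()) for v in raw[1:-1].split(",") if v.strip()]
    return "contains", raw                        # bare word: contains


def match_value(actual, kind: str, value) -> bool:
    if kind == "any":
        return any(match_value(actual, k, v) for k, v in value)
    text = str(actual).lower() if isinstance(actual, bool) else str(actual)
    if kind == "exact":
        return text == value
    return value.lower() in text.lower()


def _parse_time(text: str) -> datetime:
    # Accept the page's RFC 3339 "Z" suffix on Python versions before 3.11.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def match_term(asset: dict, field: str, cmp: str, raw: str) -> bool:
    actual = asset.get(field)
    if actual is None:
        return False
    kind, value = parse_value(raw)
    if cmp in ("<", ">"):
        if not isinstance(value, str):
            raise ValueError("< and > need a single timestamp value")
        left, right = _parse_time(str(actual)), _parse_time(value)
        return left < right if cmp == "<" else left > right
    return match_value(actual, kind, value)


def evaluate(node, asset: dict) -> bool:
    kind = node[0]
    if kind == "term":
        return match_term(asset, *node[1])
    if kind == "not":
        return not evaluate(node[1], asset)
    if kind == "and":
        return evaluate(node[1], asset) and evaluate(node[2], asset)
    return evaluate(node[1], asset) or evaluate(node[2], asset)


def search(query: str, assets: list = ASSETS) -> list:
    """Return the hostnames of assets matching the query, in inventory order."""
    tree = Parser(tokenize(query)).parse()
    return [a["asset.hostname"] for a in assets if evaluate(tree, a)]


if __name__ == "__main__":
    for q in ("asset.hostname: WIN-BU2-4322", "asset.hostname: `WIN-BU2-4322`",
              'asset.lastreportedtime>"2023-02-10T06:30:12Z"',
              "asset.platform: WINDOWS and not isantimalwareenabled: true"):
        print(f"{q!r:60} -> {search(q)}")
```

Running the script shows the difference the quoting makes: the bare value also matches the hostname WIN-BU2-43221, while the backticked value matches only WIN-BU2-4322. Multi-word values must be quoted or backticked, as the page says for asset.tags.name; an unquoted second word does not lex and raises ValueError rather than silently matching.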

asset.lastupdatedtime

Use this token to show the last updated time of the asset.

Example

To show assets with a last updated time of 10:30 on 2nd April 2023, see the following example:

asset.lastupdatedtime:2023-04-02T10:30:12Z

asset.operatingsystem

Use a string value to find assets by their operating system.

Example

To show assets with a specific operating system, see the following example:

asset.operatingsystem: `Microsoft Windows 10 Pro 10.0.18363 64-bit N/A Build 18363`

asset.platform

Use quotes or backticks around the value to find events by platform.

Examples

To show any events related to platform WINDOWS see the following example:

asset.platform: `WINDOWS`

To show any events related to platform WINDOWS and LINUX see the following example:

asset.platform: ["WINDOWS", "LINUX"]

asset.score.criticality

Use an integer value to filter assets based on criticality score.

Example

To show assets based on criticality score see the following example:

asset.score.criticality: 2

asset.tags.name

Use quotes or backticks around the value to find assets by tag name. Use quotes when the value has more than one word.

Examples

To show any findings related to this tag name, see the following example:

asset.tags.name: Cloud Agent

To show any findings that contain "Cloud" or "Agent" in the name, see the following example:

asset.tags.name: "Cloud Agent"

To show any findings that match exact value see the following example:

asset.tags.name: `Cloud Agent`

asset.tags.id

Use a string value to filter the list of assets based on the tag id.

Example

To show any findings related to this tag id see the following example:

asset.tags.id: 43954857

assettype

Use a string value to filter assets of type HOST. You can select the asset type from the drop-down of the token in the EDR UI.

Example

To show any findings related to this asset of the type HOST see the following example:

assettype: HOST

asset.avprofile.name

Use the string value to filter the assets for which you have assigned an Anti-malware profile name.

Example

To show any findings related to this anti-malware profile name see the following example:

asset.avprofile.name: EDR-assets

asset.agentversion

Use a version number value to filter assets based on the Agent Version.

Example

To show assets with a specific agent version, see the following example:

asset.agentversion: 4.6.1

Anti-malware Tokens

antimalware.enginesversion

Use a version number value to filter assets based on the antimalware engine version.

Example

To show assets based on the antimalware engine version, see the following example:

antimalware.enginesversion:1.2

antimalware.lastScanDone

Use this token for filtering assets based on the last Antimalware scan time.

Example

To show assets that were last scanned on 10th April see the following example:

antimalware.lastScanDone:2023-04-10

antimalware.lastreportedtime

Use this token to show the last reported time of the antimalware before a specific date and time. You can also view the last reported time in the Asset Details in EDR under the Security section as Last Signature Update Time.

Example

To show assets with a last reported time before 6:30 on 10th February 2023, see the following example:

antimalware.lastreportedtime < "2023-02-10T06:30:12Z"

antimalware.productversion

Use this token to filter assets based on the antimalware product version.

Example

To show assets based on the antimalware product version, see the following example:

antimalware.productversion:1.2.3

antimalware.scanStatus

Use this token to filter assets based on the antimalware scan status.

Example

To show assets based on their antimalware scan status, see the following example:

antimalware.scanStatus:Pass

antimalware.status

Use this token to filter assets based on their antimalware status.

Example

To show assets based on antimalware status, see the following example:

antimalware.status:Downloading

antimalware.status.category

Use this token to filter assets based on their antimalware status category.

Example

To show assets based on their antimalware status category, see the following example:

antimalware.status.category:Enabled

antimalwareerrorCode

Use this token to filter assets based on the antimalware error code.

Example

To show assets based on their antimalware error code, see the following example:

antimalwareerrorCode:Success

antimalwareworkflow

Use a string value to get the asset(s) with a given Anti-Malware Status Workflow type. You can select the workflow type from the drop-down in the EDR UI. The anti-malware workflow values include the following:

  • APP_REMOVER
  • DOWNLOAD: The anti-malware is downloaded.
  • DOWNLOADING: The anti-malware is in the process of being downloaded.
  • ENABLEMENT: The anti-malware is in the process of being uninstalled.
  • INSTALLATION: The anti-malware is installed.
  • INSTALLING: The anti-malware is in the process of being installed.
  • UNINSTALLATION: The anti-malware is uninstalled.
  • UPDATE: The anti-malware is updated.
  • UPDATING: The anti-malware is in the process of being updated.

antimalwareprofile.id

Use the string value to filter assets based on the anti-malware profile id.

Example

To show assets based on their antimalware profile, see the following example:

antimalwareprofile.id:0b59cdac-814e-4f26-ac6f-f804e7c8d632

antimalwareprofile.name

Use this token to filter assets based on the antimalware profile name.

Example

To show assets based on their antimalware profile, see the following example:

antimalwareprofile.name:Qualys EDR

isantimalwareenabled

Use a boolean value to find assets that have Antimalware enabled.

Example

To show the list of assets that have antimalware enabled see the following example:

isantimalwareenabled: true

isantimalwareuptodate

Use a boolean value to find assets that have the latest antimalware installed.

Example

To show the list of assets that have latest antimalware see the following example:

isantimalwareuptodate: true

response.action

Use a string value to find assets with a response action (Delete File, Kill Process, Quarantine File or Unquarantine File).

Example

To show assets with a response action see the following example:

response.action:Kill Process

response.status

Use a string value to find assets with a response status (failed, in_progress, success).

Example

To show assets with a response status see the following example:

response.status:success

state

Use a text value to filter assets by state.

Example

To show assets with a specific state see the following example:

state: ACTIVE