Auto Remediation Search Tokens
Use the following search tokens for the auto-remediation rule.
asset.agentId
Use a text value to find an agent ID.
Example
To show events for a certain agent ID see the following example:
asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
asset.hostName
Use quotes or backticks around the value to find events by hostname.
Examples
To show any events related to the name see the following example:
asset.hostName: WIN-BU2-4322
To show any events that contain part of the name see the following example:
asset.hostName: "WIN-BU2-4322"
To show events that match the exact name see the following example:
asset.hostName: `WIN-BU2-4322`
file.hash.md5
Use a text value to define the MD5 hash of a file.
Example
To show events on files with this MD5 hash see the following example:
file.hash.md5: 50714f6cbb72be3e432d58e543dd2632
file.hash.sha256
Use a text value to define the SHA256 hash of a file.
Example
To show events on files with SHA256 hash see the following example:
file.hash.sha256: 813xxxx364c2xxxx86xxx2f5xxxxxxf4649ffxxxxx3e6
file.name
Use a text value to find events for a file name.
Example
To show events for a file name see the following example:
file.name: myapp_log.txt
file.fullPath
Use a text value to define the full pathname to a file of interest.
Example
Show events on files at this full path
file.fullPath: C:\Windows\System32\LogFiles\myapp_log.txt
file.properties.certificate.hash
Use a text value to define a signed certificate hash of interest.
Example
Show events for this signed certificate hash
file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542
file.path
Use a text value to find events on files at a file path you are interested in.
Example
Show events on files at this path
file.path: C:\Windows\System32\LogFiles
malware.family
Use quotes or backticks around the value to define a malware family.
Example
Show events with this malware name
malware.family: CryptoMinerF
malware.category
Use quotes or backticks around the value to define a malware category.
Example
Show events with this malware category
malware.category: File Infector
indicator.severityscore
Use an integer value to define the threat score of an indicator based on all scoring engines.
Examples
Show events with this severity score
indicator.severityscore: 8
Show events with confirmed severity scores
indicator.severityscore >= 8
process.name
Use a string value to define a process image name of interest.
Example
To show events with a process image name see the following example:
process.name: explorer.exe
process.pid
Use an integer value to define the process ID.
Example
Show events with this process ID
process.pid: 1655
process.image.fullpath
Use a string value to define the full path to the file that launched the process. Enclose the path in double quotes.
Example
Show events with image file at this full path
process.image.fullPath: "C:\windows\system32\svchost.exe"
process.processfile.sha256
Use a text value to define the SHA256 associated with the process file.
Example
Show events for a module with this SHA256
process.processfile.sha256: 43f0af018dc498619222cf16e1c9bde2f7710732686dc361e4d692b7efb4ddf9
process.processfile.md
Use a text value to define the MD5 associated with the process file.
Example
Show events for a module with this MD5
process.processfile.md: e5c3b321907c73e782280be427599f14
process.image.path
Use a string value to define the path to the folder containing the file that launched the process. Enclose the path in double quotes.
Example
Show events with image file contained in this folder
process.image.path: "C:\windows\system32"
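As an added example that is not part of this reference, the following Python evaluates these token expressions against a few constructed sample events, applying the quote and backtick rules described above and the integer comparison used for indicator.severityscore. Treating a bare hostname value as a case-insensitive whole-value match is an assumption, as is the event field layout.

```python
import re

# Constructed sample events (not from the page); keys mirror the token names
# used in the auto-remediation search syntax above.
EVENTS = [
    {"asset.hostName": "WIN-BU2-4322", "indicator.severityscore": 9,
     "process.name": "explorer.exe", "process.pid": 1655},
    {"asset.hostName": "WIN-BU2-43221", "indicator.severityscore": 5,
     "process.name": "svchost.exe", "process.pid": 300},
    {"asset.hostName": "srv-db-01", "indicator.severityscore": 8,
     "process.name": "explorer.exe", "process.pid": 42},
]

# Tokens the page defines as integer-valued; everything else is text.
INTEGER_TOKENS = {"indicator.severityscore", "process.pid"}
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b, ":": lambda a, b: a == b}
TOKEN_RE = re.compile(r"^\s*([\w.]+)\s*(>=|<=|>|<|:)\s*(.+?)\s*$")

def parse_token(query):
    """Split 'token: value' or 'token >= 8' into (token, operator, raw value)."""
    m = TOKEN_RE.match(query)
    if not m:
        raise ValueError(f"not a search token: {query!r}")
    return m.group(1), m.group(2), m.group(3)

def text_matches(raw, actual):
    """Backticks = exact match, double quotes = 'contains part of the name',
    bare value = case-insensitive whole-value match (assumption)."""
    if len(raw) >= 2 and raw[0] == raw[-1] == "`":
        return actual == raw[1:-1]
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1] in actual
    return actual.lower() == raw.lower()

def search(query, events=EVENTS):
    """Return the events matched by one search-token expression."""
    token, op, raw = parse_token(query)
    hits = []
    for ev in events:
        if token not in ev:
            continue
        if token in INTEGER_TOKENS:
            if not re.fullmatch(r"\d+", raw):
                raise ValueError(f"{token} takes an integer value, got {raw!r}")
            if OPS[op](ev[token], int(raw)):
                hits.append(ev)
        elif op == ":" and text_matches(raw, str(ev[token])):
            hits.append(ev)
    return hits
```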