Forensics Search Tokens

You can use the following search tokens in the Forensics tab:

Use a string value to filter forensic request by asset agent ID.

Example

To show events for an agent ID, see the following example:

asset.agentId:f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

Use a string value with backticks or quotes to filter forensic request asset hostname.

Examples

To show any events related to name see the following example:

asset.hostname: WIN-BU2-4322

To show any events that contain parts of name see the following example:

asset.hostname: "WIN-BU2-4322"

To show events that match exact name see the following example:

asset.hostname: `WIN-BU2-4322`

Use an integer value to filter forensic request by requested time.

Example

To show forensic request by requested time see the following example:

request.requesttime:2023-03-31

Use an integer value to filter forensic request by expiry time.

Example

To show forensic request by expiry time see the following example:

request.expirytime:2023-04-02

Use a string value to filter forensic request by status. The statuses can be filtered as IN_PROGRESS, FAILED, and SUCCESS.

Example

To show forensic request by status see ,the following example:

request.status:IN_PROGRESS

Use a string value to filter forensic request by requested user id.

Example

To show forensic request by user id see the following example:

request.userid:analyst_123

Use a string value to filter forensic request by username.

To show forensic request by username see the following example:

request.username:Joe