Forensics Search Tokens

You can use the following search tokens in the Forensics tab:

asset.agentid

Use a string value to filter forensic requests by asset agent ID.

Example

To show events for an agent ID, see the following example:

asset.agentId:f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.hostname

Use a string value, with backticks or quotes, to filter forensic requests by asset hostname.

Examples

To show any events related to the name, see the following example:

asset.hostname: WIN-BU2-4322

To show any events that contain parts of the name, see the following example:

asset.hostname: "WIN-BU2-4322"

To show events that match the exact name, see the following example:

asset.hostname: `WIN-BU2-4322`

request.requesttime

Use an integer value to filter forensic requests by requested time.

Example

To show forensic requests by requested time, see the following example:

request.requesttime:2023-03-31

request.expirytime

Use an integer value to filter forensic requests by expiry time.

Example

To show forensic requests by expiry time, see the following example:

request.expirytime:2023-04-02

request.status

Use a string value to filter forensic requests by status. The status values you can filter on are IN_PROGRESS, FAILED, and SUCCESS.

Example

To show forensic requests by status, see the following example:

request.status:IN_PROGRESS

request.userid

Use a string value to filter forensic requests by the ID of the requesting user.

Example

To show forensic requests by user ID, see the following example:

request.userid:analyst_123

request.username

Use a string value to filter forensic requests by username.

Example

To show forensic requests by username, see the following example:

request.username:Joe