Forensics Search Tokens

You can use the following search tokens in the Forensics tab:

asset.agentid

Use a string value to filter forensic requests by asset agent ID.

Example

To show events for an agent ID, see the following example:

asset.agentId:f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.hostname

Use a string value, optionally wrapped in quotes or backticks, to filter forensic requests by asset hostname. A bare value, a quoted value, and a backtick-quoted value match differently, as the examples below show.

Examples

To show any events related to the name, see the following example:

asset.hostname: WIN-BU2-4322

To show any events whose hostname contains part of the name, see the following example:

asset.hostname: "WIN-BU2-4322"

To show only events whose hostname matches the name exactly, see the following example:

asset.hostname: `WIN-BU2-4322`

request.requesttime

Use a date value (YYYY-MM-DD, as in the example) to filter forensic requests by the time they were requested.

Example

To show forensic requests by requested time, see the following example:

request.requesttime:2023-03-31

request.expirytime

Use a date value (YYYY-MM-DD, as in the example) to filter forensic requests by expiry time.

Example

To show forensic requests by expiry time, see the following example:

request.expirytime:2023-04-02

request.status

Use a string value to filter forensic requests by status. Valid values are IN_PROGRESS, FAILED, and SUCCESS.

Example

To show forensic requests by status, see the following example:

request.status:IN_PROGRESS

request.userid

Use a string value to filter forensic requests by the ID of the user who made the request.

Example

To show forensic requests by user ID, see the following example:

request.userid:analyst_123

request.username

Use a string value to filter forensic requests by the username of the user who made the request.

Example

To show forensic requests by username, see the following example:

request.username:Joe
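The following is an added example, not part of this page or of the product's own search implementation. It shows how a small query filter could parse the tokens listed above and apply them to a constructed list of forensic request records. The record layout, the sample values, and the exact matching semantics (backticks: whole name, case-sensitive; quotes: substring; bare: the whole name or one of its dot- or hyphen-separated components; date tokens: prefix match on an ISO-8601 timestamp) are assumptions chosen to illustrate the three hostname forms and the status enumeration described on this page, not a description of how the product matches.

```python
import re

# Constructed sample of forensic request records (values made up for this example).
# Field names mirror the search tokens on this page; record ids are invented.
RECORDS = [
    {"id": "req-1",
     "asset": {"agentId": "f0c8e682-e9cc-4e7d-b92a-0c905d81ec74", "hostname": "WIN-BU2-4322"},
     "request": {"requestTime": "2023-03-31T10:15:00Z", "expiryTime": "2023-04-02T10:15:00Z",
                 "status": "IN_PROGRESS", "userId": "analyst_123", "username": "Joe"}},
    {"id": "req-2",
     "asset": {"agentId": "2d1e7c44-5a0b-4f6e-9c3d-8b7a6e5f4d3c", "hostname": "win-bu2-4322.corp.example"},
     "request": {"requestTime": "2023-03-31T12:00:00Z", "expiryTime": "2023-04-03T12:00:00Z",
                 "status": "SUCCESS", "userId": "analyst_456", "username": "Ana"}},
    {"id": "req-3",
     "asset": {"agentId": "9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a", "hostname": "LNX-BU2-0007"},
     "request": {"requestTime": "2023-03-30T08:00:00Z", "expiryTime": "2023-04-02T08:00:00Z",
                 "status": "FAILED", "userId": "analyst_123", "username": "Joe"}},
]

# The three statuses the page lists for request.status.
VALID_STATUSES = {"IN_PROGRESS", "FAILED", "SUCCESS"}

# One token: key, colon, optional whitespace, then a backtick-quoted, double-quoted or bare value.
TOKEN_RE = re.compile(
    r'(?P<key>[A-Za-z_.]+)\s*:\s*(?:`(?P<exact>[^`]*)`|"(?P<quoted>[^"]*)"|(?P<bare>[^\s`"]+))'
)


def parse_query(query):
    """Return a list of (key, mode, value) triples; mode is 'exact', 'quoted' or 'bare'."""
    tokens = []
    for m in TOKEN_RE.finditer(query):
        for mode in ("exact", "quoted", "bare"):
            if m.group(mode) is not None:
                # Keys are compared case-insensitively (asset.agentId == asset.agentid).
                tokens.append((m.group("key").lower(), mode, m.group(mode)))
                break
    leftover = TOKEN_RE.sub("", query).strip()
    if leftover or not tokens:
        raise ValueError(f"unparseable query fragment: {leftover!r}")
    return tokens


def match_hostname(hostname, mode, value):
    """Assumed semantics for the three hostname value forms described on this page."""
    if mode == "exact":          # backticks: the whole name, case-sensitive
        return hostname == value
    h, v = hostname.lower(), value.lower()
    if mode == "quoted":         # quotes: any substring of the name
        return v in h
    # bare: the whole name, or one of its dot/hyphen separated components
    return v == h or v in re.split(r"[^a-z0-9]+", h)


def match_token(record, key, mode, value):
    """Apply one parsed token to one record; unknown tokens and statuses are rejected."""
    asset, req = record["asset"], record["request"]
    if key == "asset.agentid":
        return asset["agentId"] == value
    if key == "asset.hostname":
        return match_hostname(asset["hostname"], mode, value)
    if key in ("request.requesttime", "request.expirytime"):
        # Assumed: a YYYY-MM-DD value matches the stored ISO-8601 timestamp by prefix.
        field = "requestTime" if key.endswith("requesttime") else "expiryTime"
        return req[field].startswith(value)
    if key == "request.status":
        if value.upper() not in VALID_STATUSES:
            raise ValueError(f"unknown status {value!r}; expected one of {sorted(VALID_STATUSES)}")
        return req["status"] == value.upper()
    if key == "request.userid":
        return req["userId"] == value
    if key == "request.username":
        return req["username"] == value
    raise ValueError(f"unknown search token {key!r}")


def search(query, records=RECORDS):
    """All tokens in a query must match (implicit AND); returns the ids of matching records."""
    tokens = parse_query(query)
    return [r["id"] for r in records if all(match_token(r, k, m, v) for k, m, v in tokens)]


if __name__ == "__main__":
    for q in ("asset.hostname: `WIN-BU2-4322`",
              'asset.hostname: "BU2-4"',
              "asset.hostname: BU2",
              "request.status:IN_PROGRESS request.username:Joe"):
        print(f"{q:48} -> {search(q)}")
```

Running the block prints the progressively wider hostname matches for the backtick, quoted and bare forms of the same name, then a two-token query that narrows to the single in-progress request made by Joe. A misspelled status such as request.status:PENDING is rejected rather than silently matching nothing, which is the behaviour you want from a filter used during an investigation.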
