Forensics Search Tokens
You can use the following search tokens in the Forensics tab:
qualys.agent.idqualys.agent.id
Use a string value to filter forensic request by asset agent ID.
Example
To show events for an agent ID, see the following example:
qualys.agent.id:f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
asset.interface.hostnameasset.interface.hostname
Use a string value to list incidents by their hostname.
Example
asset.interface.hostname: "DESKTOP-CM8KHGS"
Use a string value to list the assets with the asset name.
Example
asset.name: "WORKSTATION-PC01"
request.requestTimerequest.requestTime
Use an integer value to filter forensic request by requested time.
Example
To show forensic request by requested time see the following example:
request.requestTime:2023-03-31
request.expiryTimerequest.expiryTime
Use an integer value to filter forensic request by expiry time.
Example
To show forensic request by expiry time see the following example:
request.expiryTime:2023-04-02
Use a string value to filter forensic request by status. The statuses can be filtered as IN_PROGRESS, FAILED, and SUCCESS.
Example
To show forensic request by status see ,the following example:
request.status:IN_PROGRESS
Use a string value to filter forensic request by requested user id.
Example
To show forensic request by user id see the following example:
request.userId:analyst_123
request.usernamerequest.username
Use a string value to filter forensic request by username.
To show forensic request by username see the following example:
request.username:Joe
request.logTyperequest.logType
Use a string value to find forensic requests based on the collection type.
Examples
Options available are System, Forensics Process Dump, and Incident Number.
request.logType:System Forensics
request.incidentNumberrequest.incidentNumber
Use a string value to list forensic data associated with a specific incident number.
Examples
Options available are System, Forensics Process Dump, and Incident Number.
request.incidentNumber:INC-12345