You can use the following search tokens in the Forensics tab:
asset.agentId
Example
To show events for an agent ID, see the following example:
asset.agentId:f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.hostname
Examples
To show any events related to the name, see the following example:
asset.hostname: WIN-BU2-4322
To show any events that contain parts of the name, see the following example:
asset.hostname: "WIN-BU2-4322"
To show events that match the exact name, see the following example:
asset.hostname: `WIN-BU2-4322`

request.requesttime
Example
To show forensic requests by requested time, see the following example:
request.requesttime:2023-03-31

request.expirytime
Example
To show forensic requests by expiry time, see the following example:
request.expirytime:2023-04-02

request.status
Example
To show forensic requests by status, see the following example:
request.status:IN_PROGRESS

request.userid
Example
To show forensic requests by user ID, see the following example:
request.userid:analyst_123

request.username
Example
To show forensic requests by username, see the following example:
request.username:Joe