Forensics Search Tokens

You can use the following search tokens in the Forensics tab:

qualys.agent.idqualys.agent.id

Use a string value to filter forensic request by asset agent ID.

Example

To show events for an agent ID, see the following example:

qualys.agent.id:f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.interface.hostnameasset.interface.hostname

Use a string value to list incidents by their hostname.

Example

asset.interface.hostname: "DESKTOP-CM8KHGS"

asset.nameasset.name

Use a string value to list the assets with the asset name.

Example

asset.name: "WORKSTATION-PC01"

request.requestTimerequest.requestTime

Use an integer value to filter forensic request by requested time.

Example

To show forensic request by requested time see the following example:

request.requestTime:2023-03-31

request.expiryTimerequest.expiryTime

Use an integer value to filter forensic request by expiry time.

Example

To show forensic request by expiry time see the following example:

request.expiryTime:2023-04-02

request.statusrequest.status

Use a string value to filter forensic request by status. The statuses can be filtered as IN_PROGRESS, FAILED, and SUCCESS.

Example

To show forensic request by status see ,the following example:

request.status:IN_PROGRESS

request.userIdrequest.userId

Use a string value to filter forensic request by requested user id.

Example

To show forensic request by user id see the following example:

request.userId:analyst_123

request.usernamerequest.username

Use a string value to filter forensic request by username.

To show forensic request by username see the following example:

request.username:Joe

request.logTyperequest.logType

Use a string value to find forensic requests based on the collection type.

Examples

Options available are System, Forensics Process Dump, and Incident Number.

request.logType:System Forensics

request.incidentNumberrequest.incidentNumber

Use a string value to list forensic data associated with a specific incident number.

Examples

Options available are System, Forensics Process Dump, and Incident Number.

request.incidentNumber:INC-12345