Events Search Token in EDR

You can use the following search tokens to search information about events on the Hunting tab.

action

Use a text value ##### to help you find an action that occurred (CONNECTED, CREATED, CHANGE, OPEN, READ, RENAME, RUNNING, WRITE or TERMINATED).

Example

Show events with created action

action: CREATED

asset.agentId

Use a text value ##### to find an agent ID of interest.

Example

Show events for a certain agent ID

asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.hostName

Use quotes or backticks with value to find events with the hostname you're interested in.

Example

Show any events related to name

asset.hostName: WIN-BU2-4322

Show any events that contain parts of name

asset.hostName: "WIN-BU2-4322"

Show events that match exact name

asset.hostName: `WIN-BU2-4322`

amsi.type

Use a string value ##### to filter events by their loaded script type.

Example

Show any events related to AMSI type

amsi.type: ps

amsi.filename

Use a string value ##### to filter events by their loaded script name.

Example

Show any events related to AMSI file name

amsi.filename: mimicatz

amsi.arguments

Use a string value ##### to filter events by their loaded script arguments.

Example

Show any events related to AMSI arguments

amsi.arguments: --verbose

amsi.commandline

Use a string value ##### to filter events by their loaded script content.

Example

Show any events related to AMSI commandline content

amsi.commandline: base64

amsi.commandline.length

Use a number value ##### to filter events by their loaded script length.

Example

Show any events related to AMSI commandline length

amsi.commandline.length: 1024

event.hasAmsi

Use a boolean value ##### to filter events that have loaded script.

Example

Show any events that have AMSI loaded script.

event.hasAmsi: true

event.id

Use a text value ##### to help you find an event ID you're looking for.

Example

Show an event ID

event.id: N_bf9ecb09-6e3a-3efe-b5aa-847cdf5a95ba

event.dateTime

Use a date range or specific date to define the date and time event occurred.

Examples

Show events found within certain dates

event.dateTime: [2017-06-15 ... 2017-06-30]

Show events found starting 2017-06-22, ending 1 month ago

event.dateTime: [2017-06-22 ... now-1M]

Show events found starting 2 weeks ago, ending 1 second ago

event.dateTime: [now-2w ... now-1s]

Show events found on specific date

event.dateTime: '2017-06-14'

event.source

Use a text value ##### to find events based on the source of the event. Choose from Anti-malware | EDR.

Example

Show all EDR events

event.source: EDR

event.phishingURL

Use a text value ##### to find events with the specified phishing URL.

Example

Show all events having this phishing URL

event.phishingURL: "www.amtso.org/check-desktop-phishing-page/"

event.phishingType

Use a text value ##### to find events for the specified phishing type. Choose from FRAUD, UNTRUST, PHISHING.

Example

Show all events of the phishing type FRAUD

event.phishingType: FRAUD

event.action

Use a text value ##### to find events based on the action taken for the phishing URL. Choose from CLOSED | ESTABLISHED.

Example

Show all events with the phishing URL action Closed

event.action: CLOSED

event.threatName

Use a text value ##### to find events with the specified threat name for the traffic scan event.

Example

Show all events having the threat name No ROOTKIT

event.threatName: No ROOTKIT

event.fileActionTaken

Use a text value ##### to find events based on the action taken for the traffic scan event. Choose from ACTION_NONE, ACTION_DENY, ACTION_DISINFECT, ACTION_DELETE, ACTION_MOVE_TO_QUARANTINE, ACTION_DISINFECT_ONLY.

Example

Show all events where the action taken on the traffic scan event is ACTION_DELETE

event.fileActionTaken: ACTION_DELETE

event.fileState

Use a text value ##### to find events based on the final state of the traffic scan event. Choose from IGNORED, PRESENT, DELETED, BLOCKED, QUARANTINED, CLEANED.

Example

Show all events where the final state of the traffic scan event is IGNORED

event.fileState: IGNORED

event.networkUrl

Use a text value ##### to find events with specified URL for the Network Monitor event.

Example

Show all events having this URL for Network Monitor events

event.networkUrl: "HTTP://:44646/nice/ports"

event.networkDetectionName

Use a text value ##### to find events with specified name of detection for the Network Monitor event.

Example

Show all events having the name for Network Monitor event Exploit.PentestingTool.HTTP.3

event.networkDetectionName: Exploit.PentestingTool.HTTP.3

event.networkAttackTechnique

Use a text value ##### to find events with specified techniques used for the Network Monitor event.

Example

Show all events having the technique used for Network Monitor event lateralMovement

event.networkAttackTechnique: lateralMovement

event.antiExploitTechnique

Use a text value ##### to find events with specified techniques used for Anti Exploit event.

Example

Show all events where the technique used for the Anti Exploit event is ROP/Emulation

event.antiExploitTechnique: ROP/Emulation

file.created

Use a date range or specific date to define when files were created.

Examples

Show events with file created on 2017-08-12

file.created: '2017-08-12'

Show events with file created between 2017-06-06 and 1 second ago

file.created: [2017-06-06 .. now-1s]

Show events with file created within date range

file.created: [2017-08-23 .. 2017-08-25]

file.creator

Use a text value ##### to help you find events on files created by a certain user.

Example

Show events on files created by this user

file.creator: admin

file.extension

Use a text value ##### to define a file extension you're interested in.

Example

Show events on files with pdf extension

file.extension: pdf

file.fullPath

Use a text value ##### to define the full pathname to a file of interest.

Example

Show events on files at this full path

file.fullPath: 'C:\Windows\System32\LogFiles\myapp_log.txt'

file.hash.md5

Use a text value ##### to define the MD5 hash of a file you're interested in.

Example

Show events on files with this MD5 hash

file.hash.md5: 50714f6cbb72be3e432d58e543dd2632

file.hash.sha256

Use a text value ##### to define the SHA256 hash of a file you're interested in.

Example

Show events on files with this SHA256 hash

file.hash.sha256: 8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6

file.name

Use a text value ##### to help you find events on a file name of interest.

Example

Show events on this file name

file.name: myapp_log.txt

file.path

Use a text value ##### to find events on files at a file path you are interested in.

Example

Show events on files at this path

file.path: "C:\Windows\System32\LogFiles"

file.properties.certificate.hash

Use a text value ##### to define a signed certificate hash of interest.

Example

Show events for this signed certificate hash

file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542

file.properties.certificate.issuer

Use quotes or backticks with value to help you find a certificate issuer.

Example

Show any events that contain parts of issuer name

file.properties.certificate.issuer: "Verizon"

Show events that match exact issuer name

file.properties.certificate.issuer: `Verizon Certificate ABZ`

file.properties.certificate.signed

Use a boolean string to help you find files with a signed certificate (true) or an unsigned one (false).

Example

Show events with signed certificate

file.properties.certificate.signed: true

file.properties.certificate.signeddate

Use a date range or specific date to define when certificates were signed.

Examples

Show events with certificate signed on 2017-08-12

file.properties.certificate.signeddate: '2017-08-12'

Show events with certificate signed between 2017-06-06 and 1 second ago

file.properties.certificate.signeddate: [2017-06-06 .. now-1s]

Show events with certificate signed within date range

file.properties.certificate.signeddate: [2017-08-23 .. 2017-08-25]

file.properties.certificate.subject

Use quotes or backticks with value to help you find a certificate subject.

Example

Show any events that contain parts of subject

file.properties.certificate.subject: "Mycorp Technologies"

Show events that match exact subject

file.properties.certificate.subject: `CN = Mycorp Technologies, Inc O = Mycorp Technologies, Inc L = Menlo Park S = California C = US`

file.properties.certificate.valid

Use a boolean string to help you find files with a valid certificate (true) or an invalid one (false).

Example

Show events with valid certificate

file.properties.certificate.valid: true

file.type

Use a text value ##### to define the Portable Executable (PE) file type you're interested in.

Example

Show events for .exe files

file.type: exe

handle.name

Use a text value ##### to define a file handle name that you're interested in.

Example

Show events with this file handle name

handle.name: "Global\MsWinZonesCacheCounterMutexA0"

Note: The "handle.name"  token is available based on your subscription. For more information, contact Qualys Support.

handle.pid

Use an integer value ##### to define a file handle process ID that you're interested in.

Example

Show events with this file handle process ID

handle.pid: 1388

Note: The "handle.pid" token is available based on your subscription. For more information, contact Qualys Support.

indicator.score

Use an integer value ##### to define the threat score of an indicator based on all scoring engines.

Examples

Show events with this score

indicator.score: 8

Show events with confirmed scores

indicator.score >= 8

indicator.threatfeed

Use an integer value ##### to define the threat score of an indicator based on the threat feed scoring engine.

Examples

Show events with this score

indicator.threatfeed: 8

Show events with confirmed scores

indicator.threatfeed >= 8

malware.category

Use quotes or backticks with value to define a malware category you're interested in.

Example

Show events with this malware category

malware.category: `File Infector`

malware.family

Use quotes or backticks with value to define a malware family you're looking for.

Example

Show events with this malware name

malware.family: `CryptoMinerF`

mitre.attack.tactic.id

Use quotes to find events with the tactic ID from the MITRE ATT&CK framework.

Example

Show events with this tactic ID.

mitre.attack.tactic.id: "TA0002"

Show events with any one or both of the following tactic IDs.

mitre.attack.tactic.id: ["TA0002","TA0003"]

mitre.attack.tactic.name

Use quotes to find events with the tactic name from the MITRE ATT&CK framework.

Example

Show events with this tactic name.

mitre.attack.tactic.name: "Execution"

Show events with any one or both of the following tactic names.

mitre.attack.tactic.name: ["Execution","Persistence"]

mitre.attack.technique.id

Use quotes to find events with the technique ID from the MITRE ATT&CK framework.

Example

Show events with this technique ID.

mitre.attack.technique.id: "T1059.001"

Show events with any one or both of the following technique IDs.

mitre.attack.technique.id: ["T1059.001","T1197"]

mitre.attack.technique.name

Use quotes to find events with the technique name from the MITRE ATT&CK framework.

Example

Show events with this technique name.

mitre.attack.technique.name: "Command and Scripting Interpreter: PowerShell"

Show events with any one or both of the following technique names.

mitre.attack.technique.name: ["Command and Scripting Interpreter: PowerShell","BITS Jobs"]

mitre.attack.software.id

Use quotes to find events with the software ID from the MITRE ATT&CK framework.

Example

Show events with this software ID.

mitre.attack.software.id: "S0106"

Show events with any one or both of the following software IDs.

mitre.attack.software.id: ["S0106","S0469"]

mitre.attack.software.name

Use quotes to find events with the software name from the MITRE ATT&CK framework.

Example

Show events with this software name.

mitre.attack.software.name: "certutil"

Show events with any one or both of the following software names.

mitre.attack.software.name: ["certutil","CoinTicker"]

mitre.attack.group.id

Use quotes to find events with the group ID from the MITRE ATT&CK framework.

Example

Show events with this group ID.

mitre.attack.group.id: "G0067"

Show events with any one or both of the following group IDs.

mitre.attack.group.id: ["G0067","G0082"]

mitre.attack.group.name

Use quotes to find events with the group name from the MITRE ATT&CK framework.

Example

Show events with this group name.

mitre.attack.group.name: "OilRig"

Show events with any one or both of the following group names.

mitre.attack.group.name: ["OilRig","Lazarus Group"]

mitre.attack.rule.name

Use quotes to find events with the rule name from the MITRE ATT&CK framework.

Example

Show events with this rule name.

mitre.attack.rule.name: "T1021_001_3"

Show events with any one or both of the following rule names.

mitre.attack.rule.name: ["T1021_001_3","T1071_004_3"]

netbiosname

Use a text value ##### to define the NetBIOS name you're interested in.

Examples

Show events for the asset with this NetBIOS name

netbiosname: VISTASP2-24-208

network.local.address.ip

Use a text value ##### to define the local IP address of a process network connection. This token is applicable only to Network type events.

Example

Show network events on this local network IP

network.local.address.ip: 10.10.10.54

network.local.address.port

Use an integer value ##### to define the local port number of a process network connection.

Example

Show events on this local network port

network.local.address.port: 80

network.process.name

Use a string value ##### to define the name of a network process connection.

Example

Show events with this network process name

network.process.name: chrome.exe

network.process.pid

Use an integer value ##### to define the process ID of a network process connection.

Example

Show events with this network process ID

network.process.pid: 12345

network.protocol

Use a string value ##### to find events with a network protocol name you're looking for (TCP or UDP).

Example

Show events with this network protocol name

network.protocol: TCP

network.remote.address.fqdn

Use a string value ##### to define the FQDN of a process remote connection.

Example

Show events with this network FQDN

network.remote.address.fqdn: 10567-T51.corp.acme.com

network.remote.address.ip

Use a string value ##### to define the IP address of a process remote connection.

Example

Show events with this network IP address

network.remote.address.ip: 198.252.200.123

network.remote.address.port

Use an integer value ##### to define the port of a process remote connection.

Example

Show events with this network remote port

network.remote.address.port: 443

network.state

Use a string value ##### to define the state of a process network connection (TIME_WAIT or ESTABLISHED).

Example

Show events with established network state

network.state: ESTABLISHED

operatingsystem.fullname

Use quotes or backticks with the value to help you find the operating system you're looking for.

Examples

Show any findings with this OS name

operatingsystem.fullname: Windows 2012

Show any findings that contain components of the OS name

operatingsystem.fullname: "Windows 2012"

Show any findings that match exact value "Windows 2012"

operatingsystem.fullname: `Windows 2012`

parent.event.id

Use a string value ##### to help you find events by the event ID of the parent process.

Example

Show events with this parent process event ID

parent.event.id: RTP_fc0c02da-2982-4426-8140-be55d5f050f7_-5443330379451874079_11384

parent.name

Use a string value ##### to display events created by the named parent process.

Example

Show events created by process

parent.name: Notepad.exe

parent.pid

Use an integer value ##### to display the events with parent process ID.

Example

Show events with this parent process ID

parent.pid: 1272

parent.imagepath

Use a string value ##### to display events with the parent process image path.

Example

Show events with this parent process image path

parent.imagepath: "C:\Temp\abe.exe"

platform

Use a string value ##### to help you find events on a platform of interest.

Example

Show events that took place on Windows platform

platform: WINDOWS

process.arguments

Use a string value ##### to help you find events on a process running with certain arguments.

Example

Show events on a process with arguments

process.arguments: arguments

process.elevated

Use a boolean string to find events where the process is running with elevated privileges (true) or not (false).

Example

Show events with process as elevated privileges

process.elevated: true

process.fullPath

Use a string value ##### to define the full path to the file that launched the process. Enclose the path in double quotes.

Example

Show events with file at this full path

process.fullPath: "C:\windows\system32\svchost.exe"

process.image.fullPath

Use a string value ##### to define the full path to the file that launched the process. Enclose the path in double quotes.

Example

Show events with image file at this full path

process.image.fullPath: "C:\windows\system32\svchost.exe"

process.image.path

Use a string value ##### to define the path to the folder containing the file that launched the process. Enclose the path in double quotes.

Example

Show events with image file contained in this folder

process.image.path: "C:\windows\system32"

process.loadedmodule.name

Use quotes or backticks with value to find events with the name of a loaded module running in a process.

Example

Show any events related to loaded module

process.loadedmodule.name: advapi32

Show any events that contain parts of loaded module name

process.loadedmodule.name: "advapi32"

Show events that match exact name

process.loadedmodule.name: `advapi32`

Note: The "process.loadedmodule.name" token is available based on your subscription. For more information, contact Qualys Support.

process.loadedmodule.path

Use quotes or backticks with value to find events on the path to the directory containing the loaded module you are interested in.

Example

Show any events that contain parts of loaded module path

process.loadedmodule.path: "C:\Windows\System32"

Show events that match exact value

process.loadedmodule.path: `C:\Windows\System32`

Note: The "process.loadedmodule.path" token is available based on your subscription. For more information, contact Qualys Support.

process.loadedmodule.fullpath

Use quotes or backticks with value to find events on the full path to the loaded module image you are interested in.

Example

Show any events that contain parts of loaded module full path

process.loadedmodule.fullpath: "C:\Windows\System32\advapi32.dll"

Show events that match exact value

process.loadedmodule.fullpath: `C:\Windows\System32\advapi32.dll`

Note: The "process.loadedmodule.fullpath" token is available based on your subscription. For more information, contact Qualys Support.

process.loadedmodule.hash.md5

Use a text value ##### to define the MD5 hash of a loaded module you're interested in.

Example

Show events for loaded module with this MD5 hash

process.loadedmodule.hash.md5: c102a6ff0fe651242be9a4be3e579106

Note: The "process.loadedmodule.hash.md5" token is available based on your subscription. For more information, contact Qualys Support.

process.loadedmodule.hash.sha256

Use a text value ##### to define the SHA256 hash of a loaded module you're interested in.

Example

Show events for loaded module with this SHA256 hash

process.loadedmodule.hash.sha256: ef117b762c2c680d181cf4119ff611c9de46fcea6b60775e746541f5dd8f1cd0

Note: The "process.loadedmodule.hash.sha256" token is available based on your subscription. For more information, contact Qualys Support.

process.name

Use a string value ##### to define a process image name of interest.

Example

Show events with this process image name

process.name: explorer.exe

process.parentname

Use a string value ##### to define a parent process image name of interest.

Example

Show events with this parent process image name

process.parentname: explorer.exe

process.parentPid

Use an integer value ##### to define the process parent ID you're looking for.

Example

Show events with this process parent ID

process.parentPid: 676

process.pid

Use an integer value ##### to define the process ID you're looking for.

Example

Show events with this process ID

process.pid: 1655

process.started

Use a date range or specific date to define when a process was started.

Examples

Show events with process started on 2017-08-12

process.started: '2017-08-12'

Show events with process started between 2017-06-06 and 1 second ago

process.started: [2017-06-06 .. now-1s]

Show events with process started within date range

process.started: [2017-08-23 .. 2017-08-25]

process.terminated

Use a date range or specific date to define when a process was terminated.

Examples

Show events with process terminated on 2017-08-12

process.terminated: '2017-08-12'

Show events with process terminated between 2017-06-06 and 1 second ago

process.terminated: [2017-06-06 .. now-1s]

Show events with process terminated within date range

process.terminated: [2017-08-23 .. 2017-08-25]

process.username

Use a string value ##### to help you find a process username.

Example

Show events with this process username

process.username: sslong

registry.key

Use a string value ##### to help you find events with a registry name of interest.

Example

Show events with this registry key name

registry.key: HKEY_CURRENT_CONFIG

Note: The "registry.key" token is available based on your subscription. For more information, contact Qualys Support.

registry.value

Use a string value ##### to help you find events with a certain registry value in the key.

Example

Show events with this registry value

registry.value: "C:\Program Files"

Note: The "registry.value" token is available based on your subscription. For more information, contact Qualys Support.

registry.data

Use a string value ##### to help you find events with certain registry data.

Example

Show events with this registry data

registry.data: "filename.exe"

Note: The "registry.data" token is available based on your subscription. For more information, contact Qualys Support.

response.action

Use a string value ##### to help you find events with a response action (Delete File, Kill Process, or Quarantine File).

Example

Show events with this response action

response.action: Kill Process

response.status

Use a string value ##### to help you find events with response status (failed, in_progress, success).

Example

Show events with this response status

response.status: success

response.user

Use a string value ##### to list response actions executed by a certain user.

Example

Show response actions for this user

response.user: John Doe

response.userId

Use a string value ##### to list response actions executed by a certain username.

Example

Show response actions for this username

response.userId: jdoe

response.timestamp

Use a date range or specific date to find when a response action on event occurred.

Examples

Show response action found within certain dates

response.timestamp: [2020-06-15 ... 2020-06-30]

Show response action found starting 2020-06-22, ending 1 month ago

response.timestamp: [2020-06-22 ... now-1M]

Show response action found starting 2 weeks ago, ending 1 second ago

response.timestamp: [now-2w ... now-1s]

Show response action found on specific date

response.timestamp: '2020-06-14'

response.comments

Use a string value ##### to list events by comments added while initiating the response action.

Example

Show events that contain parts of the comment

response.comments: "malicious"

Show events that match exact comment

response.comments: `killing malicious process`

response.priorScore

Use an integer value ##### to search events by the score before executing the response action.

Examples

Show events with this prior score

response.priorScore: 8

Show events with prior scores greater than or equal to this value

response.priorScore >= 8

response.statusMessage

Use a string value ##### to search events by status message displayed after the response action is completed.

Examples

Show events that contain parts of the status message

response.statusMessage: "Process"

Show events that match the exact status message

response.statusMessage: `Process does not exist`

type

Use a string value ##### to help you find events with the object type you're looking for (FILE, MUTEX, NETWORK, REGISTRY, etc.).

Example

Show events with this object type

type: FILE

Note: "MUTEX" and "REGISTRY" values are available based on your subscription. For more information, contact Qualys Support.

and

Use a boolean query to express your query using AND logic.

Example

Show file created events on certain date and asset name

file.created: '2017-08-12' and asset.hostName: `WIN-BU2-1233`

not

Use a boolean query to express your query using NOT logic.

Example

Show events that are not on a certain asset name

not asset.hostName: `WIN-BU2-5555`

or

Use a boolean query to express your query using OR logic.

Example

Show events on files created by jsmith or kwang

file.creator: jsmith or file.creator: kwang
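The quoting conventions (unquoted, "double-quoted" for partial matches, `backtick-quoted` for exact matches), the date-range forms, the numeric comparisons, the list form of the mitre.attack.* tokens and the and/or/not operators above are easy to get wrong when queries are assembled by a script. The following is an added example, not Qualys code: a small Python helper that builds Hunting-tab query text from those pieces and rejects values the page does not list (enumerated tokens, malformed dates) before anything is sent. It assumes the `[start .. end]` range form with two dots, that `now-<n><unit>` accepts the units s, m, h, d, w and M (only s, w and M appear on this page), and that a value containing the quote character used to delimit it is invalid; the `recent_unsigned_elevated` triage query is a constructed illustration.

```python
import re

# Enumerated values listed in the token descriptions above; anything else is
# rejected before the query is sent. (Example code, not Qualys code.)
ENUMS = {
    "action": {"CONNECTED", "CREATED", "CHANGE", "OPEN", "READ", "RENAME",
               "RUNNING", "WRITE", "TERMINATED"},
    "event.source": {"Anti-malware", "EDR"},
    "event.phishingType": {"FRAUD", "UNTRUST", "PHISHING"},
    "event.action": {"CLOSED", "ESTABLISHED"},
    "event.fileActionTaken": {"ACTION_NONE", "ACTION_DENY", "ACTION_DISINFECT",
                              "ACTION_DELETE", "ACTION_MOVE_TO_QUARANTINE",
                              "ACTION_DISINFECT_ONLY"},
    "event.fileState": {"IGNORED", "PRESENT", "DELETED", "BLOCKED",
                        "QUARANTINED", "CLEANED"},
    "network.protocol": {"TCP", "UDP"},
    "network.state": {"TIME_WAIT", "ESTABLISHED"},
    "response.status": {"failed", "in_progress", "success"},
}

ABSOLUTE_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# The page shows now-1s, now-2w and now-1M; accepting m, h and d as well is
# an assumption of this example.
RELATIVE_DATE = re.compile(r"^now(-\d+[smhdwM])?$")


def term(token, value, match="token"):
    """Return 'token: value' quoted for the chosen match mode.

    match="token"    -> unquoted value (the page's plain form)
    match="contains" -> "double quotes": events containing part of the value
    match="exact"    -> `backticks`: the whole value must match
    """
    value = str(value)
    if token in ENUMS and value not in ENUMS[token]:
        raise ValueError(f"{token}: {value!r} not in {sorted(ENUMS[token])}")
    if match == "token":
        return f"{token}: {value}"
    if match == "contains":
        if '"' in value:
            raise ValueError("contains-match values cannot hold a double quote")
        return f'{token}: "{value}"'
    if match == "exact":
        if "`" in value:
            raise ValueError("exact-match values cannot hold a backtick")
        return f"{token}: `{value}`"
    raise ValueError(f"unknown match mode {match!r}")


def _date(value):
    """Accept YYYY-MM-DD or a now-relative offset, else fail loudly."""
    if ABSOLUTE_DATE.match(value) or RELATIVE_DATE.match(value):
        return value
    raise ValueError(f"{value!r} is neither YYYY-MM-DD nor now-<n><unit>")


def on_date(token, day):
    """Single-day form, e.g. file.created: '2017-08-12'."""
    return f"{token}: '{_date(day)}'"


def between(token, start, end):
    """Range form, e.g. file.created: [2017-06-06 .. now-1s]."""
    return f"{token}: [{_date(start)} .. {_date(end)}]"


def compare(token, op, number):
    """Numeric comparison form, e.g. indicator.score >= 8."""
    if op not in {">", ">=", "<", "<="}:
        raise ValueError(f"unsupported operator {op!r}")
    return f"{token} {op} {int(number)}"


def any_of(token, values):
    """List form used by the mitre.attack.* tokens: any listed value matches."""
    quoted = ",".join(f'"{v}"' for v in values)
    return f"{token}: [{quoted}]"


def all_of(*terms):
    return " and ".join(terms)


def one_of(*terms):
    return " or ".join(terms)


def negate(single_term):
    return f"not {single_term}"


def recent_unsigned_elevated(weeks=2):
    """Constructed triage query: elevated processes launched from unsigned
    images within the last `weeks` weeks, built only from validated pieces."""
    return all_of(
        term("type", "FILE"),
        term("file.properties.certificate.signed", "false"),
        term("process.elevated", "true"),
        between("process.started", f"now-{int(weeks)}w", "now-1s"),
    )


if __name__ == "__main__":
    print(recent_unsigned_elevated())
```

Because every enumerated token is checked against the values documented above, a typo such as `event.fileState: DELTED` fails in the script instead of silently returning zero events, which is the failure mode that most often hides a real finding during a hunt.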

yara.ruleName


Use a text value ##### to help you find a Yara rule by name.

Example

Show a Yara rule

yara.ruleName: SHA3_constants


Tokens for Non PE Files

file.title

Use a text value ##### to help you find events of the specified file title.

Example

Show events with this file title

file.title: myapp

file.author

Use a text value ##### to help you find events of the specified file author.

Example

Show events with this file author

file.author: ABC

file.lastmodifiedby

Use a text value ##### to help you find files that were last modified by the specified author.

Example

Show files that were last modified by this author

file.lastmodifiedby: ABC

file.creatingapplication

Use a text value ##### to help you find files that are created by using the specified application.

Example

Show files that are created using Microsoft Office Word

file.creatingapplication: Microsoft Office Word

file.numofpages

Use an integer value ##### to help you find files by the number of pages present in the file.

Examples

Show files that have more than one page.

file.numofpages > 1

Show files that have 20 pages.

file.numofpages: 20

file.ismacroembedded

Use the values true | false to find files that have macro code embedded in the file.

Example

Show files that have macro code embedded in the file.

file.ismacroembedded: True

file.nonpefile

Use the values true | false to find files that are of non PE file type.

Example

Show files that are non PE.

file.nonpefile: True

file.pdf.pages

Use an integer value ##### to help you find files by the number of pages present in the PDF file.

Examples

Show PDF files that have more than one page.

file.pdf.pages > 1

Show PDF files that have 20 pages.

file.pdf.pages: 20

file.pdf.js

Use an integer value ##### to help you find files by the value of /JS field in the PDF file header.

Examples

Show files that have more than one /JS present in the PDF file.

file.pdf.js > 1

Show files that have 20 /JS present in the PDF file.

file.pdf.js: 20

file.pdf.javascript

Use an integer value ##### to help you find files by the value of /JavaScript field in the PDF file header.

Examples

Show files that have more than one JavaScript block present in the PDF file.

file.pdf.javascript > 1

Show files that have 20 JavaScript blocks present in the PDF file.

file.pdf.javascript: 20

file.pdf.embeddedfile

Use an integer value ##### to help you find files by the value of /EmbeddedFile field in the PDF file header.

Example

Show files that have one embedded file in the PDF file.

file.pdf.embeddedfile: 1

file.pdf.objstm

Use an integer value ##### to help you find files by the value of /ObjStm field in the PDF file header.

Example

Show files that have zero /ObjStm files in the PDF file.

file.pdf.objstm: 0

file.pdf.aa

Use an integer value ##### to help you find files by the value of /AA field in the PDF file header.

Example

Show files that have zero automatic actions to be performed when a given page of the document is viewed.

file.pdf.aa: 0

file.pdf.openaction

Use an integer value ##### to help you find files by the value of /OpenAction field in the PDF file header.

Example

Show files that have zero open actions to be performed when the document is viewed.

file.pdf.openaction: 0