You can use the following search tokens to search for events on the Hunting tab.
Example
To show file-created events on a certain date and asset name, see the following example:
file.created: '2017-08-12' and asset.hostName: `WIN-BU2-1233`
Example
To show events that are not on a certain asset, see the following example:
not asset.hostName: `WIN-BU2-5555`
Example
To show events on files created by jsmith or kwang, see the following example:
file.creator: jsmith or file.creator: kwang
Example
To show events with the CREATED action, see the following example:
action: CREATED
Example
To show events for a certain agent ID, see the following example:
asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
Example
Show any events related to name
asset.hostName: WIN-BU2-4322
Show any events that contain parts of name
asset.hostName: "WIN-BU2-4322"
Show events that match exact name
asset.hostName: `WIN-BU2-4322`
Example
Show any events related to AMSI type
amsi.type: ps
Example
Show any events related to AMSI file name
amsi.filename: mimicatz
Example
Show any events related to AMSI arguments
amsi.arguments: --verbose
Example
Show any events related to AMSI commandline content
amsi.commandline: base64
Example
To show events whose AMSI command line has this length, see the following example:
amsi.commandline.length: 1024
Use a version number to filter events by antimalware engine version.
Example
To show events from assets with this antimalware engine version, see the following example:
antimalware.enginesversion: 1.2
Example
Show any events that have an AMSI-loaded script.
event.hasAmsi: true
Example
Show the event with this event ID
event.id: N_bf9ecb09-6e3a-3efe-b5aa-847cdf5a95ba
Examples
Show events found within certain dates
event.dateTime: [2017-06-15 ... 2017-06-30]
Show events found starting 2017-06-22, ending 1 month ago
event.dateTime: [2017-06-22 ... now-1M]
Show events found starting 2 weeks ago, ending 1 second ago
event.dateTime: [now-2w ... now-1s]
Show events found on specific date
event.dateTime: '2017-06-14'
Example
Show all EDR events
event.source: EDR
Example
Show all events having this phishing URL
event.phishingURL: "www.amtso.org/check-desktop-phishing-page/"
Example
Show all events of the phishing type FRAUD
event.phishingType: FRAUD
Example
Show all events with the phishing URL action CLOSED
event.action: CLOSED
Example
Show all events having the threat name No ROOTKIT
event.threatName: No ROOTKIT
Use a text value to filter events based on threat type.
Example
To show events of a threat type see the following example:
event.threattype: virus
Example
Show all events where the action taken on the traffic scan event is ACTION_DELETE
event.fileActionTaken: ACTION_DELETE
Example
Show all events where the final state of the traffic scan event is IGNORED
event.fileState: IGNORED
Example
Show all events having this URL for Network Monitor events
event.networkUrl: "HTTP://:44646/nice/ports"
Example
Show all events having the name for Network Monitor event Exploit.PentestingTool.HTTP.3
event.networkDetectionName: Exploit.PentestingTool.HTTP.3
Example
Show all events having the technique used for Network Monitor event lateralMovement
event.networkAttackTechnique: lateralMovement
Example
Show all events where the Anti Exploit technique is ROP/Emulation
event.antiExploitTechnique: ROP/Emulation
Example
To show False Positive events see the following example:
exception.reason: False Positive
Examples
Show events with file created on 2017-08-12
file.created: '2017-08-12'
Show events with file created between 2017-06-06 and 1 second ago
file.created: [2017-06-06 .. now-1s]
Show events with file created within date range
file.created: [2017-08-23 .. 2017-08-25]
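The event.dateTime and file.created examples above rely on the same date tokens: a single quoted day, an absolute range, and relative endpoints such as now-2w or now-1s. The following is an added example (not part of this page or the product) that resolves those tokens into half-open [start, end) intervals and filters a set of constructed events. It assumes that a quoted single date covers the whole day, that a bare date used as a range end also covers that whole day, that M means calendar months and y means years, and it accepts both the two-dot and three-dot range spellings that appear on this page; the event records, NOW, and the function names are all made up for the example.

```python
import re
from datetime import datetime, timedelta

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
DATE_ONLY = re.compile(r"'?\d{4}-\d{2}-\d{2}'?")

# Constructed sample events (not real telemetry); NOW is pinned so results are reproducible.
NOW = datetime(2017, 7, 22, 12, 0, 0)
SAMPLE_EVENTS = [
    {"event.id": "e1", "event.dateTime": datetime(2017, 6, 14, 23, 59, 0),
     "file.created": datetime(2017, 6, 14, 23, 58, 0)},
    {"event.id": "e2", "event.dateTime": datetime(2017, 6, 15, 0, 0, 0),
     "file.created": datetime(2017, 6, 6, 0, 0, 0)},
    {"event.id": "e3", "event.dateTime": datetime(2017, 6, 30, 18, 0, 0),
     "file.created": datetime(2017, 6, 5, 23, 59, 59)},
    {"event.id": "e4", "event.dateTime": datetime(2017, 7, 20, 9, 0, 0),
     "file.created": datetime(2017, 7, 20, 8, 0, 0)},
    {"event.id": "e5", "event.dateTime": datetime(2017, 7, 22, 11, 59, 59, 500000),
     "file.created": datetime(2017, 7, 22, 11, 59, 59, 500000)},
]


def subtract_months(dt, months):
    """Step back whole calendar months, clamping the day (31 Mar - 1M -> 28 Feb)."""
    year, month = dt.year, dt.month - months
    while month < 1:
        month += 12
        year -= 1
    next_month_start = datetime(year + (month == 12), month % 12 + 1, 1)
    last_day = (next_month_start - timedelta(days=1)).day
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def parse_point(text, now):
    """Resolve one endpoint: 'now', 'now-<n><unit>' (s, m, h, d, w, M, y) or a YYYY-MM-DD date."""
    text = text.strip().strip("'\"")
    if text == "now":
        return now
    m = re.fullmatch(r"now-(\d+)([smhdwMy])", text)
    if m:
        n, unit = int(m.group(1)), m.group(2)
        if unit in ("M", "y"):
            return subtract_months(now, n * (12 if unit == "y" else 1))
        return now - timedelta(seconds=n * UNIT_SECONDS[unit])
    return datetime.strptime(text, "%Y-%m-%d")


def parse_range(value, now):
    """Turn a date token into a half-open [start, end) interval.

    Accepts '[a .. b]' and '[a ... b]' (both spellings appear in the docs) and a single
    quoted day. Assumption: a bare date at either end covers that whole day.
    """
    value = value.strip()
    m = re.fullmatch(r"\[(.+?)\s*\.{2,3}\s*(.+?)\]", value)
    if not m:
        day = parse_point(value, now)
        return day, day + timedelta(days=1)
    start = parse_point(m.group(1), now)
    end = parse_point(m.group(2), now)
    if DATE_ONLY.fullmatch(m.group(2).strip()):
        end += timedelta(days=1)
    return start, end


def in_range(timestamp, value, now=NOW):
    start, end = parse_range(value, now)
    return start <= timestamp < end


def search_by_time(query, events=SAMPLE_EVENTS, now=NOW):
    """Evaluate a single 'field: <date token>' query and return the matching event IDs."""
    field, _, value = query.partition(":")
    return [e["event.id"] for e in events if in_range(e[field.strip()], value, now)]


if __name__ == "__main__":
    for q in ("event.dateTime: '2017-06-14'",
              "event.dateTime: [2017-06-15 ... 2017-06-30]",
              "event.dateTime: [now-2w ... now-1s]",
              "file.created: [2017-06-06 .. now-1s]"):
        print(q, "->", search_by_time(q))
```

Note the boundary behaviour the half-open interval gives you: an event stamped half a second after now-1s falls outside [now-2w ... now-1s], and an event at exactly 00:00 on the range's last day is still inside because a bare end date is extended through that day.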
Example
Show events on files created by this user
file.creator: admin
Example
Show events on files with pdf extension
file.extention: pdf
Example
Show events on files at this full path
file.fullPath: 'C:\Windows\System32\LogFiles\myapp_log.txt'
Example
Show events on files with this MD5 hash
file.hash.md5: 50714f6cbb72be3e432d58e543dd2632
Example
Show events on files with this SHA256 hash
file.hash.sha256: 8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6
Example
Show events on this file name
file.name: myapp_log.txt
Example
Show events on files at this path
file.path: "C:\Windows\System32\LogFiles"
Example
Show events for this signed certificate hash
file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542
Example
Show any events that contain parts of issuer name
file.properties.certificate.issuer: "Verizon"
Show events that match exact issuer name
file.properties.certificate.issuer: `Verizon Certificate ABZ`
Example
Show events with signed certificate
file.properties.certificate.signed: true
Examples
Show events with certificate signed on 2017-08-12
file.properties.certificate.signeddate: '2017-08-12'
Show events with certificate signed between 2017-06-06 and 1 second ago
file.properties.certificate.signeddate: [2017-06-06 .. now-1s]
Show events with certificate signed within date range
file.properties.certificate.signeddate: [2017-08-23 .. 2017-08-25]
Example
Show any events that contain parts of subject
file.properties.certificate.subject: "Mycorp Technologies"
Show events that match exact subject
file.properties.certificate.subject: `CN = Mycorp Technologies, Inc O = Mycorp Technologies, Inc L = Menlo Park S = California C = US`
Example
Show events with valid certificate
file.properties.certificate.valid: true
Example
Show events for .exe files
file.type: exe
Example
Show events with this file handle name
handle.name: "Global\MsWinZonesCacheCounterMutexA0"
Example
Show events with this file handle process ID
handle.pid: 1388
Examples
Show events with this severity score
indicator.severityscore: 8
Show events with a severity score of 8 or higher
indicator.severityscore >= 8
Examples
Show events with this threat feed score
indicator.threatfeed: 8
Show events with a threat feed score of 8 or higher
indicator.threatfeed >= 8
Example
Show events with this malware category
malware.category: `File Infector`
Example
Show events with this malware name
malware.family: `CryptoMinerF`
Example
Show events with this tactic ID.
mitre.attack.tactic.id: "TA0002"
Show events with any one or both of the following tactic IDs.
mitre.attack.tactic.id: ["TA0002","TA0003"]
Example
Show events with this tactic name.
mitre.attack.tactic.name: "Execution"
Show events with any one or both of the following tactic names.
mitre.attack.tactic.name: ["Execution","Persistence"]
Example
Show events with this technique ID.
mitre.attack.technique.id: "T1059.001"
Show events with any one or both of the following technique IDs.
mitre.attack.technique.id: ["T1059.001","T1197"]
Example
Show events with this technique name.
mitre.attack.technique.name: "Command and Scripting Interpreter: PowerShell"
Show events with any one or both of the following technique names.
mitre.attack.technique.name: ["Command and Scripting Interpreter: PowerShell","BITS Jobs"]
Example
Show events with this software ID.
mitre.attack.software.id: "S0106"
Show events with any one or both of the following software IDs.
mitre.attack.software.id: ["S0106","S0469"]
Example
Show events with this software name.
mitre.attack.software.name: "certutil"
Show events with any one or both of the following software names.
mitre.attack.software.name: ["certutil","CoinTicker"]
Example
Show events with this group ID.
mitre.attack.group.id: "G0067"
Show events with any one or both of the following group IDs.
mitre.attack.group.id: ["G0067","G0082"]
Example
Show events with this group name.
mitre.attack.group.name: "OilRig"
Show events with any one or both of the following group names.
mitre.attack.group.name: ["OilRig","Lazarus Group"]
Example
Show events with this rule name.
mitre.attack.rule.name: "T1021_001_3"
Show events with any one or both of the following rule names.
mitre.attack.rule.name: ["T1021_001_3","T1071_004_3"]
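The asset.hostName examples near the top of this page distinguish three quoting styles (bare, double-quoted, backticked), the indicator.severityscore examples use a numeric comparison, and the MITRE examples above use a bracketed list that matches any of its values; the page also shows not, and and or. The following is an added example (not part of this page or the product) that applies one reading of those rules to a handful of constructed events so you can see how each form narrows a match. The semantics are assumptions for the example: a bare value matches if any of its tokens (split on non-alphanumerics, case-insensitive) appears in the field, double quotes require a case-insensitive substring, backticks require an exact case-sensitive match, and `and` binds tighter than `or`; date ranges are not handled here. The event records and function names are invented.

```python
import operator
import re

# Constructed sample events (not real telemetry) carrying only the fields used below.
SAMPLE_EVENTS = [
    {"event.id": "e1", "asset.hostName": "WIN-BU2-4322",
     "mitre.attack.tactic.id": ["TA0002"], "indicator.severityscore": 9},
    {"event.id": "e2", "asset.hostName": "WIN-BU2-4322-OLD",
     "mitre.attack.tactic.id": ["TA0003"], "indicator.severityscore": 8},
    {"event.id": "e3", "asset.hostName": "win-bu2-4322",
     "mitre.attack.tactic.id": ["TA0005"], "indicator.severityscore": 3},
    {"event.id": "e4", "asset.hostName": "WIN-BU2-5555",
     "mitre.attack.tactic.id": ["TA0002", "TA0003"], "indicator.severityscore": 7},
    {"event.id": "e5", "asset.hostName": "LAB-4322",
     "mitre.attack.tactic.id": [], "indicator.severityscore": 8},
]

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}


def tokenize(text):
    """Analyzer stand-in: lower-case and split on anything that is not a letter or digit."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def value_matches(raw, actual):
    """Match one wanted value against one actual value, honouring the three quoting styles."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == "`":
        return actual == raw[1:-1]                      # backticks: exact, case-sensitive
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].lower() in actual.lower()      # double quotes: substring, case-insensitive
    return any(t in tokenize(actual) for t in tokenize(raw))  # bare: any shared token


def term_matches(term, event):
    """Evaluate 'field: value', 'field: [v1, v2]' or 'field >= n', with an optional leading 'not'."""
    term = term.strip()
    negate = term.startswith("not ")
    if negate:
        term = term[4:].strip()
    m = re.fullmatch(r"(\S+)\s*(>=|<=|>|<)\s*(-?\d+(?:\.\d+)?)", term)
    if m:  # numeric comparison; a missing or non-numeric field never matches
        actual = event.get(m.group(1))
        hit = isinstance(actual, (int, float)) and OPS[m.group(2)](actual, float(m.group(3)))
        return hit != negate
    field, _, raw = term.partition(":")
    raw = raw.strip()
    actual = event.get(field.strip())
    actual_values = [str(v) for v in (actual if isinstance(actual, list) else [actual])
                     if v is not None]
    # A bracketed list is an any-of match; otherwise there is a single wanted value.
    wanted = raw[1:-1].split(",") if raw.startswith("[") and raw.endswith("]") else [raw]
    hit = any(value_matches(w, a) for w in wanted for a in actual_values)
    return hit != negate


def query_matches(query, event):
    """'and' binds tighter than 'or'; parentheses are not supported in this example."""
    return any(all(term_matches(t, event) for t in clause.split(" and "))
               for clause in query.split(" or "))


def search(query, events=SAMPLE_EVENTS):
    """Return the IDs of the sample events that satisfy the query."""
    return [e["event.id"] for e in events if query_matches(query, e)]


if __name__ == "__main__":
    for q in ("asset.hostName: WIN-BU2-4322",
              'asset.hostName: "WIN-BU2-4322"',
              "asset.hostName: `WIN-BU2-4322`",
              'indicator.severityscore >= 8 and mitre.attack.tactic.id: "TA0002"'):
        print(q, "->", search(q))
```

Under these assumptions the bare form is the loosest (LAB-4322 matches WIN-BU2-4322 because they share the token 4322), the double-quoted form keeps only hosts whose name contains the whole string, and the backticked form returns exactly one host; when a hunt hinges on a specific machine or hash, the backticked form is the one that avoids surprise matches.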
Examples
Show the asset with this name
netbiosname: VISTASP2-24-208
Example
Show network events on this local network IP
network.local.address.ip: 10.10.10.54
Example
Show events on this local network port
network.local.address.port: 80
Example
Show events with this network process name
network.process.name: chrome.exe
Example
Show events with this network process ID
network.process.pid: 12345
Example
Show events with this network protocol name
network.protocol: TCP
Example
Show events with this network FQDN
network.remote.address.fqdn: 10567-T51.corp.acme.com
Example
Show events with this network IP address
network.remote.address.ip: 198.252.200.123
Example
Show events with this network remote port
network.remote.address.port: 443
Example
Show events with established network state
network.state: ESTABLISHED
Example
Show events with this parent event ID
parent.event.id: RTP_fc0c02da-2982-4426-8140-be55d5f050f7_-5443330379451874079_11384
Example
Show events whose parent process has this name
parent.name: Notepad.exe
Example
Show events with this parent process ID
parent.pid: 1272
Example
Show events with this parent process image path
parent.imagepath: "C:\Temp\abe.exe"
Example
Show events that took place on Windows platform
platform: WINDOWS
Example
Show events on a process whose arguments contain this value
process.arguments: arguments
Example
Show events with process as elevated privileges
process.elevated: true
Example
Show events with file at this full path
process.fullPath: "C:\windows\system32\svchost.exe"
Example
Show events with image file at this full path
process.image.fullPath: "C:\windows\system32\svchost.exe"
Example
Show events with image file contained in this folder
process.image.path: "C:\windows\system32"
Example
Show any events related to loaded module
process.loadedmodule.name: advapi32
Show any events that contain parts of loaded module name
process.loadedmodule.name: "advapi32"
Show events that match exact name
process.loadedmodule.name: `advapi32`
Example
Show any events that contain parts of loaded module path
process.loadedmodule.path: "C:\Windows\System32"
Show events that match exact value
process.loadedmodule.path: `C:\Windows\System32`
Example
Show any events that contain parts of loaded module full path
process.loadedmodule.fullpath: "C:\Windows\System32\advapi32.dll"
Show events that match exact value
process.loadedmodule.fullpath: `C:\Windows\System32\advapi32.dll`
Example
Show events for loaded module with this MD5 hash
process.loadedmodule.hash.md5: c102a6ff0fe651242be9a4be3e579106
Example
Show events for loaded module with this SHA256 hash
process.loadedmodule.hash.sha256: ef117b762c2c680d181cf4119ff611c9de46fcea6b60775e746541f5dd8f1cd0
Example
Show events with this process image name
process.name: explorer.exe
Example
Show events with this parent process image name
process.parentname: explorer.exe
Example
Show events with this process parent ID
process.parentPid: 676
Example
Show events with this process ID
process.pid: 1655
Examples
Show events with process started on 2017-08-12
process.started: '2017-08-12'
Show events with process started between 2017-06-06 and 1 second ago
process.started: [2017-06-06 .. now-1s]
Show events with process started within date range
process.started: [2017-08-23 .. 2017-08-25]
Examples
Show events with process terminated on 2017-08-12
process.terminated: '2017-08-12'
Show events with process terminated between 2017-06-06 and 1 second ago
process.terminated: [2017-06-06 .. now-1s]
Show events with process terminated within date range
process.terminated: [2017-08-23 .. 2017-08-25]
Example
Show events for processes running as this user
process.username: sslong
Example
Show events with this registry key name
registry.key: HKEY_CURRENT_CONFIG
Example
Show events with this registry value
registry.value: "C:\Program Files"
Example
Show events with this registry data
registry.data: "filename.exe"
Example
Show events with this response action
response.action: Kill Process
Example
Show events with this response status
response.status: success
Example
Show response actions initiated by this user
response.user: John Doe
Example
Show response actions initiated by this user ID
response.userId: jdoe
Examples
Show events with this prior score
response.priorScore: 8
Show events with prior scores greater than or equal to this value
response.priorScore >= 8
Examples
Show events that contain parts of the status message
response.statusMessage: "Process"
Show events with this exact status message
response.statusMessage: `Process does not exist`
Example
Show events with this object type
type: FILE
Use a text value to find events that matched a YARA rule with this name.
Example
Show events matching this YARA rule
yara.ruleName: SHA3_constants
Example
Show files that are created using Microsoft Office Word
file.creatingapplication: Microsoft Office Word
Example
Show files that were last modified by this author
file.lastmodifiedby: ABC
Examples
Show files that have more than one page.
file.numofpages > 1
Show files that have 20 pages.
file.numofpages: 20
Example
Show files that are not PE (portable executable) files.
file.nonpefile: true
Examples
Show files that have zero automatic actions (PDF /AA entries) to be performed when a given page of the document is viewed.
file.pdf.aa: 0
Examples
Show files that have more than one JavaScript block present in the PDF file.
file.pdf.javascript > 1
Show files that have 20 JavaScript blocks present in the PDF file.
file.pdf.javascript: 20
Examples
Show files that have more than one /JS present in the PDF file.
file.pdf.js > 1
Show files that have 20 /JS present in the PDF file.
file.pdf.js: 20
Examples
Show files that have zero /ObjStm object streams in the PDF file.
file.pdf.objstm: 0
Examples
Show files that have zero open actions to be performed when the document is viewed.
file.pdf.openaction: 0
Examples
Show PDF files that have more than one page.
file.pdf.pages > 1
Show PDF files that have 20 pages.
file.pdf.pages: 20
Example
Show events with this file title
file.title: myapp
Use a string value to list events by the comments added when the response action was initiated.
Example
Show events that contain parts of the comment
response.comments: "malicious"
Show events that match exact comment
response.comments: `killing malicious process`