Events Search Tokens

You can use the following search tokens to search information about events on the Hunting tab.

amsi.commandline.lengthamsi.commandline.length

Use a number value to filter events by their loaded script length.

Example

To show any events related to AMSI commandline length, see the following example:

amsi.commandline.length: 1024

antimalware.enginesversionantimalware.enginesversion

Use an integer value to filter assets based on the antimalware engine version.

Example

To show assets based on the antimalware engine version, see the following example:

antimalware.enginesversion:1.2

event.hasAmsievent.hasAmsi

Use a boolean value to filter events that have loaded script.

Example

Show any events that have AMSI loaded script.

event.hasAmsi: true

event.idevent.id

Use a text value to help you find an event ID.

Example

Show an event ID

event.id: N_bf9ecb09-6e3a-3efe-b5aa-847cdf5a95ba

event.dateTimeevent.dateTime

Use a date range or specific date to define the date and time event occurred.

Examples

Show events found within certain dates

event.dateTime: [2017-06-15 ... 2017-06-30]

Show events found starting 2017-06-22, ending 1 month ago

event.dateTime: [2017-06-22 ... now-1M]

Show events found starting 2 weeks ago, ending 1 second ago

event.dateTime: [now-2w ... now-1s]

Show events found on specific date

event.dateTime:'2017-06-14'

event.sourceevent.source

Use a text value to find events based on the source of the event. Choose from Anti-malware | EDR.

Example

Show all EDR events

event.source: EDR

event.phishingURLevent.phishingURL

Use a text value to find events with the specified phishing URL.

Example

Show all events having this phishing URL

event.phishingURL: "www.amtso.org/check-desktop-phishing-page/"

event.phishingTypeevent.phishingType

Use a text value to find events for the specified phishing type. Choose from FRAUD, UNTRUST, PHISHING

Example

Show all events of the phishing type FRAUD

event.phishingType: FRAUD

event.actionevent.action

Use a text value to find events based on the action taken for Phishing url. Choose from CLOSED | ESTABLISHED

Example

Show all events with the phishing URL action Closed

event.action: CLOSED

event.threatNameevent.threatName

Use a text value to find events with the specified threat name for the traffic scan event.

Example

Show all events having the threat name No ROOTKIT

event.threatName: No ROOTKIT

event.threattypeevent.threattype

Use a text value to filter events based on threat type.

Example

To show events of a threat type see the following example:

event.threattype: virus

event.fileActionTakenevent.fileActionTaken

Use a text value to find events based on the action Taken for traffic scan event. Choose from ACTION_NONE, ACTION_DENY, ACTION_DISINFECT, ACTION_DELETE, ACTION_MOVE_TO_QUARANTINE, ACTION_DISINFECT_ONLY

Example

Show all events where the action taken on the traffic scan event is ACTION_DELETE

event.fileActionTaken: ACTION_DELETE

event.fileStateevent.fileState

Use a text value to find events based on the final state of the traffic scan event. Choose from IGNORED, PRESENT, DELETED, BLOCKED, QUARANTINED, CLEANED

Example

Show all events where the final state of the traffic scan event is IGNORED

event.fileState: IGNORED

event.networkUrlevent.networkUrl

Use a text value to find events with specified URL for the Network Monitor event.

Example

Show all events having this URL for Network Monitor events

event.networkUrl: "HTTP://:44646/nice/ports"

event.networkDetectionNameevent.networkDetectionName

Use a text value to find events with specified name of detection for the Network Monitor event.

Example

Show all events having the name for Network Monitor event Exploit.PentestingTool.HTTP.3

event.networkDetectionName: Exploit.PentestingTool.HTTP.3

event.networkAttackTechniqueevent.networkAttackTechnique

Use a text value to find events with specified techniques used for the Network Monitor event.

Example

Show all events having the technique used for Network Monitor event lateralMovement

event.networkAttackTechnique: lateralMovement

event.antiExploitTechniqueevent.antiExploitTechnique

Use a text value to find events with specified techniques used for Anti Exploit event.

Example

Show all events having the technique used for Anti Exploit event -

event.antiExploitTechnique: ROP/Emulation

exception.reasonexception.reason

Use the text value to select the reason to flag the unwanted events generated by non-malicious program. The exception reasons flag are, False Positive, Hide, and Risk Accepted.

Example

To show False Positive events see the following example:

exception.reason: False Positive

file.createdfile.created

Use a date range or specific date to define when files were created.

Examples

Show events with file created on 2017-08-12

file.created: '2017-08-12'

Show events with file created between 2017-06-06 and 1 second ago

file.created: [2017-06-06 .. now-1s]

Show events with file created within date range

file.created: [2017-08-23 .. 2017-08-25]

file.creatorfile.creator

Use a text value to help you find events on files created by a certain user.

Example

Show events on files created by this user

file.creator: admin

file.extensionfile.extension

Use a text value to define a file extension you're interested in.

Example

Show events on files with pdf extension

file.extention: pdf

file.fullPathfile.fullPath

Use a text value to define the full pathname to a file of interest.

Example

Show events on files at this full path

file.fullPath: 'C:\Windows\System32\LogFiles\myapp_log.txt'

file.hash.md5file.hash.md5

Use a text value to define the MD5 hash of a file you're interested in.

Example

Show events on files with this MD5 hash

file.hash.md5: 50714f6cbb72be3e432d58e543dd2632

file.hash.sha256file.hash.sha256

Use a text value to define the SHA256 hash of a file you're interested in.

Example

Show events on files with this SHA256 hash

file.hash.sha256: 8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6

file.namefile.name

Use a text value to help you find events on a file name of interest.

Example

Show events on this file name

file.name: myapp_log.txt

file.pathfile.path

Use a text value to find events on files at a file path you are interested in.

Example

Show events on files at this path

file.path: "C:\Windows\System32\LogFiles"

file.properties.certificate.hashfile.properties.certificate.hash

Use a text value to define a signed certificate hash of interest.

Example

Show events for this signed certificate hash

file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542

file.properties.certificate.issuerfile.properties.certificate.issuer

Use quotes or backticks with value to help you find a certificate issuer.

Example

Show any events that contain parts of issuer name

file.properties.certificate.issuer: "Verizon"

Show events that match exact issuer name

file.properties.certificate.issuer: `Verizon Certificate ABZ`

file.properties.certificate.signedfile.properties.certificate.signed

Use boolean string to help you find signed certificates (true) or unsigned (false).

Example

Show events with signed certificate

file.properties.certificate.signed: true

file.properties.certificate.signeddatefile.properties.certificate.signeddate

Use a date range or specific date to define when certificates were signed.

Examples

Show events with certificate signed on 2017-08-12

file.properties.certificate.signeddate: '2017-08-12'

Show events with certificate signed between 2017-06-06 and 1 second ago

file.properties.certificate.signeddate: [2017-06-06 .. now-1s]

Show events with certificate signed within date range

file.properties.certificate.signeddate: [2017-08-23 .. 2017-08-25]

file.properties.certificate.subjectfile.properties.certificate.subject

Use quotes or backticks with value to help you find a certificate subject.

Example

Show any events that contain parts of subject

file.properties.certificate.subject: "Mycorp Technologies"

Show events that match exact subject

file.properties.certificate.subject: `CN = Mycorp Technologies, Inc O = Mycorp Technologies, Inc L = Menlo Park S = California C = US`

file.properties.certificate.validfile.properties.certificate.valid

Use boolean string to help you find valid certificates (true) or invalid (false).

Example

Show events with valid certificate

file.properties.certificate.valid: true

file.typefile.type

Use a text value to define files in a Portable Executable (PE) format.

Example

Show events for .exe files

file.type: exe

handle.namehandle.name

Use a text value to define a file handle name.

Example

Show events with this file handle name

handle.name: "Global\MsWinZonesCacheCounterMutexA0"

Note: The "handle.name" token is available based on your subscription. For more information, contact Qualys Support.

handle.pidhandle.pid

Use an integer value to define a file handle process ID.

Example

Show events with this file handle name

handle.pid: 1388

Note: The "handle.pid" token is available based on your subscription. For more information, contact Qualys Support.

indicator.severityscoreindicator.severityscore

Use an integer value to define the threat score of an indicator based on all scoring engines.

Examples

Show events with this severity score

indicator.severityscore: 8

Show events with confirmed severity scores

indicator.severityscore >= 8

indicator.threatfeedindicator.threatfeed

Use an integer value to define the threat score of an indicator based on the threat feed scoring engine.

Examples

Show events with this score

indicator.threatfeed: 8

Show events with confirmed scores

indicator.threatfeed >= 8

malware.categorymalware.category

Use quotes or backticks with value to define a malware category.

Example

Show events with this malware category

malware.category: `File Infector`

malware.familymalware.family

Use quotes or backticks with value to define a malware family.

Example

Show events with this malware name

malware.family: `CryptoMinerF`

mitre.attack.tactic.idmitre.attack.tactic.id

Use quotes to find events with the tactic ID from the MITRE ATT&CK framework.

Example

Show events with this tactic IDs.

mitre.attack.tactic.id: “TA0002”

Show events with any one or both of the following tactic IDs.

mitre.attack.tactic.id: [“TA0002”,”TA0003”]

mitre.attack.tactic.namemitre.attack.tactic.name

Use quotes to find events with the tactic name from the MITRE ATT&CK framework.

Example

Show events with this tactic name.

mitre.attack.tactic.name: “Execution”

Show events with any one or both of the following tactic names.

mitre.attack.tactic.name: [“Execution”,”Persistence”]

mitre.attack.technique.idmitre.attack.technique.id

Use quotes to find events with the technique ID from the MITRE ATT&CK framework.

Example

Show events with this technique ID.

mitre.attack.technique.id: “T1059.001”

Show events with any one or both of the following technique IDs.

mitre.attack.technique.id: [“T1059.001”,”T1197”]

mitre.attack.technique.namemitre.attack.technique.name

Use quotes to find events with the technique name from the MITRE ATT&CK framework.

Example

Show events with this technique name.

mitre.attack.technique.name: “Command and Scripting Interpreter: PowerShell”

Show events with any one or both of the following technique names.

mitre.attack.technique.name: [“Command and Scripting Interpreter: PowerShell”,”BITS Jobs”]

mitre.attack.software.idmitre.attack.software.id

Use quotes to find events with the softwar ID from the MITRE ATT&CK framework.

Example

Show events with this tactic IDs.

mitre.attack.software.id: “S0106”

Show events with any one or both of the following software IDs.

mitre.attack.software.id: [“S0106”,”S0469”]

mitre.attack.software.namemitre.attack.software.name

Use quotes to find events with the software name from the MITRE ATT&CK framework.

Example

Show events with this software name.

mitre.attack.software.name: “certutil”

Show events with any one or both of the following software names.

mitre.attack.software.name: [“certutil”,”CoinTicker”]

mitre.attack.group.idmitre.attack.group.id

Use quotes to find events with the group ID from the MITRE ATT&CK framework.

Example

Show events with this group IDs.

mitre.attack.group.id: “G0067”

Show events with any one or both of the following group IDs.

mitre.attack.group.id: [“G0067”,”G0082”]

mitre.attack.group.namemitre.attack.group.name

Use quotes to find events with the group name from the MITRE ATT&CK framework.

Example

Show events with this group names.

mitre.attack.group.name: “OilRig”

Show events with any one or both of the following group names.

mitre.attack.group.name: [“OilRig”,”Lazarus Group”]

mitre.attack.rule.namemitre.attack.rule.name

Use quotes to find events with the rule name from the MITRE ATT&CK framework.

Example

Show events with this rule name.

mitre.attack.rule.name: “T1021_001_3”

Show events with any one or both of the following tactic IDs.

mitre.attack.rule.name: [“T1021_001_3”,”T1071_004_3”]

netbiosnamenetbiosname

Use a text value ##### to define the NetBIOS name you're interested in.

Examples

Show the asset with this name

netbiosname: VISTASP2-24-208

network.local.address.ipnetwork.local.address.ip

Use a text value to define the local IP address of a process network connection. This token is applicable only for Network type events only.

Example

Show network events on this local network IP

network.local.address.ip: 10.10.10.54

network.local.address.portnetwork.local.address.port

Use an integer value to define the local port number of a process network connection.

Example

Show events on this local network port

network.local.address.port: 80

network.process.namenetwork.process.name

Use a string value to define the name of a network process connection.

Example

Show events with this network process name

network.process.name: chrome.exe

network.process.pidnetwork.process.pid

Use an integer value to define the process ID of a network process connection.

Example

Show events with this network process ID

network.process.pid: 12345

network.protocolnetwork.protocol

Use a string value to find events with a network protocol name you're looking for (TCP or UDP).

Example

Show events with this network protocol name

network.protocol: TCP

network.remote.address.fqdnnetwork.remote.address.fqdn

Use a string value to define the FQDN of a process remote connection.

Example

Show events with this network FQDN

network.remote.address.fqdn: 10567-T51.corp.acme.com

network.remote.address.ipnetwork.remote.address.ip

Use a string value to define the IP address of a process remote connection.

Example

Show events with this network IP address

network.remote.address.ip: 198.252.200.123

network.remote.address.portnetwork.remote.address.port

Use an integer value ##### to define the port of a process remote connection.

Example

Show events with this network remote port

network.remote.address.port: 443

network.statenetwork.state

Use a string value to define the state of a process network connection (TIME_WAIT or ESTABLISHED).

Example

Show events with established network state

network.state: ESTABLISHED

operatingsystem.fullnameoperatingsystem.fullname

Use quotes or backticks within values to help you find the operating system.

Examples

Show any findings with this OS name

operatingsystem.fullname: Windows 2012

how any findings that contain components of OS name

operatingsystem.fullname: "Windows 2012"

Show any findings that match exact value "Windows 2012"

operatingsystem.fullname: `Windows 2012`

parent.event.idparent.event.id

Use a string value to help you find events with parent process ID.

Example

Show events for parent process ID

parent.event.id: RTP_fc0c02da-2982-4426-8140-be55d5f050f7_-5443330379451874079_11384

parent.nameparent.name

Use string value to display events created by a process.

Example

Show events created by process

parent.name: Notepad.exe

parent.pidparent.pid

Use an integer value to display the events with parent process ID.

Example

Show events with this parent process ID

parent.pid: 1272

parent.imagepathparent.imagepath

Use a string value to display events with the parent process image path.

Example

Show events with this parent process image path

parent.imagepath: "C:\Temp\abe.exe"

platformplatform

Use a string value to help you find events on a platform of interest.

Example

Show events that took place on Windows platform

platform: WINDOWS

process.argumentsprocess.arguments

Use a string value to help you find events on a process running with certain arguments.

Example

Show events on a process with arguments

process.arguments: arguments

process.elevatedprocess.elevated

Use boolean string to define events with process running as elevated privileges (true) or not (false).

Example

Show events with process as elevated privileges

process.elevated: true

process.fullPathprocess.fullPath

Use a string value to define the full path to the file that launched the process. Enclose the path in double quotes.

Example

Show events with file at this full path

process.fullPath: "C:\windows\system32\svchost.exe"

process.image.fullPathprocess.image.fullPath

Use a string value to define the full path to the file that launched the process. Enclose the path in double quotes.

Example

Show events with image file at this full path

process.image.fullPath: "C:\windows\system32\svchost.exe"

process.image.pathprocess.image.path

Use a string value to define the path to the folder containing the file that launched the process. Enclose the path in double quotes.

Example

Show events with image file contained in this folder

process.image.path: "C:\windows\system32"

process.loadedmodule.nameprocess.loadedmodule.name

Use quotes or backticks with value to find events with the name of a loaded module running in a process.

Example

Show any events related to loaded module

process.loadedmodule.name: advapi32

Show any events that contain parts of loaded module name

process.loadedmodule.name: "advapi32"

Show events that match exact name

process.loadedmodule.name: `advapi32`

Note: The "process.loadedmodule.name" token is available based on your subscription. For more information, contact Qualys Support.

process.loadedmodule.pathprocess.loadedmodule.path

Use quotes or backticks with value to find events on the path to the directory containing the loaded module.

Example

Show any events that contain parts of loaded module path

process.loadedmodule.path: "C:\Windows\System32"

Show events that match exact value

process.loadedmodule.path: `C:\Windows\System32`

Note: The "process.loadedmodule.path" token is available based on your subscription. For more information, contact Qualys Support.

process.loadedmodule.fullpathprocess.loadedmodule.fullpath

Use quotes or backticks with value to find events on the full path to the loaded module image.

Example

Show any events that contain parts of loaded module full path

process.loadedmodule.fullpath: "C:\Windows\System32\advapi32.dll"

Show events that match exact value

process.loadedmodule.fullpath: `C:\Windows\System32\advapi32.dll`

Note: The "process.loadedmodule.fullpath" token is available based on your subscription. For more information, contact Qualys Support.

process.loadedmodule.hash.md5process.loadedmodule.hash.md5

Use a text value to define the MD5 hash of a loaded module.

Example

Show events for loaded module with this MD5 hash

process.loadedmodule.hash.md5: c102a6ff0fe651242be9a4be3e579106

Note: The "process.loadedmodule.hash.md5" token is available based on your subscription. For more information, contact Qualys Support.

process.loadedmodule.hash.sha256process.loadedmodule.hash.sha256

Use a text value to define the SHA256 hash of a loaded module.

Example

Show events for loaded module with this SHA256 hash

process.loadedmodule.hash.sha256: ef117b762c2c680d181cf4119ff611c9de46fcea6b60775e746541f5dd8f1cd0

Note: The "process.loadedmodule.hash.sha256" token is available based on your subscription. For more information, contact Qualys Support.

process.nameprocess.name

Use a string value to define a process image name of interest.

Example

Show events with this process image name

process.name: explorer.exe

process.parentnameprocess.parentname

Use a string value to define a parent process image name of interest.

Example

Show events with this parent process image name

process.parentname: explorer.exe

process.parentPidprocess.parentPid

Use an integer value to define the process parent ID.

Example

Show events with this process parent ID

process.parentPid: 676

process.pidprocess.pid

Use an integer value to define the process ID.

Example

Show events with this process ID

process.pid: 1655

process.startedprocess.started

Use a date range or specific date to define when a process was started.

Examples

Show events with process started on 2017-08-12

process.started: '2017-08-12'

Show events with process started between 2017-06-06 and 1 second ago

process.started: [2017-06-06 .. now-1s]

Show events with process started within date range

process.started: [2017-08-23 .. 2017-08-25]

process.terminatedprocess.terminated

Use a date range or specific date to define when a process was terminated.

Examples

Show events with process terminated on 2017-08-12

process.terminated: '2017-08-12'

Show events with process terminated between 2017-06-06 and 1 second ago

process.terminated: [2017-06-06 .. now-1s]

Show events with process terminated within date range

process.terminated: [2017-08-23 .. 2017-08-25]

process.usernameprocess.username

Use a string value to help you find a process username.

Example

Show events with this process image name

process.username: sslong

registry.keyregistry.key

Use a string value to help you find events with a registry name.

Example

Show events with this registry key name

registry.key: HKEY_CURRENT_CONFIG

Note: The "registry.key" token is available based on your subscription. For more information, contact Qualys Support.

registry.valueregistry.value

Use a string value to help you find events with a certain registry value in the key.

Example

Show events with this registry value

registry.value: "C:\Program Files"

Note: The "registry.value" token is available based on your subscription. For more information, contact Qualys Support.

registry.dataregistry.data

Use a string value to help you find events with certain registry data.

Example

Show events with this registry data

registry.data: "filename.exe"

Note: The "registry.data" token is available based on your subscription. For more information, contact Qualys Support.

response.actionresponse.action

Use a string value to help you find events with response action (Delete File, Kill Process,or Quarantine File).

Example

Show events with this response action

response.action: Kill Process

response.statusresponse.status

Use a string value to help you find events with response status (failed, in_progress, success).

Example

Shows events with this response status

response.status: success

response.userresponse.user

Use a string value to list response actions executed by a certain user.

Example

Shows response actions for this user

response.user: John Doe

response.userIdresponse.userId

Use a string value to list response actions executed by a certain username.

Example

Shows response actions for this username

response.userId: jdoe

response.timestampresponse.timestamp

Use a date range or specific date to find when a response action on event occurred.

Examples

Show response action found within certain dates

response.timestamp: [2020-06-15 ... 2020-06-30]

Show response action found starting 2020-06-22, ending 1 month ago

response.timestamp: [2020-06-22 ... now-1M]

Show response action found starting 2 weeks ago, ending 1 second ago

response.timestamp: [now-2w ... now-1s]

Show response action found on specific date

response.timestamp:'2020-06-14'

response.commentsresponse.comments

Use a string value to list events by comments added while initiating the response action.

Example

Show events that contain parts of the comment

response.comments: "malicious"

Show events that match exact comment

response.comments: `killing malicious process`

response.priorScoreresponse.priorScore

Use an integer value to search events by the score before executing the response action.

Examples

Show events with this prior score

response.priorScore: 8

Show events with prior scores less than equal to this value

response.priorScore >= 8

response.statusMessageresponse.statusMessage

Use a string value to search events by status message displayed after the response action is completed.

Examples

Show events that contain parts of the status message

response.statusMessage:"Process"

Shows events with this status message

response.statusMessage:`Process does not exist`

typetype

Use a string value to help you find events with the object type you're looking for (FILE, MUTEX, NETWORK, REGISTRY,etc).

Example

Show events with this object type

type: FILE

Note: "MUTEX" and "REGISTRY" values are available based on your subscription. For more information, contact Qualys Support.

yara.ruleNameyara.ruleName

Use a text value to help you find a Yara rule with a name.

Example

Show a Yara rule

yara.ruleName: SHA3_constants

Tokens for Non PE Files

file.authorfile.author

Use a text value to help you find events of the specified file author.

Example

Show events with this file author

file.author: ABC

file.creatingapplicationfile.creatingapplication

Use a text value to help you find files that are created by using the specified application.

Example

Show files that are created using Microsoft Office Word

file.creatingapplication: Microsoft Office Word

file.ismacroembeddedfile.ismacroembedded

Use the values true | false to find files that have Macro code embedded in the file.

Example

Show files that have Macro code embedded in the file.

file.ismacroembedded: True

file.lastmodifiedbyfile.lastmodifiedby

Use a text value to help you find files that were last modified by the specified author.

Example

Show file that were last modified by this author

file.lastmodifiedby: ABC

file.numofpagesfile.numofpages

Use an integer value to help you find files by the number of pages present in the file.

Examples

Show files that have more than one page.

file.numofpages > 1

Show files that have 20 pages.

file.numofpages: 20

file.nonpefilefile.nonpefile

Use the values true | false to find files that are of non PE file type.

Example

Show files that are non PE.

file.nonpefile: True

file.pdf.aafile.pdf.aa

Use an integer value to help you find files by the value of /AA field in the PDF file header.

Examples

Show files that have zero automatic actions to be performed when a given page of the document is viewed.

file.pdf.aa: 0

file.pdf.embeddedfilefile.pdf.embeddedfile

Use an integer value to help you find files by the value of /EmbeddedFile field in the PDF file header.

Examples

Show files that have one embedded file in the PDF file.

file.pdf.embeddedfile: 1

file.pdf.javascriptfile.pdf.javascript

Use an integer value to help you find files by the value of /JavaScript field in the PDF file header.

Examples

Show files that have more than one JavaScript block present in the PDF file.

file.pdf.javascript > 1

Show files that have 20 JavaScript blocks present in the PDF file.

file.pdf.javascript: 20

file.pdf.jsfile.pdf.js

Use an integer value to help you find files by the value of /JS field in the PDF file header.

Examples

Show files that have more than one /JS present in the PDF file.

file.pdf.js > 1

Show files that have 20 /JS present in the PDF file.

file.pdf.js: 20

file.pdf.objstmfile.pdf.objstm

Use an integer value to help you find files by the value of /ObjStm field in the PDF file header.

Examples

Show files that have zero /ObjStm files in the PDF file.

file.pdf.objstm: 0

file.pdf.openactionfile.pdf.openaction

Use an integer value to help you find files by the value of /OpenAction field in the PDF file header.

Examples

Show files that have zero open actions to be performed when the document is viewed.

file.pdf.openaction: 0

file.pdf.pagesfile.pdf.pages

Use an integer value to help you find files by the number of pages present in the PDF file.

Examples

Show PDF files that have more than one page.

file.pdf.pages > 1

Show PDF files that have 20 pages.

file.pdf.pages: 20

file.titlefile.title

Use a text value to help you find events of the specified file title.

Example

Show events with this file title

file.title: myapp

Events Search Token in EDR

Use a boolean query to express your query using AND logic.

Use a boolean query to express your query using NOT logic.

Use a boolean query to express your query using OR logic.

Use a text value to help you find an action that occurred (CONNECTED, CREATED, CHANGE, OPEN, READ, RENAME, RUNNING, WRITE or TERMINATED).

Use a text value to find an agent ID.

Use quotes or backticks with value to find events with the hostname.

Use a string value to list the assets with the tag name.

Use a string value to filter events by their loaded script type.

Use a string value to filter events by their loaded script name.

Use a string value to filter events by their loaded script arguments.

Use a string value to filter events by their loaded script content.

Use a number value to filter events by their loaded script length.

Use a boolean value to filter events that have loaded script.

Use a text value to help you find an event ID.

Use a date range or specific date to define the date and time event occurred.

Use a text value to find events based on the source of the event. Choose from Anti-malware | EDR.

Use a text value to find events with the specified phishing URL.

Use a text value to find events for the specified phishing type. Choose from FRAUD, UNTRUST, PHISHING

Use a text value to find events based on the action taken for Phishing url. Choose from CLOSED | ESTABLISHED

Use a text value to find events with the specified threat name for the traffic scan event.

Use a text value to find events based on the action Taken for traffic scan event. Choose from ACTION_NONE, ACTION_DENY, ACTION_DISINFECT, ACTION_DELETE, ACTION_MOVE_TO_QUARANTINE, ACTION_DISINFECT_ONLY

Use a text value to find events based on the final state of the traffic scan event. Choose from IGNORED, PRESENT, DELETED, BLOCKED, QUARANTINED, CLEANED

Use a text value to find events with specified URL for the Network Monitor event.

Use a text value to find events with specified name of detection for the Network Monitor event.

Use a text value to find events with specified techniques used for the Network Monitor event.

Use a text value to find events with specified techniques used for Anti Exploit event.

Use the text value to select the reason to flag the unwanted events generated by non-malicious program. The exception reasons flag are, False Positive, Hide, and Risk Accepted.

Use a date range or specific date to define when files were created.

Use a text value to help you find events on files created by a certain user.

Use a text value to define a file extension you're interested in.

Use a text value to define the full pathname to a file of interest.

Use a text value to define the MD5 hash of a file you're interested in.

Use a text value to define the SHA256 hash of a file you're interested in.

Use a text value to help you find events on a file name of interest.

Use a text value to find events on files at a file path you are interested in.

Use a text value to define a signed certificate hash of interest.

Use quotes or backticks with value to help you find a certificate issuer.

Use boolean string to help you find signed certificates (true) or unsigned (false).

Use a date range or specific date to define when certificates were signed.

Use quotes or backticks with value to help you find a certificate subject.

Use boolean string to help you find valid certificates (true) or invalid (false).

Use a text value to define files in a Portable Executable (PE) format.

Use a text value to define a file handle name.

Note: The "handle.name" token is available based on your subscription. For more information, contact Qualys Support.

Use an integer value to define a file handle process ID.

Note: The "handle.pid" token is available based on your subscription. For more information, contact Qualys Support.

Use an integer value to define the threat score of an indicator based on all scoring engines.

Use an integer value to define the threat score of an indicator based on the threat feed scoring engine.

Use quotes or backticks with value to define a malware category.

Use quotes or backticks with value to define a malware family.

Use quotes to find events with the tactic ID from the MITRE ATT&CK framework.

Use quotes to find events with the tactic name from the MITRE ATT&CK framework.

Use quotes to find events with the technique ID from the MITRE ATT&CK framework.

Use quotes to find events with the technique name from the MITRE ATT&CK framework.

Use quotes to find events with the softwar ID from the MITRE ATT&CK framework.

Use quotes to find events with the software name from the MITRE ATT&CK framework.

Use quotes to find events with the group ID from the MITRE ATT&CK framework.

Use quotes to find events with the group name from the MITRE ATT&CK framework.

Use quotes to find events with the rule name from the MITRE ATT&CK framework.

Use a text value ##### to define the NetBIOS name you're interested in.

Use a text value to define the local IP address of a process network connection. This token is applicable only for Network type events only.

Use an integer value to define the local port number of a process network connection.

Use a string value to define the name of a network process connection.

Use an integer value to define the process ID of a network process connection.

Use a string value to find events with a network protocol name you're looking for (TCP or UDP).

Use a string value to define the FQDN of a process remote connection.

Use a string value to define the IP address of a process remote connection.

Use an integer value ##### to define the port of a process remote connection.

Use a string value to define the state of a process network connection (TIME_WAIT or ESTABLISHED).

Use quotes or backticks within values to help you find the operating system.

Use a string value to help you find events with parent process ID.

Use string value to display events created by a process.

Use an integer value to display the events with parent process ID.

Use a string value to display events with the parent process image path.