Incident Search Tokens

You can use the following search tokens to search for information on the Incidents tab:

and

Use a boolean query to express your query using AND logic.

Example

Show events that match both a certain agent id and a certain asset score

asset.agentId:"d9440962-f4ff-4d53-b518-060d0f3137fc" and asset.score: 8

not

Use a boolean query to express your query using NOT logic.

Example

Show events that are not on a certain asset host name

not asset.hostName: `WIN-BU2-5555`

or

Use a boolean query to express your query using OR logic.

Example

Show events on files created by jsmith or kwang

file.creator: jsmith or file.creator: kwang

Tokens for Incidents

asset.operatingsystem

Use a text value to find incidents by the operating system of the asset.

Example

Show incidents on assets with the operating system Microsoft Windows 10 Pro 10.0.18363 64-bit N/A Build 18363

asset.operatingsystem: `Microsoft Windows 10 Pro 10.0.18363 64-bit N/A Build 18363`

incident.assignee

Use a string value to find incidents by assignee.

Example

incident.assignee: `test_user`

incident.asset.hostname

Use a text value to find incidents by the hostname of the asset.

Example

Show incidents with hostname WIN-189

incident.asset.hostname: "WIN-189"

incident.asset.agentid

Use a text value to find incidents by agent id.

Example

Show incidents with this agent id

incident.asset.agentid: 81b16451-f33f-4a13-88be-f2fa99faef1e

incident.detectedon

Use a text value to find incidents by the date and time at which the incident was detected.

Example

Show incidents detected in this time range

incident.detectedon: ['2017-04-05T05:33:34' ... '2017-04-05T05:33:34']

incident.description

Use the string value to filter incidents based on the incident description.

Example

Show incidents based on the incident description

incident.description: EICAR

incident.eventtype

Use a text value to find incidents by the type of the events present in the events timeline. You can choose from FILE, NETWORK, MUTEX, PROCESS, and REGISTRY.

Examples

Show incidents of the event type File

incident.eventtype: FILE

Show incidents of the event types File and Process

incident.eventtype: ["FILE", "Process"]

incident.id

Use a text value to find an incident by its unique id.

Example

Show incidents with this unique id

incident.id: 59835863-7587-4dad-b61a-c35ed98959c0

incident.malware.family

Use a text value to find incidents that belong to a malware family.

Examples

Show incidents for malware family, Trickbot

incident.malware.family: Trickbot

Show incidents for malware family, bscope

incident.malware.family: "bscope"

incident.malware.category

Use a value in quotes (partial match) or in backticks (exact match) to find incidents that belong to a certain malware category.

Examples

Show incidents with this malware category

incident.malware.category: trojan

Show any incident whose malware category contains this value

incident.malware.category: "trojan"

Show incidents whose malware category matches this exact name

incident.malware.category: `adware`
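To show how the boolean operators above (and, or, not) combine with the quoted (partial match) and backticked (exact match) value forms, here is a small added evaluator run over constructed incident records. It is example code written for this page, not the product's own search engine; the matching rules (backticks = exact, quotes or bare word = substring, > and < = numeric, "not" binding tighter than "and", which binds tighter than "or") are assumptions drawn from the examples on this page.

```python
import re

# Constructed sample incidents (not real data), keyed by the token names used on this page.
INCIDENTS = [
    {"incident.number": 22393, "incident.malware.category": "trojan.downloader",
     "incident.severityscore": 5, "incident.platform": "Windows", "file.creator": "jsmith"},
    {"incident.number": 22394, "incident.malware.category": "adware",
     "incident.severityscore": 2, "incident.platform": "Linux", "file.creator": "kwang"},
    {"incident.number": 22395, "incident.malware.category": "trojan",
     "incident.severityscore": 4, "incident.platform": "Windows", "file.creator": "root"},
]

# One search term: token name, operator (: > <), and a backticked, quoted or bare value.
TERM = re.compile(r'([\w.]+)\s*(:|>|<)\s*(`[^`]*`|"[^"]*"|\S+)')

def match_term(incident, field, op, raw):
    """Assumed semantics: backticks = exact (case-insensitive) match, quotes or a bare
    word = substring match, > and < = numeric comparison. Missing fields never match."""
    value = incident.get(field)
    if value is None:
        return False
    if op in (">", "<"):
        return float(value) > float(raw) if op == ">" else float(value) < float(raw)
    if raw.startswith("`"):
        return str(value).lower() == raw.strip("`").lower()
    return raw.strip('"').lower() in str(value).lower()

def _eval_bool(tokens):
    """Resolve True/False/and/or/not tokens: 'or' binds loosest, then 'and', then 'not'."""
    for i, t in enumerate(tokens):
        if t == "or":
            return _eval_bool(tokens[:i]) or _eval_bool(tokens[i + 1:])
    for i, t in enumerate(tokens):
        if t == "and":
            return _eval_bool(tokens[:i]) and _eval_bool(tokens[i + 1:])
    if tokens[0] == "not":
        return not _eval_bool(tokens[1:])
    return tokens[0] == "True"

def matches(query, incident):
    """Replace each term with its truth value for this incident, then combine the booleans."""
    expr = TERM.sub(lambda m: str(match_term(incident, *m.groups())), query)
    return _eval_bool(expr.split())

def search(query, incidents=INCIDENTS):
    """Return the incident numbers that match the query, in stored order."""
    return [i["incident.number"] for i in incidents if matches(query, i)]

if __name__ == "__main__":
    print(search('incident.severityscore > 3 and not incident.platform: `Linux`'))
```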

incident.mitre.attack.technique.name

Use a text value in quotes or backticks to find incidents by the MITRE ATT&CK technique name that corresponds to a technique id.

Example

incident.mitre.attack.technique.name: "Downgrade Attack"

incident.mitre.attack.technique.id

Use a text value in quotes or backticks to find incidents by the MITRE ATT&CK technique id, which identifies how a tactical goal can be achieved.

Example

incident.mitre.attack.technique.id: `T1033_5`

incident.number

Use an integer value to find the incident with a specific incident number.

Example

Show incident with the following incident number value

incident.number: 22393

incident.platform

Use the string value to filter incidents based on the asset platform.

Example

Show incidents for the assets that are on Windows platform

incident.platform: Windows

incident.severityscore

Use an integer value to find incidents by severity score.

Examples

Show incidents with severity score greater than 3

incident.severityscore > 3

Show incidents with severity score 5

incident.severityscore: 5

incident.source

Use a text value to find incidents by their source. Choose from Anti-malware or EDR.

Example

incident.source: EDR

incident.status

Use a string value to find incidents by status. The possible status values are Open, Closed, and Under_Investigation.

Example

incident.status: `Open`

incident.updatedon

Use a string value to filter incidents by the date and time at which they were last updated.

Example

incident.updatedon: 2023-07-14T13:58:25.683+0000

incident.yara.rulename

Use a string value to find incidents that matched a specific YARA rule.

Example

incident.yara.rulename: `HttpBrowser_RAT_Gen`