You can use the following search tokens to search for information on the Incidents tab:
Use a boolean query to combine conditions with AND logic.
Example
Show file created events on a certain date and asset name
asset.agentId:"d9440962-f4ff-4d53-b518-060d0f3137fc" and asset.score: 8
Use a boolean query to exclude conditions with NOT logic.
Example
Show events that are not from a certain asset name
not asset.hostName: `WIN-BU2-5555`
Use a boolean query to combine conditions with OR logic.
Example
Show events on files created by jsmith or kwang
file.creator: jsmith or file.creator: kwang
incident.assignee
Use a string value to get the list of assignees.
Example
incident.assignee: `test_user`
incident.asset.hostname
Use an integer value to find incidents by their hostname.
Example
Show incidents with hostname WIN-189
incident.asset.hostname: "WIN-189"
incident.asset.agentid
Use a text value to find incidents by agent id.
Example
Show incidents with this agent id
incident.asset.agentid: 81b16451-f33f-4a13-88be-f2fa99faef1e
incident.detectedon
Use a text value to find incidents by the date and time at which the incident was detected.
Example
Show incidents detected in this time range
incident.detectedon: ['2017-04-05T05:33:34' … '2017-04-05T05:33:34']
incident.eventtype
Use a text value to find incidents by the type of the events present in the events timeline. You can choose from: FILE, NETWORK, MUTEX, PROCESS, REGISTRY.
Examples
Show incidents of the event type File
incident.eventtype: FILE
Show incidents of the event types File and Process
incident.eventtype: ["FILE", "Process"]
incident.files
Use an integer value to find incidents by the number of file events present in the events timeline.
Examples
Show incidents with more than 2 file events
incident.files > 2
Show incidents with 5 file events
incident.files: 5
incident.id
Use a text value to find an incident by its unique id.
Example
Show incidents with this unique id
incident.id: 59835863-7587-4dad-b61a-c35ed98959c0
incident.malware.family
Use a text value to find incidents that belong to a malware family.
Examples
Show incidents for malware family, Trickbot
incident.malware.family: Trickbot
Show incidents for malware family, bscope
incident.malware.family: "bscope"
incident.malware.category
Use quotes or backticks around the value to find incidents that belong to a certain malware category.
Examples
Show incidents with this malware category
incident.malware.category: trojan
Show any incident whose malware category contains the value
incident.malware.category: "trojan"
Show incidents whose malware category matches the exact name
incident.malware.category: `adware`
incident.mitre.attack.technique.name
Use a text value within quotes or backticks to search for the technique name that corresponds to its technique id.
Example
incident.mitre.attack.technique.name: "Downgrade Attack"
incident.mitre.attack.technique.id
Use a text value within quotes or backticks for the technique id, which represents how a tactical goal can be achieved.
Example
incident.mitre.attack.technique.id:`T1033_5`
incident.mutex
Use an integer value to find incidents by the number of mutex events present in the events timeline.
Examples
Show incidents with more than 3 mutex events
incident.mutex > 3
Show incidents with 5 mutex events
incident.mutex: 5
incident.network
Use an integer value to find incidents by the number of network events present in the events timeline.
Examples
Show incidents with more than 3 network events
incident.network > 3
Show incidents with 5 network events
incident.network: 5
incident.number
Use an integer value to find the incident with a specific number.
Example
Show the incident with the following incident number
incident.number: 22393
incident.process
Use an integer value to find incidents by the number of process events present in the events timeline.
Examples
Show incidents with more than 3 process events
incident.process > 3
Show incidents with 5 process events
incident.process: 5
incident.registry
Use an integer value to find incidents by the number of registry events present in the events timeline.
Examples
Show incidents with more than 3 registry events
incident.registry > 3
Show incidents with 5 registry events
incident.registry: 5
incident.severityscore
Use an integer value to find incidents by severity score.
Examples
Show incidents with a severity score greater than 3
incident.severityscore > 3
Show incidents with severity score 5
incident.severityscore: 5
incident.status
Use a string value to get the list of incidents with a given status. The possible status values are Open, Closed, and Under_Investigation.
Example
incident.status: `Open`
incident.yara.rulename
Use a string value to find incidents that matched a specific YARA rule.
Example
incident.yara.rulename: `HttpBrowser_RAT_Gen`
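The following query builder is an added example and is not the product's own code. It composes the tokens documented above into Incidents-tab queries while enforcing the rules the page states (which fields are integers, the allowed event types and statuses, backticks for exact and double quotes for partial matches) and refusing values that contain the quote delimiter, so a value taken from a ticket or form cannot close the quote and append clauses of its own. The function names (exact, partial, count, open_high_severity, ...) and the UUID check for agent ids are this example's own assumptions, as is the ' … ' range separator, which is copied from the page's detectedon example.

```python
"""Build Incidents-tab search queries from the tokens documented on this page.

Added example, not the product's own code. It assumes only the syntax shown
above: `field: value`, `field > n`, double quotes for a partial (contains)
match, backticks for an exact match, bracketed lists such as ["FILE", "Process"],
and the keywords and / or / not. All function names here are this example's own.
"""
import re
from datetime import datetime

EVENT_TYPES = {"FILE", "NETWORK", "MUTEX", "PROCESS", "REGISTRY"}
STATUSES = {"Open", "Closed", "Under_Investigation"}
# Fields the page documents as taking an integer value.
INTEGER_FIELDS = {
    "incident.files", "incident.mutex", "incident.network",
    "incident.process", "incident.registry", "incident.severityscore",
    "incident.number",
}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DQ = '"'


def is_safe_value(value: str, delimiter: str) -> bool:
    """A value must not contain the delimiter that quotes it; otherwise an
    untrusted string could close the quote and smuggle in extra clauses."""
    return delimiter not in value and "\n" not in value


def _quoted(field: str, value: str, delimiter: str) -> str:
    if not is_safe_value(value, delimiter):
        raise ValueError(f"value may not contain {delimiter!r}: {value!r}")
    return f"{field}: {delimiter}{value}{delimiter}"


def exact(field: str, value: str) -> str:
    """Backticks match the exact name, as in incident.malware.category: `adware`."""
    return _quoted(field, value, "`")


def partial(field: str, value: str) -> str:
    """Double quotes match incidents containing the value, as in "trojan"."""
    return _quoted(field, value, DQ)


def count(field: str, n: int, op: str = ":") -> str:
    """Integer fields: incident.files: 5 or incident.files > 2."""
    if field not in INTEGER_FIELDS:
        raise ValueError(f"{field} is not an integer field")
    if isinstance(n, bool) or not isinstance(n, int):
        raise TypeError("count must be an int")
    if op == ":":
        return f"{field}: {n}"
    if op == ">":
        return f"{field} > {n}"
    raise ValueError("only ':' and '>' are documented on this page")


def agent_id(agent: str) -> str:
    """incident.asset.agentid takes a bare UUID (assumed format); reject anything else."""
    if not UUID_RE.match(agent):
        raise ValueError(f"not a UUID: {agent!r}")
    return f"incident.asset.agentid: {agent}"


def event_type(*types: str) -> str:
    """One type bare (FILE) or several as a bracketed list (["FILE", "Process"])."""
    unknown = [t for t in types if t.upper() not in EVENT_TYPES]
    if not types or unknown:
        raise ValueError(f"unknown event type(s): {unknown}")
    if len(types) == 1:
        return f"incident.eventtype: {types[0]}"
    return "incident.eventtype: [" + ", ".join(f'"{t}"' for t in types) + "]"


def status(value: str) -> str:
    if value not in STATUSES:
        raise ValueError(f"status must be one of {sorted(STATUSES)}")
    return exact("incident.status", value)


def detected_between(start: datetime, end: datetime) -> str:
    """Range in the bracketed form shown above; the ' … ' separator is copied
    from the page's example and is an assumption about the grammar."""
    if end < start:
        raise ValueError("end precedes start")
    fmt = "%Y-%m-%dT%H:%M:%S"
    return f"incident.detectedon: ['{start.strftime(fmt)}' … '{end.strftime(fmt)}']"


def all_of(*clauses: str) -> str:
    return " and ".join(clauses)


def any_of(*clauses: str) -> str:
    return " or ".join(clauses)


def not_(clause: str) -> str:
    return f"not {clause}"


def open_high_severity(agent: str, exclude_family: str) -> str:
    """Open incidents on one agent with severity above 3, minus one malware family."""
    return all_of(
        agent_id(agent),
        status("Open"),
        count("incident.severityscore", 3, ">"),
        not_(exact("incident.malware.family", exclude_family)),
    )


if __name__ == "__main__":
    # Agent id and family name reuse the values from the page's own examples.
    print(open_high_severity("81b16451-f33f-4a13-88be-f2fa99faef1e", "Trickbot"))
```

The page does not say how and/or bind when mixed in one query, so all_of and any_of simply join clauses with the keyword; keep the two operators in separate queries unless you have confirmed the precedence in your own instance.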