Incident Search Tokens in EDR

You can use search tokens to search information on the Incidents tab.

and

Use a boolean query to express your query using AND logic.

Example

Show events that match both a certain agent id and asset score

asset.agentId:"d9440962-f4ff-4d53-b518-060d0f3137fc" and asset.score: 8

not

Use a boolean query to express your query using NOT logic.

Example

Show events that are not on a certain asset name

not asset.hostName: `WIN-BU2-5555`

or

Use a boolean query to express your query using OR logic.

Example

Show events on files created by jsmith or kwang

file.creator: jsmith or file.creator: kwang

Tokens for Incidents

incident.malware.family

Use a text value to find incidents that belong to a malware family.

Example

Show incidents for malware family, Trickbot

incident.malware.family: Trickbot

Show incidents for malware family, bscope

incident.malware.family: "bscope"

incident.malware.category

Use a bare or double-quoted value to find incidents whose malware category contains the value, or a backticked value to match the malware category exactly.

Examples

Show incidents with this malware category

incident.malware.category: trojan

Show any incident whose malware category contains this value

incident.malware.category: "trojan"

Show incidents whose malware category matches this exact name

incident.malware.category: `adware`
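The following is an added example, not part of this documentation and not the product's own code: a small Python evaluator that models the query semantics described above (and/or/not combination, bare and double-quoted values as case-insensitive partial matches, backticked values as exact matches, and the comparison operators used by the integer tokens later on this page) over a few constructed incident records. Operator precedence (not, then and, then or), parentheses, and the partial-versus-exact rule are assumptions based only on the examples on this page; the product's real grammar may differ.

```python
import re
from typing import Callable, Dict, List

# Constructed sample incidents (not real data); field names follow the tokens on this page.
INCIDENTS = [
    {"incident.id": "inc-001", "incident.malware.family": "Trickbot",
     "incident.malware.category": "trojan", "incident.riskscore": 8,
     "incident.asset.hostname": "WIN-189"},
    {"incident.id": "inc-002", "incident.malware.family": "bscope",
     "incident.malware.category": "trojan-downloader", "incident.riskscore": 3,
     "incident.asset.hostname": "WIN-BU2-5555"},
    {"incident.id": "inc-003", "incident.malware.family": "unknown",
     "incident.malware.category": "adware", "incident.riskscore": 5,
     "incident.asset.hostname": "SRV-DB-01"},
]

Predicate = Callable[[Dict], bool]

# One term: field, operator, value; the value is `backticked`, "double quoted" or bare.
TERM_RE = re.compile(r'([\w.]+)\s*(:|>=|<=|>|<)\s*(`[^`]*`|"[^"]*"|[^\s()]+)')
CMP = {">": lambda a, b: a > b, "<": lambda a, b: a < b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def compile_term(field: str, op: str, raw: str) -> Predicate:
    """Turn one `field op value` term into a predicate over an incident dict."""
    if op != ":":                      # integer comparison, e.g. incident.riskscore > 3
        n = int(raw)
        return lambda inc: isinstance(inc.get(field), int) and CMP[op](inc[field], n)
    if raw.startswith("`"):            # backticks: exact, case-sensitive match (assumed)
        want = raw[1:-1]
        return lambda inc: str(inc.get(field, "")) == want
    want = raw[1:-1] if raw.startswith('"') else raw
    if want.lstrip("-").isdigit():     # incident.riskscore: 5 means equality on a number
        return lambda inc: inc.get(field) == int(want)
    needle = want.lower()              # bare or quoted text: case-insensitive substring (assumed)
    return lambda inc: needle in str(inc.get(field, "")).lower()


def tokenize(query: str) -> List[tuple]:
    """Split a query into ('op', ...), ('paren', ...) and ('term', predicate) tokens."""
    tokens, pos = [], 0
    while pos < len(query):
        if query[pos].isspace():
            pos += 1
            continue
        if query[pos] in "()":
            tokens.append(("paren", query[pos]))
            pos += 1
            continue
        m = re.match(r"(and|or|not)\b", query[pos:], re.IGNORECASE)
        if m:
            tokens.append(("op", m.group(1).lower()))
            pos += m.end()
            continue
        m = TERM_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot parse query at offset {pos}: {query[pos:]!r}")
        tokens.append(("term", compile_term(*m.groups())))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent parser; precedence is not > and > or, parentheses override."""

    def __init__(self, tokens: List[tuple]):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok

    def parse_or(self) -> Predicate:
        left = self.parse_and()
        while self.peek() == ("op", "or"):
            self.take()
            left = (lambda l, r: lambda inc: l(inc) or r(inc))(left, self.parse_and())
        return left

    def parse_and(self) -> Predicate:
        left = self.parse_not()
        while self.peek() == ("op", "and"):
            self.take()
            left = (lambda l, r: lambda inc: l(inc) and r(inc))(left, self.parse_not())
        return left

    def parse_not(self) -> Predicate:
        if self.peek() == ("op", "not"):
            self.take()
            inner = self.parse_not()
            return lambda inc: not inner(inc)
        return self.parse_atom()

    def parse_atom(self) -> Predicate:
        kind, val = self.take()
        if kind == "paren" and val == "(":
            inner = self.parse_or()
            if self.take() != ("paren", ")"):
                raise ValueError("missing ')'")
            return inner
        if kind != "term":
            raise ValueError(f"unexpected token {val!r}")
        return val


def compile_query(query: str) -> Predicate:
    parser = _Parser(tokenize(query))
    pred = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in query")
    return pred


def search(query: str, incidents=INCIDENTS) -> List[str]:
    """Return the ids of incidents matching the query, in input order."""
    pred = compile_query(query)
    return [inc["incident.id"] for inc in incidents if pred(inc)]


if __name__ == "__main__":
    for q in ('incident.malware.category: trojan',
              'incident.malware.category: `trojan`',
              'not incident.asset.hostname: `WIN-BU2-5555`',
              'incident.riskscore > 3 and incident.malware.category: "trojan"'):
        print(f"{q:64s} -> {search(q)}")
```

Running the block shows the difference the quoting makes: the bare value `trojan` also returns the `trojan-downloader` incident, while the backticked value returns only the exact category. When hunting, start with the partial form to see what categories exist, then tighten to backticks once the exact value is known.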

incident.id

Use a text value to find incidents by their unique id.

Example

Show incidents with this unique id

incident.id: 59835863-7587-4dad-b61a-c35ed98959c0

incident.asset.agentid

Use a text value to find incidents by agent id.

Example

Show incidents with this agent id

incident.asset.agentid: 81b16451-f33f-4a13-88be-f2fa99faef1e

incident.files

Use an integer value to find incidents by the number of file events present in the event timeline.

Examples

Show incidents with more than 2 file events

incident.files > 2

Show incidents with 5 file events

incident.files: 5

incident.registry

Use an integer value to find incidents by the number of registry events present in the event timeline.

Examples

Show incidents with more than 3 registry events

incident.registry > 3

Show incidents with 5 registry events

incident.registry: 5

incident.process

Use an integer value to find incidents by the number of process events present in the event timeline.

Examples

Show incidents with more than 3 process events

incident.process > 3

Show incidents with 5 process events

incident.process: 5

incident.mutex

Use an integer value to find incidents by the number of mutex events present in the event timeline.

Examples

Show incidents with more than 3 mutex events

incident.mutex > 3

Show incidents with 5 mutex events

incident.mutex: 5

incident.network

Use an integer value to find incidents by the number of network events present in the event timeline.

Examples

Show incidents with more than 3 network events

incident.network > 3

Show incidents with 5 network events

incident.network: 5

incident.riskscore

Use an integer value to find incidents by their risk score.

Examples

Show incidents with a risk score greater than 3

incident.riskscore > 3

Show incidents with a risk score of 5

incident.riskscore: 5

incident.detectedon

Use a text value to find incidents by the date and time at which the incident was detected.

Example

Show incidents detected in this time range

incident.detectedon: ['2017-04-05T05:33:34' … '2017-04-05T05:33:34']

incident.eventtype

Use a text value to find incidents by the type of the events present in the event timeline. You can choose from: FILE, NETWORK, PROCESS, REGISTRY, MUTEX

Example

Show incidents of the event type File

incident.eventtype: FILE

Show incidents of the event types File and Network

incident.eventtype: ["FILE", "NETWORK"]
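The following is an added example, not part of this documentation and not the product's own code. It shows where the values behind the integer tokens (incident.files, incident.registry, incident.process, incident.mutex, incident.network), the incident.eventtype list and the incident.detectedon range come from, by deriving them from constructed per-incident event timelines and then applying the same kinds of filters the examples above express. Whether a list value for incident.eventtype means "any of" or "all of" the listed types is not stated on this page, so the example offers both and defaults to "any of"; that default and the inclusive date range are assumptions.

```python
import operator
from collections import Counter
from datetime import datetime
from typing import Dict, List

EVENT_TYPES = ("FILE", "NETWORK", "PROCESS", "REGISTRY", "MUTEX")

# Constructed incident timelines (not real data): detection time plus a list of events.
TIMELINES = {
    "inc-001": {"detectedon": "2017-04-05T05:33:34", "events": [
        {"type": "PROCESS", "subject": "cmd.exe"},
        {"type": "FILE", "subject": "C:\\Users\\jsmith\\a.tmp"},
        {"type": "FILE", "subject": "C:\\Users\\jsmith\\b.tmp"},
        {"type": "FILE", "subject": "C:\\Users\\jsmith\\c.tmp"},
        {"type": "NETWORK", "subject": "198.51.100.7:443"}]},
    "inc-002": {"detectedon": "2017-04-05T09:12:00", "events":
        [{"type": "PROCESS", "subject": "regsvr32.exe"}]
        + [{"type": "REGISTRY", "subject": f"HKCU\\Software\\Run\\val{i}"} for i in range(4)]
        + [{"type": "MUTEX", "subject": "Global\\constructed-mutex"}]},
    "inc-003": {"detectedon": "2017-04-06T01:00:00", "events":
        [{"type": "FILE", "subject": f"C:\\Temp\\drop{i}.bin"} for i in range(5)]},
}


def summarize(incident_id: str, record: Dict) -> Dict:
    """Build the per-incident fields that the count and type tokens query."""
    counts = Counter(ev["type"] for ev in record["events"])
    unknown = set(counts) - set(EVENT_TYPES)
    if unknown:
        raise ValueError(f"unknown event types in {incident_id}: {sorted(unknown)}")
    return {
        "incident.id": incident_id,
        "incident.detectedon": datetime.fromisoformat(record["detectedon"]),
        "incident.files": counts["FILE"],
        "incident.registry": counts["REGISTRY"],
        "incident.process": counts["PROCESS"],
        "incident.mutex": counts["MUTEX"],
        "incident.network": counts["NETWORK"],
        # only the types that actually occur, in a stable order
        "incident.eventtype": sorted(t for t in EVENT_TYPES if counts[t]),
    }


SUMMARIES = [summarize(i, r) for i, r in TIMELINES.items()]

# ':' is equality (incident.files: 5); the others are the comparisons (incident.files > 2)
OPS = {":": operator.eq, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le}


def count_query(field: str, op: str, n: int, summaries=SUMMARIES) -> List[str]:
    """Ids of incidents whose integer field satisfies `field op n`."""
    return [s["incident.id"] for s in summaries if OPS[op](s[field], n)]


def eventtype_query(types: List[str], require_all: bool = False,
                    summaries=SUMMARIES) -> List[str]:
    """incident.eventtype: [...] filter; any-of by default, all-of when require_all."""
    wanted = {t.upper() for t in types}
    out = []
    for s in summaries:
        present = set(s["incident.eventtype"])
        hit = wanted <= present if require_all else bool(wanted & present)
        if hit:
            out.append(s["incident.id"])
    return out


def detected_between(start: str, end: str, summaries=SUMMARIES) -> List[str]:
    """incident.detectedon range filter, inclusive at both ends (assumption)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [s["incident.id"] for s in summaries if lo <= s["incident.detectedon"] <= hi]


if __name__ == "__main__":
    for s in SUMMARIES:
        print(s["incident.id"], s["incident.files"], s["incident.registry"],
              s["incident.eventtype"])
    print("incident.files > 2          ->", count_query("incident.files", ">", 2))
    print("eventtype any FILE/NETWORK  ->", eventtype_query(["FILE", "NETWORK"]))
    print("eventtype all FILE/NETWORK  ->", eventtype_query(["FILE", "NETWORK"], True))
    print("detected on 2017-04-05      ->",
          detected_between("2017-04-05T00:00:00", "2017-04-05T23:59:59"))
```

The practical point for triage: the count tokens are cheap summaries of the timeline, so a query such as "registry events greater than 3 and process events 1" narrows to incidents with a persistence-heavy footprint before anyone opens the timeline itself, and the detectedon range then scopes that to the window under investigation.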

incident.asset.hostname

Use a text value to find incidents by their hostname.

Examples

Show incidents with hostname WIN-189

incident.asset.hostname: "WIN-189"

asset.operatingsystem

Use a text value to find incidents by the operating system of their asset.

Examples

Show incidents with operating system: Microsoft Windows 10 Pro 10.0.18363 64-bit N/A Build 18363

asset.operatingsystem: `Microsoft Windows 10 Pro 10.0.18363 64-bit N/A Build 18363`

incident.yara.rulename

Use a string value to find incidents containing specific YARA rules.

Examples

incident.yara.rulename: `HttpBrowser_RAT_Gen`

incident.mite.attack.rule.name

Use a string value to find incidents containing specific Siddhi rules.

Examples

incident.mite.attack.rule.name: `T1033_5`