Incident Search Tokens

You can use the following search tokens to search for information on the Incidents tab:

and

Use and to combine two conditions so that results must match both (AND logic).

Example

Show file-created events for a certain date and asset name

asset.agentId:"d9440962-f4ff-4d53-b518-060d0f3137fc" and asset.score: 8

not

Use not to exclude results that match a condition (NOT logic).

Example

Show events that are not on a certain asset (by host name)

not asset.hostName: `WIN-BU2-5555`

or

Use or to combine two conditions so that results may match either one (OR logic).

Example

Show events on files created by jsmith or kwang

file.creator: jsmith or file.creator: kwang

Tokens for Incidents

asset.operatingsystem

Use a text value to find incidents by the operating system of the asset.

Example

Show incidents whose asset runs Microsoft Windows 10 Pro 10.0.18363 64-bit N/A Build 18363

asset.operatingsystem: `Microsoft Windows 10 Pro 10.0.18363 64-bit N/A Build 18363`

incident.assignee

Use a string value to find incidents by the user they are assigned to.

Example

incident.assignee: `test_user`

incident.asset.hostname

Use a text value to find incidents by the host name of the asset.

Example

Show incidents with hostname WIN-189

incident.asset.hostname: "WIN-189"

incident.asset.agentid

Use a text value to find incidents by agent id.

Example

Show incidents with this agent id

incident.asset.agentid: 81b16451-f33f-4a13-88be-f2fa99faef1e

incident.detectedon

Use a text value to find incidents by the date and time at which the incident was detected.

Example

Show incidents detected in this time range

incident.detectedon: ['2017-04-05T05:33:34' … '2017-04-05T05:33:34']

incident.eventtype

Use a text value to find incidents by the type of the events present in the events timeline. You can choose from: FILE, NETWORK, MUTEX, PROCESS, REGISTRY

Examples

Show incidents of the event type File

incident.eventtype: FILE

Show incidents of the event types File and Process

incident.eventtype: ["FILE", "Process"]

incident.files

Use an integer value to find incidents by the number of file events present in the events timeline.

Examples

Show incidents with more than 2 file events

incident.files > 2

Show incidents with 5 file events

incident.files: 5

incident.id

Use a text value to find an incident by its unique id.

Example

Show the incident with this unique id

incident.id: 59835863-7587-4dad-b61a-c35ed98959c0

incident.malware.family

Use a text value to find incidents that belong to a malware family.

Examples

Show incidents for the malware family Trickbot

incident.malware.family: Trickbot

Show incidents for the malware family bscope

incident.malware.family: "bscope"

incident.malware.category

Use a text value to find incidents that belong to a certain malware category. Put the value in double quotes to match any category containing that text, or in backticks to match the exact category name.

Examples

Show incidents with this malware category

incident.malware.category: trojan

Show any incident whose malware category contains this text (partial match)

incident.malware.category: "trojan"

Show incidents whose malware category matches this exact name

incident.malware.category: `adware`

incident.mitre.attack.technique.name

Use a text value within double quotes or backticks to find incidents by the MITRE ATT&CK technique name that corresponds to a technique id.

Example

incident.mitre.attack.technique.name: "Downgrade Attack"

incident.mitre.attack.technique.id

Use a text value within double quotes or backticks to find incidents by the MITRE ATT&CK technique id, which identifies how a tactical goal can be achieved.

Example

incident.mitre.attack.technique.id: `T1033_5`

incident.mutex

Use an integer value to find incidents by the number of mutex events present in the events timeline.

Examples

Show incidents with more than 3 mutex events

incident.mutex > 3

Show incidents with 5 mutex events

incident.mutex: 5

incident.network

Use an integer value to find incidents by the number of network events present in the events timeline.

Examples

Show incidents with more than 3 network events

incident.network > 3

Show incidents with 5 network events

incident.network: 5

incident.number

Use an integer value to find an incident by its incident number.

Example

Show the incident with the following incident number

incident.number: 22393

incident.process

Use an integer value to find incidents by the number of process events present in the events timeline.

Examples

Show incidents with more than 3 process events

incident.process > 3

Show incidents with 5 process events

incident.process: 5

incident.registry

Use an integer value to find incidents by the number of registry events present in the events timeline.

Examples

Show incidents with more than 3 registry events

incident.registry > 3

Show incidents with 5 registry events

incident.registry: 5

incident.severityscore

Use an integer value to find incidents by severity score.

Examples

Show incidents with a severity score greater than 3

incident.severityscore > 3

Show incidents with a severity score of 5

incident.severityscore: 5

incident.status

Use a string value to find incidents by status. The possible status values are Open, Closed, and Under_Investigation.

Example

incident.status: `Open`

incident.yara.rulename

Use a string value to find incidents that matched a specific YARA rule name.

Example

incident.yara.rulename: `HttpBrowser_RAT_Gen`
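The token reference above is easy to get wrong in a saved search: an integer token given a word, a status value that is not one of the three listed, or a token name that does not exist. The following checker, written here as an added example and not the product's own query parser, reads a query in the documented shape (clauses joined by and/or, optional leading not, values bare, in double quotes for a partial match, in backticks for an exact match, or in a [bracketed, list]) and reports those mistakes before the query is run. The token table and the value kinds are taken from this page; the clause grammar itself (operator set, quoting rules, comma-separated lists) is an assumption about how the documented examples are shaped, and the enumerated values are compared case-insensitively because the page's own example writes "Process" for the PROCESS event type.

```python
"""Offline checker for Incidents tab search queries (added example, not the product's parser)."""
import re

# Value kind per token, as described on this page.
INTEGER_TOKENS = {
    "incident.files", "incident.mutex", "incident.network", "incident.process",
    "incident.registry", "incident.severityscore", "incident.number",
}
TEXT_TOKENS = {
    "asset.operatingsystem", "incident.assignee", "incident.asset.hostname",
    "incident.asset.agentid", "incident.detectedon", "incident.eventtype",
    "incident.id", "incident.malware.family", "incident.malware.category",
    "incident.mitre.attack.technique.name", "incident.mitre.attack.technique.id",
    "incident.status", "incident.yara.rulename",
}
# Tokens whose documented values form a closed set (checked case-insensitively).
ENUM_VALUES = {
    "incident.eventtype": {"FILE", "NETWORK", "MUTEX", "PROCESS", "REGISTRY"},
    "incident.status": {"OPEN", "CLOSED", "UNDER_INVESTIGATION"},
}
# One clause: token, operator, value.  Assumed grammar based on the page's examples.
CLAUSE_RE = re.compile(r"^(?P<token>[A-Za-z][A-Za-z0-9.]*)\s*(?P<op>:|>=|<=|>|<)\s*(?P<value>.+)$")
QUOTES = {'"': "partial", "`": "exact"}   # quoting style -> match mode


def split_clauses(query):
    """Split at top-level and/or, ignoring the words inside quotes, backticks or brackets.
    Returns an alternating list: clause, operator, clause, ..."""
    items, buf, quote, depth, i = [], [], None, 0, 0
    while i < len(query):
        ch = query[i]
        if quote:                       # inside a quoted value: copy verbatim
            buf.append(ch)
            if ch == quote:
                quote = None
            i += 1
            continue
        if ch in "\"`'":
            quote = ch
        elif ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif depth == 0 and ch.isspace():
            m = re.match(r"\s+(and|or)\s+", query[i:], re.IGNORECASE)
            if m:
                items.append("".join(buf).strip())
                items.append(m.group(1).lower())
                buf = []
                i += m.end()
                continue
        buf.append(ch)
        i += 1
    items.append("".join(buf).strip())
    return items


def split_values(raw):
    """A [bracketed, list] yields several values; anything else is a single value."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return [v.strip() for v in raw[1:-1].split(",")]
    return [raw]


def classify_value(v):
    """Return (bare value, match mode): "..." is partial, `...` is exact, else bare."""
    if len(v) >= 2 and v[0] == v[-1] and v[0] in QUOTES:
        return v[1:-1], QUOTES[v[0]]
    return v, "bare"


def check_clause(clause):
    """Return the list of problems in one clause; empty when it is well formed."""
    clause = re.sub(r"^not\s+", "", clause, flags=re.IGNORECASE)
    m = CLAUSE_RE.match(clause)
    if not m:
        return ["cannot parse clause: %r" % clause]
    token, op, raw = m.group("token"), m.group("op"), m.group("value")
    if token in INTEGER_TOKENS:
        values = [classify_value(v)[0] for v in split_values(raw)]
        return ["%s expects an integer value, got %r" % (token, v)
                for v in values if not re.fullmatch(r"-?\d+", v)]
    if token not in TEXT_TOKENS:
        return ["unknown token %r (not listed on this page)" % token]
    problems = []
    if op != ":":                       # comparisons are only documented for counts/scores
        problems.append("%s is a text token; %r is not a documented operator for it" % (token, op))
    allowed = ENUM_VALUES.get(token)
    if allowed:
        for v, _mode in map(classify_value, split_values(raw)):
            if v.upper() not in allowed:
                problems.append("%s: %r is not one of %s" % (token, v, sorted(allowed)))
    return problems


def check_query(query):
    """Validate a whole query; returns [] when every clause is well formed."""
    problems = []
    for clause in split_clauses(query)[::2]:   # even positions are clauses, odd are and/or
        problems.extend(check_clause(clause))
    return problems


if __name__ == "__main__":
    for q in ("incident.severityscore > 3 and incident.malware.category: `trojan`",
              "incident.files: five", "incident.eventtype: DISK"):
        print(q, "->", check_query(q) or "ok")
```

The checker only knows the tokens documented on this page, so queries that use tokens from other tabs (such as the asset.* tokens in the and example above) are reported as unknown; extend the two token sets to cover them.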
