Tokens Supported for Event Type

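The following is a list of the tokens supported for each event type. Some tokens, such as the process.* and parent.* tokens, are listed more than once because they apply to more than one event type. For detailed information on each token, see Event Tokens, User Activity Tokens, and Incidents Search Tokens.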

Tokens Applicable for All Events

Tokens for File Events

Tokens for Network Events

Tokens for Mutex Events

Tokens for Process Events

Tokens for Registry Events

"action"

"type"

"event.dateTime"

"event.id"

"asset.hostName"

"netbiosname"

"platform"

"operatingsystem.fullname"

"asset.agentId"

"indicator.score"

"indicator.threatfeed"

"malware.category"

"malware.family"

"response.action"

"response.status"

"response.user"

"response.userId"

"response.timestamp"

"response.comments"

"response.priorScore"

"response.statusMessage"

"file.created"

"file.creator"

"file.extension"

"file.fullPath"

"file.hash.md5"

"file.hash.sha256"

"file.name"

"file.path"

"network.local.address.ip"

"network.local.address.port"

"network.process.name"

"network.process.pid"

"network.protocol"

"network.remote.address.fqdn"

"network.remote.address.ip"

"network.remote.address.port"

"network.state"

"process.arguments"

"process.elevated"

"process.image.path"

"process.image.fullPath"

"process.name"

"process.pid"

"process.started"

"process.terminated"

"process.username"

"process.fullPath"

"parent.name"

"parent.pid"

"parent.imagepath"

"parent.event.id"

"handle.name"

"handle.pid"

"process.arguments"

"process.elevated"

"process.image.path"

"process.image.fullPath"

"process.name"

"process.pid"

"process.started"

"process.terminated"

"process.username"

"process.fullPath"

"parent.name"

"parent.pid"

"parent.imagepath"

"parent.event.id"

"process.arguments"

"process.elevated"

"process.image.path"

"process.image.fullPath"

"process.name"

"process.parentname"

"process.parentPid"

"process.pid"

"process.started"

"process.terminated"

"process.username"

"process.fullPath"

"parent.name"

"parent.pid"

"parent.imagepath"

"parent.event.id"

"process.loadedmodule.name"

"process.loadedmodule.path"

"process.loadedmodule.fullpath"

"process.loadedmodule.hash.md5"

"process.loadedmodule.hash.sha256"

"registry.key"

"registry.value"

"registry.data"