Tokens Supported for Event Type
Here is a list of tokens supported for each event type. For detailed information on each token, see Event Tokens, User Activity Tokens, and Incidents Search Tokens.
Tokens Applicable for All Events
"action", "type", "event.dateTime", "event.id", "asset.hostName", "netbiosname", "platform", "operatingsystem.fullname", "asset.agentId", "indicator.score", "indicator.threatfeed", "malware.category", "malware.family", "response.action", "response.status", "response.user", "response.userId", "response.timestamp", "response.comments", "response.priorScore", "response.statusMessage"

Tokens for File Events
"file.created", "file.creator", "file.extension", "file.fullPath", "file.hash.md5", "file.hash.sha256", "file.name", "file.path"

Tokens for Network Events
"network.local.address.ip", "network.local.address.port", "network.process.name", "network.process.pid", "network.protocol", "network.remote.address.fqdn", "network.remote.address.ip", "network.remote.address.port", "network.state", "process.arguments", "process.elevated", "process.image.path", "process.image.fullPath", "process.name", "process.pid", "process.started", "process.terminated", "process.username", "process.fullPath", "parent.name", "parent.pid", "parent.imagepath", "parent.event.id"

Tokens for Mutex Events
"handle.name", "handle.pid", "process.arguments", "process.elevated", "process.image.path", "process.image.fullPath", "process.name", "process.pid", "process.started", "process.terminated", "process.username", "process.fullPath", "parent.name", "parent.pid", "parent.imagepath", "parent.event.id"

Tokens for Process Events
"process.arguments", "process.elevated", "process.image.path", "process.image.fullPath", "process.name", "process.parentname", "process.parentPid", "process.pid", "process.started", "process.terminated", "process.username", "process.fullPath", "parent.name", "parent.pid", "parent.imagepath", "parent.event.id", "process.loadedmodule.name", "process.loadedmodule.path", "process.loadedmodule.fullpath", "process.loadedmodule.hash.md5", "process.loadedmodule.hash.sha256"

Tokens for Registry Events
"registry.key", "registry.value", "registry.data"