Tokens Supported for Event Type

Tokens Applicable for All Events

Tokens for File Events

Tokens for Network Events

Tokens for Mutex Events

Tokens for Process Events

Tokens for Registry Events

"action"

"type"

"event.dateTime"

"event.id"

"asset.hostName"

"netbiosname"

"platform"

"operatingsystem.fullname"

"asset.agentId"

"indicator.score"

"indicator.threatfeed"

"malware.category"

"malware.family"

"response.action"

"response.status"

"response.user"

"response.userId"

"response.timestamp"

"response.comments"

"response.priorScore"

"response.statusMessage"

"file.created"

"file.creator"

"file.extension"

"file.fullPath"

"file.hash.md5"

"file.hash.sha256"

"file.name"

"file.path"

"network.local.address.ip"

"network.local.address.port"

"network.process.name"

"network.process.pid"

"network.protocol"

"network.remote.address.fqdn"

"network.remote.address.ip"

"network.remote.address.port"

"network.state"

"process.arguments"

"process.elevated"

"process.image.path"

"process.image.fullPath"

"process.name"

"process.pid"

"process.started"

"process.terminated"

"process.username"

"process.fullPath"

"parent.name"

"parent.pid"

"parent.imagepath"

"parent.event.id"

"handle.name"

"handle.pid"

"process.arguments"

"process.elevated"

"process.image.path"

"process.image.fullPath"

"process.name"

"process.pid"

"process.started"

"process.terminated"

"process.username"

"process.fullPath"

"parent.name"

"parent.pid"

"parent.imagepath"

"parent.event.id"

"process.arguments"

"process.elevated"

"process.image.path"

"process.image.fullPath"

"process.name"

"process.parentname"

"process.parentPid"

"process.pid"

"process.started"

"process.terminated"

"process.username"

"process.fullPath"

"parent.name"

"parent.pid"

"parent.imagepath"

"parent.event.id"

"process.loadedmodule.name"

"process.loadedmodule.path"

"process.loadedmodule.fullpath"

"process.loadedmodule.hash.md5"

"process.loadedmodule.hash.sha256"

"registry.key"

"registry.value"

"registry.data"