User Activity Search Tokens
Click to view navigation pane


User Activity Search Tokens in EDR

Use the following Asset search tokens to search for information in the Assets tab:

andand

Use a boolean query to express your query using AND logic.

Example

Show file created events on certain date and asset name

file.name: MWP_MALICIOUSJ.exe and response.status: success

notnot

Use a boolean query to express your query using NOT logic.

Example

Show events that are not on a certain asset name

not asset.hostName: `WIN-BU2-5555`

oror

Use a boolean query to express your query using OR logic.

Example

Show events on files created by jsmith or kwang

file.creator: jsmith or file.creator: kwang

asset.agentIdasset.agentId

Use a text value to find an agent ID.

Example

Show events for a certain agent ID

asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.hostNameasset.hostName

Use quotes or backticks with value to find events with the hostname.

Examples

Show any events related to name

asset.hostName: WIN-BU2-4322

Show any events that contain parts of name

asset.hostName: "WIN-BU2-4322"

Show events that match exact name

asset.hostName: `WIN-BU2-4322`

asset.lastreportedtimeasset.lastreportedtime

Show assets for which last reported time is before specific date and time.

Example

asset.lastreportedtime < "2023-02-10T06:38:12Z"

asset.operatingsystemasset.operatingsystem

Use an integer value to find events by their agent id.

Example

Show events with agent id: Microsoft Windows 10 Pro 10.0.18363 64-bit N/A Build 18363

asset.operatingsystem: `Microsoft Windows 10 Pro 10.0.18363 64-bit N/A Build 18363`

asset.malware.categoryasset.malware.category

Use quotes or backticks with value to define an asset with a malware category you're interested in.

Example

Show events with this malware category

asset.malware.category: `File Infector`

asset.malware.familyasset.malware.family

Use quotes or backticks with value to define an asset with the malware family.

Example

Show events with this malware name

asset.malware.family: `cryptominerf`

asset.scoreasset.score

Use an integer value to define the threat score of an asset based on all scoring engines.

Examples

Show events with this score

asset.score: 8

Show events with confirmed scores

asset.score>= 8

asset.tags.nameasset.tags.name

Use Use quotes or backticks within values to help you find the asset with the tag name. Quotes can be used when the value has more than one word.

Examples

Show any findings related to this tag name

asset.tags.name: Cloud Agent

Show any findings that contain "Cloud" or "Agent" in name

asset.tags.name: "Cloud Agent"

Show any findings that match exact value

asset.tags.name: `Cloud Agent`

event.sourceevent.source

Use a text value to find events based on the source of the event. Choose from Anti-malware | EDR.

Example

Show all EDR events

event.source: EDR

file.fullPathfile.fullPath

Use a text value to define the full path name to a file of interest.

Example

Show events on files at this full path

file.fullPath: 'C:\Windows\System32\LogFiles\myapp_log.txt'

file.hash.md5file.hash.md5

Use a text value to define the MD5 hash of a file.

Example

Show events on files with this MD5 hash

file.hash.md5: 50714f6cbb72be3e432d58e543dd2632

file.hash.sha256file.hash.sha256

Use a text value to define the SHA256 hash of a file.

Example

Show events on files with this SHA256 hash

file.hash.sha256: 8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6

file.namefile.name

Use a text value to help you find events on a file name.

Example

Show events on this file name

file.name: myapp_log.txt

file.pathfile.path

Use a text value to find events on files at a file path.

Example

Show events on files at this path

file.path: "C:\Windows\System32\LogFiles\"

file.properties.certificate.hashfile.properties.certificate.hash

Use a text value to define a signed certificate hash of interest.

Example

Show events for this signed certificate hash

file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542

isAntiMalwareInstalledisAntiMalwareInstalled

Use a boolean value to find assets that have Antimalware installed.

Example

Show the list of assets that have Anti-malware installed and have asset tag as Cloud Agent

isAntiMalwareInstalled: true and tags.name: "Cloud Agent"

platformplatform

Use a string value to help you find events on a platform.

Example

Show events that took place on Windows platform

platform: WINDOWS

process.image.fullPathprocess.image.fullPath

Use a string value to define the full path to the file that launched the process. Enclose the path in double quotes.

Example

Show events with image file at this full path

process.image.fullPath: "C:\windows\system32\svchost.exe"

process.nameprocess.name

Use a string value to define a process image name of interest.

Example

Show events with this process image name

process.name: explorer.exe

process.fullPathprocess.fullPath

Use a string value to define the full path to the file that launched the process. Enclose the path in double quotes.

Example

Show events with file at this full path

process.fullPath: "C:\windows\system32\svchost.exe"

response.userresponse.user

Use a string value to list response actions executed by a certain user.

Example

Shows response actions for this user

response.user: John Doe

response.userIdresponse.userId

Use a string value to list response actions executed by a certain username.

Example

Shows response actions for this username

response.userId: jdoe

response.timestampresponse.timestamp

Use a date range or specific date to find when a response action on event occurred.

Examples

Show response action found within certain dates

response.timestamp: [2020-06-15 ... 2020-06-30]

Show response action found starting 2020-06-22, ending 1 month ago

response.timestamp: [2020-06-22 ... now-1M]

Show response action found starting 2 weeks ago, ending 1 second ago

response.timestamp: [now-2w ... now-1s]

Show response action found on specific date

response.timestamp:'2020-06-14'

response.commentsresponse.comments

Use a string value to list events by comments added while initiating the response action.

Example

Show events that contain parts of the comment

response.comments: "malicious"

Show events that match exact comment

response.comments: `killing malicious process`

response.priorScoreresponse.priorScore

Use an integer value to search events by the score before executing the response action.

Examples

Show events with this prior score

response.priorScore: 8

Show events with prior scores less than equal to this value

response.priorScore >= 8

response.statusMessageresponse.statusMessage

Use a string value to search events by status message displayed after the response action is completed.

Examples

Show events that contain parts of the status message

response.statusMessage:"Process"

Shows events with this status message

response.statusMessage:`Process does not exist`