Activity and Quarantined Items Search Tokens

Use the following search tokens to search for information in the Activity and Quarantined Items page under the Responses tab:

andand

Use a boolean query to express your query using AND logic.

Example

To show file created events on certain date and asset name, see the following example:

file.name: MWP_MALICIOUSJ.exe and response.status: success

notnot

Use a boolean query to express your query using NOT logic.

Example

To show events that are not on a certain asset name, see the following example:

not asset.hostName: `WIN-BU2-5555`

oror

Use a boolean query to express your query using OR logic.

Example

To show events on files created by jsmith or kwang see the following example:

file.creator: jsmith or file.creator: kwang

asset.agentIdasset.agentId

Use a text value to find an agent ID.

Example

To show events for a certain agent ID see the following example:

asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.hostNameasset.hostName

Use quotes or backticks with value to find events with the hostname.

Examples

To show any events related to name see the following example:

asset.hostName: WIN-BU2-4322

To show any events that contain parts of name see the following example:

asset.hostName: "WIN-BU2-4322"

To show events that match exact name see the following example:

asset.hostName: `WIN-BU2-4322`

event.sourceevent.source

Use a text value to find events based on the source of the event. Choose from Anti-malware, EDR, or VMDR.

Example

To show all EDR events see the following example:

event.source: EDR

file.hash.md5file.hash.md5

Use a text value to define the MD5 hash of a file.

Example

To show events on files with this MD5 hash see the following example:

file.hash.md5: 50714f6cbb72be3e432d58e543dd2632

file.hash.sha256file.hash.sha256

Use a text value to define the SHA256 hash of a file.

Example

To show events on files with SHA256 hash see the following example:

file.hash.sha256: 813xxxx364c2xxxx86xxx2f5xxxxxxf4649ffxxxxx3e6

file.namefile.name

Use a text value to help you find events on a file name.

Example

To show events on file name see the following example:

file.name: myapp_log.txt

indicator.severityscoreindicator.severityscore

Use an integer value to define the threat score of an indicator based on all scoring engines.

Examples

Show events with this severity score

indicator.severityscore: 8

Show events with confirmed severity scores

indicator.severityscore >= 8

platformplatform

Use a string value to help you find events on a platform.

Example

To show events that took place on Windows platform see the following example:

platform: WINDOWS

process.nameprocess.name

Use a string value to define a process image name of interest.

Example

To show events with a process image name see the following example:

process.name: explorer.exe

response.actionresponse.action

Use a string value to help you find events with response action (Delete File, Kill Process, Quarantine File or Unquarantine File ).

Example

To show events with a response action see the following example:

response.action: `Kill Process`

response.statusresponse.status

Use a string value to help you find events with response status (failed, in_progress, success).

Example

To show events with a response status see the following example:

response.status: success

response.userresponse.user

Use a string value to list response actions executed by a certain user.

Example

To show response actions for a user see the following example:

response.user: John Doe

response.userIdresponse.userId

Use a string value to list response actions executed by a certain username.

Example

To show response actions for a username see the following example:

response.userId: jdoe