Activity and Quarantined Items Search Tokens

Use the following search tokens to search for information in the Activity and Quarantined Items page under the Responses tab:

andand

Use a boolean query to express your query using AND logic.

Example

To show file created events on certain date and asset name, see the following example:

file.name: MWP_MALICIOUSJ.exe and response.status: success

notnot

Use a boolean query to express your query using NOT logic.

Example

To show events that are not on a certain asset name, see the following example:

not asset.hostName: `WIN-BU2-5555`

oror

Use a boolean query to express your query using OR logic.

Example

To show events on files created by jsmith or kwang see the following example:

file.creator: jsmith or file.creator: kwang

asset.agentIdasset.agentId

Use a text value to find an agent ID.

Example

To show events for a certain agent ID see the following example:

asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.interface.hostnameasset.interface.hostname

Use a string value to list alerts by hostname.

Examples

Show alerts for the specified hostname.

asset.interface.hostname:"DESKTOP-CM8KHGS"

asset.nameasset.name

Use a string value to list the assets with the asset name.

Example

asset.name: "WORKSTATION-PC01"

event.sourceevent.source

Use a text value to find events based on the source of the event. Choose from Anti-malware, EDR, or VMDR.

Example

To show all EDR events see the following example:

event.source: EDR

file.hash.md5file.hash.md5

Use a text value to define the MD5 hash of a file.

Example

To show events on files with this MD5 hash see the following example:

file.hash.md5: 50714f6cbb72be3e432d58e543dd2632

file.hash.sha256file.hash.sha256

Use a text value to define the SHA256 hash of a file.

Example

To show events on files with SHA256 hash see the following example:

file.hash.sha256: 813xxxx364c2xxxx86xxx2f5xxxxxxf4649ffxxxxx3e6

file.namefile.name

Use a text value to help you find events on a file name.

Example

To show events on file name see the following example:

file.name: myapp_log.txt

indicator.severityscoreindicator.severityscore

Use an integer value to define the threat score of an indicator based on all scoring engines.

Examples

Show events with this severity score

indicator.severityscore: 8

Show events with confirmed severity scores

indicator.severityscore >= 8

indicator.scoreindicator.score

Use a numeric value to find remediation actions based on the indicator risk score.

Examples

Find remediation for high-score indicators.

indicator.score:>50

Find remediation for a specific score.

indicator.score:75

Find remediation for low-score indicators.

indicator.score:<20

job.namejob.name

Use a string value to find the remediation actions associated with a specific bulk job name.

Examples

Find remediation from a specific bulk job.

job.name:Ransomeware Response - June 2026

Find remediation from jobs matching a pattern.

job.name:*Ransomeware*

network.ipAddressnetwork.ipAddress

Use a string value to search a network IP.

Example

To show the remediated IP address:

network.ipAddress:"Fxxx::xxx:xxxx:xxxx:xxxF"

platform.typeplatform.type

Use a string value to filter remediation action by platform.

Examples

Find remediation on Windows assets.

platform.type:Windows

Find remediation on Linux assets.

platform.type:Linux

process.nameprocess.name

Use a string value to define a process image name of interest.

Example

To show events with a process image name see the following example:

process.name: explorer.exe

response.actionresponse.action

Use a string value to help you find events with response action (Delete File, Kill Process, Quarantine File or Unquarantine File ).

Example

To show events with a response action see the following example:

response.action: `Kill Process`

response.statusresponse.status

Use a string value to help you find events with response status (failed, in_progress, success).

Example

To show events with a response status see the following example:

response.status: success

response.userresponse.user

Use a string value to list response actions executed by a certain user.

Example

To show response actions for a user see the following example:

response.user: John Doe

response.userIdresponse.userId

Use a string value to list response actions executed by a certain username.

Example

To show response actions for a username see the following example:

response.userId: jdoe

rule.namerule.name

Use a string value to list triggered remediations with rule name.

Examples

Find remediation triggered by a specific rule.

rule.name:SuspiciousProcessInjection

Find remediation for injection-related rules.

rule.name:*Injection*