Activity and Quarantined Items Search Tokens
Use the following search tokens to search for information in the Activity and Quarantined Items page under the Responses tab:
Use a boolean query to express your query using AND logic.
Example
To show file-created events on a certain date and asset name, see the following example:
file.name: MWP_MALICIOUSJ.exe and response.status: success
Use a boolean query to express your query using NOT logic.
Example
To show events that are not on a certain asset name, see the following example:
not asset.hostName: `WIN-BU2-5555`
Use a boolean query to express your query using OR logic.
Example
To show events on files created by jsmith or kwang, see the following example:
file.creator: jsmith or file.creator: kwang
asset.agentId
Use a text value to find an agent ID.
Example
To show events for a certain agent ID, see the following example:
asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
asset.hostName
Use quotes or backticks around the value to control how the hostname is matched.
Examples
To show any events related to the name, see the following example:
asset.hostName: WIN-BU2-4322
To show any events that contain parts of the name, see the following example:
asset.hostName: "WIN-BU2-4322"
To show events that match the exact name, see the following example:
asset.hostName: `WIN-BU2-4322`
event.source
Use a text value to find events based on the source of the event. Choose from Anti-malware, EDR, or VMDR.
Example
To show all EDR events, see the following example:
event.source: EDR
file.hash.md5
Use a text value to define the MD5 hash of a file.
Example
To show events on files with this MD5 hash, see the following example:
file.hash.md5: 50714f6cbb72be3e432d58e543dd2632
file.hash.sha256
Use a text value to define the SHA256 hash of a file.
Example
To show events on files with this SHA256 hash, see the following example:
file.hash.sha256: 813xxxx364c2xxxx86xxx2f5xxxxxxf4649ffxxxxx3e6
file.name
Use a text value to find events on a file name.
Example
To show events on a file name, see the following example:
file.name: myapp_log.txt
indicator.severityscore
Use an integer value to define the threat score of an indicator based on all scoring engines.
Examples
To show events with this severity score, see the following example:
indicator.severityscore: 8
To show events with confirmed severity scores, see the following example:
indicator.severityscore >= 8
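The AND/OR/NOT tokens, the three quoting forms for asset.hostName (unquoted, double-quoted, backticked) and the numeric comparison shown for indicator.severityscore are easiest to understand by watching them filter a handful of events. The following is an added example, not Qualys code and not the product's actual query engine: it is a small evaluator written for this page that parses queries in the syntax shown above and runs them over constructed sample events. Its matching rules are assumptions taken from the page's wording (backticks: exact match; double quotes: the value appears inside the field, case-insensitively; unquoted: the value matches the whole field or one of its words, case-insensitively; `not` binds tighter than `and`, which binds tighter than `or`), so treat the unquoted rule in particular as an approximation rather than the product's documented behaviour.

```python
import re

# Constructed sample events (not real telemetry); keys mirror the page's search tokens.
EVENTS = [
    {"file.name": "MWP_MALICIOUSJ.exe", "response.status": "success",
     "asset.hostName": "WIN-BU2-4322", "file.creator": "jsmith",
     "event.source": "EDR", "indicator.severityscore": 9},
    {"file.name": "myapp_log.txt", "response.status": "failed",
     "asset.hostName": "WIN-BU2-5555", "file.creator": "kwang",
     "event.source": "EDR", "indicator.severityscore": 3},
    {"file.name": "setup.exe", "response.status": "in_progress",
     "asset.hostName": "win-bu2-43221", "file.creator": "admin",
     "event.source": "Anti-malware", "indicator.severityscore": 8},
]

TOKEN_RE = re.compile(r"""
    (?P<bt>`[^`]*`)          # backtick literal: exact, case-sensitive match
  | (?P<dq>"[^"]*")          # double-quoted literal: substring match
  | (?P<op>>=|<=|>|<|:)      # field separator or numeric comparison
  | (?P<word>[^\s:<>=`"]+)   # bare word: field name, and/or/not, or bare value
""", re.VERBOSE)


def tokenize(query):
    """Split a query into (kind, text) tokens; whitespace separates tokens."""
    tokens, pos = [], 0
    while pos < len(query):
        if query[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"unexpected character {query[pos]!r} at offset {pos}")
        tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def make_term(field, op, kind, literal):
    """Build a predicate for one `field: value` or `field >= n` term."""
    if op == ":":
        if kind == "bt":                      # `exact`: whole value, case-sensitive
            want = literal[1:-1]
            return lambda e: e.get(field) == want
        if kind == "dq":                      # "parts": substring, case-insensitive
            want = literal[1:-1].lower()
            return lambda e: want in str(e.get(field, "")).lower()
        # ASSUMPTION: an unquoted value ("related to" on the page) is modelled as a
        # case-insensitive match on the whole value or on any single word of it.
        want = literal.lower()
        return lambda e: (want == str(e.get(field, "")).lower()
                          or want in re.split(r"[^a-z0-9]+", str(e.get(field, "")).lower()))
    n = float(literal)                        # numeric comparison, e.g. score >= 8
    compare = {">=": lambda a: a >= n, "<=": lambda a: a <= n,
               ">": lambda a: a > n, "<": lambda a: a < n}[op]
    return lambda e: isinstance(e.get(field), (int, float)) and compare(e[field])


class Parser:
    """Recursive-descent parser: or_expr -> and_expr ('or' and_expr)*, etc."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def keyword(self, kw):
        kind, text = self.peek()
        return kind == "word" and text.lower() == kw

    def parse(self):
        pred = self.parse_or()
        if self.i != len(self.toks):
            raise ValueError(f"unexpected token {self.toks[self.i][1]!r}")
        return pred

    def parse_or(self):
        left = self.parse_and()
        while self.keyword("or"):
            self.take()
            left = (lambda a, b: lambda e: a(e) or b(e))(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.keyword("and"):
            self.take()
            left = (lambda a, b: lambda e: a(e) and b(e))(left, self.parse_not())
        return left

    def parse_not(self):
        if self.keyword("not"):
            self.take()
            inner = self.parse_not()
            return lambda e: not inner(e)
        return self.parse_term()

    def parse_term(self):
        kind, field = self.take()
        if kind != "word":
            raise ValueError(f"expected a field name, got {field!r}")
        opkind, op = self.take()
        if opkind != "op":
            raise ValueError(f"expected ':' or a comparison after {field!r}")
        valkind, value = self.take()
        if valkind is None:
            raise ValueError(f"missing value for {field!r}")
        return make_term(field, op, valkind, value)


def search(query, events=EVENTS):
    """Return the events matching the query, in their original order."""
    pred = Parser(tokenize(query)).parse()
    return [e for e in events if pred(e)]


if __name__ == "__main__":
    for q in ("not asset.hostName: `WIN-BU2-5555`", 'asset.hostName: "WIN-BU2-4322"',
              "asset.hostName: `WIN-BU2-4322`", "indicator.severityscore >= 8"):
        print(q, "->", [e["asset.hostName"] for e in search(q)])
```

Running the three hostname queries against the sample events shows the difference the page describes: the backticked query returns only the host named exactly WIN-BU2-4322, the double-quoted query also returns win-bu2-43221 because the quoted text occurs inside it, and the unquoted query returns the case-insensitive whole-name match. Multi-word values such as Kill Process must be backticked, as on the page; left bare, the second word is rejected as an unexpected token.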
platform
Use a string value to find events on a platform.
Example
To show events that took place on the Windows platform, see the following example:
platform: WINDOWS
process.name
Use a string value to define a process image name of interest.
Example
To show events with a process image name, see the following example:
process.name: explorer.exe
response.action
Use a string value to find events with a response action (Delete File, Kill Process, Quarantine File or Unquarantine File).
Example
To show events with a response action, see the following example:
response.action: `Kill Process`
response.status
Use a string value to find events with a response status (failed, in_progress, success).
Example
To show events with a response status, see the following example:
response.status: success
response.user
Use a string value to list response actions executed by a certain user.
Example
To show response actions for a user, see the following example:
response.user: John Doe
response.userId
Use a string value to list response actions executed by a certain username.
Example
To show response actions for a username, see the following example:
response.userId: jdoe