User Activity Search Tokens in EDR

You can use Asset search tokens to search information in the Assets tab.

asset.agentId

Use a text value ##### to find an agent ID of interest.

Example

Show events for a certain agent ID

asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.hostName

Use quotes or backticks around the value to find events with the hostname you're interested in: a bare value matches loosely, double quotes match parts of the name, and backticks match the exact name.

Examples

Show any events related to name

asset.hostName: WIN-BU2-4322

Show any events that contain parts of name

asset.hostName: "WIN-BU2-4322"

Show events that match exact name

asset.hostName: `WIN-BU2-4322`

asset.operatingsystem

Use quotes or backticks around the value to find events by the operating system of the asset.

Examples

Show events for this operating system: Microsoft Windows 10 Pro 10.0.18363 64-bit N/A Build 18363

asset.operatingsystem: `Microsoft Windows 10 Pro 10.0.18363 64-bit N/A Build 18363`

asset.malware.category

Use quotes or backticks around the value to find assets with the malware category you're interested in.

Example

Show events with this malware category

asset.malware.category: `File Infector`

asset.malware.family

Use quotes or backticks around the value to find assets with the malware family you're looking for.

Example

Show events with this malware name

asset.malware.family: `cryptominerf`

asset.platform

Use quotes or backticks around the value to find events with the platform you're interested in.

Examples

Show any events related to platform WINDOWS

asset.platform: `WINDOWS`

Show any events related to platform WINDOWS and LINUX

asset.platform: ["WINDOWS", "LINUX"]

asset.score

Use an integer value ##### to define the threat score of an asset based on all scoring engines.

Examples

Show events with this score

asset.score: 8

Show events with confirmed scores

asset.score >= 8

asset.tags.name

Use quotes or backticks around the value to find the asset with the tag name you're looking for. Use quotes when the value has more than one word.

Examples

Show any findings related to this tag name

asset.tags.name: Cloud Agent

Show any findings that contain "Cloud" or "Agent" in name

asset.tags.name: "Cloud Agent"

Show any findings that match exact value

asset.tags.name: `Cloud Agent`

event.source

Use a text value ##### to find events based on the source of the event. Choose from Anti-malware | EDR.

Example

Show all EDR events

event.source: EDR

file.fullPath

Use a text value ##### to define the full path name to a file of interest.

Example

Show events on files at this full path

file.fullPath: 'C:\Windows\System32\LogFiles\myapp_log.txt'

file.hash.md5

Use a text value ##### to define the MD5 hash of a file you're interested in.

Example

Show events on files with this MD5 hash

file.hash.md5: 50714f6cbb72be3e432d58e543dd2632

file.hash.sha256

Use a text value ##### to define the SHA256 hash of a file you're interested in.

Example

Show events on files with this SHA256 hash

file.hash.sha256: 8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6

file.name

Use a text value ##### to help you find events on a file name of interest.

Example

Show events on this file name

file.name: myapp_log.txt

file.path

Use a text value ##### to find events on files at a file path you are interested in.

Example

Show events on files at this path

file.path: "C:\Windows\System32\LogFiles\"

file.properties.certificate.hash

Use a text value ##### to define a signed certificate hash of interest.

Example

Show events for this signed certificate hash

file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542

isAntiMalwareInstalled

Use a boolean value ##### to find assets that have Antimalware enabled.

Example

Show the list of assets that have Anti-malware enabled and have asset tag as Cloud Agent

isAntiMalwareInstalled: true and tags.name: "Cloud Agent"

platform

Use a string value ##### to help you find events on a platform of interest.

Example

Show events that took place on Windows platform

platform: WINDOWS

process.image.fullPath

Use a string value ##### to define the full path to the file that launched the process. Enclose the path in double quotes.

Example

Show events with image file at this full path

process.image.fullPath: "C:\windows\system32\svchost.exe"

process.name

Use a string value ##### to define a process image name of interest.

Example

Show events with this process image name

process.name: explorer.exe

process.fullPath

Use a string value ##### to define the full path to the file that launched the process. Enclose the path in double quotes.

Example

Show events with file at this full path

process.fullPath: "C:\windows\system32\svchost.exe"

response.action

Use a string value ##### to help you find events with a response action (Delete File, Kill Process, Quarantine File or Unquarantine File).

Example

Show events with this response action

response.action: Kill Process

response.status

Use a string value ##### to help you find events with a response status (failed, in_progress, success).

Example

Show events with this response status

response.status: success

response.user

Use a string value ##### to list response actions executed by a certain user.

Example

Show response actions for this user

response.user: John Doe

response.userId

Use a string value ##### to list response actions executed by a certain username.

Example

Show response actions for this username

response.userId: jdoe

response.timestamp

Use a date range or a specific date to find when a response action on an event occurred.

Examples

Show response action found within certain dates

response.timestamp: [2020-06-15 ... 2020-06-30]

Show response action found starting 2020-06-22, ending 1 month ago

response.timestamp: [2020-06-22 ... now-1M]

Show response action found starting 2 weeks ago, ending 1 second ago

response.timestamp: [now-2w ... now-1s]

Show response action found on specific date

response.timestamp: '2020-06-14'

response.comments

Use a string value ##### to list events by comments added while initiating the response action.

Example

Show events that contain parts of the comment

response.comments: "malicious"

Show events that match exact comment

response.comments: `killing malicious process`

response.priorScore

Use an integer value ##### to search events by the score before executing the response action.

Examples

Show events with this prior score

response.priorScore: 8

Show events with prior scores greater than or equal to this value

response.priorScore >= 8

response.statusMessage

Use a string value ##### to search events by the status message displayed after the response action is completed.

Examples

Show events that contain parts of the status message

response.statusMessage: "Process"

Show events with this exact status message

response.statusMessage: `Process does not exist`

and

Use a boolean query to express your query using AND logic.

Example

Show events for a certain file name whose response action succeeded

file.name: MWP_MALICIOUSJ.exe and response.status: success

not

Use a boolean query to express your query using NOT logic.

Example

Show events that are not on a certain asset name

not asset.hostName: `WIN-BU2-5555`

or

Use a boolean query to express your query using OR logic.

Example

Show events on files created by jsmith or kwang

file.creator: jsmith or file.creator: kwang
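The quoting rules (bare value, double quotes for partial match, backticks for exact match), the `[start ... end]` date windows with `now-<n><unit>` relative times, and the `and` / `or` / `not` operators above are easy to get subtly wrong when queries are generated by scripts rather than typed. The following helper is an added example, not Qualys code: it composes queries in the documented syntax, rejects malformed hash and agent-ID values before a query is sent, and resolves relative times so that an empty window (for instance a start date that is later than `now-1M` on the day the query runs) is caught early. The unit table for `s`/`m`/`h`/`d`/`w` and the calendar-month arithmetic for `M` are assumptions about how the backend interprets those forms.

```python
"""Query helpers for the EDR search-token syntax (added example, not Qualys code)."""
import calendar
import re
from datetime import datetime, timedelta, timezone

# Expected value shapes for identifier-style tokens (standard digest lengths).
HEX_LEN = {"file.hash.md5": 32, "file.hash.sha256": 64}
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def is_valid(token, value):
    """True when a hash / agent-ID value has the shape the token expects."""
    if token in HEX_LEN:
        return re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LEN[token], value) is not None
    if token == "asset.agentId":
        return UUID_RE.match(value) is not None
    return True  # other tokens are free text on this page


def _checked(token, value):
    if not is_valid(token, value):
        raise ValueError(f"{token}: malformed value {value!r}")
    return value


def term(token, value):
    """Bare value: loose match (page: 'events related to name')."""
    return f"{token}: {_checked(token, value)}"


def phrase(token, value):
    """Double quotes: matches parts of the value (page: 'contain parts of name')."""
    return f'{token}: "{_checked(token, value)}"'


def exact(token, value):
    """Backticks: exact match (page: 'match exact name')."""
    return f"{token}: `{_checked(token, value)}`"


def any_of(token, values):
    """List form, e.g. asset.platform: ["WINDOWS", "LINUX"]."""
    return f"{token}: [{', '.join(chr(34) + v + chr(34) for v in values)}]"


def at_least(token, n):
    return f"{token} >= {int(n)}"


def and_(*parts):
    return " and ".join(parts)


def or_(*parts):
    return " or ".join(parts)


def not_(part):
    return f"not {part}"


RELATIVE_RE = re.compile(r"^now(?:-(\d+)([smhdwM]))?$")
# Assumed meaning of the fixed-span units; 'M' is handled as a calendar month.
FIXED_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}


def resolve_time(expr, now):
    """Turn 'YYYY-MM-DD' or 'now-<n><unit>' into an aware datetime relative to `now`."""
    m = RELATIVE_RE.match(expr)
    if m is None:
        return datetime.strptime(expr, "%Y-%m-%d").replace(tzinfo=now.tzinfo)
    if m.group(1) is None:
        return now
    n, unit = int(m.group(1)), m.group(2)
    if unit == "M":  # calendar months, clamping the day to the target month's length
        idx = now.year * 12 + (now.month - 1) - n
        year, month0 = divmod(idx, 12)
        day = min(now.day, calendar.monthrange(year, month0 + 1)[1])
        return now.replace(year=year, month=month0 + 1, day=day)
    return now - timedelta(seconds=n * FIXED_UNITS[unit])


def window_is_empty(start, end, now):
    """True when the [start ... end] window would match nothing at time `now`."""
    return resolve_time(start, now) > resolve_time(end, now)


def date_range(token, start, end, now):
    """Emit the [start ... end] form, refusing a window that is already empty."""
    if window_is_empty(start, end, now):
        raise ValueError(f"empty window: {start} is after {end} at {now.isoformat()}")
    return f"{token}: [{start} ... {end}]"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Example hunt: EDR events for a file hash from the page, excluding one host,
    # over the last two weeks.
    print(and_(term("event.source", "EDR"),
               term("file.hash.sha256",
                    "8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6"),
               not_(exact("asset.hostName", "WIN-BU2-5555")),
               date_range("response.timestamp", "now-2w", "now-1s", now)))
```

Note that the page's example `[2020-06-22 ... now-1M]` is only a non-empty window once `now` is later than 2020-07-22; `window_is_empty` makes that dependence on the run date explicit instead of silently returning zero results.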