Use the following Asset search tokens to search for information in the Assets tab:
Example
Show events for this file name where the response status is success
file.name: MWP_MALICIOUSJ.exe and response.status: success
Example
Show events that are not on a certain asset name
not asset.hostName: `WIN-BU2-5555`
Example
Show events on files created by jsmith or kwang
file.creator: jsmith or file.creator: kwang
Example
Show events for a certain agent ID
asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
Examples
Show any events related to this name
asset.hostName: WIN-BU2-4322
Show any events that contain parts of the name
asset.hostName: "WIN-BU2-4322"
Show events that match the exact name
asset.hostName: `WIN-BU2-4322`
Example
asset.lastreportedtime < "2023-02-10T06:38:12Z"
Example
Show events with this malware category
asset.malware.category: `File Infector`
Example
Show events with this malware name
asset.malware.family: `cryptominerf`
Examples
Show events with this score
asset.score: 8
Show events with confirmed scores
asset.score>= 8
Example
Show all EDR events
event.source: EDR
Example
Show events on files at this full path
file.fullPath: 'C:\Windows\System32\LogFiles\myapp_log.txt'
Example
Show events on files with this MD5 hash
file.hash.md5: 50714f6cbb72be3e432d58e543dd2632
Example
Show events on files with this SHA256 hash
file.hash.sha256: 8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6
Example
Show events on this file name
file.name: myapp_log.txt
Example
Show events on files at this path
file.path: "C:\Windows\System32\LogFiles\"
Example
Show events for this signed certificate hash
file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542
Example
Show the list of assets that have anti-malware installed and have the asset tag Cloud Agent
isAntiMalwareInstalled: true and tags.name: "Cloud Agent"
Example
Show events that took place on the Windows platform
platform: WINDOWS
Example
Show events with image file at this full path
process.image.fullPath: "C:\windows\system32\svchost.exe"
Example
Show events with this process image name
process.name: explorer.exe
Example
Show events with file at this full path
process.fullPath: "C:\windows\system32\svchost.exe"
Example
Show response actions for this user
response.user: John Doe
Example
Show response actions for this username
response.userId: jdoe
Examples
Show events with this prior score
response.priorScore: 8
Show events with prior scores greater than or equal to this value
response.priorScore >= 8
Examples
Show events that contain parts of the status message
response.statusMessage:"Process"
Show events with this status message
response.statusMessage:`Process does not exist`
response.comments
Use a string value to list events by comments added while initiating the response action.
Examples
Show events that contain parts of the comment
response.comments: "malicious"
Show events that match the exact comment
response.comments: `killing malicious process`