User Activity Search Tokens

Use the following search tokens to search for information in the User Activity tab under the Responses tab:

and

Use a boolean query to express your query using AND logic.

Example

To show events on a certain file name that also have a successful response status, see the following example:

file.name: MWP_MALICIOUSJ.exe and response.status: success

not

Use a boolean query to express your query using NOT logic.

Example

To show events that are not on a certain asset name, see the following example:

not asset.hostName: `WIN-BU2-5555`

or

Use a boolean query to express your query using OR logic.

Example

To show events on files created by jsmith or kwang, see the following example:

file.creator: jsmith or file.creator: kwang

antimalwareerrorcode

Use this token to filter assets by antimalware error code.

Example

To show assets with a specific antimalware error code, see the following example:

antimalwareerrorcode: ERROR_SUCCESS

antimalwareworkflow

Use a text value to filter assets by antimalware workflow.

Example

To show assets with a specific antimalware workflow, see the following example:

antimalwareworkflow: INSTALLNG

antimalware.lastreportedtime

Use this token to find assets whose antimalware last reported before a specific date and time.

Example

To show assets whose antimalware last reported before 6:30 on 10 February 2023, see the following example:

antimalware.lastreportedtime < "2023-02-10T06:30:12Z"

antimalware.lastScanDone

Use this token for filtering assets based on the last Antimalware scan time.

Example

To show assets that were last scanned on 10 April 2023, see the following example:

antimalware.lastScanDone:2023-04-10

antimalwareprofile.name

Use this token to filter assets based on the profile name.

Example

To show assets with a specific antimalware profile name, see the following example:

antimalwareprofile.name: QualysProfile

antimalware.status.category

Use this token to filter assets based on the antimalware status category of the asset.

Example

To show assets with a specific antimalware status category, see the following example:

antimalware.status.category:Enabled

antimalware.scanStatus

Use this token to filter assets based on the antimalware scan status.

Example

To show assets with a specific antimalware scan status, see the following example:

antimalware.scanStatus:Pass

asset.agentId

Use a text value to find an agent ID.

Example

To show events for a certain agent ID, see the following example:

asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.score.criticality

Use an integer value to filter assets based on criticality score.

Example

To show assets with a specific criticality score, see the following example:

asset.score.criticality: 2

asset.hostName

Use a bare value, quotes, or backticks to find events by hostname; the quoting form decides how closely the value must match.

Examples

To show any events related to this name, see the following example:

asset.hostName: WIN-BU2-4322

To show any events that contain part of the name, see the following example:

asset.hostName: "WIN-BU2-4322"

To show events that match the exact name, see the following example:

asset.hostName: `WIN-BU2-4322`

asset.operatingsystem

Use quotes or backticks with the value to find events by the asset's operating system.

Example

To show events for assets running a specific operating system, see the following example:

asset.operatingsystem: `Microsoft Windows 10 Pro 10.0.18363 64-bit N/A Build 18363`

asset.malware.category

Use quotes or backticks with the value to find assets with the malware category you're interested in.

Example

To show events with a specific malware category, see the following example:

asset.malware.category: `File Infector`

asset.malware.family

Use quotes or backticks with the value to find assets with a specific malware family.

Example

To show events with a specific malware family, see the following example:

asset.malware.family: `cryptominerf`

asset.platform

Use quotes or backticks with the value to find events by platform.

Examples

To show any events on the WINDOWS platform, see the following example:

asset.platform: `WINDOWS`

To show any events on either the WINDOWS or the LINUX platform, see the following example:

asset.platform: ["WINDOWS", "LINUX"]

asset.score

Use an integer value to filter by the threat score of an asset, as computed across all scoring engines.

Examples

To show events with a specific score, see the following example:

asset.score: 8

To show events with confirmed scores, see the following example:

asset.score >= 8

asset.tags.name

Use a bare value, quotes, or backticks to find assets by tag name. Use quotes when the value has more than one word.

Examples

To show any findings related to this tag name, see the following example:

asset.tags.name: Cloud Agent

To show any findings whose tag name contains "Cloud" or "Agent", see the following example:

asset.tags.name: "Cloud Agent"

To show any findings that match the exact value, see the following example:

asset.tags.name: `Cloud Agent`
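As an added illustration of the quoting rules described above for asset.hostName and asset.tags.name (example code written for this page, not the product's own), a small Python evaluator applies the three value forms, together with and, or and not, to constructed sample events. The substring match for bare values, the any-word match for double quotes, and the rule that operator words never appear inside quoted values are assumptions drawn from the descriptions on this page.

```python
import re

# Constructed sample events (not from the page); values imitate the page's examples.
EVENTS = [
    {"asset.hostName": "WIN-BU2-4322", "asset.tags.name": "Cloud Agent", "asset.platform": "WINDOWS"},
    {"asset.hostName": "WIN-BU2-43221", "asset.tags.name": "Agent Smith", "asset.platform": "WINDOWS"},
    {"asset.hostName": "LNX-DB-01", "asset.tags.name": "Cloud", "asset.platform": "LINUX"},
]


def parse_term(term):
    """Split 'field: value' into (negated, field, mode, value).

    mode is 'exact' for `backticks`, 'words' for "double quotes", 'bare' otherwise.
    """
    negated = term.startswith("not ")
    if negated:
        term = term[4:]
    field, _, raw = term.partition(":")
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "`\"":
        mode = "exact" if raw[0] == "`" else "words"
        raw = raw[1:-1]
    else:
        mode = "bare"
    return negated, field.strip(), mode, raw


def term_matches(event, term):
    negated, field, mode, wanted = parse_term(term)
    actual = str(event.get(field, "")).lower()
    wanted = wanted.lower()
    if mode == "exact":        # backticks: the whole value must be identical
        hit = actual == wanted
    elif mode == "words":      # double quotes: any word of the value may occur (assumed semantics)
        hit = any(word in actual for word in wanted.split())
    else:                      # bare: substring match (assumed semantics)
        hit = wanted in actual
    return hit != negated


def query_matches(event, query):
    """Evaluate a flat query: 'or' binds loosest, 'and' tighter, 'not' prefixes one term."""
    return any(all(term_matches(event, t.strip()) for t in re.split(r"\s+and\s+", clause))
               for clause in re.split(r"\s+or\s+", query.strip()))


def search(query, events=EVENTS):
    """Return the hostnames of the sample events that satisfy the query."""
    return [e["asset.hostName"] for e in events if query_matches(e, query)]
```

Running search("asset.hostName: WIN-BU2-4322") against the sample data returns both WIN-BU2 hosts, while the backtick form returns only the exact one.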

event.source

Use a text value to find events based on the source of the event. Choose from Anti-malware | EDR.

Example

To show all EDR events, see the following example:

event.source: EDR

file.fullPath

Use a text value to define the full path name to a file of interest.

Example

To show events on files at this full path, see the following example:

file.fullPath: 'C:\Windows\System32\LogFiles\myapp_log.txt'

file.hash.md5

Use a text value to define the MD5 hash of a file.

Example

To show events on files with this MD5 hash, see the following example:

file.hash.md5: 50714f6cbb72be3e432d58e543dd2632

file.hash.sha256

Use a text value to define the SHA256 hash of a file.

Example

To show events on files with a specific SHA256 hash, see the following example:

file.hash.sha256: 813xxxx364c2xxxx86xxx2f5xxxxxxf4649ffxxxxx3e6

file.name

Use a text value to help you find events on a file name.

Example

To show events on a specific file name, see the following example:

file.name: myapp_log.txt

file.path

Use a text value to find events on files at a file path.

Example

To show events on files at this path, see the following example:

file.path: "C:\Windows\System32\LogFiles\"

file.properties.certificate.hash

Use a text value to define a signed certificate hash of interest.

Example

To show events for this signed certificate hash, see the following example:

file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542

isAntiMalwareInstalled

Use a boolean value to find assets that have Antimalware installed.

Example

To show the list of assets that have Anti-malware installed and the asset tag Cloud Agent, see the following example:

isAntiMalwareInstalled: true and tags.name: "Cloud Agent"

isantimalwareenabled

Use a boolean value to find assets that have Antimalware enabled.

Example

To show the list of assets that have antimalware enabled, see the following example:

isantimalwareenabled: true

platform

Use a string value to help you find events on a platform.

Example

To show events that took place on the Windows platform, see the following example:

platform: WINDOWS

process.image.fullPath

Use a string value to define the full path to the file that launched the process. Enclose the path in double quotes.

Example

To show events whose image file is at a specific full path, see the following example:

process.image.fullPath: "C:\windows\system32\svchost.exe"

process.name

Use a string value to define a process image name of interest.

Example

To show events with a specific process image name, see the following example:

process.name: explorer.exe

process.fullPath

Use a string value to define the full path to the file that launched the process. Enclose the path in double quotes.

Example

To show events whose process is at a specific full path, see the following example:

process.fullPath: "C:\windows\system32\svchost.exe"

process.processfile.certificate.hash

Use a string value to list the process events with the specific process certificate hash.

Example

To show process events with the specific certificate hash, see the following example:

process.processfile.certificate.hash: 7e9572xxxxxxxx862ebxxxxxx782fcxxxb9

process.processfile.certificate.issuer

Use a string value to list process events with a specific certificate issuer.

Example

To show process events with a specific certificate issuer, see the following example:

process.processfile.certificate.issuer: Microsoft

process.processfile.certificate.signed

Use a boolean value to list processes whose file carries a signed certificate.

Example

To show process events whose file carries a signed certificate, see the following example:

process.processfile.certificate.signed: true

process.processfile.certificate.signeddate

Use a date value to list processes whose certificate was signed by the certificate issuer on a specific date.

Example

To show process events whose certificate was signed on a specific date, see the following example:

process.processfile.certificate.signeddate: '2017-08-12'

process.processfile.certificate.valid

Use a boolean value to list the processes that have valid certificates.

Example

To show process events with a valid certificate, see the following example:

process.processfile.certificate.valid: true

process.processfile.certificate.subject

Use a string value to list processes by certificate subject.

Examples

To show process events whose subject contains part of the value, see the following example:

process.processfile.certificate.subject: "Mycorp Technologies"

To show process events that match the exact subject, see the following example:

process.processfile.certificate.subject: `CN=MYcorp technologies, Inc O=MyCorp Technologies`

response.action

Use a string value to find events by response action (Delete File, Kill Process, Quarantine File or Unquarantine File).

Example

To show events with a specific response action, see the following example:

response.action: Kill Process

response.comments

Use a string value to list events by the comments added while initiating the response action.

Examples

To show events that contain part of the comment, see the following example:

response.comments: "malicious"

To show events that match the exact comment, see the following example:

response.comments: `killing malicious process`

response.priorScore

Use an integer value to search events by the score the asset had before the response action was executed.

Examples

To show events with a specific prior score, see the following example:

response.priorScore: 8

To show events with prior scores greater than or equal to a value, see the following example:

response.priorScore >= 8

response.status

Use a string value to find events by response status (failed, in_progress, success).

Example

To show events with a specific response status, see the following example:

response.status: success

response.statusMessage

Use a string value to search events by the status message displayed after the response action completes.

Examples

To show events that contain part of the status message, see the following example:

response.statusMessage:"Process"

To show events that match the exact status message, see the following example:

response.statusMessage:`Process does not exist`

response.timestamp

Use a date range or a specific date to find when a response action on an event occurred.

Examples

To show response actions that occurred within a date range, see the following example:

response.timestamp: [2020-06-15 ... 2020-06-30]

To show response actions starting 2020-06-22 and ending 1 month ago, see the following example:

response.timestamp: [2020-06-22 ... now-1M]

To show response actions starting 2 weeks ago and ending 1 second ago, see the following example:

response.timestamp: [now-2w ... now-1s]

To show response actions that occurred on a specific date, see the following example:

response.timestamp:'2020-06-14'
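An added example (written for this page, not the product's own code) of parsing the response.timestamp range syntax shown above: absolute YYYY-MM-DD dates, the relative forms now-1M, now-2w and now-1s, and a bare quoted date that covers the whole day. The fixed NOW value, UTC handling, inclusive bounds and the set of supported unit letters are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so results are reproducible (assumption); a real search would use the current UTC time.
NOW = datetime(2020, 7, 15, 12, 0, 0, tzinfo=timezone.utc)
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def shift_months(dt, months):
    """Subtract whole calendar months, clamping the day to the target month's length."""
    month0 = dt.month - 1 - months
    year, month = dt.year + month0 // 12, month0 % 12 + 1
    next_first = datetime(year + month // 12, month % 12 + 1, 1, tzinfo=timezone.utc)
    last_day = (next_first - timedelta(days=1)).day
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def parse_point(text, now=NOW):
    """Parse an absolute 'YYYY-MM-DD' or a relative 'now' / 'now-<n><unit>' (unit in s m h d w M)."""
    text = text.strip()
    if text == "now":
        return now
    m = re.fullmatch(r"now-(\d+)([smhdwM])", text)
    if m:
        n, unit = int(m.group(1)), m.group(2)
        return shift_months(now, n) if unit == "M" else now - timedelta(**{UNITS[unit]: n})
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_range(value, now=NOW):
    """Turn '[start ... end]' into (start, end); a bare date, optionally quoted, spans that whole day."""
    value = value.strip().strip("'\"")
    m = re.fullmatch(r"\[(.+?)\s*\.\.\.\s*(.+?)\]", value)
    if m:
        return parse_point(m.group(1), now), parse_point(m.group(2), now)
    day = parse_point(value, now)
    return day, day + timedelta(days=1, seconds=-1)


def range_iso(value, now=NOW):
    """Same as parse_range, as ISO-8601 strings for display and checks."""
    return tuple(d.isoformat() for d in parse_range(value, now))


def in_range(timestamp_iso, value, now=NOW):
    """True when an ISO-8601 timestamp (with offset) falls inside the token's range, inclusive."""
    start, end = parse_range(value, now)
    return start <= datetime.fromisoformat(timestamp_iso) <= end
```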

response.user

Use a string value to list response actions executed by a certain user.

Example

To show response actions executed by a specific user, see the following example:

response.user: John Doe

response.userId

Use a string value to list response actions executed by a certain username.

Example

To show response actions executed by a specific username, see the following example:

response.userId: jdoe

state

Use a text value to filter assets by state.

Example

To show assets with a specific state, see the following example:

state: ACTIVE