Activity and Quarantined Items Search Tokens
Use the following search tokens to search for information in the Activity and Quarantined Items page under the Responses tab:
Use a boolean query to express your query using AND logic.
Example
To show file created events on certain date and asset name, see the following example:
file.name: MWP_MALICIOUSJ.exe and response.status: success
Use a boolean query to express your query using NOT logic.
Example
To show events that are not on a certain asset name, see the following example:
not asset.hostName: `WIN-BU2-5555`
Use a boolean query to express your query using OR logic.
Example
To show events on files created by jsmith or kwang see the following example:
file.creator: jsmith or file.creator: kwang
Use a text value to find an agent ID.
Example
To show events for a certain agent ID see the following example:
asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
asset.interface.hostnameasset.interface.hostname
Use a string value to list alerts by hostname.
Examples
Show alerts for the specified hostname.
asset.interface.hostname:"DESKTOP-CM8KHGS"
Use a string value to list the assets with the asset name.
Example
asset.name: "WORKSTATION-PC01"
Use a text value to find events based on the source of the event. Choose from Anti-malware, EDR, or VMDR.
Example
To show all EDR events see the following example:
event.source: EDR
Use a text value to define the MD5 hash of a file.
Example
To show events on files with this MD5 hash see the following example:
file.hash.md5: 50714f6cbb72be3e432d58e543dd2632
file.hash.sha256file.hash.sha256
Use a text value to define the SHA256 hash of a file.
Example
To show events on files with SHA256 hash see the following example:
file.hash.sha256: 813xxxx364c2xxxx86xxx2f5xxxxxxf4649ffxxxxx3e6
Use a text value to help you find events on a file name.
Example
To show events on file name see the following example:
file.name: myapp_log.txt
indicator.severityscoreindicator.severityscore
Use an integer value to define the threat score of an indicator based on all scoring engines.
Examples
Show events with this severity score
indicator.severityscore: 8
Show events with confirmed severity scores
indicator.severityscore >= 8
indicator.scoreindicator.score
Use a numeric value to find remediation actions based on the indicator risk score.
Examples
Find remediation for high-score indicators.
indicator.score:>50
Find remediation for a specific score.
indicator.score:75
Find remediation for low-score indicators.
indicator.score:<20
Use a string value to find the remediation actions associated with a specific bulk job name.
Examples
Find remediation from a specific bulk job.
job.name:Ransomeware Response - June 2026
Find remediation from jobs matching a pattern.
job.name:*Ransomeware*
network.ipAddressnetwork.ipAddress
Use a string value to search a network IP.
Example
To show the remediated IP address:
network.ipAddress:"Fxxx::xxx:xxxx:xxxx:xxxF"
Use a string value to filter remediation action by platform.
Examples
Find remediation on Windows assets.
platform.type:Windows
Find remediation on Linux assets.
platform.type:Linux
Use a string value to define a process image name of interest.
Example
To show events with a process image name see the following example:
process.name: explorer.exe
response.actionresponse.action
Use a string value to help you find events with response action (Delete File, Kill Process, Quarantine File or Unquarantine File ).
Example
To show events with a response action see the following example:
response.action: `Kill Process`
response.statusresponse.status
Use a string value to help you find events with response status (failed, in_progress, success).
Example
To show events with a response status see the following example:
response.status: success
Use a string value to list response actions executed by a certain user.
Example
To show response actions for a user see the following example:
response.user: John Doe
response.userIdresponse.userId
Use a string value to list response actions executed by a certain username.
Example
To show response actions for a username see the following example:
response.userId: jdoe
Use a string value to list triggered remediations with rule name.
Examples
Find remediation triggered by a specific rule.
rule.name:SuspiciousProcessInjection
Find remediation for injection-related rules.
rule.name:*Injection*