Use the following search tokens to search for information in the User Activity tab under the Responses tab:
Use a boolean query to express your query using AND logic.
Example
To show events that match both a file name and a response status, see the following example:
file.name: MWP_MALICIOUSJ.exe and response.status: success
Use a boolean query to express your query using NOT logic.
Example
To show events that are not on a certain asset name, see the following example:
not asset.hostName: `WIN-BU2-5555`
Use a boolean query to express your query using OR logic.
Example
To show events on files created by jsmith or kwang, see the following example:
file.creator: jsmith or file.creator: kwang
antimalwareerrorcode
Use a text value to filter by antimalware error code.
Example
To show assets with a given antimalware error code, see the following example:
antimalwareerrorcode: ERROR_SUCCESS
antimalwareworkflow
Use a text value to filter assets by antimalware workflow.
Example
To show assets by antimalware workflow, see the following example:
antimalwareworkflow: INSTALLNG
antimalware.lastreportedtime
Use this token to show assets whose antimalware last reported time is before a specific date and time.
Example
To show assets whose last reported time is before 6:30 on 10th February 2023, see the following example:
antimalware.lastreportedtime < "2023-02-10T06:30:12Z"
antimalware.lastScanDone
Use this token to filter assets based on the last Antimalware scan time.
Example
To show assets that were last scanned on 10th April, see the following example:
antimalware.lastScanDone:2023-04-10
antimalwareprofile.name
Use this token to filter assets based on the antimalware profile name.
Example
To show assets with a given antimalware profile name, see the following example:
antimalwareprofile.name: QualysProfile
antimalware.status.category
Use this token to filter assets based on the antimalware status category of the asset.
Example
To show assets with a given antimalware status category, see the following example:
antimalware.status.category:Enabled
antimalware.scanStatus
Use this token to filter assets based on the antimalware scan status.
Example
To show assets with a given antimalware scan status, see the following example:
antimalware.scanStatus:Pass
asset.agentId
Use a text value to find an agent ID.
Example
To show events for a certain agent ID, see the following example:
asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
asset.score.criticality
Use an integer value to filter assets based on criticality score.
Example
To show assets based on criticality score, see the following example:
asset.score.criticality: 2
asset.hostName
Use quotes or backticks with the value to find events by hostname.
Examples
To show any events related to the name, see the following example:
asset.hostName: WIN-BU2-4322
To show any events whose hostname contains part of the name, see the following example:
asset.hostName: "WIN-BU2-4322"
To show events that match the exact name, see the following example:
asset.hostName: `WIN-BU2-4322`
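The boolean operators at the top of this page and the bare, quoted and backtick value forms in the hostname examples together describe a small query language. The following is an added example, not Qualys code: an offline evaluator for that syntax, so a query can be checked against a handful of sample events before it is typed into the User Activity tab. Everything it assumes beyond the page is labelled in the header comment: bare and double-quoted values are treated as case-insensitive substring matches, backtick values as exact matches, `[...]` lists as any-of, comparison operators compare numerically when both sides are numbers and otherwise as strings, and `not` binds tighter than `and`, which binds tighter than `or`. The sample events are constructed.

```python
# Added example, not Qualys code. Assumptions not stated on the page:
#   * bare and "double-quoted" values: case-insensitive substring match
#   * `backtick` values: exact, case-sensitive match; ["a", "b"] lists: any-of
#   * <, <=, >, >= compare as numbers when both sides parse, else as strings
#     (ISO-8601 timestamps such as "2023-02-10T06:30:12Z" order correctly as strings)
#   * precedence: not binds tighter than and, which binds tighter than or
import re

TOKEN_RE = re.compile(
    r"\s*(?:(?P<op>>=|<=|>|<|:)"
    r"|(?P<kw>\b(?:and|or|not)\b)"
    r"|(?P<list>\[[^\]]*\])"
    r"|(?P<exact>`[^`]*`)"
    r"|(?P<quoted>\"[^\"]*\"|'[^']*')"
    r"|(?P<bare>[^\s:<>=\[\]`\"']+))",
    re.IGNORECASE,
)

def tokenize(query):
    """Split a query into (kind, text) pairs; keywords are lower-cased."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {query[pos:]!r}")
        pos, kind = m.end(), m.lastgroup
        tokens.append((kind, m.group(kind).lower() if kind == "kw" else m.group(kind)))
    return tokens

def parse(tokens):
    """Recursive descent over the token list; returns a small tuple-based AST."""
    def chain(kw, sub):  # left-associative chain of one boolean keyword
        node = sub()
        while tokens[:1] == [("kw", kw)]:
            tokens.pop(0)
            node = (kw, node, sub())
        return node

    def unary():
        if tokens[:1] == [("kw", "not")]:
            tokens.pop(0)
            return ("not", unary())
        return term()

    def term():  # field, operator, value
        if len(tokens) < 3 or tokens[0][0] != "bare" or tokens[1][0] != "op":
            raise ValueError(f"expected field, operator and value near {tokens[:3]!r}")
        (_, field), (_, op), (kind, raw) = tokens.pop(0), tokens.pop(0), tokens.pop(0)
        if kind == "list":
            return ("any", field, [v.strip().strip("\"'") for v in raw[1:-1].split(",")])
        if kind == "exact":
            return ("exact", field, raw[1:-1])
        value = raw[1:-1] if kind == "quoted" else raw
        # unquoted values may span several words (Kill Process): keep taking bare
        # words unless the next one is itself a field name followed by an operator
        while kind == "bare" and tokens and tokens[0][0] == "bare" and not (len(tokens) > 1 and tokens[1][0] == "op"):
            value += " " + tokens.pop(0)[1]
        return ("contains", field, value) if op == ":" else ("cmp", field, op, value)

    node = chain("or", lambda: chain("and", unary))
    if tokens:
        raise ValueError(f"unexpected trailing tokens {tokens!r}")
    return node

def compare(actual, op, expected):  # numeric when both sides parse, else string order
    if actual is None:
        return False
    try:
        a, b = float(actual), float(expected)
    except ValueError:
        a, b = str(actual), str(expected)
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]

def evaluate(node, event):
    kind, *args = node
    if kind in ("and", "or"):
        left, right = evaluate(args[0], event), evaluate(args[1], event)
        return (left and right) if kind == "and" else (left or right)
    if kind == "not":
        return not evaluate(args[0], event)
    actual = event.get(args[0])  # events are flat dicts keyed by token name
    if kind == "cmp":
        return compare(actual, args[1], args[2])
    if actual is None:
        return False
    if kind == "exact":
        return str(actual) == args[1]
    if kind == "any":
        return str(actual) in args[1]
    if isinstance(actual, (int, float)) and not isinstance(actual, bool):
        return compare(actual, "<=", args[1]) and compare(actual, ">=", args[1])  # numbers: equality only
    return args[1].lower() in str(actual).lower()  # bare/quoted: case-insensitive substring

EVENTS = [  # constructed sample events, not real telemetry
    {"id": 1, "asset.hostName": "WIN-BU2-4322", "asset.platform": "WINDOWS", "asset.score": 8,
     "file.name": "MWP_MALICIOUSJ.exe", "response.status": "success", "response.action": "Kill Process"},
    {"id": 2, "asset.hostName": "WIN-BU2-43221", "asset.platform": "WINDOWS", "asset.score": 5,
     "file.name": "myapp_log.txt", "response.status": "failed", "response.action": "Quarantine File"},
    {"id": 3, "asset.hostName": "LNX-DB-01", "asset.platform": "LINUX", "asset.score": 9,
     "file.name": "cron.sh", "response.status": "success", "response.action": "Delete File"},
]

def search(query, events=EVENTS):
    """Return the ids of the sample events matched by the query."""
    tree = parse(tokenize(query))
    return [e["id"] for e in events if evaluate(tree, e)]
```

Running `search('asset.hostName: "WIN-BU2-4322"')` returns both hosts whose name contains the value, while the backtick form returns only the exact host; this is the difference the hostname examples above describe, and the same evaluator handles the `and`, `not` and `or` examples from the top of the page.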
asset.malware.category
Use quotes or backticks with the value to define the malware category you're interested in.
Example
To show events with a given malware category, see the following example:
asset.malware.category: `File Infector`
asset.malware.family
Use quotes or backticks with the value to define the malware family.
Example
To show events with a given malware family, see the following example:
asset.malware.family: `cryptominerf`
asset.platform
Use quotes or backticks with the value to find events by platform.
Examples
To show any events related to the WINDOWS platform, see the following example:
asset.platform: `WINDOWS`
To show any events related to the WINDOWS and LINUX platforms, see the following example:
asset.platform: ["WINDOWS", "LINUX"]
asset.score
Use an integer value to define the threat score of an asset based on all scoring engines.
Examples
To show events with a given score, see the following example:
asset.score: 8
To show events with confirmed scores (8 or higher), see the following example:
asset.score >= 8
event.source
Use a text value to find events based on the source of the event. Choose from Anti-malware | EDR.
Example
To show all EDR events, see the following example:
event.source: EDR
file.fullPath
Use a text value to define the full path name to a file of interest.
Example
To show events on files at this full path, see the following example:
file.fullPath: 'C:\Windows\System32\LogFiles\myapp_log.txt'
file.hash.md5
Use a text value to define the MD5 hash of a file.
Example
To show events on files with this MD5 hash, see the following example:
file.hash.md5: 50714f6cbb72be3e432d58e543dd2632
file.hash.sha256
Use a text value to define the SHA256 hash of a file.
Example
To show events on files with a given SHA256 hash, see the following example:
file.hash.sha256: 813xxxx364c2xxxx86xxx2f5xxxxxxf4649ffxxxxx3e6
file.name
Use a text value to find events by file name.
Example
To show events for a file name, see the following example:
file.name: myapp_log.txt
file.path
Use a text value to find events on files at a file path.
Example
To show events on files at the path, see the following example:
file.path: "C:\Windows\System32\LogFiles\"
file.properties.certificate.hash
Use a text value to define a signed certificate hash of interest.
Example
To show events for this signed certificate hash, see the following example:
file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542
isAntiMalwareInstalled
Use a boolean value to find assets that have Antimalware installed.
Example
To show the list of assets that have Anti-malware installed and the asset tag Cloud Agent, see the following example:
isAntiMalwareInstalled: true and tags.name: "Cloud Agent"
isantimalwareenabled
Use a boolean value to find assets that have Antimalware enabled.
Example
To show the list of assets that have antimalware enabled see the following example:
isantimalwareenabled: true
platform
Use a string value to find events on a platform.
Example
To show events that took place on the Windows platform, see the following example:
platform: WINDOWS
process.image.fullPath
Use a string value to define the full path to the file that launched the process. Enclose the path in double quotes.
Example
To show events with an image file at a full path, see the following example:
process.image.fullPath: "C:\windows\system32\svchost.exe"
process.name
Use a string value to define a process image name of interest.
Example
To show events with a given process image name, see the following example:
process.name: explorer.exe
process.fullPath
Use a string value to define the full path to the file that launched the process. Enclose the path in double quotes.
Example
To show events with a process at a full path, see the following example:
process.fullPath: "C:\windows\system32\svchost.exe"
process.processfile.certificate.hash
Use a string value to list the process events with a specific process certificate hash.
Example
To show process events with the specific certificate hash, see the following example:
process.processfile.certificate.hash: 7e9572xxxxxxxx862ebxxxxxx782fcxxxb9
process.processfile.certificate.issuer
Use a string value to list process events with a specific certificate issuer.
Example
To show process events with a specific certificate issuer, see the following example:
process.processfile.certificate.issuer: Microsoft
process.processfile.certificate.signed
Use a boolean value to list the processes whose file certificate is signed.
Example
To show process events whose certificate is signed, see the following example:
process.processfile.certificate.signed: true
process.processfile.certificate.signeddate
Use a date value to list the processes whose certificate was signed by the certificate issuer on a specific date.
Example
To show process events whose certificate was signed on a specific date, see the following example:
process.processfile.certificate.signeddate: '2017-08-12'
process.processfile.certificate.valid
Use a boolean value to list the processes that have valid certificates.
Example
To show process events that have a valid certificate, see the following example:
process.processfile.certificate.valid: true
process.processfile.certificate.subject
Use a string value to list the processes by certificate subject.
Examples
To show process events whose certificate subject contains part of the value, see the following example:
process.processfile.certificate.subject: "Mycorp Technologies"
To show process events that match the exact subject, see the following example:
process.processfile.certificate.subject: `CN=MYcorp technologies, Inc O=MyCorp Technologies`
response.action
Use a string value to find events with a response action (Delete File, Kill Process, Quarantine File or Unquarantine File).
Example
To show events with a given response action, see the following example:
response.action: Kill Process
response.priorScore
Use an integer value to search events by the score before executing the response action.
Examples
To show events with a given prior score, see the following example:
response.priorScore: 8
To show events with prior scores greater than or equal to a value, see the following example:
response.priorScore >= 8
response.status
Use a string value to find events with a response status (failed, in_progress, success).
Example
To show events with a given response status, see the following example:
response.status: success
response.statusMessage
Use a string value to search events by the status message displayed after the response action is completed.
Examples
To show events that contain part of the status message, see the following example:
response.statusMessage:"Process"
To show events that match the exact status message, see the following example:
response.statusMessage:`Process does not exist`
response.user
Use a string value to list response actions executed by a certain user.
Example
To show response actions for a user, see the following example:
response.user: John Doe
response.userId
Use a string value to list response actions executed by a certain username.
Example
To show response actions for a username, see the following example:
response.userId: jdoe
state
Use a text value to filter by asset state.
Example
To show assets with a specific state, see the following example:
state: ACTIVE
response.comments
Use a string value to list events by the comments added while initiating the response action.
Examples
To show events that contain part of the comment, see the following example:
response.comments: "malicious"
To show events that match the exact comment, see the following example:
response.comments: `killing malicious process`