Search Events Tokens
Click to view navigation pane


FIM Search Event Tokens

actionaction

Use a text value ##### to define a file integrity event action that occurred (Attributes, Baseline, Content, Create, Delete, Rename, Security).

Example

Show events for delete action

action: Delete

OR,

Show events for files that have been newly created

action: Baseline

actor.imagePathactor.imagePath

Use a text value ##### to define the full path to the process that performed the event action.

Example

Show events performed by the process at this full path

actor.imagePath: C:\Windows\System32\dllhost.exe

actor.processactor.process

Use a text value ##### to define a process that performed the event action.

Example

Show events performed by this process

actor.process: dllhost.exe

actor.userIDactor.userID

Use a text value ##### to find a user ID of interest.

Example

Show events performed by the user with user ID "jsmith"

actor.userID: jsmith

actor.userNameactor.userName

Use a text value ##### to find the username you're looking for.

Examples

Show events performed by the user with username System

actor.userName: System

Show events with files that match exact value "NT AUTHORITY\SYSTEM"

actor.userName: `NT AUTHORITY\SYSTEM`

asset.agentIdasset.agentId

Use a text value ##### to find an agent ID of interest.

Example

Show events on the asset with this agent ID

asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.agentVersionasset.agentVersion

Use a text value ##### to find the assets with a certain agent version you're interested in.

Example

Show agent version 1.3.2.0

asset.agentVersion: 1.3.2.0

asset.assetTypeasset.assetType

Select the name ##### of an asset type you're interested in.  Select from names in the drop-down menu.

Examples

Show VM assets

asset.assetType: "VM"

asset.createdasset.created

Use a date range or specific date to define when assets were created (i.e. when first scanned by a scanner appliance, or when agent was installed).

Examples

Show assets created within certain dates

asset.created: [2016-01-01 .. 2016-01-10]

Show assets created starting 2015-10-01, ending 1 month ago

asset.created: [2015-10-01 .. now-1M]

Show assets created starting 2 weeks ago, ending 1 second ago

asset.created: [now-2w .. now-1s]

Show assets created on specific date

asset.created:'2016-01-08'

asset.lastCheckedInasset.lastCheckedIn

Use a date range or specific date to define when agents last checked in to the platform.

Example

Find assets with last check in within a specific date range.

asset.lastCheckedIn: [2020-01-01 .. 2020-01-10]

Find assets with last check in starting 2019-11-01, ending 1 month ago.

asset.lastCheckedIn: [2019-11-01 .. now-1M]

Find assets with last check in starting 2 weeks ago, ending 1 second ago.

asset.lastCheckedIn: [now-2w .. now-1s]

Find assets with last check in on a specific date.

asset.lastCheckedIn: '2020-02-11'

Find assets with last check in before (older than) last 30 days.

asset.lastCheckedIn: <now-30d

Note: In this case, we recommend not to use the NOT operator in your range search to form a query like NOT asset.lastCheckedIn:[now-30d .. now-2s].

Find assets with last check in within last 30 days excluding day 30.

asset.lastCheckedIn: >now-30d

Find assets with last check in within last 30 days including day 30.

asset.lastCheckedIn: >=now-30d

Find assets with last check in which is older than last 30 days excluding day 30.

asset.lastCheckedIn: <now-30d

Find assets with last check in which is older than last 30 days including day 30

asset.lastCheckedIn: <=now-30d

asset.nameasset.name

Use quotes or backticks within values to help you find the asset name you're looking for.

Examples

Show any findings related to name

asset.name: QK2K12QP3-65-53

Show any findings that contain parts of name

asset.name: "QK2K12QP3-65-53"

Show any findings that match exact value "QK2K12QP3-65-53"

asset.name: `QK2K12QP3-65-53`

asset.netbiosNameasset.netbiosName

Use a text value ##### to define the NetBIOS name you're interested in.

Examples

Show the asset with this name

asset.netbiosName: VISTASP2-24-208

asset.system.lastBootasset.system.lastBoot

Use a date range or specific date to define when assets were last booted.

Examples

Show assets last booted within certain dates

asset.system.lastBoot: [2016-01-01 .. 2016-01-10]

Show assets last booted starting 2015-10-01, ending 1 month ago

asset.system.lastBoot: [2015-10-01 .. now-1M]

Show assets last booted starting 2 weeks ago, ending 1 second ago

asset.system.lastBoot: [now-2w .. now-1s]

Show assets last booted on a specific date

asset.system.lastBoot:'2016-01-08'

asset.tagsasset.tags

Use the tag ID to find assets having a certain asset tag.

Examples

Show any findings related to this tag ID

asset.tags: 7701016

asset.updatedasset.updated

Use a date range or specific date to define when assets were updated (i.e. when re-scanned by a scanner appliance, or when host data uploaded to the cloud platform by an agent) .

Examples

Show assets updated within certain dates

asset.updated: [2016-01-01 .. 2016-01-10]

Show assets updated starting 2015-10-01, ending 3 months ago

asset.updated: [2015-10-01 .. now-3M]

Show assets updated starting 2 weeks ago, ending 1 second ago

asset.updated: [now-2w .. now-1s]

Show assets updated on a specific date

asset.updated:'2016-01-10'

asset.interfaces.addressasset.interfaces.address

Use a text value ##### to define an IP address (IPv4 of IPv6) you're interested in.

Examples

Show events on the asset with IPv4 address

asset.interfaces.address: 10.10.100.20

Show events on the asset with IPv6 address (enclose value in single quotes)

asset.interfaces.address: 'fe80:0:0:0:2501:b53c:4139:404b'

asset.interfaces.hostnameasset.interfaces.hostname

Use quotes or backticks within values to help you find the hostname you're looking for.

Examples

Show any findings related to name

asset.interfaces.hostname: xpsp2-jp-26-111

Show any findings that contain parts of name

asset.interfaces.hostname: "xpsp2-jp-26-111"

Show any findings that match exact value "xpsp2-jp-26-111"

asset.interfaces.hostname: `xpsp2-jp-26-111`

Show any findings related to name (we'll match super domains)

asset.interfaces.hostname: qcentos71sqp3.rdlab.acme.com

Show any findings that match exact value "qcentos71sqp3.rdlab.acme.com"

asset.interfaces.hostname: `qcentos71sqp3.rdlab.acme.com`

asset.interfaces.interfaceNameasset.interfaces.interfaceName

Use a text value ##### to help you find a certain interface name.

Example

Show events on the asset with the interface name PRO/1000

asset.interfaces.interfaceName: PRO/1000

asset.interfaces.macAddressasset.interfaces.macAddress

Use a text value ##### to define a MAC address you're interested in.

Example

Show events on the asset with this MAC address

asset.interfaces.macAddress: 00-50-56-A9-73-5A

asset.lastLoggedOnUserasset.lastLoggedOnUser

Use a text value ##### to help you find assets last logged into by a user of interest.

Example

Show events on the asset that was last logged into by user asmith

asset.lastLoggedOnUser: asmith

asset.operatingSystemasset.operatingSystem

Use quotes or backticks within values to help you find the operating system you're looking for.

Examples

Show any findings with this OS name

asset.operatingSystem: Windows 2012

Show any findings that contain components of OS name

asset.operatingSystem: "Windows 2012"

Show any findings that match exact value "Windows 2012"

asset.operatingSystem: `Windows 2012`

baselinebaseline

Search for files that have been converted to baseline. Select 'True' or 'False' from the drop-down menu.

Example

Show files that have been marked as baseline:

baseline: true

classclass

Use a text value ##### to define file integrity event class of interest (Disk or Registry).

Example

Show events threatened by change on disk

class: Disk

file.fullPathfile.fullPath

Use a text value ##### to define the full path to the file that you want to monitor for file integrity.

Example

Show events with file at this path

file.fullPath: C:\Windows\System32\LogFiles\qagent33_log.txt

file.hashfile.hash

Use an alpha-numeric value ##### to define the hash value of a file.

Example

Show events based on hash values calculated for file creation or content modification activities performed under your monitoring scope:

file.hash:45a565adc2535484070ba596c9e106243a58d6dfc3bd470a88774dfffa900369

file.namefile.name

Use a text value ##### to define the file name that you want to monitor for integrity.

Example

Show events on the file with this name

file.name: qagent33_log.txt

idid

Use a text value ##### to define the event ID.

Example

Show the event with this event ID

id: 3b8c2708-55ee-33eb-942c-aead057dd753

platformplatform

Use a text value ##### to define the platform (Windows, Linux or Unix).

Example

Show events for the platform Linux

platform: Linux

profile.categoryprofile.category

Use a text value ##### to find the monitoring profile category related to file integrity event.

Example

Show events matching a monitoring profile with profile category PCI

profile.category: PCI

profile.nameprofile.name

Use a text value ##### to find the monitoring profile name related to file integrity event.

Example

Show events matching the monitoring profile with this name

profile.name: PCI Monitoring Profile

profile.rule.descriptionprofile.rule.description

Use a text value ##### to define a profile rule description of interest.

Example

Show events matching this profile rule description

profile.rule.description: My Profile Rule

profile.rule.idprofile.rule.id

Use an integer value ##### to define a profile rule ID of interest.

Example

Show events matching this profile rule ID

profile.rule.id: 12345

profile.rule.nameprofile.rule.name

Use a text value ##### to find the monitoring profile rule name related to file integrity event.

Example

Show events matching this profile rule name

profile.rule.name: rule01

severityseverity

Select a severity (1-5) to find events with this severity. Select from values in the drop-down menu.

Example

Show events with severity 5

severity: 5

typetype

Use a text value ##### to define the file integrity event type (File or Directory or Key or Value).

Example

Show events with event type File

type: File

andand

Use a boolean query to express your query using AND logic.

Example

Show events with Write action performed by user ID akim

action: Write and actor.userID: akim

notnot

Use a boolean query to express your query using NOT logic.

Example

Show events for assets that don't have Windows operating system

not asset.operatingSystem: windows

oror

Use a boolean query to express your query using OR logic.

Example

Show events for assets with one of these operating systems

asset.operatingSystem: windows or asset.operatingSystem: linux

Show events for assets with operating system name "Windows 2012" or "Windows 7 Ultimate Service Pack 1"

operatingSystem: `Windows 2012` or operatingSystem: `Windows 7 Ultimate Service Pack 1`

reputationStatusreputationStatus

Select a reputation to find events with this reputation. Select from values in the drop-down menu.

(SUSPICIOUS, MALICIOUS, KNOWN, UNKNOWN, UNAVAILABLE)

Example

Show events where reputation is Malicious

reputationStatus: 'MALICIOUS`

trustStatustrustStatus

Select a status to find events with this trustStatus. Select from values in the drop-down menu.

(TRUSTED, UNAVAILABLE)

Example

Show events where trustStatus is TRUSTED

trustStatus: `TRUSTED`

registryKey.nameregistryKey.name

Use a text value ##### to find the registry key name related to the registry key integrity event.

Example

Show events matching the registry key with this name

registryKey.name: `QualysAgent.exe`

registryKey.pathregistryKey.path

Use a text value ##### to define the registry key path to the registry key threatened by key integrity event.

Example

Show events with key at this path

registryKey.path: `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QualysAgent.exe`

 

 

asset.tags.nameasset.tags.name

Use a text value ##### to find assets with certain asset tag.

Example

Show assets with this tag name

asset.tags.name: `cloud agent`

commandExecutedcommandExecuted

It is the executed command that results in the event occurrence. Use a text value #### to get an executed command that resulted in the FIM event occurrence. example, commandExecuted:'bash'

actor.auditUserIDactor.auditUserID

Use a text value ##### to find the id of the user performing the actual action. This user-assigned ID is inherited by each process.

Example,
actor. auditUserID:'1001'