FIM Search Event Tokens

action

Use a text value ##### to define a file integrity event action that occurred (Attributes, Baseline, Content, Create, Delete, Rename, Security).

Example

Show events for delete action

action: Delete

OR,

Show events for files that have been newly created

action: Create

actor.imagePath

Use a text value ##### to define the full path to the process that performed the event action.

Example

Show events performed by the process at this full path

actor.imagePath: C:\Windows\System32\dllhost.exe

actor.process

Use a text value ##### to define a process that performed the event action.

Example

Show events performed by this process

actor.process: dllhost.exe

actor.userID

Use a text value ##### to find a user ID of interest.

Example

Show events performed by the user with user ID "jsmith"

actor.userID: jsmith

actor.userName

Use a text value ##### to find the username you're looking for.

Examples

Show events performed by the user with username System

actor.userName: System

Show events performed by the user whose username matches the exact value "NT AUTHORITY\SYSTEM" (backticks force an exact match)

actor.userName: `NT AUTHORITY\SYSTEM`

asset.agentId

Use a text value ##### to find an agent ID of interest.

Example

Show events on the asset with this agent ID

asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.agentVersion

Use a text value ##### to find the assets with a certain agent version you're interested in.

Example

Show agent version 1.3.2.0

asset.agentVersion: 1.3.2.0

asset.assetType

Select the name ##### of an asset type you're interested in. Select from names in the drop-down menu.

Example

Show VM assets

asset.assetType: "VM"

asset.created

Use a date range or specific date to define when assets were created (i.e. when first scanned by a scanner appliance, or when agent was installed).

Examples

Show assets created within certain dates

asset.created: [2016-01-01 .. 2016-01-10]

Show assets created starting 2015-10-01, ending 1 month ago

asset.created: [2015-10-01 .. now-1M]

Show assets created starting 2 weeks ago, ending 1 second ago

asset.created: [now-2w .. now-1s]

Show assets created on specific date

asset.created:'2016-01-08'

actor.auditUserID

Use a text value ##### to find events by the audit user ID of the user who performed the action.

Example

actor.auditUserID: '1001'

actor.auditUserName

Use a text value ##### to find events by the audit username of the user who performed the action.

Example

actor.auditUserName: "Root"

actor.actualUserId

Use a text value ##### to find events by the ID of the actual user (the account that performed the action, as opposed to the effective or impersonated account).

Example

actor.actualUserId: '1001'

actor.actualUserName

Use a text value ##### to find events by the username of the actual user.

Example

actor.actualUserName: "NT AUTHORITY\\SYSTEM"

actor.effectiveUserId

Use a text value ##### to find events by the ID of the effective user. Note that the effective user is the impersonated user, i.e. the account whose privileges the action ran under, which can differ from the account that logged in.

Example

actor.effectiveUserId: '1001'

actor.effectiveUserName

Use a text value ##### to find events by the username of the effective user. Note that the effective user is the impersonated user.

Example

actor.effectiveUserName: "windows/admin"

asset.lastCheckedIn

Use a date range or specific date to define when agents last checked in to the platform.

Example

Find assets with last check in within a specific date range.

asset.lastCheckedIn: [2020-01-01 .. 2020-01-10]

Find assets with last check in starting 2019-11-01, ending 1 month ago.

asset.lastCheckedIn: [2019-11-01 .. now-1M]

Find assets with last check in starting 2 weeks ago, ending 1 second ago.

asset.lastCheckedIn: [now-2w .. now-1s]

Find assets with last check in on a specific date.

asset.lastCheckedIn: '2020-02-11'

Find assets with last check in before (older than) last 30 days.

asset.lastCheckedIn: <now-30d

Note: To find assets that have not checked in for 30 days, use the comparison form above. We recommend that you do not negate a range search to express the same idea, for example NOT asset.lastCheckedIn: [now-30d .. now-2s].

Find assets with last check in within last 30 days excluding day 30.

asset.lastCheckedIn: >now-30d

Find assets with last check in within last 30 days including day 30.

asset.lastCheckedIn: >=now-30d

Find assets with last check in which is older than last 30 days excluding day 30.

asset.lastCheckedIn: <now-30d

Find assets with last check in which is older than last 30 days including day 30

asset.lastCheckedIn: <=now-30d

asset.name

Use quotes or backticks within values to control how the asset name is matched.

Examples

Show events for assets whose name is related to this value (unquoted: matches on any part of the name)

asset.name: QK2K12QP3-65-53

Show events for assets whose name contains this value (double quotes)

asset.name: "QK2K12QP3-65-53"

Show events for assets whose name matches the exact value "QK2K12QP3-65-53" (backticks)

asset.name: `QK2K12QP3-65-53`

asset.netbiosName

Use a text value ##### to define the NetBIOS name you're interested in.

Example

Show the asset with this name

asset.netbiosName: VISTASP2-24-208

asset.system.lastBoot

Use a date range or specific date to define when assets were last booted.

Examples

Show assets last booted within certain dates

asset.system.lastBoot: [2016-01-01 .. 2016-01-10]

Show assets last booted starting 2015-10-01, ending 1 month ago

asset.system.lastBoot: [2015-10-01 .. now-1M]

Show assets last booted starting 2 weeks ago, ending 1 second ago

asset.system.lastBoot: [now-2w .. now-1s]

Show assets last booted on a specific date

asset.system.lastBoot:'2016-01-08'

asset.tags

Use the tag ID to find assets having a certain asset tag.

Example

Show events for assets with this tag ID

asset.tags: 7701016

asset.tags.name

Use a text value ##### to find assets with certain asset tag.

Example

Show assets with this tag name

asset.tags.name: `cloud agent`

asset.updated

Use a date range or specific date to define when assets were updated (i.e. when re-scanned by a scanner appliance, or when host data was uploaded to the cloud platform by an agent).

Examples

Show assets updated within certain dates

asset.updated: [2016-01-01 .. 2016-01-10]

Show assets updated starting 2015-10-01, ending 3 months ago

asset.updated: [2015-10-01 .. now-3M]

Show assets updated starting 2 weeks ago, ending 1 second ago

asset.updated: [now-2w .. now-1s]

Show assets updated on a specific date

asset.updated:'2016-01-10'

asset.interfaces.address

Use a text value ##### to define an IP address (IPv4 or IPv6) you're interested in.

Examples

Show events on the asset with IPv4 address

asset.interfaces.address: 10.10.100.20

Show events on the asset with IPv6 address (enclose value in single quotes)

asset.interfaces.address: 'fe80:0:0:0:2501:b53c:4139:404b'

asset.interfaces.hostname

Use quotes or backticks within values to control how the hostname is matched.

Examples

Show events for assets whose hostname is related to this value (unquoted: matches on any part of the name)

asset.interfaces.hostname: xpsp2-jp-26-111

Show events for assets whose hostname contains this value (double quotes)

asset.interfaces.hostname: "xpsp2-jp-26-111"

Show events for assets whose hostname matches the exact value "xpsp2-jp-26-111" (backticks)

asset.interfaces.hostname: `xpsp2-jp-26-111`

Show events for assets related to this fully qualified name (we'll also match super domains)

asset.interfaces.hostname: qcentos71sqp3.rdlab.acme.com

Show events for assets whose hostname matches the exact value "qcentos71sqp3.rdlab.acme.com"

asset.interfaces.hostname: `qcentos71sqp3.rdlab.acme.com`

asset.interfaces.interfaceName

Use a text value ##### to help you find a certain interface name.

Example

Show events on the asset with the interface name PRO/1000

asset.interfaces.interfaceName: PRO/1000

asset.interfaces.macAddress

Use a text value ##### to define a MAC address you're interested in.

Example

Show events on the asset with this MAC address

asset.interfaces.macAddress: 00-50-56-A9-73-5A

asset.lastLoggedOnUser

Use a text value ##### to help you find assets last logged into by a user of interest.

Example

Show events on the asset that was last logged into by user asmith

asset.lastLoggedOnUser: asmith

asset.operatingSystem

Use quotes or backticks within values to control how the operating system name is matched.

Examples

Show events for assets whose OS name is related to this value (unquoted: matches on any part of the name)

asset.operatingSystem: Windows 2012

Show events for assets whose OS name contains this value (double quotes)

asset.operatingSystem: "Windows 2012"

Show events for assets whose OS name matches the exact value "Windows 2012" (backticks)

asset.operatingSystem: `Windows 2012`

baseline

Search for files that have been converted to baseline. Select 'True' or 'False' from the drop-down menu.

Example

Show files that have been marked as baseline:

baseline: true

class

Use a text value ##### to define the file integrity event class of interest (Disk or Registry).

Example

Show events for changes made on disk

class: Disk

commandExecuted

Use a text value ##### to find events by the executed command that caused the FIM event.

Example

commandExecuted: chmod 555 log.txt

container.imageName

Use this token to get the container events for a given image name. The container image name is displayed on the Event Detail page, indicating the source of the generated events.

Example

container.imageName: nginx

container.nodeName

Use this token to get the container events for a given node name. The container node name is displayed on the Event Detail page, indicating where the image is running.

Example

container.nodeName: ip-10-82-9-210

container.sha

Use this token to get the container events for the container with the given SHA.

Example

container.sha: 4498aa02f0636df72cf9714c75db0de089709f29d939867ffd29f3f5203f8253

eventSource

Use this token to get the FIM events from the selected source. Token values are agent | scanner | runtime_sensor.

Example

Show the FIM events from Cloud Agent.

eventSource: agent

file.attribute.archive

Use a token value Added or Removed to get all the attribute events where the archive attribute has been modified for file/folder.

Example

file.attribute.archive: Added

file.attribute.compressed

Use a token value Added or Removed to get all the attribute events where the compressed attribute has been modified for file/folder.

Example

file.attribute.compressed: Added

file.attribute.encrypted

Use a token value Added or Removed to get all the attribute events where the encrypted attribute has been modified for file/folder.

Example

file.attribute.encrypted: Added

file.attribute.hidden

Use a token value Added or Removed to get all the attribute events where the hidden attribute has been modified for file/folder.

Example

file.attribute.hidden: Added

file.attribute.notContentIndexed

Use a token value Added or Removed to get all the attribute events where the notContentIndexed attribute has been modified for file/folder.

Example

file.attribute.notContentIndexed: Added

file.attribute.readonly

Use a token value Added or Removed to get all the attribute events where the readonly attribute has been modified for file/folder.

Example

file.attribute.readonly: Added

file.fullPath

Use a text value ##### to define the full path of the file involved in the event.

Example

Show events with file at this path

file.fullPath: C:\Windows\System32\LogFiles\qagent33_log.txt

file.hash

Use an alphanumeric value ##### to define the hash value of a file.

Example

Show events based on the hash values calculated for file creation or content modification activities performed within your monitoring scope:

file.hash: 45a565adc2535484070ba596c9e106243a58d6dfc3bd470a88774dfffa900369

file.name

Use a text value ##### to define the name of the file involved in the event.

Example

Show events on the file with this name

file.name: qagent33_log.txt

id

Use a text value ##### to define the event ID.

Example

Show the event with this event ID

id: 3b8c2708-55ee-33eb-942c-aead057dd753

platform

Use a text value ##### to define the platform (Windows, Linux or Unix).

Example

Show events for the platform Linux

platform: Linux

profile.category

Use a text value ##### to find the monitoring profile category related to file integrity event.

Example

Show events matching a monitoring profile with profile category PCI

profile.category: PCI

profile.name

Use a text value ##### to find the monitoring profile name related to file integrity event.

Example

Show events matching the monitoring profile with this name

profile.name: PCI Monitoring Profile

profile.rule.description

Use a text value ##### to define a profile rule description of interest.

Example

Show events matching this profile rule description

profile.rule.description: My Profile Rule

profile.rule.id

Use an integer value ##### to define a profile rule ID of interest.

Example

Show events matching this profile rule ID

profile.rule.id: 12345

profile.rule.name

Use a text value ##### to find the monitoring profile rule name related to file integrity event.

Example

Show the events matching this profile rule name

profile.rule.name: rule01

profile.rule.type

Use one of the token values to get events based on the profile rule type. The token values are directory | file | key | symlink | value.

Examples

Show the events based on the profile rule type as directory

profile.rule.type: directory

Show the Linux events of type symlink

profile.rule.type: symlink

registryKey.name

Use a text value ##### to find the registry key name related to the registry key integrity event.

Example

Show events matching the registry key with this name

registryKey.name: `QualysAgent.exe`

registryKey.path

Use a text value ##### to define the path of the registry key affected by the registry key integrity event.

Example

Show events with key at this path

registryKey.path: `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QualysAgent.exe`

reputationStatus

Select a reputation to find events with this reputation. Select from values in the drop-down menu.

(SUSPICIOUS, MALICIOUS, KNOWN, UNKNOWN, UNAVAILABLE)

Example

Show events where reputation is Malicious

reputationStatus: `MALICIOUS`

severity

Select a severity (1-5) to find events with this severity. Select from values in the drop-down menu.

Example

Show events with severity 5

severity: 5

successStatus

Use a text value ##### to find events by whether the operation that generated them succeeded.

Example

successStatus: `yes`

type

Use a text value ##### to define the file integrity event type (File or Directory or Key or Value).

Example

Show events with event type File

type: File

trustStatus

Select a status to find events with this trustStatus. Select from values in the drop-down menu.

(TRUSTED, UNAVAILABLE)

Example

Show events where trustStatus is TRUSTED

trustStatus: `TRUSTED`

qid

Use an integer value ##### to fetch scan-based events for the given QID.

Example

Show events with given qid

qid: '45601'

and

Use a boolean query to express your query using AND logic.

Example

Show content (write) events performed by user ID akim

action: Content and actor.userID: akim

not

Use a boolean query to express your query using NOT logic.

Example

Show events for assets that don't have Windows operating system

not asset.operatingSystem: windows

or

Use a boolean query to express your query using OR logic.

Examples

Show events for assets with one of these operating systems

asset.operatingSystem: windows or asset.operatingSystem: linux

Show events for assets with operating system name "Windows 2012" or "Windows 7 Ultimate Service Pack 1"

asset.operatingSystem: `Windows 2012` or asset.operatingSystem: `Windows 7 Ultimate Service Pack 1`
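As an added example (my own code, not Qualys code and not part of this reference), the Python helpers below compose queries from the tokens and quoting forms documented above, resolve the relative dates used in the date-range sections (asset.created, asset.lastCheckedIn, asset.system.lastBoot, asset.updated) to absolute timestamps, and run the two ways of asking "not checked in for 30 days" from the asset.lastCheckedIn note over constructed asset records. Assumptions that are mine and not the page's: the relative-date units s, m, h, d, w, M and y (with a month taken as 30 days and a year as 365 for the demonstration), parentheses for grouping OR clauses, and that a negated range also matches records that have no value for the field, which is why the two stale-agent queries return different sets here.

```python
"""Added example: build FIM search queries from the tokens on this page and
resolve relative dates. Not Qualys code; the relative-date units, grouping
parentheses and the null-field behaviour of NOT are my assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Assumed relative-date units (the page's examples use s, d, w and M);
# a month is approximated as 30 days and a year as 365 days here.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400,
                 "w": 7 * 86400, "M": 30 * 86400, "y": 365 * 86400}
_RELATIVE = re.compile(r"^now(?:([+-])(\d+)([smhdwMy]))?$")


def resolve_relative(expr: str, now: datetime) -> datetime:
    """Turn 'now', 'now-30d', 'now-2w', 'now-1M' or 'now-1s' into an absolute time."""
    m = _RELATIVE.match(expr.strip())
    if not m:
        raise ValueError(f"not a relative date expression: {expr!r}")
    sign, count, unit = m.groups()
    if sign is None:
        return now
    delta = timedelta(seconds=int(count) * _UNIT_SECONDS[unit])
    return now + delta if sign == "+" else now - delta


# Value quoting, following the three forms the page documents.
def exact(value: str) -> str:
    """Backticks: exact match, e.g. actor.userName: `NT AUTHORITY\\SYSTEM`."""
    return f"`{value}`"


def phrase(value: str) -> str:
    """Double quotes: match records containing the phrase."""
    return '"' + value.replace('"', '\\"') + '"'


def date_range(start: str, end: str) -> str:
    """Inclusive range in the page's syntax: [2016-01-01 .. now-1M]."""
    return f"[{start} .. {end}]"


def clause(token: str, value: str) -> str:
    return f"{token}: {value}"


def all_of(*clauses: str) -> str:
    return " and ".join(clauses)


def any_of(*clauses: str) -> str:
    # Grouping with parentheses is an assumption, not something the page states.
    return "(" + " or ".join(clauses) + ")"


def negate(c: str) -> str:
    return f"not {c}"


# --- Stale-agent check: the two ways of asking "older than 30 days" ---
NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)

# Constructed sample asset records, not real Qualys data.
SAMPLE_ASSETS = [
    {"agentId": "agent-fresh", "lastCheckedIn": NOW - timedelta(days=1)},
    {"agentId": "agent-stale", "lastCheckedIn": NOW - timedelta(days=45)},
    {"agentId": "agent-never", "lastCheckedIn": None},  # never checked in
]


def older_than(assets, now: datetime, days: int = 30) -> list:
    """asset.lastCheckedIn: <now-30d -- only assets that HAVE a check-in
    older than the cutoff; agents that never checked in are not returned."""
    cutoff = resolve_relative(f"now-{days}d", now)
    return [a["agentId"] for a in assets
            if a["lastCheckedIn"] is not None and a["lastCheckedIn"] < cutoff]


def not_in_recent_range(assets, now: datetime, days: int = 30) -> list:
    """NOT asset.lastCheckedIn: [now-30d .. now], evaluated the way a search
    engine negates a range (assumption): everything outside the window,
    INCLUDING records with no lastCheckedIn value. A different result set,
    which is why the page steers you to the <now-30d form instead."""
    cutoff = resolve_relative(f"now-{days}d", now)
    return [a["agentId"] for a in assets
            if not (a["lastCheckedIn"] is not None
                    and cutoff <= a["lastCheckedIn"] <= now)]


def example_queries() -> dict:
    """Queries from this page, composed with the helpers above."""
    return {
        "stale_agents": clause("asset.lastCheckedIn", "<now-30d"),
        "system_deletes": all_of(clause("action", "Delete"),
                                 clause("actor.userName", exact("NT AUTHORITY\\SYSTEM"))),
        "non_windows": negate(clause("asset.operatingSystem", "windows")),
        "win_or_linux": any_of(clause("asset.operatingSystem", "windows"),
                               clause("asset.operatingSystem", "linux")),
        "created_last_2w": clause("asset.created", date_range("now-2w", "now-1s")),
    }


if __name__ == "__main__":
    for name, q in example_queries().items():
        print(f"{name}: {q}")
    print("older_than:", older_than(SAMPLE_ASSETS, NOW))
    print("not_in_recent_range:", not_in_recent_range(SAMPLE_ASSETS, NOW))
```

Run it directly to print the composed queries and the two result lists. The point of the last two functions is operational: an agent that has never checked in is exactly the host a file-integrity program most wants to know about, and whether it shows up depends on which of the two query forms you pick.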