Search FIM Event Tokens

event.action

Use a text value ##### to define a file integrity event action that occurred (Attributes, Baseline, Content, Create, Delete, Rename, Security).

Example

Show events for delete action

event.action: Delete

or

Show events for files that have been newly created

event.action: Baseline

actor.imagePath

Use a text value ##### to define the full path to the process that performed the event action.

Example

Show events performed by the process at this full path

actor.imagePath: C:\Windows\System32\dllhost.exe

actor.process

Use a text value ##### to define a process that performed the event action.

Example

Show events performed by this process

actor.process: dllhost.exe

actor.userId

Use a text value ##### to find a user ID of interest.

Example

Show events performed by the user with user ID "jsmith"

actor.userId: jsmith

actor.username

Use a text value ##### to find the username you are looking for.

Examples

Show events performed by the user with the username System

actor.username: System

Show events with files that match the exact value "NT AUTHORITY\SYSTEM"

actor.username: `NT AUTHORITY\SYSTEM`

actor.user.impersonated

Use a boolean value of true to filter events generated by impersonated users.

Example

Show events generated by impersonated users.

actor.user.impersonated: true

agent.id

Use a text value ##### to find an agent ID of interest.

Example

Show events on the asset with this agent ID

agent.id: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

agent.version

Use a text value ##### to find the assets with a certain agent version you are interested in.

Example

Show agent version 1.3.2.0

agent.version: 1.3.2.0

asset.type

Select the name ##### of an asset type you're interested in. Select from names in the drop-down menu.

Examples

Show VM assets

asset.type: "VM"

asset.created

Use a date range or specific date to define when assets were created (i.e. when first scanned by a scanner appliance, or when agent was installed).

Examples

Show assets created within certain dates

asset.created: [2016-01-01 .. 2016-01-10]

Show assets created starting 2015-10-01, ending 1 month ago

asset.created: [2015-10-01 .. now-1M]

Show assets created starting 2 weeks ago, ending 1 second ago

asset.created: [now-2w .. now-1s]

Show assets created on specific date

asset.created: '2016-01-08'

actor.auditUserId

Use a text value ##### to find events of the actual user by user ID.

Example

actor.auditUserId: '1001'

actor.auditUsername

Use a text value ##### to find events of the actual user by username.

Example

actor.auditUsername: "Root"

actor.actualUserId

Use a text value ##### to find events of the actual user by user ID.

Example

actor.actualUserId: '1001'

actor.actualUsername

Use a text value ##### to find events of the actual user by username.

Example

actor.actualUsername: "NT AUTHORITY\\SYSTEM"

actor.effectiveUserId

Use a text value ##### to find events of the effective user by user ID. Note that effective users are the impersonated users.

Example

actor.effectiveUserId: '1001'

actor.effectiveUsername

Use a text value ##### to find events of the effective user by username. Note that effective users are the impersonated users.

Example

actor.effectiveUsername: "windows/admin"

asset.lastCheckedIn

Use a date range or specific date to define when agents last checked in to the platform.

Example

Find assets with last check in within a specific date range.

asset.lastCheckedIn: [2020-01-01 .. 2020-01-10]

Find assets with last check in starting 2019-11-01, ending 1 month ago.

asset.lastCheckedIn: [2019-11-01 .. now-1M]

Find assets with last check in starting 2 weeks ago, ending 1 second ago.

asset.lastCheckedIn: [now-2w .. now-1s]

Find assets with last check in on a specific date.

asset.lastCheckedIn: '2020-02-11'

Find assets with last check in before (older than) last 30 days.

asset.lastCheckedIn: <now-30d

Note: In this case, we recommend not rewriting the query with the NOT operator applied to a range, such as NOT asset.lastCheckedIn: [now-30d .. now-2s]; use the comparison form above instead.

Find assets with last check in within the last 30 days, excluding day 30.

asset.lastCheckedIn: >now-30d

Find assets with last check in within the last 30 days, including day 30.

asset.lastCheckedIn: >=now-30d

Find assets with last check in which is older than last 30 days excluding day 30.

asset.lastCheckedIn: <now-30d

Find assets with last check in which is older than last 30 days including day 30

asset.lastCheckedIn: <=now-30d
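The relative date expressions used above (now-1M, now-2w, now-1s, now-30d) and the note against rewriting `<now-30d` as `NOT [now-30d .. now-2s]` are easier to reason about with a small evaluator. The following is an added example written for this page; it is not Qualys's code and not the platform's query engine. It resolves the relative expressions against a fixed clock and runs both query shapes over constructed check-in records. The 30-day month and the treatment of assets that have never checked in are assumptions made here for illustration.

```python
"""Added illustration (not Qualys's own code): resolves the relative date
expressions used in asset.lastCheckedIn queries and compares
'asset.lastCheckedIn: <now-30d' with 'NOT asset.lastCheckedIn: [now-30d .. now-2s]'
over constructed sample assets."""
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2020, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

# Unit lengths in seconds. A month is approximated as 30 days here;
# that is an assumption for this example, not the platform's definition.
_UNIT_SECONDS = {
    "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400, "M": 30 * 86400,
}

# Matches 'now' or 'now-<n><unit>' (e.g. now-30d, now-1M, now-2w, now-1s).
_REL = re.compile(r"^now(?:-(\d+)([smhdwM]))?$")


def resolve(expr: str, now: datetime = NOW) -> datetime:
    """Turn 'now', 'now-30d' or an absolute date like '2020-01-10' into a datetime."""
    m = _REL.match(expr)
    if m:
        if m.group(1) is None:
            return now
        return now - timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2)])
    return datetime.fromisoformat(expr).replace(tzinfo=timezone.utc)


def in_range(value, lo: str, hi: str, now: datetime = NOW) -> bool:
    """'[lo .. hi]' range, inclusive at both ends.
    Assumption: an asset with no check-in value never matches a range."""
    if value is None:
        return False
    return resolve(lo, now) <= value <= resolve(hi, now)


def older_than(value, expr: str, now: datetime = NOW) -> bool:
    """'<expr' comparison. Assumption: a missing value never matches."""
    if value is None:
        return False
    return value < resolve(expr, now)


# Constructed sample: asset name -> last check-in (None = never checked in).
ASSETS = {
    "old-server": NOW - timedelta(days=45),    # stale, should be reported
    "edge-case": NOW - timedelta(days=30),     # exactly day 30
    "active": NOW - timedelta(days=3),
    "just-now": NOW - timedelta(seconds=1),    # newer than now-2s
    "never": None,                             # no check-in recorded
}


def stale_by_less_than(now: datetime = NOW) -> list:
    """Assets selected by 'asset.lastCheckedIn: <now-30d'."""
    return sorted(n for n, v in ASSETS.items() if older_than(v, "now-30d", now))


def stale_by_not_range(now: datetime = NOW) -> list:
    """Assets selected by 'NOT asset.lastCheckedIn: [now-30d .. now-2s]'."""
    return sorted(
        n for n, v in ASSETS.items() if not in_range(v, "now-30d", "now-2s", now)
    )


if __name__ == "__main__":
    print("<now-30d           :", stale_by_less_than())
    print("NOT [now-30d..now-2s]:", stale_by_not_range())
```

The negated range picks up the asset that checked in within the last two seconds and, under the assumption made here, the asset with no check-in value at all, so it is not a "stale assets" query even though it looks like one. The comparison form selects only the genuinely stale asset.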

asset.name

Use quotes or backticks around values to help you find the asset name you are looking for.

Examples

Show any findings related to the name

asset.name: QK2K12QP3-65-53

Show any findings that contain parts of name

asset.name: "QK2K12QP3-65-53"

Show any findings that match exact value "QK2K12QP3-65-53"

asset.name: `QK2K12QP3-65-53`

asset.netbiosName

Use a text value ##### to define the NetBIOS name you are interested in.

Examples

Show the asset with this name

asset.netbiosName: VISTASP2-24-208

asset.system.lastBoot

Use a date range or a specific date to define when assets were last booted.

Examples

Show assets last booted within certain dates

asset.system.lastBoot: [2016-01-01 .. 2016-01-10]

Show assets last booted starting 2015-10-01, ending 1 month ago

asset.system.lastBoot: [2015-10-01 .. now-1M]

Show assets last booted starting 2 weeks ago, ending 1 second ago

asset.system.lastBoot: [now-2w .. now-1s]

Show assets last booted on a specific date

asset.system.lastBoot: '2016-01-08'

asset.tag.id

Use the tag ID to find events having a certain asset tag.

Examples

Show any findings related to this tag ID

asset.tag.id: 7701016

asset.tag.name

Use a text value ##### to find events with a certain asset tag.

Example

Show assets with this tag name:

asset.tag.name: `cloud agent`

asset.updated

Use a date range or specific date to define when assets were updated (i.e., when re-scanned by a scanner appliance, or when host data was uploaded to the Qualys Enterprise TruRisk™ Platform by an agent).

Examples

Show assets updated within certain dates

asset.updated: [2016-01-01 .. 2016-01-10]

Show assets updated starting 2015-10-01, ending 3 months ago

asset.updated: [2015-10-01 .. now-3M]

Show assets updated starting 2 weeks ago, ending 1 second ago

asset.updated: [now-2w .. now-1s]

Show assets updated on a specific date

asset.updated: '2016-01-10'

asset.interfaces.address

Use a text value ##### to define an IP address (IPv4 or IPv6) you're interested in.

Examples

Show events on the asset with IPv4 address

asset.interfaces.address: 10.10.100.20

Show events on the asset with IPv6 address (enclose value in single quotes)

asset.interfaces.address: 'fe80:0:0:0:2501:b53c:4139:404b'

asset.interfaces.hostname

Use quotes or backticks around values to help you find the hostname you are looking for.

Examples

Show any findings related to the name

asset.interfaces.hostname: xpsp2-jp-26-111

Show any findings that contain parts of the name

asset.interfaces.hostname: "xpsp2-jp-26-111"

Show any findings that match the exact value "xpsp2-jp-26-111"

asset.interfaces.hostname: `xpsp2-jp-26-111`

Show any findings related to the name (match super domains)

asset.interfaces.hostname: qcentos71sqp3.rdlab.acme.com

Show any findings that match the exact value "qcentos71sqp3.rdlab.acme.com"

asset.interfaces.hostname: `qcentos71sqp3.rdlab.acme.com`

asset.interfaces.interfaceName

Use a text value ##### to help you find a certain interface name.

Example

Show events on the asset with the interface name PRO/1000

asset.interfaces.interfaceName: PRO/1000

asset.interfaces.macAddress

Use a text value ##### to define a MAC address you are interested in.

Example

Show events on the asset with this MAC address

asset.interfaces.macAddress: 00-50-56-A9-73-5A

asset.lastLoggedOnUser

Use a text value ##### to help you find assets last logged into by a user of interest.

Example

Show events on the asset that was last logged into by user asmith

asset.lastLoggedOnUser: asmith

asset.operatingSystem

Use quotes or backticks around values to help you find the operating system you are looking for.

Examples

Show any findings with this OS name

asset.operatingSystem: Windows 2012

Show any findings that contain components of the OS name

asset.operatingSystem: "Windows 2012"

Show any findings that match the exact value "Windows 2012"

asset.operatingSystem: `Windows 2012`

file.baseline

Search for files that have been converted to baseline. Select 'True' or 'False' from the drop-down menu.

Example

Show files that have been marked as baseline:

file.baseline: true

event.class

Use a text value ##### to define the file integrity event class of interest (Disk or Registry).

Example

Show events for changes on disk

event.class: Disk

event.commandExecuted

Use a text value ##### to find the executed command that resulted in the FIM event.

Example

event.commandExecuted: chmod 555 log.txt

container.image.name

Use this token to get the container events for the given image name. The container image name is displayed on the Event Detail page, indicating the source of generated events.

Example

container.image.name: ip-10-82-9-210

container.nodeName

Use this token to get the container events for the given node name. The container node name is displayed on the Event Detail page, indicating where the image is running.

Example

container.nodeName: nginx

container.image.sha

Use this token to get the container events for the container with the given SHA.

Example

container.image.sha: 4498aa02f0636df72cf9714c75db0de089709f29d939867ffd29f3f5203f8253

event.source

Use this token to get the FIM events from the selected source. Token values: agent, scanner, and runtime_sensor.

Example

Show the FIM events from Cloud Agent.

event.source: agent

event.hostType

Use this token to search events using the host type. Token values are: Network Device and Database.

This token is applicable only to the Scan Based events.

Example

Show events from databases.

event.hostType: Database

file.attribute.archive

Use the token value Added or Removed to get all attribute events where the archive attribute has been modified for a file or folder.

Example

file.attribute.archive: Added

file.attribute.compressed

Use the token value Added or Removed to get all attribute events where the compressed attribute has been modified for a file or folder.

Example

file.attribute.compressed: Added

file.attribute.encrypted

Use the token value Added or Removed to get all attribute events where the encrypted attribute has been modified for a file or folder.

Example

file.attribute.encrypted: Added

file.attribute.hidden

Use the token value Added or Removed to get all attribute events where the hidden attribute has been modified for a file or folder.

Example

file.attribute.hidden: Added

file.attribute.notContentIndexed

Use the token value Added or Removed to get all attribute events where the notContentIndexed attribute has been modified for a file or folder.

Example

file.attribute.notContentIndexed: Added

file.attribute.readonly

Use the token value Added or Removed to get all attribute events where the readonly attribute has been modified for a file or folder.

Example

file.attribute.readonly: Added

file.fullPath

Use a text value ##### to define the full path to the file that you want to monitor for file integrity.

Example

Show events for the file at this path

file.fullPath: C:\Windows\System32\LogFiles\qagent33_log.txt

file.hash

Use an alphanumeric value ##### to define the hash value of a file.

Example

Show events based on hash values calculated for file creation or content modification activities performed under your monitoring scope.

file.hash: 45a565adc2535484070ba596c9e106243a58d6dfc3bd470a88774dfffa900369

file.name

Use a text value ##### to define the file name that you want to monitor for integrity.

Example

Show events on the file with this name

file.name: qagent33_log.txt

event.id

Use a text value ##### to define the event ID.

Example

Show the event with this event ID

event.id: 3b8c2708-55ee-33eb-942c-aead057dd753

agent.platform

Use a text value ##### to define the platform (Windows, Linux, or Unix).

Example

Show events for the platform Linux

agent.platform: Linux

profile.category

Use a text value ##### to find the monitoring profile category related to the file integrity event.

Example

Show events matching a monitoring profile with the profile category PCI

profile.category: PCI

profile.name

Use a text value ##### to find the monitoring profile name related to the file integrity event.

Example

Show events matching the monitoring profile with this name

profile.name: PCI Monitoring Profile

profile.rule.description

Use a text value ##### to define a profile rule description of interest.

Example

Show events matching this profile rule description

profile.rule.description: My Profile Rule

profile.rule.id

Use an integer value ##### to define a profile rule ID of interest.

Example

Show events matching this profile rule ID

profile.rule.id: 12345

profile.rule.name

Use a text value ##### to find the monitoring profile rule name related to the file integrity event.

Example

Show the events matching this profile rule name

profile.rule.name: rule01

profile.rule.type

Use one of the token values to get events based on the profile rule type. Token values: directory, file, key, symlink, value.

Examples

Show the events based on the profile rule type as directory

profile.rule.type: directory

Show the Linux events of type symlink

profile.rule.type: symlink

registryKey.name

Use a text value ##### to find the registry key name related to the registry key integrity event.

Example

Show events matching the registry key with this name

registryKey.name: `QualysAgent.exe`

registryKey.path

Use a text value ##### to define the path of the registry key affected by the registry key integrity event.

Example

Show events with key at this path

registryKey.path: `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QualysAgent.exe`

file.reputationStatus

Select a reputation to find events with this reputation. Token values: SUSPICIOUS, MALICIOUS, KNOWN, UNKNOWN, UNAVAILABLE

Example

Show events where the reputation is Malicious

file.reputationStatus: `MALICIOUS`

script.name

Use the script name to find the database events related to that script.

Example

Show events related to the database change using the script name.

script.name: Monitor Database Events

event.severity

Select an event severity (1-5) to find events with this severity. Select from values in the drop-down menu.

Example

Show events with severity 5

event.severity: 5

event.successStatus

Use a text value ##### to find the success status of events.

Example

event.successStatus: `yes`

event.type

Use a text value ##### to define the file integrity event type (File, Directory, Key, or Value).

Example

Show events with event type as File

event.type: File

file.trustStatus

Select a status to find events with a trustStatus. Select from values in the drop-down menu: TRUSTED, UNAVAILABLE

Example

Show events where the file trustStatus is TRUSTED

file.trustStatus: `TRUSTED`

finding.qid

Use an integer value ##### to fetch scan-based events for the given QID.

Example

Show events with given finding.qid

finding.qid: '45601'

and

Use a boolean query to express your query using AND logic.

Example

Show events with Write event.action performed by user ID akim

event.action: Write and actor.userId: akim

not

Use a boolean query to express your query using NOT logic.

Example

Show events for assets that don't have Windows operating system

not asset.operatingSystem: windows

or

Use a boolean query to express your query using OR logic.

Example

Show events for assets with one of these operating systems

asset.operatingSystem: windows or asset.operatingSystem: linux

Show events for assets with operating system name "Windows 2012" or "Windows 7 Ultimate Service Pack 1"

asset.operatingSystem: `Windows 2012` or asset.operatingSystem: `Windows 7 Ultimate Service Pack 1`