Search FIM Event Tokens
Use a text value ##### to define a file integrity event action that occurred (Attributes, Baseline, Content, Create, Delete, Rename, Security).
Example
Show events for delete action
event.action: Delete
OR,
Show events for files that have been newly created
event.action: Baseline
actor.imagePath
Use a text value ##### to define the full path to the process that performed the event action.
Example
Show events performed by the process at this full path
actor.imagePath: C:\Windows\System32\dllhost.exe
Use a text value ##### to define a process that performed the event action.
Example
Show events performed by this process
actor.process: dllhost.exe
Use a text value ##### to find a user ID of interest.
Example
Show events performed by the user with user ID "jsmith"
actor.userId: jsmith
Use a text value ##### to find the username you are looking for.
Examples
Show events performed by the user with the username System
actor.username: System
Show events where the username matches the exact value "NT AUTHORITY\SYSTEM"
actor.username: `NT AUTHORITY\SYSTEM`
actor.user.impersonated
Use a boolean value of true to filter events generated by impersonated users.
Example
Show events generated by impersonated users.
actor.user.impersonated: true
Use a text value ##### to find an agent ID of interest.
Example
Show events on the asset with this agent ID
agent.id: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
Use a text value ##### to find the assets with a certain agent version you are interested in.
Example
Show agent version 1.3.2.0
agent.version: 1.3.2.0
Select the name ##### of an asset type you're interested in. Select from names in the drop-down menu.
Examples
Show VM assets
asset.type: "VM"
Use a date range or specific date to define when assets were created (i.e. when first scanned by a scanner appliance, or when agent was installed).
Examples
Show assets created within certain dates
asset.created: [2016-01-01 .. 2016-01-10]
Show assets created starting 2015-10-01, ending 1 month ago
asset.created: [2015-10-01 .. now-1M]
Show assets created starting 2 weeks ago, ending 1 second ago
asset.created: [now-2w .. now-1s]
Show assets created on specific date
asset.created:'2016-01-08'
actor.auditUserId
Use the text value ##### to find events of the actual user using ID.
Example
actor.auditUserId: '1001'
actor.auditUsername
Use a text value ##### to find events of the actual user using the user name.
Example
actor.auditUsername: "Root"
actor.actualUserId
Use the text value ##### to find events of the actual user using ID.
Example
actor.actualUserId: '1001'
actor.actualUsername
Use a text value ##### to find events of the actual user using the user name.
Example
actor.actualUsername: "NT AUTHORITY\\SYSTEM"
actor.effectiveUserId
Use a text value ##### to find events of the Effective user using ID. Note that Effective users are actually Impersonated users.
Example
actor.effectiveUserId: '1001'
actor.effectiveUsername
Use a text value ##### to find events of the Effective user using the user name. Note that Effective users are actually impersonated users.
Example
actor.effectiveUsername: "windows/admin"
asset.lastCheckedIn
Use a date range or specific date to define when agents last checked in to the platform.
Example
Find assets with last check in within a specific date range.
asset.lastCheckedIn: [2020-01-01 .. 2020-01-10]
Find assets with last check in starting 2019-11-01, ending 1 month ago.
asset.lastCheckedIn: [2019-11-01 .. now-1M]
Find assets with last check in starting 2 weeks ago, ending 1 second ago.
asset.lastCheckedIn: [now-2w .. now-1s]
Find assets with last check in on a specific date.
asset.lastCheckedIn: '2020-02-11'
Find assets with last check in before (older than) last 30 days.
asset.lastCheckedIn: <now-30d
Note: In this case, we recommend not using the NOT operator in your range search to form a query like NOT asset.lastCheckedIn:[now-30d .. now-2s].
Find assets with last check in within the last 30 days, excluding day 30.
asset.lastCheckedIn: >now-30d
Find assets with last check in within the last 30 days, including day 30.
asset.lastCheckedIn: >=now-30d
Find assets with last check in which is older than last 30 days excluding day 30.
asset.lastCheckedIn: <now-30d
Find assets with last check in which is older than last 30 days including day 30
asset.lastCheckedIn: <=now-30d
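The range forms above (a bracketed `[from .. to]` window, a bare date, and the `<`, `<=`, `>`, `>=` operators with `now-…` offsets) are easiest to reason about by evaluating them against a few known timestamps. The following is an added example and not Qualys code; it assumes relative units s, m, h, d, w and M (with M taken as 30 days), that a bare quoted date selects that whole UTC day, and that `[a .. b]` is inclusive at both ends. The constructed check-in list is chosen so one agent sits exactly on the 30-day boundary and one checked in a second ago, which makes the difference between `<now-30d` and `NOT [now-30d .. now-2s]` from the note above visible.

```python
# Added example (not Qualys code): offline evaluator for the date-range
# expressions used with tokens such as asset.lastCheckedIn.
# Assumptions (the page does not document exact semantics):
#   - relative units: s, m, h, d, w, M (M taken here as 30 days)
#   - a bare date such as '2020-02-11' means that whole UTC day
#   - [a .. b] is inclusive at both ends
import operator
import re
from datetime import datetime, timedelta, timezone

# Fixed reference clock so results are deterministic (constructed value).
NOW = datetime(2020, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

UNITS = {
    "s": timedelta(seconds=1), "m": timedelta(minutes=1), "h": timedelta(hours=1),
    "d": timedelta(days=1), "w": timedelta(weeks=1),
    "M": timedelta(days=30),  # assumption: one month = 30 days
}
_RELATIVE = re.compile(r"^now(?:([+-])(\d+)([smhdwM]))?$")
_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}


def resolve(point, now=NOW):
    """Turn 'now', 'now-30d', or a (possibly quoted) ISO date into a datetime."""
    point = point.strip().strip("'\"")
    m = _RELATIVE.match(point)
    if m:
        sign, count, unit = m.groups()
        if sign is None:
            return now
        delta = UNITS[unit] * int(count)
        return now + delta if sign == "+" else now - delta
    return datetime.fromisoformat(point).replace(tzinfo=timezone.utc)


def matches(expr, ts, now=NOW):
    """True if timestamp ts satisfies one range expression from the page."""
    expr = expr.strip()
    if expr.startswith("[") and expr.endswith("]"):
        lo, hi = expr[1:-1].split("..")
        return resolve(lo, now) <= ts <= resolve(hi, now)
    for op in (">=", "<=", ">", "<"):  # two-character operators first
        if expr.startswith(op):
            return _OPS[op](ts, resolve(expr[len(op):], now))
    day = resolve(expr, now)  # a single date selects that whole day
    return day <= ts < day + timedelta(days=1)


# Constructed sample check-ins, placed on each side of the 30-day boundary
# and inside the trailing 2-second window of the NOT-range form.
CHECKINS = [
    ("old-box", NOW - timedelta(days=45)),
    ("boundary", NOW - timedelta(days=30)),   # exactly now-30d
    ("recent-box", NOW - timedelta(days=5)),
    ("just-now", NOW - timedelta(seconds=1)),
]


def hosts_matching(expr, checkins=CHECKINS, now=NOW):
    """Names of agents whose last check-in satisfies the range expression."""
    return [name for name, ts in checkins if matches(expr, ts, now)]


def hosts_not_in_range(expr, checkins=CHECKINS, now=NOW):
    """Models NOT <range>: every agent the range does not select."""
    return [name for name, ts in checkins if not matches(expr, ts, now)]


if __name__ == "__main__":
    print("<now-30d                ->", hosts_matching("<now-30d"))
    print("<=now-30d               ->", hosts_matching("<=now-30d"))
    print(">now-30d                ->", hosts_matching(">now-30d"))
    print(">=now-30d               ->", hosts_matching(">=now-30d"))
    print("NOT [now-30d .. now-2s] ->", hosts_not_in_range("[now-30d .. now-2s]"))
```

Running it shows that `<now-30d` returns only `old-box`, while `NOT [now-30d .. now-2s]` also returns `just-now`, because anything that checked in during the last two seconds falls outside the negated window. That is the reason the note above recommends the `<now-30d` form when the goal is stale agents.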
Use quotes or backticks within values to help you find the asset name you are looking for.
Examples
Show any findings related to name
asset.name: QK2K12QP3-65-53
Show any findings that contain parts of name
asset.name: "QK2K12QP3-65-53"
Show any findings that match exact value "QK2K12QP3-65-53"
asset.name: `QK2K12QP3-65-53`
asset.netbiosName
Use a text value ##### to define the NetBIOS name you are interested in.
Examples
Show the asset with this name
asset.netbiosName: VISTASP2-24-208
asset.system.lastBoot
Use a date range or a specific date to define when assets were last booted.
Examples
Show assets last booted within certain dates
asset.system.lastBoot: [2016-01-01 .. 2016-01-10]
Show assets last booted starting 2015-10-01, ending 1 month ago
asset.system.lastBoot: [2015-10-01 .. now-1M]
Show assets last booted starting 2 weeks ago, ending 1 second ago
asset.system.lastBoot: [now-2w .. now-1s]
Show assets last booted on a specific date
asset.system.lastBoot:'2016-01-08'
Use the tag ID to find events having a certain asset tag.
Examples
Show any findings related to this tag ID
asset.tag.id: 7701016
Use a text value ##### to find events with certain asset tag.
Example
Show assets with this tag name:
asset.tag.name: `cloud agent`
Use a date range or specific date to define when assets were updated (i.e., when re-scanned by a scanner appliance, or when host data was uploaded to the Qualys Enterprise TruRisk™ Platform by an agent).
Examples
Show assets updated within certain dates
asset.updated: [2016-01-01 .. 2016-01-10]
Show assets updated starting 2015-10-01, ending 3 months ago
asset.updated: [2015-10-01 .. now-3M]
Show assets updated starting 2 weeks ago, ending 1 second ago
asset.updated: [now-2w .. now-1s]
Show assets updated on a specific date
asset.updated:'2016-01-10'
asset.interfaces.address
Use a text value ##### to define an IP address (IPv4 or IPv6) you're interested in.
Examples
Show events on the asset with IPv4 address
asset.interfaces.address: 10.10.100.20
Show events on the asset with IPv6 address (enclose value in single quotes)
asset.interfaces.address: 'fe80:0:0:0:2501:b53c:4139:404b'
asset.interfaces.hostname
Use quotes or backticks within values to help you find the hostname you are looking for.
Examples
Show any findings related to the name
asset.interfaces.hostname: xpsp2-jp-26-111
Show any findings that contain parts of the name
asset.interfaces.hostname: "xpsp2-jp-26-111"
Show any findings that match the exact value "xpsp2-jp-26-111"
asset.interfaces.hostname: `xpsp2-jp-26-111`
Show any findings related to the name (match super domains)
asset.interfaces.hostname: qcentos71sqp3.rdlab.acme.com
Show any findings that match the exact value "qcentos71sqp3.rdlab.acme.com"
asset.interfaces.hostname: `qcentos71sqp3.rdlab.acme.com`
asset.interfaces.interfaceName
Use a text value ##### to help you find a certain interface name.
Example
Show events on the asset with the interface name PRO/1000
asset.interfaces.interfaceName: PRO/1000
asset.interfaces.macAddress
Use a text value ##### to define a MAC address you are interested in.
Example
Show events on the asset with this MAC address
asset.interfaces.macAddress: 00-50-56-A9-73-5A
asset.lastLoggedOnUser
Use a text value ##### to help you find assets last logged into by a user of interest.
Example
Show events on the asset that was last logged into by user asmith
asset.lastLoggedOnUser: asmith
Search for files that have been converted to baseline. Select 'True' or 'False' from the drop-down menu.
Example
Show files that have been marked as baseline:
file.baseline: true
Use a text value ##### to define the file integrity event class of interest (Disk or Registry).
Example
Show events for changes on disk
event.class: Disk
event.commandExecuted
Use a text value #### to get an executed command that resulted in the FIM event occurrence.
Example
event.commandExecuted: chmod 555 log.txt
container.image.name
Use this token to get the container events for the given image name. The container image name is displayed on the Event Detail page, indicating the source of generated events.
Example
container.image.name: ip-10-82-9-210
container.nodeName
Use this token to get the container events for the given node name. The container node name is displayed on the Event Detail page, indicating where the image is running.
Example
container.nodeName: nginx
container.image.sha
Use this token to get the container events for the container with the given SHA.
Example
container.image.sha: 4498aa02f0636df72cf9714c75db0de089709f29d939867ffd29f3f5203f8253
Use this token to get the FIM events from the selected source. Token values: agent, scanner, and runtime_sensor
Example
Show the FIM events from Cloud Agent.
event.source: agent
Use this token to search events using the host type. Token values are: Network Device and Database.
This token is applicable only to the Scan Based events.
Example
Show events from databases.
event.hostType: Database
file.attribute.archive
Use a token value Added or Removed to get all the attribute events where the archive attribute has been modified for file/folder.
Example
file.attribute.archive: Added
file.attribute.compressed
Use a token value Added or Removed to get all the attribute events where the compressed attribute has been modified for file/folder.
Example
file.attribute.compressed: Added
file.attribute.encrypted
Use a token value Added or Removed to get all the attribute events where the encrypted attribute has been modified for file/folder.
Example
file.attribute.encrypted: Added
file.attribute.hidden
Use a token value Added or Removed to get all the attribute events where the hidden attribute has been modified for file/folder.
Example
file.attribute.hidden: Added
file.attribute.notContentIndexed
Use a token value Added or Removed to get all the attribute events where the notContentIndexed attribute has been modified for a file/folder.
Example
file.attribute.notContentIndexed: Added
file.attribute.readonly
Use a token value Added or Removed to get all the attribute events where the readonly attribute has been modified for file/folder.
Example
file.attribute.readonly: Added
Use a text value ##### to define the full path to the file that you want to monitor for file integrity.
Example
Show events with the file at this path
file.fullPath: C:\Windows\System32\LogFiles\qagent33_log.txt
Use an alpha-numeric value ##### to define the hash value of a file.
Example
Show events based on hash values calculated for file creation or content modification activities performed under your monitoring scope.
file.hash:45a565adc2535484070ba596c9e106243a58d6dfc3bd470a88774dfffa900369
Use a text value ##### to define the file name that you want to monitor for integrity.
Example
Show events on the file with this name
file.name: qagent33_log.txt
Use a text value ##### to define the event ID.
Example
Show the event with this event ID
event.id: 3b8c2708-55ee-33eb-942c-aead057dd753
Use a text value ##### to define the platform (Windows, Linux, or Unix).
Example
Show events for the platform Linux
agent.platform: Linux
profile.category
Use a text value ##### to find the monitoring profile category related to the file integrity event.
Example
Show events matching a monitoring profile with the profile category PCI
profile.category: PCI
Use a text value ##### to find the monitoring profile name related to the file integrity event.
Example
Show events matching the monitoring profile with this name
profile.name: PCI Monitoring Profile
profile.rule.description
Use a text value ##### to define a profile rule description of interest.
Example
Show events matching this profile rule description
profile.rule.description: My Profile Rule
profile.rule.id
Use an integer value ##### to define a profile rule ID of interest.
Example
Show events matching this profile rule ID
profile.rule.id: 12345
profile.rule.name
Use a text value ##### to find the monitoring profile rule name related to the file integrity event.
Example
Show the events matching this profile rule name
profile.rule.name: rule01
profile.rule.type
Use one of the token values to get events based on a profile rule type.
The token values are directory, file, key, symlink, value.
Examples
Show the events based on the profile rule type as directory
profile.rule.type: directory
Show the Linux events of type symlink
profile.rule.type: symlink
registryKey.name
Use a text value ##### to find the registry key name related to the registry key integrity event.
Example
Show events matching the registry key with this name
registryKey.name: `QualysAgent.exe`
registryKey.path
Use a text value ##### to define the path of the registry key affected by the key integrity event.
Example
Show events with key at this path
registryKey.path: `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QualysAgent.exe`
file.reputationStatus
Select a reputation to find events with this reputation.
Token values: SUSPICIOUS, MALICIOUS, KNOWN, UNKNOWN, UNAVAILABLE
Example
Show events where the reputation is Malicious
file.reputationStatus: `MALICIOUS`
Use the script name to find the events related to the database.
Example
Show events related to the database change using the script name.
script.name: Monitor Database Events
Select an event.severity value (1-5) to find events with this severity. Select from values in the drop-down menu.
Example
Show events with severity 5
event.severity: 5
event.successStatus
Use a text value ##### to find the success status of events.
Example
event.successStatus: `yes`
Use a text value ##### to define the file integrity event type (File or Directory or Key or Value).
Example
Show events with event type as File
event.type: File
file.trustStatus
Select a status to find events with a trustStatus. Select from values in the drop-down menu: TRUSTED, UNAVAILABLE
Example
Show events where the file trustStatus is TRUSTED
file.trustStatus: `TRUSTED`
Use the integer value ##### to fetch scan-based events for the given qid.
Example
Show events with given finding.qid
finding.qid: '45601'
Use a boolean query to express your query using AND logic.
Example
Show events with Write event.action performed by user ID akim
event.action: Write and actor.userId: akim
Use a boolean query to express your query using NOT logic.
Example
Show events for assets that don't have Windows operating system
not asset.operatingSystem: windows
Use a boolean query to express your query using OR logic.
Example
Show events for assets with one of these operating systems
asset.operatingSystem: windows or asset.operatingSystem: linux
Show events for assets with operating system name "Windows 2012" or "Windows 7 Ultimate Service Pack 1"
operatingSystem: `Windows 2012` or operatingSystem: `Windows 7 Ultimate Service Pack 1`