Event Search Tokens in VMDR OT
On the Monitoring > Events tab, use the following tokens to search the events. Build your search queries by combining these tokens with the Boolean operators described below.
Supported Boolean Operators
The Qualys Query Language (QQL) supports the following logical or Boolean query operators. Use these operators in your queries to narrow down or broaden your search.
Narrow down your search by using the 'and' operator in your Boolean query. The result contains all the token values that you provide in your query.
Example
Show the events with the following category and class
event.category:`Process Integrity` and event.class:`OT`
Narrow down your search by using the 'not' operator in your Boolean query. The result contains all the other values except the one that you specify after 'not' in your query.
Example
Show the event that does not have the class OT
not event.class:`OT`
Broaden your search by using the 'or' operator in your Boolean query. The result contains any of the token values that you provide in your query.
Examples
Show the events that match either the category or the class.
event.category:`Process Integrity` or event.class:`OT`
Event Search Tokens
event.category
Use this token to search events by their category.
Example
Show events in the Process Integrity category.
event.category:`Process Integrity`
event.class
Use this token to search events by their class. Accepted values are OT or None.
Example
Show events with the class OT.
event.class:`OT`
event.detail
Use this token to search events based on the event detail.
Example
Show events with detail I/O force disabled.
event.detail:`I/O force disabled`
Show events with detail Upload executable object.
event.detail:`Upload executable object`
event.lastDetectedDate
Use this token to search events by their last detected timestamp. The value is in epoch time.
Example
Show events detected at a specific time.
event.lastDetectedDate:"2025-06-10"
event.impactedAsset.address
Use this token to search events based on the impacted asset’s IP address.
Example
Show events for the impacted asset with IP 192.0.2.0.
event.impactedAsset.address:"192.0.2.0"
Show events for the impacted asset with IP 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff.
event.impactedAsset.address:"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
event.impactedAsset.id
Use this token to search events by the impacted asset’s ID.
Example
Show events for the impacted asset with the given asset ID.
event.impactedAsset.id:"a14e957e-3ec5-453c-b811-e423b012d0d3"
event.impactedAsset.macAddress
Use this token to search events by the impacted asset’s MAC address.
Example
Show events for the impacted asset with the given MAC address.
event.impactedAsset.macAddress:"66:7D:66:FF:CB:B6"
event.impactedAsset.hostname
Use this token to search events by the impacted asset’s hostname.
Example
Show events for the impacted asset with the given hostname.
event.impactedAsset.hostname:`host7936`
event.remoteAsset.address
Use this token to search events by the remote asset’s IP address.
Example
Show events for the remote asset with IP 192.0.2.0.
event.remoteAsset.address:"192.0.2.0"
Show events for the remote asset with IP 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff.
event.remoteAsset.address:"2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"
event.remoteAsset.id
Use this token to search events by the remote asset’s unique ID.
Example
Show events for the remote asset with the given asset ID.
event.remoteAsset.id:"a14e957e-3ec5-453c-b811-e423b012d0d3"
event.remoteAsset.macAddress
Use this token to search events by the remote asset’s MAC address.
Example
Show events for the remote asset with the given MAC address.
event.remoteAsset.macAddress:"66:7D:66:FF:CB:B6"
event.remoteAsset.hostname
Use this token to search events by the remote asset’s hostname.
Example
Show events for the remote asset with the given hostname.
event.remoteAsset.hostname:`host7936`
event.operation
Use this token to search events by the operation type related to the event.
Example
Show events with the IO Forcing operation.
event.operation:`IO Forcing`
Show events with the Configuration Upload operation.
event.operation:`Configuration Upload`
event.protocol
Use this token to search events based on the network protocol associated with the event.
Example
Show events using the cip protocol.
event.protocol:`cip`
Show events using the s7comm protocol.
event.protocol:`s7comm`
event.port
Use this token to search events based on the port number associated with the event.
Example
Show events on port 55556.
event.port:`55556`
event.transport.protocol
Use this token to search events based on the transport protocol associated with the event.
Example
Show events using the TCP protocol.
event.transport.protocol:`tcp`
event.severity
Use this token to search events by severity level. Common values include low, moderate, high, or critical.
Example
Show events with low severity.
event.severity:`low`
Show events with critical severity.
event.severity:`critical`
event.modbus.functionCode
Use this token to search Modbus events based on the function code used in the operation.
Example
Show Modbus events with the function code 15.
event.modbus.functionCode:`15`
event.modbus.objectData.address
Use this token to search Modbus events based on the Modbus address accessed during the event.
Example
Show Modbus events with the address 40001.
event.modbus.objectData.address:"40001"
event.modbus.objectData.value
Use this token to search Modbus events based on the value read or written at a specific Modbus address.
Example
Show Modbus events with object data value 12.
event.modbus.objectData.value:`12`
event.modbus.objectType
Use this token to search Modbus events based on the type of Modbus object involved in the event.
Supported values: Coil, Holding Register
Example
Show Modbus events with object type Coil.
event.modbus.objectType:`Coil`
Alert Specific Event Tokens
The following tokens can be used only for alert creation:
If a token value contains a colon (:) character, enclose the value in double quotes ("...").
impactedAsset.riskScore
Use this token to search events by the risk score of the impacted asset.
Example
Show events where the impacted asset has a risk score of 9.
impactedAsset.riskScore: 9
Show events where the impacted asset's risk score is not yet calculated.
impactedAsset.riskScore is null
Show events where the impacted asset has a valid risk score.
not impactedAsset.riskScore is null
impactedAsset.firmwareVersion
Use this token to search events by the firmware version of the impacted asset.
Example
Find events related to a specific firmware version.
impactedAsset.firmwareVersion: "2.1.0"
impactedAsset.software.version
Use this token to search events by the software version running on the impacted asset.
Example
Find events associated with a specific software version.
impactedAsset.software.version: "5.4.3"
impactedAsset.name
Use this token to search events by the name of the impacted asset.
Example
Find events affecting a specific asset.
impactedAsset.name: "PLC-Unit-01"
impactedAsset.importance
Use this token to search events by the business importance of the impacted asset.
Example
Find events affecting business-critical assets.
impactedAsset.importance: "High"
impactedAsset.createdDate
Use this token to search events by the creation date of the impacted asset.
Example
Find events for assets created on a specific date.
impactedAsset.createdDate: "2023-06-10"
impactedAsset.lastUpdatedDate
Use this token to search events by the last updated date of the impacted asset.
Example
Find events for assets updated recently.
impactedAsset.lastUpdatedDate: "2025-01-15"
impactedAsset.type
Use this token to search events by the asset type of the impacted asset.
Example
Find events affecting a specific type of asset.
impactedAsset.type: "Controller"
impactedAsset.hardware.model
Use this token to search events by the hardware model of the impacted asset.
Example
Find events related to a specific hardware model.
impactedAsset.hardware.model: "S7-1500"
impactedAsset.hardware.type
Use this token to search events by the hardware type of the impacted asset.
Example
Find events affecting a specific hardware type.
impactedAsset.hardware.type: "PLC"
impactedAsset.hardware.category2
Use this token to search events by the secondary hardware category of the impacted asset.
Example
Find events associated with a specific secondary hardware category.
impactedAsset.hardware.category2: "Automation"
impactedAsset.inventory.sensorID
Use this token to search events by the sensor ID that discovered the impacted asset.
Example
Find events detected by a specific sensor.
impactedAsset.inventory.sensorID: "SNS-2201"
impactedAsset.vulnerability.count
Use this token to search events by the number of vulnerabilities detected on the impacted asset.
Example
Find events affecting assets with multiple vulnerabilities.
impactedAsset.vulnerability.count: "12"
impactedAsset.state
Use this token to search events by the state of the impacted asset.
Example
Find events for assets in a specific state.
impactedAsset.state: "Active"
impactedAsset.discovery.protocol
Use this token to search events by the discovery protocol used for the impacted asset.
Example
Find events for assets discovered using a specific protocol.
impactedAsset.discovery.protocol: "SNMP"
impactedAsset.serialNumber
Use this token to search events by the serial number of the impacted asset.
Example
Find events for a specific device serial number.
impactedAsset.serialNumber: "SN-998877"
impactedAsset.orderId
Use this token to search events by the order ID associated with the impacted asset.
Example
Find events related to a specific order.
impactedAsset.orderId: "ORD-33012"
impactedAsset.hardware.version
Use this token to search events by the hardware version of the impacted asset.
Example
Find events associated with a specific hardware version.
impactedAsset.hardware.version: "v3.2"
impactedAsset.hardware.category
Use this token to search events by the hardware category of the impacted asset.
Example
Find events affecting assets in a specific hardware category.
impactedAsset.hardware.category: "Industrial Controller"
impactedAsset.hardware.category1
Use this token to search events by the primary hardware category of the impacted asset.
Example
Find events associated with a primary hardware classification.
impactedAsset.hardware.category1: "Controller"
impactedAsset.purdueLevel
Use this token to search events by the Purdue level assigned to the impacted asset.
Example
Find events affecting assets at a specific Purdue level.
impactedAsset.purdueLevel: "Level 2"
impactedAsset.hardware.mapped
Search for events affecting assets with catalogued or uncatalogued hardware information. Select Cataloged or Uncataloged as the token value.
Example
Find events for assets where hardware mapping information is cataloged.
impactedAsset.hardware.mapped: "Cataloged"
impactedAsset.isModified
Use this token to search events by the modification status of the impacted asset.
Example
Find events for assets that have not been modified.
impactedAsset.isModified: "false"
impactedAsset.lastModifiedDate
Use this token to search events by the last modified date of the impacted asset.
Example
Find events for assets modified on a specific date.
impactedAsset.lastModifiedDate: "2025-01-18"
impactedAsset.inventory.source
Use this token to search events by the inventory source of the impacted asset.
Example
Find events for assets discovered from a specific inventory source.
impactedAsset.inventory.source: "Passive"
impactedAsset.inventory.fileHash
Use this token to search events by the inventory file hash of the impacted asset.
Example
Find events related to a specific inventory file hash.
impactedAsset.inventory.fileHash: "c9d0c6e534b51a733ff64e1fd3c4141"
impactedAsset.inventory.filename
Use this token to search events by the inventory file name of the impacted asset.
Example
Find events for a specific inventory file.
impactedAsset.inventory.filename: "Germany_Plant_1"
impactedAsset.tag.id
Use this token to search events by the tag ID assigned to the impacted asset.
Example
Find events associated with a specific tag ID.
impactedAsset.tag.id: "38970492"
impactedAsset.tag.name
Use this token to search events by the tag name assigned to the impacted asset.
Example
Find events associated with a specific tag.
impactedAsset.tag.name: "Critical-OT"
impactedAsset.tag.businessImpact
Use this token to search events by the business impact defined for the impacted asset tag.
Example
Find events affecting assets with high business impact.
impactedAsset.tag.businessImpact: "High"
impactedAsset.hardware.manufacturer
Use this token to search events by the hardware manufacturer of the impacted asset.
Example
Find events affecting assets from a specific manufacturer.
impactedAsset.hardware.manufacturer: "Siemens"
impactedAsset.passiveSensor.id
Use this token to search events by the passive sensor ID associated with the impacted asset.
Example
Find events detected by a specific passive sensor.
impactedAsset.passiveSensor.id: "032589611212:1638792150:574815:701:1638792150:574815:701"
impactedAsset.passiveSensor.name
Use this token to search events by the passive sensor name associated with the impacted asset.
Example
Find events monitored by a specific passive sensor.
impactedAsset.passiveSensor.name: "OT-Passive-Sensor-01"
impactedAsset.passiveSensor.location
Use this token to search events by the location of the passive sensor monitoring the impacted asset.
Example
Find events monitored at a specific location.
impactedAsset.passiveSensor.location: "Plant Floor"
impactedAsset.hardware.class
Use this token to search events by the hardware class of the impacted asset.
Example
Find events affecting assets with the hardware class OT.
impactedAsset.hardware.class: "OT"
impactedAsset.hasModules
Use this token to search events by whether the impacted asset has enabled modules.
Example
Find events for assets with enabled modules.
impactedAsset.hasModules: "true"
impactedAsset.hasAddOns
Use this token to search events by whether the impacted asset has add-ons installed.
Example
Find events for assets with add-ons.
impactedAsset.hasAddOns: "false"
impactedAsset.addOn.hardware.model
Use this token to search events by the hardware model of an add-on connected to the impacted asset.
Example
Find events related to a specific add-on hardware model.
impactedAsset.addOn.hardware.model: "Expansion-Module-X2"
impactedAsset.addOn.hardware.manufacturer
Use this token to search events by the hardware manufacturer of an add-on connected to the impacted asset.
Example
Find events involving add-ons from a specific manufacturer.
impactedAsset.addOn.hardware.manufacturer: "Schneider Electric"
impactedAsset.addOn.hardware.category2
Use this token to search events by the secondary hardware category of an add-on connected to the impacted asset.
Example
Find events related to add-ons of a specific hardware category.
impactedAsset.addOn.hardware.category2: "I/O Module"
impactedAsset.addOn.firmwareVersion
Use this token to search events by the firmware version of an add-on connected to the impacted asset.
Example
Find events associated with a specific add-on firmware version.
impactedAsset.addOn.firmwareVersion: "1.4.2"
impactedAsset.addOn.lastScanDate
Use this token to search events by the last scan date of an add-on connected to the impacted asset.
Example
Find events for add-ons scanned on a specific date.
impactedAsset.addOn.lastScanDate: "2025-01-12"
impactedAsset.addOn.orderId
Use this token to search events by the order ID of an add-on connected to the impacted asset.
Example
Find events related to a specific add-on order.
impactedAsset.addOn.orderId: "ADD-45091"
impactedAsset.addOn.serialNumber
Use this token to search events by the serial number of an add-on connected to the impacted asset.
Example
Find events associated with a specific add-on serial number.
impactedAsset.addOn.serialNumber: "ASN-771245"
impactedAsset.addOn.slaveAddress
Use this token to search events by the slave address of an add-on connected to the impacted asset.
Example
Find events involving add-ons with a specific slave address.
impactedAsset.addOn.slaveAddress: "0x00000004#39"
impactedAsset.addOn.unitAddress
Use this token to search events by the unit address of an add-on connected to the impacted asset.
Example
Find events involving add-ons with a specific unit address.
impactedAsset.addOn.unitAddress: "2"
impactedAsset.finding.hardware.type
Use this token to search events by the hardware type identified in a finding on the impacted asset.
Example
Find events involving a specific hardware type.
impactedAsset.finding.hardware.type: "Controller"
impactedAsset.finding.vulnerability.category
Use this token to search events by the vulnerability category identified in a finding on the impacted asset.
Example
Find events related to a specific vulnerability category.
impactedAsset.finding.vulnerability.category: "Configuration"
impactedAsset.finding.typeDetected
Use this token to search events based on the vulnerability type detected on the impacted asset. Select the type from the available options (Confirmed, Information, Potential).
Example
Find events where a specific vulnerability type was detected.
impactedAsset.finding.typeDetected: "Confirmed"
impactedAsset.finding.asset.type
Use this token to search events by the asset type associated with a finding on the impacted asset.
Example
Find events affecting a specific asset type.
impactedAsset.finding.asset.type: "PLC"
impactedAsset.finding.status
Use this token to search events based on the vulnerability status detected on the impacted asset. Choose the status from the available options (ACTIVE, FIXED, NEW, REOPENED).
Example
Find events with a vulnerability finding in a specific status.
impactedAsset.finding.status: "NEW"
impactedAsset.finding.asset.id
Use this token to search events by the asset ID associated with a finding on the impacted asset.
Example
Find events related to a specific asset ID.
impactedAsset.finding.asset.id: "56863af6-301e-3788-aa95-95b5f844ad2a"
impactedAsset.finding.vulnerability.qid
Use this token to search events by the vulnerability QID identified in a finding on the impacted asset.
Example
Find events related to a specific vulnerability QID.
impactedAsset.finding.vulnerability.qid: "150321"
impactedAsset.finding.vulnerability.cveId
Use this token to search events by the CVE ID identified in a finding on the impacted asset.
Example
Find events associated with a specific CVE.
impactedAsset.finding.vulnerability.cveId: "CVE-2024-41235"
impactedAsset.finding.vulnerability.isPatchAvailable
Use this token to search events by patch availability for the vulnerability identified on the impacted asset.
Example
Find events where no patch is available for the vulnerability.
impactedAsset.finding.vulnerability.isPatchAvailable: "false"
impactedAsset.finding.vulnerability.title
Use this token to search events by the vulnerability title identified in a finding on the impacted asset.
Example
Find events related to a specific vulnerability.
impactedAsset.finding.vulnerability.title: "Weak Authentication"
impactedAsset.finding.severity
Use this token to search events by the severity of a finding on the impacted asset.
Example
Find events with high-severity findings.
impactedAsset.finding.severity: "High"
impactedAsset.finding.firstFoundDate
Use this token to search events by the first detection date of a finding on the impacted asset.
Example
Find events where a finding was first detected on a specific date.
impactedAsset.finding.firstFoundDate: "2024-06-01"
impactedAsset.finding.lastFoundDate
Use this token to search events by the most recent detection date of a finding on the impacted asset.
Example
Find events where a finding was detected recently.
impactedAsset.finding.lastFoundDate: "2025-01-09"
impactedAsset.finding.asset.name
Use this token to search events by the asset name associated with a finding on the impacted asset.
Example
Find events related to a specific asset.
impactedAsset.finding.asset.name: "PLC-Unit-01"
impactedAsset.finding.firmware
Use this token to search events by the firmware identified in a finding on the impacted asset.
Example
Find events associated with a specific firmware.
impactedAsset.finding.firmware: "v4.0.1"
impactedAsset.finding.hardware.version
Use this token to search events by the hardware version identified in a finding on the impacted asset.
Example
Find events associated with a specific hardware version.
impactedAsset.finding.hardware.version: "v2.3"
impactedAsset.finding.hardware.product
Use this token to search events by the hardware product identified in a finding on the impacted asset.
Example
Find events related to a specific hardware product.
impactedAsset.finding.hardware.product: "ControlLogix"
impactedAsset.finding.hardware.model
Use this token to search events by the hardware model identified in a finding on the impacted asset.
Example
Find events involving a specific hardware model.
impactedAsset.finding.hardware.model: "1756-L83E"
impactedAsset.finding.protocol
Use this token to search events by the protocol identified in a finding on the impacted asset.
Example
Find events detected over a specific protocol.
impactedAsset.finding.protocol: "Modbus/TCP"
impactedAsset.finding.hardware.manufacturer
Use this token to search events by the hardware manufacturer identified in a finding on the impacted asset.
Example
Find events affecting devices from a specific manufacturer.
impactedAsset.finding.hardware.manufacturer: "Rockwell Automation"
impactedAsset.finding.vulnerability.vendorName
Use this token to search events by the vendor name associated with the vulnerability identified on the impacted asset.
Example
Find events related to vulnerabilities from a specific vendor.
impactedAsset.finding.vulnerability.vendorName: "Siemens"
impactedAsset.finding.vulnerability.threatIntel
Use this token to search events by threat intelligence context associated with the vulnerability identified on the impacted asset.
Example
Find events involving vulnerabilities with known threat intelligence.
impactedAsset.finding.vulnerability.threatIntel: "Known Exploit"
impactedAsset.finding.vulnerability.criticality
Use this token to search events by the criticality assigned to the vulnerability identified on the impacted asset.
Example
Find events involving high-criticality vulnerabilities.
impactedAsset.finding.vulnerability.criticality: "Critical"
remoteAsset.riskScore
Use this token to search events by the risk score of the remote asset.
Example
Show events where the remote asset has a risk score of 9.
remoteAsset.riskScore: 9
Show events where the remote asset's risk score is not yet calculated.
remoteAsset.riskScore is null
Show events where the remote asset has a valid risk score.
not remoteAsset.riskScore is null
remoteAsset.firmwareVersion
Use this token to search events by the firmware version of the remote asset.
Example
Find events related to a specific firmware version.
remoteAsset.firmwareVersion: "3.1.4"
remoteAsset.software.version
Use this token to search events by the software version running on the remote asset.
Example
Find events associated with a specific software version.
remoteAsset.software.version: "6.0.2"
remoteAsset.name
Use this token to search events by the name of the remote asset.
Example
Find events involving a specific remote asset.
remoteAsset.name: "HMI-Panel-02"
remoteAsset.importance
Use this token to search events by the business importance of the remote asset.
Example
Find events for remote assets with a specific business importance.
remoteAsset.importance: "Medium"
remoteAsset.createdDate
Use this token to search events by the creation date of the remote asset.
Example
Find events for remote assets created on a specific date.
remoteAsset.createdDate: "2023-09-05"
remoteAsset.lastUpdatedDate
Use this token to search events by the last updated date of the remote asset.
Example
Find events for remote assets updated recently.
remoteAsset.lastUpdatedDate: "2025-01-10"
remoteAsset.type
Use this token to search events by the asset type of the remote asset.
Example
Find events affecting a specific type of remote asset.
remoteAsset.type: "HMI"
remoteAsset.hardware.vendor
Use this token to search events by the hardware vendor of the remote asset.
Example
Find events affecting devices from a specific vendor.
remoteAsset.hardware.vendor: "Schneider Electric"
remoteAsset.hardware.model
Use this token to search events by the hardware model of the remote asset.
Example
Find events related to a specific remote hardware model.
remoteAsset.hardware.model: "TP1200"
remoteAsset.hardware.type
Use this token to search events by the hardware type of the remote asset.
Example
Find events affecting a specific hardware type.
remoteAsset.hardware.type: "HMI"
remoteAsset.hardware.category2
Use this token to search events by the secondary hardware category of the remote asset.
Example
Find events associated with a specific secondary hardware category.
remoteAsset.hardware.category2: "Operator Interface"
remoteAsset.inventory.sensorID
Use this token to search events by the sensor ID that discovered the remote asset.
Example
Find events detected by a specific sensor.
remoteAsset.inventory.sensorID: "032589611212:1638792150:574815:701:1638792150:574815:701"
remoteAsset.vulnerability.count
Use this token to search events by the number of vulnerabilities detected on the remote asset.
Example
Find events affecting remote assets with multiple vulnerabilities.
remoteAsset.vulnerability.count: "7"
remoteAsset.state
Use this token to search events by the state of the remote asset.
Example
Find events for remote assets in a specific state.
remoteAsset.state: "Active"
remoteAsset.discovery.protocol
Use this token to search events by the discovery protocol used for the remote asset.
Example
Find events for assets discovered using a specific protocol.
remoteAsset.discovery.protocol: "SNMP"
remoteAsset.serialNumber
Use this token to search events by the serial number of the remote asset.
Example
Find events for a specific device serial number.
remoteAsset.serialNumber: "RSN-554433"
remoteAsset.orderId
Use this token to search events by the order ID associated with the remote asset.
Example
Find events related to a specific order.
remoteAsset.orderId: "ORD-88421"
remoteAsset.hardware.version
Use this token to search events by the hardware version of the remote asset.
Example
Find events associated with a specific hardware version.
remoteAsset.hardware.version: "v1.9"
remoteAsset.hardware.category
Use this token to search events by the hardware category of the remote asset.
Example
Find events affecting a specific hardware category.
remoteAsset.hardware.category: "Industrial Device"
remoteAsset.hardware.category1
Use this token to search events by the primary hardware category of the remote asset.
Example
Find events associated with a primary hardware classification.
remoteAsset.hardware.category1: "HMI"
remoteAsset.purdueLevel
Use this token to search events by the Purdue level assigned to the remote asset.
Example
Find events affecting assets at a specific Purdue level.
remoteAsset.purdueLevel: "Level 1"
remoteAsset.hardware.mapped
Search the events for assets whose hardware information is catalogued or uncatalogued. Select Cataloged or Uncataloged as the token value.
Example
Find events for assets with the following hardware mapping information.
remoteAsset.hardware.mapped: "Cataloged"
remoteAsset.isModified
Use this token to search events by the modification status of the remote asset.
Example
Find events for remote assets that have not been modified.
remoteAsset.isModified: "false"
remoteAsset.lastModifiedDate
Use this token to search events by the last modified date of the remote asset.
Example
Find events for assets modified on a specific date.
remoteAsset.lastModifiedDate: "2025-01-22"
remoteAsset.inventory.source
Use this token to search events by the inventory source of the remote asset.
Example
Find events for assets discovered from a specific inventory source.
remoteAsset.inventory.source: "Passive"
remoteAsset.inventory.fileHash
Use this token to search events by the inventory file hash of the remote asset.
Example
Find events related to a specific inventory file hash.
remoteAsset.inventory.fileHash: "c9d0c6e534b51a733ff64e1fd3c4141"
remoteAsset.inventory.filename
Use this token to search events by the inventory file name of the remote asset.
Example
Find events for a specific inventory file.
remoteAsset.inventory.filename: "Germany_Plant_1"
remoteAsset.tag.id
Use this token to search events by the tag ID assigned to the remote asset.
Example
Find events associated with a specific tag ID.
remoteAsset.tag.id: "38970492"
remoteAsset.tag.name
Use this token to search events by the tag name assigned to the remote asset.
Example
Find events associated with a specific tag.
remoteAsset.tag.name: "Remote-Zone"
remoteAsset.tag.businessImpactremoteAsset.tag.businessImpact
Use this token to search events by the business impact defined for the remote asset tag.
Example
Find events affecting assets with a specific business impact level.
remoteAsset.tag.businessImpact: "Medium"
remoteAsset.hardware.manufacturer
Use this token to search events by the hardware manufacturer of the remote asset.
Example
Find events affecting devices from a specific manufacturer.
remoteAsset.hardware.manufacturer: "Honeywell"
remoteAsset.passiveSensor.id
Use this token to search events by the passive sensor ID associated with the remote asset.
Example
Find events detected by a specific passive sensor.
remoteAsset.passiveSensor.id: "032589611212:1638792150:574815:701:1638792150:574815:701"
remoteAsset.passiveSensor.name
Use this token to search events by the passive sensor name associated with the remote asset.
Example
Find events monitored by a specific passive sensor.
remoteAsset.passiveSensor.name: "Remote-Passive-Sensor-01"
remoteAsset.passiveSensor.location
Use this token to search events by the location of the passive sensor monitoring the remote asset.
Example
Find events monitored at a specific location.
remoteAsset.passiveSensor.location: "Remote Site"
remoteAsset.hardware.class
Use this token to search events by the hardware class of the remote asset.
Example
Find events affecting a specific hardware class.
remoteAsset.hardware.class: "OT"
remoteAsset.hasModules
Use this token to search events by whether the remote asset has enabled modules.
Example
Find events for remote assets with enabled modules.
remoteAsset.hasModules: "true"
remoteAsset.hasAddOns
Use this token to search events by whether the remote asset has add-ons installed.
Example
Find events for remote assets without add-ons.
remoteAsset.hasAddOns: "false"
remoteAsset.addOn.hardware.model
Use this token to search events by the hardware model of an add-on connected to the remote asset.
Example
Find events related to a specific add-on hardware model.
remoteAsset.addOn.hardware.model: "Expansion-Module-A1"
remoteAsset.addOn.hardware.manufacturer
Use this token to search events by the hardware manufacturer of an add-on connected to the remote asset.
Example
Find events involving add-ons from a specific manufacturer.
remoteAsset.addOn.hardware.manufacturer: "Siemens"
remoteAsset.addOn.hardware.category2
Use this token to search events by the secondary hardware category of an add-on connected to the remote asset.
Example
Find events related to a specific add-on hardware category.
remoteAsset.addOn.hardware.category2: "I/O Module"
remoteAsset.addOn.firmwareVersion
Use this token to search events by the firmware version of an add-on connected to the remote asset.
Example
Find events associated with a specific add-on firmware version.
remoteAsset.addOn.firmwareVersion: "2.0.5"
remoteAsset.addOn.lastScanDate
Use this token to search events by the last scan date of an add-on connected to the remote asset.
Example
Find events for add-ons scanned on a specific date.
remoteAsset.addOn.lastScanDate: "2025-01-14"
remoteAsset.addOn.orderId
Use this token to search events by the order ID of an add-on connected to the remote asset.
Example
Find events related to a specific add-on order.
remoteAsset.addOn.orderId: "ADD-77821"
remoteAsset.addOn.serialNumber
Use this token to search events by the serial number of an add-on connected to the remote asset.
Example
Find events associated with a specific add-on serial number.
remoteAsset.addOn.serialNumber: "ASN-990012"
remoteAsset.addOn.slaveAddress
Use this token to search events by the slave address of an add-on component.
Example
Find events involving an add-on component with a specific slave address.
remoteAsset.addOn.slaveAddress: "0x00000004#39"
remoteAsset.addOn.unitAddress
Use this token to search events by the unit address of an add-on connected to the remote asset.
Example
Find events involving add-ons with a specific unit address.
remoteAsset.addOn.unitAddress: "1"
remoteAsset.finding.hardware.type
Use this token to search events by the hardware type identified in a finding on the remote asset.
Example
Find events involving a specific hardware type.
remoteAsset.finding.hardware.type: "Gateway"
remoteAsset.finding.vulnerability.category
Use this token to search events by the vulnerability category identified in a finding on the remote asset.
Example
Find events related to a specific vulnerability category.
remoteAsset.finding.vulnerability.category: "Authentication"
remoteAsset.finding.typeDetected
Use this token to search events by the detection type of the vulnerability finding on the remote asset. Select the type from the available options (Confirmed, Information, Potential).
Example
Find events where a specific type was detected.
remoteAsset.finding.typeDetected: "Confirmed"
remoteAsset.finding.asset.type
Use this token to search events by the asset type associated with a finding on the remote asset.
Example
Find events affecting a specific asset type.
remoteAsset.finding.asset.type: "HMI"
remoteAsset.finding.status
Use this token to search events based on the vulnerability status on the remote asset. Select the status from the available options (ACTIVE, FIXED, NEW, REOPENED).
Example
Find events with a specific vulnerability status.
remoteAsset.finding.status: "NEW"
remoteAsset.finding.asset.id
Use this token to search events by the asset ID associated with a finding on the remote asset.
Example
Find events related to a specific asset ID.
remoteAsset.finding.asset.id: "56863af6-301e-3788-aa95-95b5f844ad2a"
remoteAsset.finding.vulnerability.qid
Use this token to search events by the vulnerability QID identified in a finding on the remote asset.
Example
Find events related to a specific vulnerability QID.
remoteAsset.finding.vulnerability.qid: "210345"
remoteAsset.finding.vulnerability.cveId
Use this token to search events by the CVE ID identified in a finding on the remote asset.
Example
Find events associated with a specific CVE.
remoteAsset.finding.vulnerability.cveId: "CVE-2024-77891"
remoteAsset.finding.vulnerability.isPatchAvailable
Use this token to search events by patch availability for the vulnerability identified on the remote asset.
Example
Find events where a patch is available or unavailable.
remoteAsset.finding.vulnerability.isPatchAvailable: "false"
remoteAsset.finding.vulnerability.title
Use this token to search events by the vulnerability title identified in a finding on the remote asset.
Example
Find events related to a specific vulnerability.
remoteAsset.finding.vulnerability.title: "Default Credentials Enabled"
remoteAsset.finding.severity
Use this token to search events by the severity of a finding on the remote asset.
Example
Find events with findings of a specific severity.
remoteAsset.finding.severity: "Critical"
remoteAsset.finding.firstFoundDate
Use this token to search events by the first detection date of a finding on the remote asset.
Example
Find events where a finding was first detected on a specific date.
remoteAsset.finding.firstFoundDate: "2024-04-18"
remoteAsset.finding.lastFoundDate
Use this token to search events by the most recent detection date of a finding on the remote asset.
Example
Find events where a finding was last detected on a specific date.
remoteAsset.finding.lastFoundDate: "2025-01-19"
remoteAsset.finding.asset.name
Use this token to search events by the asset name associated with a finding on the remote asset.
Example
Find events related to a specific asset.
remoteAsset.finding.asset.name: "HMI-Panel-02"
remoteAsset.finding.firmware
Use this token to search events by the firmware identified in a finding on the remote asset.
Example
Find events associated with a specific firmware.
remoteAsset.finding.firmware: "v3.6.0"
remoteAsset.finding.hardware.version
Use this token to search events by the hardware version identified in a finding on the remote asset.
Example
Find events associated with a specific hardware version.
remoteAsset.finding.hardware.version: "v2.1"
remoteAsset.finding.hardware.product
Use this token to search events by the hardware product identified in a finding on the remote asset.
Example
Find events related to a specific hardware product.
remoteAsset.finding.hardware.product: "PanelView Plus"
remoteAsset.finding.hardware.model
Use this token to search events by the hardware model identified in a finding on the remote asset.
Example
Find events involving a specific hardware model.
remoteAsset.finding.hardware.model: "2711P-T12C4D9"
remoteAsset.finding.protocol
Use this token to search events by the protocol identified in a finding on the remote asset.
Example
Find events detected over a specific protocol.
remoteAsset.finding.protocol: "HTTPS"
remoteAsset.finding.hardware.manufacturer
Use this token to search events by the hardware manufacturer identified in a finding on the remote asset.
Example
Find events affecting devices from a specific manufacturer.
remoteAsset.finding.hardware.manufacturer: "Rockwell Automation"
remoteAsset.finding.vulnerability.vendorName
Use this token to search events by the vendor name associated with the vulnerability identified on the remote asset.
Example
Find events related to vulnerabilities from a specific vendor.
remoteAsset.finding.vulnerability.vendorName: "Rockwell Automation"
remoteAsset.finding.vulnerability.threatIntel
Use this token to search events by threat intelligence context associated with the vulnerability identified on the remote asset.
Example
Find events involving vulnerabilities with known threat intelligence.
remoteAsset.finding.vulnerability.threatIntel: "Exploitable"
remoteAsset.finding.vulnerability.criticality
Use this token to search events by the criticality assigned to the vulnerability identified on the remote asset.
Example
Find events involving high-criticality vulnerabilities.
remoteAsset.finding.vulnerability.criticality: "High"