Searching Events

action

Use a text value to define the file integrity event action that occurred (Attributes, Content, Create, Delete, Rename, Security).

Example

Show events for delete action

action: Delete

actor.imagePath

Use a text value to define the full path to the process that performed the event action.

Example

Show events performed by the process at this full path

actor.imagePath: C:\Windows\System32\dllhost.exe

actor.process

Use a text value to define the process that performed the event action.

Example

Show events performed by this process

actor.process: dllhost.exe

actor.userID

Use a text value to find the user ID of interest.

Example

Show events performed by the user with user ID "jsmith"

actor.userID: jsmith

actor.userName

Use a text value to find the username you're looking for.

Examples

Show events performed by the user with username System

actor.userName: System

Show events performed by the user whose username matches the exact value "NT AUTHORITY\SYSTEM"

actor.userName: `NT AUTHORITY\SYSTEM`

asset.agentId

Use a text value to find the agent ID of interest.

Example

Show events on the asset with this agent ID

asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.agentVersion

Use a text value to find assets running the agent version you're interested in.

Example

Show agent version 1.3.2.0

asset.agentVersion: 1.3.2.0

asset.assetType

Select the name of the asset type you're interested in. Select from the names in the drop-down menu.

Example

Show VM assets

asset.assetType: "VM"

asset.created

Use a date range or a specific date to define when assets were created (that is, when the asset was first scanned by a scanner appliance, or when the agent was installed).

Examples

Show assets created within certain dates

asset.created: [2016-01-01 ... 2016-01-10]

Show assets created starting 2015-10-01, ending 1 month ago

asset.created: [2015-10-01 ... now-1M]

Show assets created starting 2 weeks ago, ending 1 second ago

asset.created: [now-2w ... now-1s]

Show assets created on specific date

asset.created:'2016-01-08'

asset.lastCheckedIn

Use a date range or a specific date to define when agents last checked in to the platform.

Examples

Show events on assets whose last check-in falls within certain dates

asset.lastCheckedIn: [2016-01-01 ... 2016-01-10]

Show events on assets whose last check-in is between 2015-10-01 and 1 month ago

asset.lastCheckedIn: [2015-10-01 ... now-1M]

Show events on assets whose last check-in is between 2 weeks ago and 1 second ago

asset.lastCheckedIn: [now-2w ... now-1s]

Show events on assets whose last check-in is on a specific date

asset.lastCheckedIn:'2015-12-01'

asset.name

Use quotes or backticks within values to help you find the asset name you're looking for.

Examples

Show events related to this asset name

asset.name: QK2K12QP3-65-53

Show events whose asset name contains parts of this name

asset.name: "QK2K12QP3-65-53"

Show events whose asset name matches the exact value "QK2K12QP3-65-53"

asset.name: `QK2K12QP3-65-53`

asset.netbiosName

Use a text value to define the NetBIOS name you're interested in.

Example

Show the asset with this name

asset.netbiosName: VISTASP2-24-208

asset.system.lastBoot

Use a date range or a specific date to define when assets were last booted.

Examples

Show assets last booted within certain dates

asset.system.lastBoot: [2016-01-01 ... 2016-01-10]

Show assets last booted starting 2015-10-01, ending 1 month ago

asset.system.lastBoot: [2015-10-01 ... now-1M]

Show assets last booted starting 2 weeks ago, ending 1 second ago

asset.system.lastBoot: [now-2w ... now-1s]

Show assets last booted on a specific date

asset.system.lastBoot:'2016-01-08'

asset.tags

Use the tag ID to find assets having a certain asset tag.

Examples

Show events related to this tag ID

asset.tags: 7701016

asset.updated

Use a date range or a specific date to define when assets were updated (that is, when the asset was re-scanned by a scanner appliance, or when host data was uploaded to the cloud platform by an agent).

Examples

Show assets updated within certain dates

asset.updated: [2016-01-01 ... 2016-01-10]

Show assets updated starting 2015-10-01, ending 3 months ago

asset.updated: [2015-10-01 ... now-3M]

Show assets updated starting 2 weeks ago, ending 1 second ago

asset.updated: [now-2w ... now-1s]

Show assets updated on a specific date

asset.updated:'2016-01-10'

asset.interfaces.address

Use a text value to define the IP address (IPv4 or IPv6) you're interested in.

Examples

Show events on the asset with IPv4 address

asset.interfaces.address: 10.10.100.20

Show events on the asset with IPv6 address (enclose value in single quotes)

asset.interfaces.address: 'fe80:0:0:0:2501:b53c:4139:404b'

asset.interfaces.hostname

Use quotes or backticks within values to help you find the hostname you're looking for.

Examples

Show events related to this hostname

asset.interfaces.hostname: xpsp2-jp-26-111

Show events whose hostname contains parts of this name

asset.interfaces.hostname: "xpsp2-jp-26-111"

Show events whose hostname matches the exact value "xpsp2-jp-26-111"

asset.interfaces.hostname: `xpsp2-jp-26-111`

Show events related to this hostname (parent domains are matched as well)

asset.interfaces.hostname: qcentos71sqp3.rdlab.acme.com

Show events whose hostname matches the exact value "qcentos71sqp3.rdlab.acme.com"

asset.interfaces.hostname: `qcentos71sqp3.rdlab.acme.com`

asset.interfaces.interfaceName

Use a text value to find a certain interface name.

Example

Show events on the asset with the interface name PRO/1000

asset.interfaces.interfaceName: PRO/1000

asset.interfaces.macAddress

Use a text value to define the MAC address you're interested in.

Example

Show events on the asset with this MAC address

asset.interfaces.macAddress: 00-50-56-A9-73-5A

asset.lastLoggedOnUser

Use a text value to find assets last logged into by a user of interest.

Example

Show events on the asset that was last logged into by user asmith

asset.lastLoggedOnUser: asmith

asset.operatingSystem

Use quotes or backticks within values to help you find the operating system you're looking for.

Examples

Show events related to this OS name

asset.operatingSystem: Windows 2012

Show events whose OS name contains components of this name

asset.operatingSystem: "Windows 2012"

Show events whose OS name matches the exact value "Windows 2012"

asset.operatingSystem: `Windows 2012`

class

Use a text value to define the file integrity event class of interest (Disk or Registry).

Example

Show events for changes on disk

class: Disk

file.fullPath

Use a text value to define the full path to the file affected by the file integrity event.

Example

Show events with file at this path

file.fullPath: C:\Windows\System32\LogFiles\qagent33_log.txt

file.name

Use a text value to define the name of the file affected by the file integrity event.

Example

Show events on the file with this name

file.name: qagent33_log.txt

id

Use a text value to define the event ID.

Example

Show the event with this event ID

id: 3b8c2708-55ee-33eb-942c-aead057dd753

platform

Use a text value to define the platform (Windows, Linux or Unix).

Example

Show events for the platform Linux

platform: Linux

profile.category

Use a text value to find the category of the monitoring profile related to the file integrity event.

Example

Show events matching a monitoring profile with profile category PCI

profile.category: PCI

profile.name

Use a text value to find the name of the monitoring profile related to the file integrity event.

Example

Show events matching the monitoring profile with this name

profile.name: PCI Monitoring Profile

profile.rule.description

Use a text value to define the profile rule description of interest.

Example

Show events matching this profile rule description

profile.rule.description: My Profile Rule

profile.rule.id

Use an integer value to define the profile rule ID of interest.

Example

Show events matching this profile rule ID

profile.rule.id: 12345

severity

Select a severity (1-5) to find events with this severity. Select from values in the drop-down menu.

Example

Show events with severity 5

severity: 5

type

Use a text value to define the file integrity event type (File or Directory).

Example

Show events with event type File

type: File

and

Use and to combine terms with AND logic, so that only events matching all of the terms are shown.

Example

Show events with Write action performed by user ID akim

action: Write and actor.userID: akim

not

Use not to apply NOT logic, so that events matching the term are excluded.

Example

Show events for assets that don't have Windows operating system

not asset.operatingSystem: windows

or

Use or to combine terms with OR logic, so that events matching any of the terms are shown.

Examples

Show events for assets with one of these operating systems

asset.operatingSystem: windows or asset.operatingSystem: linux

Show events for assets with operating system name "Windows 2012" or "Windows 7 Ultimate Service Pack 1"

operatingSystem: `Windows 2012` or operatingSystem: `Windows 7 Ultimate Service Pack 1`
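To show how the tokens above compose into one query, here is an added example (not Qualys code and not from this page) that evaluates queries written in this syntax against a few constructed events. The exact match semantics of bare, quoted and backticked values, the treatment of a month as 30 days in relative dates, and and binding tighter than or are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real Qualys data), keyed by the page's token names.
EVENTS = [
    {"id": "e1", "action": "Delete", "actor.userID": "akim", "asset.created": datetime(2016, 1, 8),
     "asset.operatingSystem": "Windows 2012"},
    {"id": "e2", "action": "Write", "actor.userID": "akim", "asset.created": datetime(2015, 12, 1),
     "asset.operatingSystem": "Windows 7 Ultimate Service Pack 1"},
    {"id": "e3", "action": "Create", "actor.userID": "jsmith", "asset.created": datetime(2016, 2, 3),
     "asset.operatingSystem": "CentOS Linux 7"},
]
SECS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "M": 30 * 86400}  # assumption: 1M = 30 days
TERM = re.compile(r"^(not\s+)?([\w.]+):\s*(.+)$", re.I)  # optional 'not', token, value

def parse_date(text, now):  # 'now', a relative bound such as now-2w, or an absolute YYYY-MM-DD
    text = text.strip().strip("'")
    if text == "now":
        return now
    if m := re.fullmatch(r"now-(\d+)([smhdwM])", text):
        return now - timedelta(seconds=int(m.group(1)) * SECS[m.group(2)])
    return datetime.strptime(text, "%Y-%m-%d")

def match_term(field, value, event, now):  # one token:value test; the quoting selects the match mode
    if (actual := event.get(field)) is None:
        return False
    if value.startswith("["):                        # [start ... end] date range, inclusive
        lo, hi = value.strip("[]").split("...")
        return parse_date(lo, now) <= actual <= parse_date(hi, now)
    if isinstance(actual, datetime):                 # single date: same calendar day
        return actual.date() == parse_date(value, now).date()
    if value.startswith("`"):                        # backticks: exact, case-sensitive
        return actual == value.strip("`")
    if value.startswith('"'):                        # quotes: the whole phrase, any case
        return value.strip('"').lower() in actual.lower()
    return any(w in actual.lower() for w in value.strip("'").lower().split())  # bare: any word

def evaluate(query, event, now):  # 'and' binds tighter than 'or'; 'not' negates the term after it
    for clause in re.split(r"\s+or\s+", query, flags=re.I):
        hits = []
        for term in re.split(r"\s+and\s+", clause, flags=re.I):
            negate, field, value = TERM.match(term.strip()).groups()
            hits.append(match_term(field, value.strip(), event, now) != bool(negate))  # xor with 'not'
        if all(hits):
            return True
    return False

def search(query, events=EVENTS, now=datetime(2016, 3, 1)):  # ids of events matching a page-syntax query
    return [e["id"] for e in events if evaluate(query, e, now)]
```

Running `search('asset.operatingSystem: Windows 2012')` against the constructed events returns both Windows events, while the quoted and backticked forms of the same value narrow the result to the one whose OS name contains or exactly equals the phrase.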