Events Search Token
action
Use a text value ##### to help you find an action
that occurred (CONNECTED, CREATED, CHANGE, OPEN, READ, RENAME, RUNNING,
WRITE or TERMINATED).
Example
Show events with created action
action: CREATED
asset.agentId
Use a text value ##### to find an agent ID of
interest.
Example
Show events for a certain agent ID
asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
asset.hostName
Use quotes or backticks with value to find events
with the hostname you're interested in.
Example
Show any events related to name
asset.hostName: WIN-BU2-4322
Show any events that contain parts of name
asset.hostName: "WIN-BU2-4322"
Show events that match exact name
asset.hostName: `WIN-BU2-4322`
event.id
Use a text value ##### to help you find an event
ID you're looking for.
Example
Show an event ID
event.id: N_bf9ecb09-6e3a-3efe-b5aa-847cdf5a95ba
event.dateTime
Use a date range or specific date to define the
date and time the event occurred.
Examples
Show events found within certain dates
event.dateTime: [2017-06-15 ... 2017-06-30]
Show events found starting 2017-06-22, ending 1 month ago
event.dateTime: [2017-06-22 ... now-1M]
Show events found starting 2 weeks ago, ending 1 second ago
event.dateTime: [now-2w ... now-1s]
Show events found on specific date
event.dateTime: '2017-06-14'
file.created
Use a date range or specific date to define when files were created.
Examples
Show events with file created on 2017-08-12
file.created: '2017-08-12'
Show events with file created between 2017-06-06 and 1 second ago
file.created: [2017-06-06 .. now-1s]
Show events with file created within date range
file.created: [2017-08-23 .. 2017-08-25]
file.creator
Use a text value ##### to help you find events
on files created by a certain user.
Example
Show events on files created by this user
file.creator: admin
file.extension
Use a text value ##### to define a file extension
you're interested in.
Example
Show events on files with pdf extension
file.extension: pdf
file.fullPath
Use a text value ##### to define the full pathname
to a file of interest.
Example
Show events on files at this full path
file.fullPath: 'C:\Windows\System32\LogFiles\myapp_log.txt'
file.hash.md5
Use a text value ##### to define the MD5 hash
of a file you're interested in.
Example
Show events on files with this MD5 hash
file.hash.md5: 50714f6cbb72be3e432d58e543dd2632
file.hash.sha256
Use a text value ##### to define the SHA256 hash
of a file you're interested in.
Example
Show events on files with this SHA256 hash
file.hash.sha256: 8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6
file.name
Use a text value ##### to help you find events
on a file name of interest.
Example
Show events on this file name
file.name: myapp_log.txt
file.path
Use a text value ##### to find events on files
at a file path you are interested in.
Example
Show events on files at this path
file.path: "C:\Windows\System32\LogFiles\"
file.properties.certificate.hash
Use a text value ##### to define a signed certificate
hash of interest.
Example
Show events for this signed certificate hash
file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542
file.properties.certificate.issuer
Use quotes or backticks with value to help you
find a certificate issuer.
Example
Show any events that contain parts of issuer name
file.properties.certificate.issuer: "Verizon"
Show events that match exact issuer name
file.properties.certificate.issuer: `Verizon Certificate ABZ`
file.properties.certificate.signed
Use boolean string to help you find signed certificates
(true) or unsigned (false).
Example
Show events with signed certificate
file.properties.certificate.signed: true
file.properties.certificate.signeddate
Use a date range or specific date to define when certificates were
signed.
Examples
Show events with certificate signed on 2017-08-12
file.properties.certificate.signeddate: '2017-08-12'
Show events with certificate signed between 2017-06-06 and 1 second
ago
file.properties.certificate.signeddate: [2017-06-06 .. now-1s]
Show events with certificate signed within date range
file.properties.certificate.signeddate: [2017-08-23 .. 2017-08-25]
file.properties.certificate.subject
Use quotes or backticks with value to help you
find a certificate subject.
Example
Show any events that contain parts of subject
file.properties.certificate.subject: "Mycorp Technologies"
Show events that match exact subject
file.properties.certificate.subject: `CN = Mycorp Technologies, Inc O = Mycorp Technologies, Inc L = Menlo Park S = California C = US`
file.properties.certificate.valid
Use boolean string to help you find valid certificates
(true) or invalid (false).
Example
Show events with valid certificate
file.properties.certificate.valid: true
file.type
Use a text value ##### to define files in a Portable
Executable (PE) format.
Example
Show events for .exe files
file.type: exe
handle.name
Use a text value ##### to define a file handle
name that you're interested in.
Example
Show events with this file handle name
handle.name: Global\MsWinZonesCacheCounterMutexA0
Note: The "handle.name" token is available based on
your subscription. For more information, contact Qualys Support.
handle.pid
Use an integer value ##### to define a file handle
process ID that you're interested in.
Example
Show events with this file handle process ID
handle.pid: 1388
Note: The "handle.pid" token is available based on your subscription.
For more information, contact Qualys Support.
indicator.score
Use an integer value ##### to define the threat
score of an indicator based on all scoring engines.
Examples
Show events with this score
indicator.score: 8
Show events with confirmed scores
indicator.score >= 8
indicator.threatfeed
Use an integer value ##### to define the threat
score of an indicator based on the threat feed scoring engine.
Examples
Show events with this score
indicator.threatfeed: 8
Show events with confirmed scores
indicator.threatfeed >= 8
malware.category
Use quotes or backticks with value to define a
malware category you're interested in.
Example
Show events with this malware category
malware.category: `File Infector`
malware.family
Use quotes or backticks with value to define a
malware family you're looking for.
Example
Show events with this malware name
malware.family: `CryptoMinerF`
netbiosname
Use a text value ##### to define the NetBIOS name
you're interested in.
Example
Show the asset with this name
netbiosname: VISTASP2-24-208
network.local.address.ip
Use a text value ##### to define the local IP
address of a process network connection.
Example
Show events on this local network IP
network.local.address.ip: 10.10.10.54
network.local.address.port
Use an integer value ##### to define the local
port number of a process network connection.
Example
Show events on this local network port
network.local.address.port: 80
network.process.name
Use a string value ##### to define the name of
a network process connection.
Example
Show events with this network process name
network.process.name: chrome.exe
network.process.pid
Use an integer value ##### to define the process
ID of a network process connection.
Example
Show events with this network process ID
network.process.pid: 12345
network.protocol
Use a string value ##### to find events with a
network protocol name you're looking for (TCP or UDP).
Example
Show events with this network protocol name
network.protocol: TCP
network.remote.address.fqdn
Use a string value ##### to define the FQDN of
a process remote connection.
Example
Show events with this network FQDN
network.remote.address.fqdn: 10567-T51.corp.acme.com
network.remote.address.ip
Use a string value ##### to define the IP address
of a process remote connection.
Example
Show events with this network IP address
network.remote.address.ip: 198.252.200.123
network.remote.address.port
Use an integer value ##### to define the port
of a process remote connection.
Example
Show events with this network remote port
network.remote.address.port: 443
network.state
Use a string value ##### to define the state of
a process network connection (TIME_WAIT or ESTABLISHED).
Example
Show events with established network state
network.state: ESTABLISHED
operatingsystem.fullname
Use quotes or backticks with value to help
you find the operating system you're looking for.
Examples
Show any events with this OS name
operatingsystem.fullname: Windows 2012
Show any events that contain components of OS name
operatingsystem.fullname: "Windows 2012"
Show any events that match exact value "Windows 2012"
operatingsystem.fullname: `Windows 2012`
parent.event.id
Use a string value ##### to help you find events
with a parent event ID.
Example
Show events for this parent event ID
parent.event.id: RTP_fc0c02da-2982-4426-8140-be55d5f050f7_-5443330379451874079_11384
parent.name
Use a string value to display events created by
a parent process.
Example
Show events created by process
parent.name: Notepad.exe
parent.pid
Use an integer value ##### to display the events
with parent process ID.
Example
Show events with this parent process ID
parent.pid: 1272
parent.imagepath
Use a string value ##### to display events with
the parent process image path.
Example
Show events with this parent process image path
parent.imagepath: "C:\Temp\abe.exe"
process.arguments
Use a string value ##### to help you find events
on a process running with certain arguments.
Example
Show events on a process with arguments
process.arguments: arguments
process.elevated
Use boolean string to define events with process
running as elevated privileges (true) or not (false).
Example
Show events with process as elevated privileges
process.elevated: true
process.fullPath
Use a string value ##### to define the full path
to the file that launched the process. Enclose the path in double
quotes.
Example
Show events with file at this full path
process.fullPath: "C:\windows\system32\svchost.exe"
process.image.fullPath
Use a string value ##### to define the full path
to the file that launched the process. Enclose the path in double
quotes.
Example
Show events with image file at this full path
process.image.fullPath: "C:\windows\system32\svchost.exe"
process.image.path
Use a string value ##### to define the path to
the folder containing the file that launched the process. Enclose
the path in double quotes.
Example
Show events with image file contained in this folder
process.image.path: "C:\windows\system32"
process.loadedmodule.name
Use quotes or backticks with value to find events
with the name of a loaded module running in a process.
Example
Show any events related to loaded module
process.loadedmodule.name: advapi32
Show any events that contain parts of loaded module name
process.loadedmodule.name: "advapi32"
Show events that match exact name
process.loadedmodule.name: `advapi32`
Note: The "process.loadedmodule.name" token is available
based on your subscription. For more information, contact Qualys Support.
process.loadedmodule.path
Use quotes or backticks with value to find events
on the path to the directory containing the loaded module you are
interested in.
Example
Show any events that contain parts of loaded module path
process.loadedmodule.path: "C:\Windows\System32\"
Show events that match exact value
process.loadedmodule.path: `C:\Windows\System32\`
Note: The "process.loadedmodule.path" token is available
based on your subscription. For more information, contact Qualys Support.
process.loadedmodule.fullpath
Use quotes or backticks with value to find events
on the full path to the loaded module image you are interested in.
Example
Show any events that contain parts of loaded module full path
process.loadedmodule.fullpath: "C:\Windows\System32\advapi32.dll"
Show events that match exact value
process.loadedmodule.fullpath: `C:\Windows\System32\advapi32.dll`
Note: The "process.loadedmodule.fullpath" token is available
based on your subscription. For more information, contact Qualys Support.
process.loadedmodule.hash.md5
Use a text value ##### to define the MD5 hash
of a loaded module you're interested in.
Example
Show events for loaded module with this MD5 hash
process.loadedmodule.hash.md5: c102a6ff0fe651242be9a4be3e579106
Note: The "process.loadedmodule.hash.md5" token is available
based on your subscription. For more information, contact Qualys Support.
process.loadedmodule.hash.sha256
Use a text value ##### to define the SHA256 hash
of a loaded module you're interested in.
Example
Show events for loaded module with this SHA256 hash
process.loadedmodule.hash.sha256: ef117b762c2c680d181cf4119ff611c9de46fcea6b60775e746541f5dd8f1cd0
Note: The "process.loadedmodule.hash.sha256" token is available
based on your subscription. For more information, contact Qualys Support.
process.name
Use a string value ##### to define a process image
name of interest.
Example
Show events with this process image name
process.name: explorer.exe
process.parentname
Use a string value ##### to define a parent process
image name of interest.
Example
Show events with this parent process image name
process.parentname: explorer.exe
process.parentPid
Use an integer value ##### to define the process
parent ID you're looking for.
Example
Show events with this process parent ID
process.parentPid: 676
process.pid
Use an integer value ##### to define the process
ID you're looking for.
Example
Show events with this process ID
process.pid: 1655
process.started
Use a date range or specific date to define when a process was
started.
Examples
Show events with process started on 2017-08-12
process.started: '2017-08-12'
Show events with process started between 2017-06-06 and 1 second
ago
process.started: [2017-06-06 .. now-1s]
Show events with process started within date range
process.started: [2017-08-23 .. 2017-08-25]
process.terminated
Use a date range or specific date to define when a process was
terminated.
Examples
Show events with process terminated on 2017-08-12
process.terminated: '2017-08-12'
Show events with process terminated between 2017-06-06 and 1 second
ago
process.terminated: [2017-06-06 .. now-1s]
Show events with process terminated within date range
process.terminated: [2017-08-23 .. 2017-08-25]
process.username
Use a string value ##### to help you find a process
username.
Example
Show events with this process username
process.username: sslong
registry.key
Use a string value ##### to help you find events
with a registry name of interest.
Example
Show events with this registry key name
registry.key: HKEY_CURRENT_CONFIG
Note: The "registry.key" token is available based on your
subscription. For more information, contact Qualys Support.
registry.value
Use a string value ##### to help you find events
with a certain registry value in the key.
Example
Show events with this registry value
registry.value: "C:\Program Files"
Note: The "registry.value" token is available based on your
subscription. For more information, contact Qualys Support.
registry.data
Use a string value ##### to help you find events
with certain registry data.
Example
Show events with this registry data
registry.data: "filename.exe"
Note: The "registry.data" token is available based on your
subscription. For more information, contact Qualys Support.
response.action
Use a string value ##### to help you find events
with response action (Delete File, Kill Process, or Quarantine File).
Example
Show events with this response action
response.action: Kill Process
response.status
Use a string value ##### to help you find events
with response status (failed, in_progress, success).
Example
Show events with this response status
response.status: success
response.user
Use a string value ##### to list response actions
executed by a certain user.
Example
Show response actions for this user
response.user: John Doe
response.userId
Use a string value ##### to list response actions
executed by a certain username.
Example
Show response actions for this username
response.userId: jdoe
response.timestamp
Use a date range or specific date to find when a response action
on an event occurred.
Examples
Show response action found within certain dates
response.timestamp: [2020-06-15 ... 2020-06-30]
Show response action found starting 2020-06-22, ending 1 month ago
response.timestamp: [2020-06-22 ... now-1M]
Show response action found starting 2 weeks ago, ending 1 second
ago
response.timestamp: [now-2w ... now-1s]
Show response action found on specific date
response.timestamp: '2020-06-14'
response.priorScore
Use an integer value ##### to search events by
the score before executing the response action.
Examples
Show events with this prior score
response.priorScore: 8
Show events with prior scores greater than or equal to this value
response.priorScore >= 8
response.statusMessage
Use a string value ##### to search events by status
message displayed after the response action is completed.
Examples
Show events that contain parts of the status message
response.statusMessage: "Process"
Show events that match this exact status message
response.statusMessage: `Process does not exist`
type
Use a string value ##### to help you find events
with the object type you're looking for (FILE, MUTEX, NETWORK, REGISTRY, etc.).
Example
Show events with this object type
type: FILE
Note: "MUTEX" and "REGISTRY" values are available
based on your subscription. For more information, contact Qualys Support.
and
Use a boolean query to express your query using
AND logic.
Example
Show file created events on certain date and asset name
file.created: '2017-08-12' and asset.hostName: `WIN-BU2-1233`
not
Use a boolean query to express your query using
NOT logic.
Example
Show events that are not on a certain asset name
not asset.hostName: `WIN-BU2-5555`
or
Use a boolean query to express your query using
OR logic.
Example
Show events on files created by jsmith or kwang
file.creator: jsmith or file.creator: kwang
response.comments
Use a string value ##### to list events by comments added while initiating the response action.
Example
Show events that contain parts of the comment
response.comments: "malicious"
Show events that match exact comment
response.comments: `killing malicious process`