Example
Show events for a certain agent ID
asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
Examples
Show any events related to name
asset.hostName: WIN-BU2-4322
Show any events that contain parts of name
asset.hostName: "WIN-BU2-4322"
Show events that match exact name
asset.hostName: `WIN-BU2-4322`
Examples
Show events with this platform
asset.platform: Windows
Show any events that contain parts of platform name
asset.platform: "Windows"
Show events that match exact name
asset.platform: `Windows`
Examples
Show events with this malware
asset.malware.family: CryptoMinerF
Show any events that contain parts of malware name
asset.malware.family: "CryptoMinerF"
Show events that match exact name
asset.malware.family: `CryptoMinerF`
Examples
Show events with this malware category
asset.malware.category: File Infector
Show any events that contain parts of malware category
asset.malware.category: "File Infector"
Show events that match exact name
asset.malware.category: `File Infector`
Examples
Show events with this score
asset.score: 8
Show events with confirmed scores
asset.score >= 8
Example
Combine conditions with and: show events for a certain agent ID that also have a certain score
asset.agentId:"d9440962-f4ff-4d53-b518-060d0f3137fc" and asset.score: 8
Example
Show events that are not on a certain asset name
not asset.hostName: `WIN-BU2-5555`
Example
Show events on files created by jsmith or kwang
file.creator: jsmith or file.creator: kwang
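As an added example (not part of this reference or of the product it documents), the following Python evaluator implements the query forms shown above over a few constructed sample events: the three value forms (bare term, "quoted" partial match, `backtick` exact match), numeric comparison such as asset.score >= 8, and the and/or/not connectives. The page does not spell out how a bare term or a quoted value is matched, so whole-word case-insensitive matching for bare terms and case-insensitive substring matching for quoted values are assumptions here.

```python
import re
from operator import ge, gt, le, lt
# Constructed sample events (not real telemetry); nested fields are flattened to dotted keys.
EVENTS = [
    {"asset.agentId": "f0c8e682-e9cc-4e7d-b92a-0c905d81ec74", "asset.hostName": "WIN-BU2-4322", "asset.platform": "Windows", "asset.malware.family": "CryptoMinerF", "asset.score": 9, "file.creator": "jsmith"},
    {"asset.agentId": "d9440962-f4ff-4d53-b518-060d0f3137fc", "asset.hostName": "WIN-BU2-5555", "asset.platform": "Windows Server", "asset.malware.family": "CryptoMinerFX", "asset.score": 8, "file.creator": "kwang"},
    {"asset.agentId": "11111111-2222-3333-4444-555555555555", "asset.hostName": "ubuntu-web-01", "asset.platform": "Linux", "asset.malware.family": "", "asset.score": 3, "file.creator": "root"},
]

# Token kinds: `exact`, "partial", comparison operators, and bare words (field names, values, and/or/not).
TOKEN = re.compile(r'`[^`]*`|"[^"]*"|>=|<=|[:<>]|[^\s:<>`"]+')
OPS = {":": None, ">=": ge, "<=": le, ">": gt, "<": lt}

class Parser:  # recursive descent; precedence from loosest to tightest: or, and, not, field clause
    def __init__(self, query): self.toks, self.i = TOKEN.findall(query), 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self): tok = self.peek(); self.i += 1; return tok
    def binary(self, word, below):  # left-associative chain of `below` joined by the keyword `word`
        node = below()
        while self.peek() and self.peek().lower() == word: self.take(); node = (word, node, below())
        return node
    def expr(self): return self.binary("or", self.term)
    def term(self): return self.binary("and", self.factor)
    def factor(self):
        tok = self.take()
        if tok is None: raise ValueError("unexpected end of query")
        if tok.lower() == "not": return ("not", self.factor())
        op, value = self.take(), self.take()
        if op not in OPS or value is None: raise ValueError("expected 'field: value' or 'field >= n' after %r" % tok)
        return ("cmp", tok, op, value)

def matches(node, event):
    if node[0] == "or": return matches(node[1], event) or matches(node[2], event)
    if node[0] == "and": return matches(node[1], event) and matches(node[2], event)
    if node[0] == "not": return not matches(node[1], event)
    _, field, op, raw = node
    actual = event.get(field)
    if actual is None: return False  # a field the event lacks never matches
    if op != ":":  # numeric comparison such as asset.score >= 8; non-numeric values simply do not match
        try: return OPS[op](float(actual), float(raw))
        except ValueError: return False
    if raw.startswith("`"): return str(actual) == raw[1:-1]  # `backticks`: exact, case-sensitive match
    if raw.startswith('"'): return raw[1:-1].lower() in str(actual).lower()  # "quotes": contains the part
    return raw.lower() in str(actual).lower().split()  # bare term: whole-word, case-insensitive (assumption)

def search(query, events=EVENTS):  # return the events matching a query in the syntax documented above
    parser = Parser(query); node = parser.expr()
    if parser.peek() is not None: raise ValueError("unexpected token %r" % parser.peek())
    return [e for e in events if matches(node, e)]
```

Note that the second sample host has platform "Windows Server", so `asset.platform: Windows` and `asset.platform: "Windows"` both return it while `asset.platform: \`Windows\`` does not, which is exactly the distinction the three forms above are meant to draw.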