Incident Search Tokens

asset.agentId

Use a text value to find events for the agent ID of interest.

Example

Show events for a certain agent ID

asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.hostName

Use quotes or backticks around the value to find events with the hostname you're interested in.

Example

Show any events related to the name

asset.hostName: WIN-BU2-4322

Show any events that contain part of the name

asset.hostName: "WIN-BU2-4322"

Show events that match exact name

asset.hostName: `WIN-BU2-4322`

asset.platform

Use quotes or backticks around the value to find assets having events of a certain platform.

Examples

Show events with this platform

asset.platform: Windows

Show any events that contain part of the platform name

asset.platform: "Windows"

Show events that match exact name

asset.platform: `Windows`

asset.operatingsystem

Use quotes or backticks around the value to find assets having events of a certain operating system.

Examples

Show events with this operating system

asset.operatingsystem: Windows 2012

Show any events that contain part of the operating system name

asset.operatingsystem: "Windows 2012"

Show events that match exact name

asset.operatingsystem: `Windows 2012`

asset.malware.family

Use quotes or backticks around the value to find assets having events of a certain malware family.

Examples

Show events with this malware

asset.malware.family: CryptoMinerF

Show any events that contain part of the malware name

asset.malware.family: "CryptoMinerF"

Show events that match exact name

asset.malware.family: `CryptoMinerF`

asset.malware.category

Use quotes or backticks around the value to find assets having events of a certain malware category.

Examples

Show events with this malware category

asset.malware.category: File Infector

Show any events that contain part of the malware category

asset.malware.category: "File Infector"

Show events that match exact name

asset.malware.category: `File Infector`

asset.score

Use an integer value to find assets based on their highest-scored indicator.

Examples

Show events with this score

asset.score: 8

Show events with confirmed scores

asset.score >= 8

asset.tags.name

Use quotes or backticks around the value to find assets that have a certain tag of interest.

Examples

Show events with this asset tag

asset.tags.name: newtag

Show any events that contain part of the asset tag name

asset.tags.name: "newtag"

Show events that match exact name

asset.tags.name: `newtag`

and

Use a boolean query to combine conditions with AND logic.

Example

Show file-created events on a certain date and asset name

asset.agentId:"d9440962-f4ff-4d53-b518-060d0f3137fc" and asset.score: 8

not

Use a boolean query to exclude conditions with NOT logic.

Example

Show events that are not on a certain asset name

not asset.hostName: `WIN-BU2-5555`

or

Use a boolean query to combine conditions with OR logic.

Example

Show events on files created by jsmith or kwang

file.creator: jsmith or file.creator: kwang
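As an added example that is not part of this documentation or the product, the Python below evaluates the token syntax described on this page against constructed sample events: bare, "quoted" (contains part of) and `backticked` (exact) values, numeric comparison as in asset.score >= 8, and and/or/not. The case-insensitivity of bare values, the precedence not > and > or, and the sample events are assumptions, not documented behaviour.

```python
import re
# Constructed sample events (not from any real deployment); keys are the tokens documented above.
EVENTS = [
    {"asset.hostName": "WIN-BU2-4322", "asset.platform": "Windows", "asset.score": 8, "file.creator": "jsmith"},
    {"asset.hostName": "WIN-BU2-43229", "asset.platform": "Windows", "asset.score": 5, "file.creator": "kwang"},
    {"asset.hostName": "LNX-DB-01", "asset.platform": "Linux", "asset.score": 9, "file.creator": "root"},
]

# A token is a keyword (and/or/not) or a term: field, operator, value (bare, "quoted" or `backticked`);
# anything else is captured as "bad" so malformed input is rejected instead of silently ignored.
TOKEN = re.compile(r'(?:(?P<kw>and|or|not)\b|(?P<field>[\w.]+)\s*(?P<op>>=|<=|>|<|:)\s*'
                   r'(?P<val>`[^`]*`|"[^"]*"|[^\s"`]\S*)|(?P<bad>\S+))\s*', re.IGNORECASE)

def tokenize(query):
    tokens = []
    for m in TOKEN.finditer(query):
        if m["bad"]:
            raise ValueError(f"cannot parse query near {m['bad']!r}")
        tokens.append(m["kw"].lower() if m["kw"] else (m["field"], m["op"], m["val"]))
    return tokens

def match_term(event, field, op, raw):
    if field not in event:
        return False
    actual = str(event[field])
    if op != ":":                                   # numeric comparison, e.g. asset.score >= 8
        n, a = float(raw), float(actual)
        return {">": a > n, "<": a < n, ">=": a >= n, "<=": a <= n}[op]
    if raw.startswith("`"):                         # `value`: exact, case-sensitive match
        return actual == raw[1:-1]
    if raw.startswith('"'):                         # "value": substring ("contains part of") match
        return raw[1:-1].lower() in actual.lower()
    return actual.lower() == raw.lower()            # bare value: whole value, case-insensitive (assumed)

def evaluate(tokens, event):                        # precedence (assumed): not, then and, then or
    def split(seq, kw):                             # break a token list on a keyword
        cuts = [-1] + [i for i, t in enumerate(seq) if t == kw] + [len(seq)]
        return [seq[a + 1:b] for a, b in zip(cuts, cuts[1:])]
    def eval_not(seq):                              # one term with any number of leading "not"s
        negate = False
        while seq[:1] == ["not"]:
            negate, seq = not negate, seq[1:]
        if len(seq) != 1 or isinstance(seq[0], str):
            raise ValueError(f"expected a single field term, got {seq!r}")
        return negate ^ match_term(event, *seq[0])
    return any(all(eval_not(t) for t in split(c, "and")) for c in split(tokens, "or"))

def search(query, events=EVENTS):                   # hostnames of the events matching the query
    tokens = tokenize(query)                        # parse once, evaluate against every event
    return [e["asset.hostName"] for e in events if evaluate(tokens, e)]
```

Note that the quoted form matches WIN-BU2-43229 as well as WIN-BU2-4322, which is exactly the difference between "contains part of" and the backticked exact match.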