User Activity Search Tokens

asset.agentId

Use a text value ##### to find an agent ID of interest.

Example

Show events for a certain agent ID

asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74

asset.hostName

Use double quotes around the value to match part of a hostname, or backticks to match the hostname exactly.

Example

Show any events related to this name

asset.hostName: WIN-BU2-4322

Show any events whose hostname contains part of the name

asset.hostName: "WIN-BU2-4322"

Show events that match the exact name

asset.hostName: `WIN-BU2-4322`

file.fullPath

Use a text value ##### to define the full path name to a file of interest.

Example

Show events on files at this full path

file.fullPath: 'C:\Windows\System32\LogFiles\myapp_log.txt'

file.hash.md5

Use a text value ##### to define the MD5 hash of a file you're interested in.

Example

Show events on files with this MD5 hash

file.hash.md5: 50714f6cbb72be3e432d58e543dd2632

file.hash.sha256

Use a text value ##### to define the SHA256 hash of a file you're interested in.

Example

Show events on files with this SHA256 hash

file.hash.sha256: 8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6

file.name

Use a text value ##### to help you find events on a file name of interest.

Example

Show events on this file name

file.name: myapp_log.txt

file.path

Use a text value ##### to find events on files at a file path you are interested in.

Example

Show events on files at this path

file.path: "C:\Windows\System32\LogFiles\"

file.properties.certificate.hash

Use a text value ##### to define a signed certificate hash of interest.

Example

Show events for this signed certificate hash

file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542

platform

Use a string value ##### to help you find events on a platform of interest.

Example

Show events that took place on the Windows platform

platform: WINDOWS

process.image.fullPath

Use a string value ##### to define the full path to the file that launched the process. Enclose the path in double quotes.

Example

Show events with an image file at this full path

process.image.fullPath: "C:\windows\system32\svchost.exe"

process.name

Use a string value ##### to define a process image name of interest.

Example

Show events with this process image name

process.name: explorer.exe

process.fullPath

Use a string value ##### to define the full path to the file that launched the process. Enclose the path in double quotes.

Example

Show events with a file at this full path

process.fullPath: "C:\windows\system32\svchost.exe"

response.action

Use a string value ##### to help you find events with a given response action (Delete File, Kill Process, Quarantine File or Unquarantine File).

Example

Show events with this response action

response.action: Kill Process

response.status

Use a string value ##### to help you find events with response status (failed, in_progress, success).

Example

Show events with this response status

response.status: success

response.user

Use a string value ##### to list response actions executed by a certain user.

Example

Show response actions for this user

response.user: John Doe

response.userId

Use a string value ##### to list response actions executed by a certain username.

Example

Show response actions for this username

response.userId: jdoe

response.timestamp

Use a date range or a specific date to find when a response action on an event occurred.

Examples

Show response actions found within certain dates

response.timestamp: [2020-06-15 ... 2020-06-30]

Show response actions found starting 2020-06-22 and ending 1 month ago

response.timestamp: [2020-06-22 ... now-1M]

Show response actions found starting 2 weeks ago and ending 1 second ago

response.timestamp: [now-2w ... now-1s]

Show response actions found on a specific date

response.timestamp: '2020-06-14'

response.comments

Use a string value ##### to list events by comments added while initiating the response action.

Example

Show events that contain parts of the comment

response.comments: "malicious"

Show events that match the exact comment

response.comments: `killing malicious process`

response.priorScore

Use an integer value ##### to search events by the score recorded before the response action was executed.

Examples

Show events with this prior score

response.priorScore: 8

Show events with prior scores greater than or equal to this value

response.priorScore >= 8

response.statusMessage

Use a string value ##### to search events by the status message displayed after the response action is completed.

Examples

Show events that contain parts of the status message

response.statusMessage: "Process"

Show events that match this exact status message

response.statusMessage: `Process does not exist`

and

Use and to combine conditions so that only events satisfying all of them are returned.

Example

Show events that match both a file name and a response status

file.name: MWP_MALICIOUSJ.exe and response.status: success

not

Use not to negate a condition so that events satisfying it are excluded.

Example

Show events that are not from a certain hostname

not asset.hostName: `WIN-BU2-5555`

or

Use or to combine conditions so that events satisfying any of them are returned.

Example

Show events on files created by jsmith or kwang

file.creator: jsmith or file.creator: kwang
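The following is an added example, not code from this page or from the product it documents. It is a small evaluator for the token syntax described above (quoted versus backticked values, date ranges with relative offsets such as now-2w, numeric comparisons, and the and/or/not operators), run over a handful of constructed sample events. The exact matching rules are inferred from the examples on the page and are assumptions: bare and double-quoted values are treated as case-insensitive substring matches, backticks and single quotes as exact matches, a single-quoted date on a timestamp field as matching that whole day, and M in a relative offset as 30 days. The event records and the fixed "now" are constructed for the example.

```python
"""Added example, not from this page or the product it documents: a toy evaluator
for the search syntax above, run over constructed sample events. Assumed semantics
(not stated on the page): bare and double-quoted values are case-insensitive substring
matches; backticks and single quotes are exact; a single-quoted date on a timestamp
field matches that whole day; 'M' in a relative offset is 30 days and 'y' is 365."""
import re
from datetime import date, datetime, timedelta

SAMPLE_NOW = datetime(2020, 7, 1)  # fixed "now" so relative ranges are reproducible
EVENTS = [  # constructed sample events; keys mirror the page's token names
    {"id": "e1", "asset.hostName": "WIN-BU2-4322", "file.name": "myapp_log.txt", "response.action": "Kill Process",
     "response.status": "success", "response.priorScore": 8, "response.timestamp": datetime(2020, 6, 20, 9, 30)},
    {"id": "e2", "asset.hostName": "WIN-BU2-43221", "file.name": "MWP_MALICIOUSJ.exe", "response.action": "Quarantine File",
     "response.status": "failed", "response.priorScore": 5, "response.timestamp": datetime(2020, 6, 14, 17, 5)},
    {"id": "e3", "asset.hostName": "WIN-BU2-5555", "file.name": "MWP_MALICIOUSJ.exe", "response.action": "Delete File",
     "response.status": "success", "response.priorScore": 9, "response.timestamp": datetime(2020, 6, 5)},
]
# One token per match: a boolean keyword or `field <op> value`. A bare value runs until
# the next and/or/not keyword, so "Kill Process" stays a single value.
TOKEN_RE = re.compile(r"""\s*(?:(?P<kw>\b(?:and|or|not)\b)
    | (?P<field>[\w.]+)\s*(?P<op>>=|<=|>|<|=|:)\s*
      (?P<value>\[[^\]]*\]|`[^`]*`|"[^"]*"|'[^']*'|\S+(?:\s+(?!(?:and|or|not)\b)\S+)*))""", re.VERBOSE)
REL_RE = re.compile(r"now(?:-(\d+)([smhdwMy]))?")
UNIT = {"s": timedelta(seconds=1), "m": timedelta(minutes=1), "h": timedelta(hours=1), "d": timedelta(days=1),
        "w": timedelta(weeks=1), "M": timedelta(days=30), "y": timedelta(days=365)}  # M/y are assumptions

def tokenize(query):
    tokens, pos = [], 0
    while pos < len(query.rstrip()):
        m = TOKEN_RE.match(query, pos)
        if not m or m.end() == pos:
            raise ValueError(f"cannot parse query near: {query[pos:]!r}")
        pos = m.end()
        tokens.append(("kw", m.group("kw").lower()) if m.group("kw")
                      else ("term", (m.group("field"), m.group("op"), m.group("value"))))
    return tokens

def parse_point(text, now, end=False):
    """'now', 'now-<n><unit>' or an ISO date/time; a date-only upper bound covers its whole day."""
    text = text.strip().strip("'\"")
    m = REL_RE.fullmatch(text)
    if m:
        return now if m.group(1) is None else now - int(m.group(1)) * UNIT[m.group(2)]
    dt = datetime.fromisoformat(text)
    return dt + timedelta(days=1, microseconds=-1) if end and len(text) == 10 else dt

def make_term(field, op, raw, now):
    """Turn one `field <op> value` token into a predicate over an event dict."""
    if op != ":":  # numeric comparison, e.g. response.priorScore >= 8
        n = float(raw)
        cmp = {">=": lambda a: a >= n, "<=": lambda a: a <= n, ">": lambda a: a > n,
               "<": lambda a: a < n, "=": lambda a: a == n}[op]
        return lambda e: isinstance(e.get(field), (int, float)) and cmp(e[field])
    if raw.startswith("["):  # inclusive range [start ... end]
        lo_s, hi_s = raw[1:-1].split("...")
        lo, hi = parse_point(lo_s, now), parse_point(hi_s, now, end=True)
        return lambda e: isinstance(e.get(field), datetime) and lo <= e[field] <= hi
    quote, text = (raw[0], raw[1:-1]) if raw[0] in ("`", '"', "'") else ("", raw)
    if quote in ("`", "'"):  # exact match; on a timestamp field a date matches that whole day
        def exact(e):
            v = e.get(field)
            return v.date() == date.fromisoformat(text) if isinstance(v, datetime) else v == text
        return exact
    needle = text.lower()  # bare or double-quoted: case-insensitive substring
    return lambda e: isinstance(e.get(field), str) and needle in e[field].lower()

def compile_query(query, now):
    """Build one predicate as an OR of AND-groups; precedence not > and > or (assumed)."""
    groups, negate = [[]], False  # "and" simply adds the next term to the current group
    for kind, val in tokenize(query):
        if kind == "term":
            pred = make_term(*val, now=now)
            groups[-1].append((lambda p: lambda e: not p(e))(pred) if negate else pred)
            negate = False
        elif val == "not":
            negate = not negate
        elif val == "or":
            groups.append([])
    if negate or any(not g for g in groups):
        raise ValueError("boolean operator without a term")
    return lambda e: any(all(p(e) for p in g) for g in groups)

def search(query, events=EVENTS, now=SAMPLE_NOW):
    """Return the ids of the events matching the query."""
    pred = compile_query(query, now)
    return [e["id"] for e in events if pred(e)]

if __name__ == "__main__":
    for q in ('asset.hostName: "WIN-BU2-4322"', "asset.hostName: `WIN-BU2-4322`",
              "response.timestamp: [now-2w ... now-1s]", "not asset.hostName: `WIN-BU2-5555`"):
        print(f"{q:45} -> {search(q)}")
```

Running the module shows the difference the page's quoting rules make: the double-quoted hostname also matches the constructed WIN-BU2-43221 record, while the backticked form matches WIN-BU2-4322 alone. The relative range is resolved against the fixed SAMPLE_NOW, which is what makes the date examples reproducible; a real search backend resolves now at query time, so a saved query with now-2w returns different events on different days.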