User Activity Search Tokens
You can use Asset View search tokens to search information
in the Assets tab.
asset.agentId
Use a text value to find an agent ID of interest.
Example
Show events for a certain agent ID
asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
asset.hostName
Use quotes or backticks around the value to find events with the hostname you're interested in.
Examples
Show any events related to name
asset.hostName: WIN-BU2-4322
Show any events that contain parts of name
asset.hostName: "WIN-BU2-4322"
Show events that match exact name
asset.hostName: `WIN-BU2-4322`
asset.operatingsystem
Use a text value to find events by the asset's operating system.
Example
Show events with this operating system
asset.operatingsystem: `Microsoft Windows 10 Pro 10.0.18363 64-bit N/A Build 18363`
asset.malware.category
Use quotes or backticks around the value to define an asset with a malware category you're interested in.
Example
Show events with this malware category
asset.malware.category: `File Infector`
asset.malware.family
Use quotes or backticks around the value to define an asset with the malware family you're looking for.
Example
Show events with this malware name
asset.malware.family: `cryptominerf`
asset.score
Use an integer value to define the threat score of an asset based on all scoring engines.
Examples
Show events with this score
asset.score: 8
Show events with confirmed scores
asset.score >= 8
file.fullPath
Use a text value to define the full path name to a file of interest.
Example
Show events on files at this full path
file.fullPath: 'C:\Windows\System32\LogFiles\myapp_log.txt'
file.hash.md5
Use a text value to define the MD5 hash of a file you're interested in.
Example
Show events on files with this MD5 hash
file.hash.md5: 50714f6cbb72be3e432d58e543dd2632
file.hash.sha256
Use a text value to define the SHA256 hash of a file you're interested in.
Example
Show events on files with this SHA256 hash
file.hash.sha256: 8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6
file.name
Use a text value to help you find events on a file name of interest.
Example
Show events on this file name
file.name: myapp_log.txt
file.path
Use a text value to find events on files at a file path you are interested in.
Example
Show events on files at this path
file.path: "C:\Windows\System32\LogFiles\"
file.properties.certificate.hash
Use a text value to define a signed certificate hash of interest.
Example
Show events for this signed certificate hash
file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542
process.image.fullPath
Use a string value to define the full path to the file that launched the process. Enclose the path in double quotes.
Example
Show events with image file at this full path
process.image.fullPath: "C:\windows\system32\svchost.exe"
process.name
Use a string value to define a process image name of interest.
Example
Show events with this process image name
process.name: explorer.exe
process.fullPath
Use a string value to define the full path to the file that launched the process. Enclose the path in double quotes.
Example
Show events with file at this full path
process.fullPath: "C:\windows\system32\svchost.exe"
response.action
Use a string value to help you find events with a response action (Delete File, Kill Process, Quarantine File or Unquarantine File).
Example
Show events with this response action
response.action: Kill Process
response.status
Use a string value to help you find events with a response status (failed, in_progress, success).
Example
Show events with this response status
response.status: success
response.user
Use a string value to list response actions executed by a certain user.
Example
Show response actions for this user
response.user: John Doe
response.userId
Use a string value to list response actions executed by a certain username.
Example
Show response actions for this username
response.userId: jdoe
response.timestamp
Use a date range or a specific date to find when a response action on an event occurred.
Examples
Show response action found within certain dates
response.timestamp: [2020-06-15 ... 2020-06-30]
Show response action found starting 2020-06-22, ending 1 month ago
response.timestamp: [2020-06-22 ... now-1M]
Show response action found starting 2 weeks ago, ending 1 second ago
response.timestamp: [now-2w ... now-1s]
Show response action found on specific date
response.timestamp:'2020-06-14'
response.priorScore
Use an integer value to search events by the score before executing the response action.
Examples
Show events with this prior score
response.priorScore: 8
Show events with prior scores greater than or equal to this value
response.priorScore >= 8
response.statusMessage
Use a string value to search events by the status message displayed after the response action is completed.
Examples
Show events that contain parts of the status message
response.statusMessage:"Process"
Show events with this status message
response.statusMessage:`Process does not exist`
and
Use a boolean query to express your query using AND logic.
Example
Show events that match both a file name and a response status
file.name: MWP_MALICIOUSJ.exe and response.status: success
not
Use a boolean query to express your query using NOT logic.
Example
Show events that are not on a certain asset name
not asset.hostName: `WIN-BU2-5555`
or
Use a boolean query to express your query using OR logic.
Example
Show events on files created by jsmith or kwang
file.creator: jsmith or file.creator: kwang
response.comments
Use a string value to list events by comments added while initiating the response action.
Example
Show events that contain parts of the comment
response.comments: "malicious"
Show events that match exact comment
response.comments: `killing malicious process`
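The quoting rules (backticks for exact match, double quotes for partial match), the `[start ... end]` timestamp ranges and the and/or/not operators described above are easy to get wrong when queries are generated from an IoC list rather than typed by hand. The following is an added example, not the vendor's code: a small composer that renders clauses in the documented syntax and rejects a malformed MD5/SHA256 value before it reaches the search. The backslash escaping of embedded double quotes and the relative-date unit set s/m/h/d/w/M/y are assumptions; the page only shows s, w and M.

```python
import re
from datetime import date

# Constructed helper, not the vendor's code: renders the token syntax documented
# above (backticks = exact, double quotes = partial, [start ... end], and/or/not).
HASH_LEN = {"file.hash.md5": 32, "file.hash.sha256": 64}

def _check_hash(token, value):
    n = HASH_LEN[token]
    if not re.fullmatch(rf"[0-9a-fA-F]{{{n}}}", value):  # a bad IoC would match nothing
        raise ValueError(f"{token} expects {n} hex characters, got {value!r}")
    return value.lower()

def clause(token, value, match="bare"):
    """Render one `token: value` clause using the page's quoting conventions."""
    if token in HASH_LEN:
        value = _check_hash(token, value)
    if match == "exact":                       # backticks: whole-value match
        if "`" in value:
            raise ValueError("backtick inside an exact-match value")
        value = f"`{value}`"
    elif match == "partial":                   # double quotes: substring match (escape assumed)
        value = '"' + value.replace('"', '\\"') + '"'
    elif match != "bare":
        raise ValueError(f"unknown match mode {match!r}")
    return f"{token}: {value}"

def date_range(token, start, end):
    """[start ... end]; endpoints are dates or now-<n><unit> (unit set is assumed)."""
    def render(v):
        if isinstance(v, date):
            return v.isoformat()
        if not re.fullmatch(r"now(-\d+[smhdwMy])?", v):
            raise ValueError(f"bad relative date {v!r}")
        return v
    return f"{token}: [{render(start)} ... {render(end)}]"

def combine(clauses, op="and"):
    """Join clauses with and/or; prefix a clause with 'not ' to negate it."""
    return f" {op} ".join(clauses)

def response_hunt(sha256, hostname):
    """Successful Kill Process responses for one hash on one host, last two weeks."""
    return combine([
        clause("file.hash.sha256", sha256),
        clause("asset.hostName", hostname, "exact"),
        clause("response.action", "Kill Process"),
        clause("response.status", "success"),
        date_range("response.timestamp", "now-2w", "now-1s"),
    ])
```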