You can use the following search tokens to search for information about events on the Hunting tab. As the examples below show, an unquoted value matches any related event, a "double-quoted" value matches part of a field value, and a `backtick-quoted` value must match the field value exactly.
Example
Show events with the CREATED action
action: CREATED
Example
Show events for a certain agent ID
asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
Example
Show any events related to this host name
asset.hostName: WIN-BU2-4322
Show events whose host name contains this text
asset.hostName: "WIN-BU2-4322"
Show events whose host name matches exactly
asset.hostName: `WIN-BU2-4322`
Example
Show any events related to AMSI type
amsi.type: ps
Example
Show any events related to AMSI file name
amsi.filename: mimicatz
Example
Show any events related to AMSI arguments
amsi.arguments: --verbose
Example
Show any events related to AMSI commandline content
amsi.commandline: base64
Example
Show any events related to AMSI commandline length
amsi.commandline.length: 1024
Example
Show events that include an AMSI-scanned script
event.hasAmsi: true
Example
Show the event with this ID
event.id: N_bf9ecb09-6e3a-3efe-b5aa-847cdf5a95ba
Examples
Show events found within certain dates
event.dateTime: [2017-06-15 ... 2017-06-30]
Show events found starting 2017-06-22, ending 1 month ago
event.dateTime: [2017-06-22 ... now-1M]
Show events found starting 2 weeks ago, ending 1 second ago
event.dateTime: [now-2w ... now-1s]
Show events found on specific date
event.dateTime: '2017-06-14'
Example
Show all EDR events
event.source: EDR
Example
Show all events having this phishing URL
event.phishingURL: "www.amtso.org/check-desktop-phishing-page/"
Example
Show all events of the phishing type FRAUD
event.phishingType: FRAUD
Example
Show all events with the phishing URL action Closed
event.action: CLOSED
Example
Show all events having the threat name No ROOTKIT
event.threatName: No ROOTKIT
Example
Show all events where the action taken on the traffic scan event is ACTION_DELETE
event.fileActionTaken: ACTION_DELETE
Example
Show all events where the final state of the traffic scan event is IGNORED
event.fileState: IGNORED
Example
Show all events having this URL for Network Monitor events
event.networkUrl: "HTTP://:44646/nice/ports"
Example
Show all Network Monitor events with this detection name
event.networkDetectionName: Exploit.PentestingTool.HTTP.3
Example
Show all Network Monitor events where the technique used is lateralMovement
event.networkAttackTechnique: lateralMovement
Example
Show all Anti Exploit events where the technique used is ROP/Emulation
event.antiExploitTechnique: ROP/Emulation
Examples
Show events with file created on 2017-08-12
file.created: '2017-08-12'
Show events with file created between 2017-06-06 and 1 second ago
file.created: [2017-06-06 .. now-1s]
Show events with file created within date range
file.created: [2017-08-23 .. 2017-08-25]
Example
Show events on files created by this user
file.creator: admin
Example
Show events on files with pdf extension
file.extention: pdf
Example
Show events on files at this full path
file.fullPath: 'C:\Windows\System32\LogFiles\myapp_log.txt'
Example
Show events on files with this MD5 hash
file.hash.md5: 50714f6cbb72be3e432d58e543dd2632
Example
Show events on files with this SHA256 hash
file.hash.sha256: 8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6
Example
Show events on this file name
file.name: myapp_log.txt
Example
Show events on files at this path
file.path: "C:\Windows\System32\LogFiles"
Example
Show events for this signed certificate hash
file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542
Example
Show events whose certificate issuer name contains this text
file.properties.certificate.issuer: "Verizon"
Show events whose certificate issuer name matches exactly
file.properties.certificate.issuer: `Verizon Certificate ABZ`
Example
Show events on files that carry a signing certificate
file.properties.certificate.signed: true
Examples
Show events with certificate signed on 2017-08-12
file.properties.certificate.signeddate: '2017-08-12'
Show events with certificate signed between 2017-06-06 and 1 second ago
file.properties.certificate.signeddate: [2017-06-06 .. now-1s]
Show events with certificate signed within date range
file.properties.certificate.signeddate: [2017-08-23 .. 2017-08-25]
Example
Show events whose certificate subject contains this text
file.properties.certificate.subject: "Mycorp Technologies"
Show events whose certificate subject matches exactly
file.properties.certificate.subject: `CN = Mycorp Technologies, Inc O = Mycorp Technologies, Inc L = Menlo Park S = California C = US`
Example
Show events with valid certificate
file.properties.certificate.valid: true
Example
Show events for .exe files
file.type: exe
Example
Show events with this handle name (for example a mutex)
handle.name: "Global\MsWinZonesCacheCounterMutexA0"
Example
Show events for handles owned by this process ID
handle.pid: 1388
Examples
Show events with this indicator score
indicator.score: 8
Show events with confirmed scores (8 or higher)
indicator.score >= 8
Examples
Show events with this threat feed score
indicator.threatfeed: 8
Show events with a threat feed score of 8 or higher
indicator.threatfeed >= 8
Example
Show events with this malware category
malware.category: `File Infector`
Example
Show events with this malware name
malware.family: `CryptoMinerF`
Example
Show events with this tactic ID.
mitre.attack.tactic.id: "TA0002"
Show events with any one or both of the following tactic IDs.
mitre.attack.tactic.id: ["TA0002","TA0003"]
Example
Show events with this tactic name.
mitre.attack.tactic.name: "Execution"
Show events with any one or both of the following tactic names.
mitre.attack.tactic.name: ["Execution","Persistence"]
Example
Show events with this technique ID.
mitre.attack.technique.id: "T1059.001"
Show events with any one or both of the following technique IDs.
mitre.attack.technique.id: ["T1059.001","T1197"]
Example
Show events with this technique name.
mitre.attack.technique.name: "Command and Scripting Interpreter: PowerShell"
Show events with any one or both of the following technique names.
mitre.attack.technique.name: ["Command and Scripting Interpreter: PowerShell","BITS Jobs"]
Example
Show events with this software ID.
mitre.attack.software.id: "S0106"
Show events with any one or both of the following software IDs.
mitre.attack.software.id: ["S0106","S0469"]
Example
Show events with this software name.
mitre.attack.software.name: "certutil"
Show events with any one or both of the following software names.
mitre.attack.software.name: ["certutil","CoinTicker"]
Example
Show events with this group ID.
mitre.attack.group.id: "G0067"
Show events with any one or both of the following group IDs.
mitre.attack.group.id: ["G0067","G0082"]
Example
Show events with this group name.
mitre.attack.group.name: "OilRig"
Show events with any one or both of the following group names.
mitre.attack.group.name: ["OilRig","Lazarus Group"]
Example
Show events with this rule name.
mitre.attack.rule.name: "T1021_001_3"
Show events with any one or both of the following rule names.
mitre.attack.rule.name: ["T1021_001_3","T1071_004_3"]
Example
Show events for the asset with this NetBIOS name
netbiosname: VISTASP2-24-208
Example
Show network events on this local network IP
network.local.address.ip: 10.10.10.54
Example
Show events on this local network port
network.local.address.port: 80
Example
Show events with this network process name
network.process.name: chrome.exe
Example
Show events with this network process ID
network.process.pid: 12345
Example
Show events with this network protocol name
network.protocol: TCP
Example
Show events with this network FQDN
network.remote.address.fqdn: 10567-T51.corp.acme.com
Example
Show events with this network IP address
network.remote.address.ip: 198.252.200.123
Example
Show events with this network remote port
network.remote.address.port: 443
Example
Show events with established network state
network.state: ESTABLISHED
Example
Show events whose parent event has this ID
parent.event.id: RTP_fc0c02da-2982-4426-8140-be55d5f050f7_-5443330379451874079_11384
Example
Show events whose parent process has this name
parent.name: Notepad.exe
Example
Show events with this parent process ID
parent.pid: 1272
Example
Show events with this parent process image path
parent.imagepath: "C:\Temp\abe.exe"
Example
Show events that took place on Windows platform
platform: WINDOWS
Example
Show events on a process whose command-line arguments contain this text (replace arguments with the text to match)
process.arguments: arguments
Example
Show events where the process runs with elevated privileges
process.elevated: true
Example
Show events where the process executable is at this full path
process.fullPath: "C:\windows\system32\svchost.exe"
Example
Show events with image file at this full path
process.image.fullPath: "C:\windows\system32\svchost.exe"
Example
Show events with image file contained in this folder
process.image.path: "C:\windows\system32"
Example
Show any events related to loaded module
process.loadedmodule.name: advapi32
Show any events that contain parts of loaded module name
process.loadedmodule.name: "advapi32"
Show events that match exact name
process.loadedmodule.name: `advapi32`
Example
Show any events that contain parts of loaded module path
process.loadedmodule.path: "C:\Windows\System32"
Show events that match exact value
process.loadedmodule.path: `C:\Windows\System32`
Example
Show any events that contain parts of loaded module full path
process.loadedmodule.fullpath: "C:\Windows\System32\advapi32.dll"
Show events that match exact value
process.loadedmodule.fullpath: `C:\Windows\System32\advapi32.dll`
Example
Show events for loaded module with this MD5 hash
process.loadedmodule.hash.md5: c102a6ff0fe651242be9a4be3e579106
Example
Show events for loaded module with this SHA256 hash
process.loadedmodule.hash.sha256: ef117b762c2c680d181cf4119ff611c9de46fcea6b60775e746541f5dd8f1cd0
Example
Show events with this process image name
process.name: explorer.exe
Example
Show events with this parent process image name
process.parentname: explorer.exe
Example
Show events with this process parent ID
process.parentPid: 676
Example
Show events with this process ID
process.pid: 1655
Examples
Show events with process started on 2017-08-12
process.started: '2017-08-12'
Show events with process started between 2017-06-06 and 1 second ago
process.started: [2017-06-06 .. now-1s]
Show events with process started within date range
process.started: [2017-08-23 .. 2017-08-25]
Examples
Show events with process terminated on 2017-08-12
process.terminated: '2017-08-12'
Show events with process terminated between 2017-06-06 and 1 second ago
process.terminated: [2017-06-06 .. now-1s]
Show events with process terminated within date range
process.terminated: [2017-08-23 .. 2017-08-25]
Example
Show events where the process runs under this user name
process.username: sslong
Example
Show events with this registry key name
registry.key: HKEY_CURRENT_CONFIG
Example
Show events with this registry value
registry.value: "C:\Program Files"
Example
Show events with this registry data
registry.data: "filename.exe"
Example
Show events with this response action
response.action: Kill Process
Example
Show events with this response status
response.status: success
Example
Show response actions initiated by this user (display name)
response.user: John Doe
Example
Show response actions initiated by this user ID
response.userId: jdoe
Examples
Show events with this prior score
response.priorScore: 8
Show events with prior scores greater than or equal to this value
response.priorScore >= 8
Examples
Show events whose status message contains this text
response.statusMessage: "Process"
Show events with this exact status message
response.statusMessage: `Process does not exist`
Example
Show events with this object type
type: FILE
Example
Show file created events on a certain date and asset name
file.created: '2017-08-12' and asset.hostName: `WIN-BU2-1233`
Example
Show events that are not on a certain asset name
not asset.hostName: `WIN-BU2-5555`
Example
Show events on files created by jsmith or kwang
file.creator: jsmith or file.creator: kwang
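The quoting, date and and/or/not rules shown above are easy to get wrong when a query is assembled by hand from a list of indicators. The following is an added example, not the product's own code: a small Python helper (all function names are mine) that emits queries in the syntax this page documents. It assumes the `..` range separator (the page shows both `..` and `...`), takes the relative-date units s, w and M from the page's examples, and, because the page documents neither an escape syntax nor and/or precedence, refuses rather than guesses when a value contains the quote character or an `and` chain would contain an `or`. It also validates hash lengths before they reach the query, since a truncated hash silently matches nothing and the hunt looks clean.

```python
"""Compose Hunting-tab queries from IOC lists and time windows.

Added example; not the product's code. Syntax follows the examples on this
page: unquoted value = any related event, "double quotes" = partial match,
`backticks` = exact match, dates as YYYY-MM-DD or now-<n><unit>, ranges as
[start .. end], bracketed ["a","b"] lists for mitre.attack.* fields, and
clauses joined with and / or / not.
"""
import re
from typing import Iterable, Sequence

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_ABS_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
_REL_DATE = re.compile(r"^now-\d+[smwM]$")  # units taken from the page's examples (assumption: complete set)
HASH_FIELDS = {  # field -> expected hex length
    "file.hash.md5": 32, "file.hash.sha256": 64,
    "process.loadedmodule.hash.md5": 32, "process.loadedmodule.hash.sha256": 64,
}
QUOTES = {"partial": '"', "exact": "`"}


def term(field: str, value: str, mode: str = "any") -> str:
    """One field: value clause. mode is 'any', 'partial' or 'exact'."""
    if field in HASH_FIELDS:
        if len(value) != HASH_FIELDS[field] or not _HEX.match(value):
            raise ValueError(f"{field}: malformed hash {value!r}")
        value = value.lower()  # hashes on this page are shown lowercase
    if mode == "any":
        if re.search(r"\s", value):
            raise ValueError("unquoted values cannot contain whitespace; use 'partial' or 'exact'")
        return f"{field}: {value}"
    quote = QUOTES[mode]
    if quote in value:
        # No escape syntax is documented, so refuse instead of emitting a broken query.
        raise ValueError(f"value contains {quote!r}")
    return f"{field}: {quote}{value}{quote}"


def on_date(field: str, day: str) -> str:
    """field: 'YYYY-MM-DD' for a single day."""
    if not _ABS_DATE.match(day):
        raise ValueError(f"bad date {day!r}")
    return f"{field}: '{day}'"


def date_range(field: str, start: str, end: str) -> str:
    """field: [start .. end]; each end absolute (YYYY-MM-DD) or relative (now-2w)."""
    for d in (start, end):
        if not (_ABS_DATE.match(d) or _REL_DATE.match(d)):
            raise ValueError(f"bad date {d!r}")
    return f"{field}: [{start} .. {end}]"


def list_value(field: str, values: Sequence[str]) -> str:
    """Bracketed list as shown for mitre.attack.* fields: matches any listed value."""
    items = ",".join('"%s"' % v for v in values)
    return f"{field}: [{items}]"


def any_of(clauses: Iterable[str]) -> str:
    return " or ".join(clauses)


def all_of(clauses: Iterable[str]) -> str:
    clauses = list(clauses)
    if any(" or " in c for c in clauses):
        raise ValueError("an 'or' inside an 'and' chain relies on undocumented precedence")
    return " and ".join(clauses)


def negate(clause: str) -> str:
    return f"not {clause}"


def hunt_hashes(sha256s: Iterable[str]) -> str:
    """Sweep file events for any of a list of SHA256 indicators."""
    return any_of(term("file.hash.sha256", h) for h in sha256s)


def host_window(host: str, start: str, end: str) -> str:
    """Everything from one host (exact name) inside a time window."""
    return all_of([term("asset.hostName", host, "exact"),
                   date_range("event.dateTime", start, end)])


if __name__ == "__main__":
    print(hunt_hashes(["8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6"]))
    print(host_window("WIN-BU2-4322", "now-2w", "now-1s"))
    print(negate(term("asset.hostName", "WIN-BU2-5555", "exact")))
    print(list_value("mitre.attack.tactic.id", ["TA0002", "TA0003"]))
```

Paste the printed strings into the Hunting tab search box; `hunt_hashes` produces one `or` chain per run, so split very long indicator lists into batches rather than nesting them inside an `and`.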
Use a text value to find events that matched a YARA rule with this name.
Example
Show events that matched this YARA rule
yara.ruleName: SHA3_constants
Example
Show events with this file title
file.title: myapp
Example
Show files last modified by this author
file.lastmodifiedby: ABC
Example
Show files that are created using Microsoft Office Word
file.creatingapplication: Microsoft Office Word
Examples
Show files that have more than one page.
file.numofpages > 1
Show files that have 20 pages.
file.numofpages: 20
Example
Show files that are not PE (portable executable) files.
file.nonpefile: True
Examples
Show PDF files that have more than one page.
file.pdf.pages > 1
Show PDF files that have 20 pages.
file.pdf.pages: 20
Examples
Show files that have more than one /JS present in the PDF file.
file.pdf.js > 1
Show files that have 20 /JS present in the PDF file.
file.pdf.js: 20
Examples
Show files that have more than one JavaScript block present in the PDF file.
file.pdf.javascript > 1
Show files that have 20 JavaScript blocks present in the PDF file.
file.pdf.javascript: 20
Example
Show PDF files that contain no /ObjStm object streams.
file.pdf.objstm: 0
Example
Show PDF files with no /AA additional actions (actions run automatically when a page is viewed).
file.pdf.aa: 0
Example
Show PDF files with no /OpenAction (actions run automatically when the document is opened).
file.pdf.openaction: 0
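The file.pdf.* tokens above are counters of PDF structures. The following added example (not the product's code; it does not know how the product derives its own numbers) computes the same kind of counts from raw PDF bytes, so that a hunter can see what a query such as `file.pdf.js > 1` is asking about. It counts the PDF name objects the tokens are named after, and decodes `#xx` hex escapes first, since `/J#53` is the same name as `/JS` and a plain substring search misses it. Like any keyword count it does not look inside compressed streams, so a file that hides its objects in FlateDecode'd object streams will under-count, which is why a non-zero `file.pdf.objstm` is itself worth a look. The sample PDF is constructed for this example.

```python
"""Count the PDF structures behind the file.pdf.* search tokens (added example)."""
import re

# A PDF name starts with '/' and runs until whitespace or a delimiter character.
_NAME = re.compile(rb"/([^\s/<>\[\]()\{\}%]+)")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Search token suffix -> decoded PDF name it counts.
KEYWORDS = {
    "pages": b"Page",
    "js": b"JS",
    "javascript": b"JavaScript",
    "objstm": b"ObjStm",
    "aa": b"AA",
    "openaction": b"OpenAction",
}


def _decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes inside a name: b'J#53' -> b'JS'."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def pdf_counts(data: bytes) -> dict:
    """Return {token: count} for the file.pdf.* tokens, computed from raw bytes."""
    counts = dict.fromkeys(KEYWORDS, 0)
    for m in _NAME.finditer(data):
        name = _decode_name(m.group(1))
        for token, keyword in KEYWORDS.items():
            if name == keyword:  # exact name match, so /Pages is not counted as /Page
                counts[token] += 1
    return counts


def suspicious_pdf(counts: dict) -> bool:
    """The condition the hunting queries express: any script or automatic action present."""
    return any(counts[k] > 0 for k in ("js", "javascript", "aa", "openaction"))


# Constructed sample (not a real file): one page, an /OpenAction and a page /AA that
# both point at a JavaScript action whose /JS key is written with a hex escape.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj
4 0 obj << /S /JavaScript /J#53 (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    c = pdf_counts(SAMPLE_PDF)
    print(c, "suspicious" if suspicious_pdf(c) else "clean")
```

Run it against a quarantined sample with `pdf_counts(open(path, "rb").read())`; a document whose `objstm` count is high while every other counter is zero deserves decompression and a second pass before it is called clean.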
response.comments
Use a text value to list events by the comment added when the response action was initiated.
Example
Show events whose comment contains this text
response.comments: "malicious"
Show events that match this exact comment
response.comments: `killing malicious process`