You can use Asset search tokens to search for information in the Assets tab.
Example
Show events for a certain agent ID
asset.agentId: f0c8e682-e9cc-4e7d-b92a-0c905d81ec74
Examples
Show any events related to this name
asset.hostName: WIN-BU2-4322
Show any events whose name contains this text (partial match)
asset.hostName: "WIN-BU2-4322"
Show events that match this exact name
asset.hostName: `WIN-BU2-4322`
Example
Show events with this malware category
asset.malware.category: `File Infector`
Example
Show events with this malware name
asset.malware.family: `cryptominerf`
Examples
Show any events related to platform WINDOWS
asset.platform: `WINDOWS`
Show any events related to platform WINDOWS or LINUX
asset.platform: ["WINDOWS", "LINUX"]
Examples
Show events with this score
asset.score: 8
Show events with a score of 8 or higher
asset.score >= 8
Example
Show all EDR events
event.source: EDR
Example
Show events on files at this full path
file.fullPath: 'C:\Windows\System32\LogFiles\myapp_log.txt'
Example
Show events on files with this MD5 hash
file.hash.md5: 50714f6cbb72be3e432d58e543dd2632
Example
Show events on files with this SHA256 hash
file.hash.sha256: 8131747b7e364c254160fc5232086ba2f59226c64f4649ffaadcaa7d18b8c3e6
Example
Show events on this file name
file.name: myapp_log.txt
Example
Show events on files at this path
file.path: "C:\Windows\System32\LogFiles\"
Example
Show events for files signed with this certificate hash
file.properties.certificate.hash: 77ca91919c4321f081566603adb3a676767c542
Example
Show the list of assets that have anti-malware installed and carry the asset tag Cloud Agent
isAntiMalwareInstalled: true and tags.name: "Cloud Agent"
Example
Show events that took place on Windows platform
platform: WINDOWS
Example
Show events whose process image is at this full path
process.image.fullPath: "C:\windows\system32\svchost.exe"
Example
Show events with this process image name
process.name: explorer.exe
Example
Show events whose process executable is at this full path
process.fullPath: "C:\windows\system32\svchost.exe"
Example
Show events with this response action
response.action: Kill Process
Example
Show events with this response status
response.status: success
Example
Show response actions taken by this user
response.user: John Doe
Example
Show response actions taken by this user ID
response.userId: jdoe
Examples
Show events with this prior score
response.priorScore: 8
Show events with a prior score greater than or equal to this value
response.priorScore >= 8
Examples
Show events whose status message contains this text (partial match)
response.statusMessage: "Process"
Show events with this exact status message
response.statusMessage: `Process does not exist`
Example
Show events for this file name where the response action succeeded
file.name: MWP_MALICIOUSJ.exe and response.status: success
Example
Show events that are not on a certain asset name
not asset.hostName: `WIN-BU2-5555`
Example
Show events on files created by jsmith or kwang
file.creator: jsmith or file.creator: kwang
response.comments
Use a string value to list events by the comments added while initiating the response action.
Example
Show events whose comment contains this text (partial match)
response.comments: "malicious"
Show events that match this exact comment
response.comments: `killing malicious process`