Threat Response - Indexed Search Fields

The following fields are indexed by Threat Response and available in global search:

  • Alert IDs

  • Incident IDs

  • Alerts:
    • Summary
    • Description
    • Threat name
    • Alert type
    • “Target” (host or email address)
    • “Attacker” (host or email address)
    • Alert source name
    • Received date (e.g. “Mon, Apr 17 2017 08:47”)
    • Threat filename
    • Threat file size
    • Threat hash (MD5, SHA-1, SHA-256)
    • Email:
      • Subject
      • Message ID
      • Sender
      • Recipient
    • Custom field values (alert-level only, not incident-level; only the values are indexed, not the field names)
    • Detector:
      • Product
      • Vendor
      • Event Category
      • Action
      • Host (IP and/or hostname)

  • Campaigns:
    • Actor
    • Actor ID
    • Campaign Name
    • Campaign ID
    • Exploit kit name
    • Exploit kit ID
    • Malware family name
    • Malware family ID

  • Hosts (IP, hostname, URL):
    • Value (string)
    • Linked computer names (from NetBIOS)
    • MAC address (from NetBIOS or PC Data collection)

  • Incidents:
    • Summary
    • Description
    • Classification
    • Comments
    • Attachment filenames (for files manually uploaded by a Threat Response (PTR) analyst)

  • Threats:
    • Type
    • Name

  • Users (alert targets, not PTR analysts):
    • Username
    • Display name