Article Id 195274

Description

What search query parameters are available within ZoneFox?


Solution

The table below lists all of the possible search query parameters available within ZoneFox.  In cases where only specific values are valid, the values which can be entered are detailed.

 

Each parameter is listed with its description, the valid values or examples, and any notes.

Activity
Description: This attribute of an Event defines the category of activity that has taken place.
Valid values (Windows, Mac, and Linux Agent):
- file deleted
- file read
- file created
- file written
- file renamed
- file moved
- file uploaded
- file downloaded
- new process created
- process stopped
- machine on
- machine off
- user logged on
- user logged off
- new drive mounted
- drive unmounted
Valid values (the SQL Server Agent has its own Activity values):
- database record selected
- database record updated
- database record inserted
- database record deleted
- database object created
- database object altered
- database object dropped
- database sp executed
- database logged in
- database failed login
- database logged off
- database stopped
- database started
- database variable set

Application
Description: The application / process name of the process involved in the event.
Examples:
- winword.exe
- notepad.exe
- conhost.exe

City
Description: For file uploaded or downloaded events where the city can be identified from the IP address of the destination / source host respectively, this attribute shall be populated.
Example: London
Notes: This attribute can currently be searched on or included in Policy criteria, but it is not displayed in the user interface.

Code
Description: For file uploaded or downloaded events this attribute shall be populated with the country code of the location of the destination / source host respectively.
Examples: US, CA, GB, etc.

Country
Description: For file uploaded or downloaded events this attribute shall be populated with the country name of the location of the destination / source host respectively.
Examples:
- United States
- China
- Canada
Notes: "Internal Network" shall be used in the Country attribute for a source or destination host with a local IP address.

DestinationIP
Description: For file uploaded or downloaded events this attribute shall be populated with the IP address of the destination host.

DestinationPort
Description: For file uploaded or downloaded events this attribute shall be populated with the port used in the transfer on the destination host.

Endpoint
Description: The machine where the event took place. This will be in the form of a ZoneFox agent ID, but will also be displayed in results as the resolved hostname for that machine.

Extension
Description: For events involving file activities, the file extension of the file involved in the event.
Examples:
- .exe
- .docx

File
Description: For events involving file activities, the file name of the file involved in the event.

Folder
Description: For events involving file activities, each folder in the path to the file location shall be available for search via the Folder attribute.

GroupName
Description: Used to refer to Active Directory groups which have been synced to ZoneFox if AD LDAP connectivity has been configured.

Hostname
Description: For file uploaded or downloaded events this attribute shall be populated with the hostname of the destination host.

Resource
Description: For file based events the Resource attribute is made up of a storage identifier followed by the full path and name of the file involved. For SQL Server based events the Resource attribute is made up of elements provided from the corresponding SQL Server Extended Event.
File based events: the storage identifiers are as follows:
- Local storage is signified by the drive letter followed by a colon, e.g. c:
- rm: - removable media
- mtp:
- ptp:
- cd:
- nfs: - network based storage
Example: nfs:\\device\mup\fs01\depts\hr\doc1.docx

SAMAccountName
Description: Used to refer to Active Directory users if AD LDAP connectivity has been configured.

SourceIP
Description: For file uploaded or downloaded events this attribute shall be populated with the IP address of the source host.

SourcePort
Description: For file uploaded or downloaded events this attribute shall be populated with the port used in the transfer on the source host.

User
Description: The user ID of the user account under which the activity executed.
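The Resource, Folder, File and Extension attributes described above are all derived from the same file path, so it is useful to see how one Resource value breaks down into the individual searchable attributes. The following is an added example written for this article, not ZoneFox code or a ZoneFox API: it takes a file-based Resource string (storage identifier followed by the full Windows-style path), recognises the storage identifiers listed above, and returns the folder list, file name and extension. The `storage_kind` labels ("local", "removable", "network") and the lowercasing of the identifier and extension are this example's own assumptions; SQL Server based Resource values are out of scope and are rejected.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Storage identifiers from the article: a drive letter plus colon for local
# storage, and fixed prefixes for the other media types.
PREFIXED_STORAGE = {"rm", "mtp", "ptp", "cd", "nfs"}
DRIVE_LETTER = re.compile(r"^[a-z]:$")

# Assumed mapping from identifier to a friendlier kind label (not from the article).
KIND_LABEL = {"rm": "removable", "nfs": "network"}


@dataclass
class ParsedResource:
    storage: str              # storage identifier as written, e.g. "c:" or "nfs:"
    storage_kind: str         # "local", "removable", "network", or the prefix itself
    folders: List[str]        # each folder on the path, in order (the Folder attribute)
    file: str                 # file name including extension (the File attribute)
    extension: Optional[str]  # ".docx" etc., or None when the name has no extension


def parse_resource(resource: str) -> ParsedResource:
    """Split a file-based Resource value into the attributes ZoneFox exposes for search."""
    # The identifier is everything up to and including the first colon.
    head, sep, rest = resource.partition(":")
    if not sep:
        raise ValueError(f"no storage identifier in {resource!r}")
    ident = head.lower()
    storage = ident + ":"
    if DRIVE_LETTER.match(storage):
        kind = "local"
    elif ident in PREFIXED_STORAGE:
        kind = KIND_LABEL.get(ident, ident)
    else:
        raise ValueError(f"unknown storage identifier {storage!r}")

    # Paths are Windows style; split on backslashes and drop the empty parts
    # produced by a leading "\\" UNC prefix.
    parts = [p for p in rest.split("\\") if p]
    if not parts:
        raise ValueError(f"no file name in {resource!r}")
    *folders, file = parts

    # Extension: text from the last dot onwards, ignoring dot-files like ".profile".
    extension = None
    dot = file.rfind(".")
    if dot > 0:
        extension = file[dot:].lower()
    return ParsedResource(storage, kind, folders, file, extension)


if __name__ == "__main__":
    # Constructed sample values; the first is the example from the article.
    for sample in (r"nfs:\\device\mup\fs01\depts\hr\doc1.docx",
                   r"C:\Users\alice\report.exe",
                   r"rm:\photos\IMG_0001"):
        print(parse_resource(sample))
```

A search on Folder matches any single element of `folders`, so a practitioner checking why a policy did or did not fire can compare the derived list against the folder value used in the policy criteria.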
