You can use the following criteria to search for events in builder mode:
General information:
Host is the host name.
HostIP is the IP address of the host.
EventType is the type of the event.
UserName is the name of the user.
OsFamily is the family of the operating system.
OsVersion is the version of the operating system being used on the host.
TAA properties:
IOAId is the TAA (IOA) rule ID.
IOATag is the information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert.
IOATechnique is the MITRE technique.
IOATactics is the MITRE tactic.
IOAImportance is the importance level that is assigned to an event generated using this TAA (IOA) rule.
IOAConfidence is the level of confidence depending on the likelihood of false alarms caused by the rule.
File properties:
CreationTime is the event creation time.
FileName is the name of the file.
FilePath is the path to the directory where the file is located.
FileFullName is the full path to the file. Includes the path to the directory and the file name.
ModificationTime is the file modification time.
FileSize is the size of the file.
MD5 is the MD5 hash of the file.
SHA256 is the SHA256 hash of the file.
SimilarDLLPath is the malicious DLL placed in a directory on the standard search path to make the operating system load it before the original DLL.
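Added example (not part of the product documentation): a Python check that models the default Windows DLL search order to decide whether a DLL reported in a file event would be loaded before the genuine copy, which is the condition SimilarDLLPath describes. The search order assumes SafeDllSearchMode is enabled, the events are constructed, and the event keys reuse the field names from this page.

```python
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
WINDOWS = PureWindowsPath(r"C:\Windows")


def search_order(process_image, cwd, path_dirs):
    """Default DLL search order with SafeDllSearchMode on (assumed): the
    directory of the process image, System32, the Windows directory, the
    current directory, then each PATH entry. PureWindowsPath compares
    case-insensitively, so differently cased paths match the same entry."""
    return ([PureWindowsPath(process_image).parent, SYSTEM32, WINDOWS, PureWindowsPath(cwd)]
            + [PureWindowsPath(p) for p in path_dirs])


def shadows_genuine_dll(event, process_image, cwd, path_dirs, genuine_dir=SYSTEM32):
    """True if the DLL in the event's FileFullName sits in a directory the loader
    searches before genuine_dir for a process started from process_image.
    KnownDLLs (kernel32.dll and friends) are always taken from System32 whatever
    the search order, so the check is only meaningful for DLLs outside that list."""
    dll = PureWindowsPath(event["FileFullName"])
    order = search_order(process_image, cwd, path_dirs)

    def first_index(directory):
        return next((i for i, entry in enumerate(order) if entry == directory), None)

    observed, genuine = first_index(dll.parent), first_index(genuine_dir)
    if observed is None or genuine is None or dll.parent == genuine_dir:
        return False
    return observed < genuine


# Constructed file events (not real telemetry).
EVENTS = [
    {"FileName": "version.dll", "FileFullName": r"C:\Program Files\App\version.dll"},
    {"FileName": "version.dll", "FileFullName": r"C:\Users\alice\Downloads\version.dll"},
]

if __name__ == "__main__":
    for e in EVENTS:
        hit = shadows_genuine_dll(e, r"C:\Program Files\App\app.exe",
                                  r"C:\Users\alice\Downloads", [r"C:\Tools"])
        print(e["FileFullName"], "-> shadows System32 copy:", hit)
```

The first event is flagged because the application directory is searched before System32; the second is not, because the current directory comes after it.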
Linux processes:
LogonRemoteHost is the IP address of the host that initiated remote access.
RealUserName is the name of the user assigned when the user was registered in the system.
EffectiveUserName is the user name that was used to log in to the system.
FileOwnerUserName is the name of the file owner.
RealGroupName is the name of the user group.
EffectiveGroupName is the name of the user group that is used for operation.
Environment is system environment variables.
ProcessType is the type of the process.
OperationResult is the result of the operation.
Process started:
PID is the process ID.
ParentFileFullName is the path to the parent process file.
ParentMD5 is the MD5 hash of the parent process file.
ParentSHA256 is the SHA256 hash of the parent process file.
StartupParameters is the options that the process was started with.
ParentPID is the parent process ID.
ParentStartupParameters is the parent process startup settings.
Remote connection:
HTTPMethod is the HTTP request method. For example, Get, Post, or Connect.
ConnectionDirection is the direction of the connection (inbound or outbound).
LocalIP is the IP address of the local computer from which the remote connection attempt was made.
LocalPort is the port of the local computer from which the remote connection attempt was made.
RemoteHostName is the name of the computer that was the target of the remote connection attempt.
RemoteIP is the IP address of the computer that was the target of the remote connection attempt.
RemotePort is the port of the computer that was the target of the remote connection attempt.
URl is the address of the resource to which the HTTP request was made.
TlsVersion is the version of the protocol.
TlsSni is the Server Name Indication, that is, the name of the resource to which the connection is being established.
TlsCertificateMd5 is the MD5 hash of the TLS certificate.
TlsCertificateSha1 is the SHA1 hash of the TLS certificate.
TlsCertificateSubjectNames are the primary and secondary DNS names.
TlsCertificateIssuerName is the name of the organization of the certificate owner.
TlsCertificateSerialNumber is the serial number of the certificate.
TlsCertificateCheckResult is the certificate verification result.
TlsCipherSuite are the cipher suites of the certificate.
TlsCertificateValidFrom is the date from which the certificate is valid (the start of the validity period from which the expiration date is counted).
TlsCertificateValidTo is the date after which the certificate expires.
DNS:
DnsServerIpAddress is the IP address of the DNS server.
DnsQueryDomainName is the domain name from the request.
DnsAnswerData is the response data.
DnsQueryTypeId is the record type ID.
LDAP:
LDAPSearchFilter is the search filter.
LDAPSearchDistinguishedName is the distinguished name.
LDAPSearchAttributeList is a list of search attributes.
LDAPSearchScope is the search scope.
Named pipe:
PipeName is the named pipe.
PipeOperationType is the type of the operation with the named pipe.
WMI:
WmiOperationType is the WMI operation type: WMI activity or WMI event consumer name.
WmiHostName is the name of the machine.
WmiUserName is the user name.
WmiNamespaceName is the namespace.
WmiQuery is the text of the query.
WmiFilterName is the event filter.
WmiConsumerName is the name of the event consumer.
WmiConsumerText is the source code of the event consumer.
Registry modified:
RegistryKey is the registry key.
RegistryValueName is the name of the registry value.
RegistryValue is the data of the registry value.
RegistryOperationType is the type of the operation with the registry.
RegistryPreviousKey is the previous registry key.
RegistryPreviousValue is the previous name of the registry value.
System event log:
WinLogEventID is the type ID of the security event in the Windows log.
LinuxEventType is the type of the event. This criterion is used for Linux and macOS operating systems.
WinLogName is the name of the log.
WinLogEventRecordID is the log entry ID.
WinLogProviderName is the ID of the system that logged the event.
WinLogTargetDomainName is the domain name of the remote computer.
WinLogObjectName is the name of the object that initiated the event.
WinlogPackageName is the name of the package that initiated the event.
WinLogProcessName is the name of the process that initiated the event.
Detect and processing result:
DetectName is the name of the detected object.
RecordID is the ID of the triggered rule.
ProcessingMode is the scanning mode.
ObjectName is the name of the object.
ObjectType is the type of the object.
ThreatStatus is the detection mode.
UntreatedReason is the event processing status.
ObjectContent (for AMSI events too) is the content of the script sent for scanning.
ObjectContentType (for AMSI events too) is the type of script content.
Console interactive input:
InteractiveInputText is the text entered on the command line.
InteractiveInputType is the input type (console or pipe).
File modified:
FileOperationType is the type of the file operation.
FilePreviousPath is the path to the directory where the file was previously located.
FilePreviousName is the previous name of the file.
FilePreviousFullName is the full name of the file including the path to the directory where the file was previously located and/or the previous file name.
DroppedFileType is the type of the modified file.
Code injection and process access:
AccessMethod is the access method.
InjectAddress is the address space of the recipient process.
InjectedDllName is the name of the injected DLL.
ModifiedStartupParameters are the modified startup parameters.
InjectedDllPath is the path to the injected DLL.
CallTrace is the call trace.
TargetStartupParameters is the command that was used to start the recipient process.
Process access:
AccessOperationType is the operation type: Process access is open or Duplicate handle.
ProccessAccessRights are the requested process access rights.
HandleSourceStartupParameters is the command that starts the source handle.
HandletargetStartupParameters is the command to start the target handle.
Other:
File type is the type of the file.
TlsJa3Md5 contains decimal byte values for the following fields in the client hello packet: TLS version, cipher suite, list of TLS protocol extensions, elliptic curves, and elliptic curve formats.
TlsJa3sMd5 contains decimal byte values for the following fields in the server hello packet: TLS version, cipher suite, and list of TLS protocol extensions.
DotNetAssemblyName is the name of the .NET assembly.
DotNetAssemblyFlags contains .NET assembly flags.
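Added example (not code from the product): how the TlsJa3Md5 and TlsJa3sMd5 values are composed, following the public JA3 method: the decimal field values are dash-joined within each list, the lists are comma-joined in the order given above, GREASE values are dropped, and the MD5 of the resulting string is the fingerprint. The ClientHello and ServerHello values below are constructed, not captured.

```python
import hashlib

# GREASE values (RFC 8701) are random filler sent by clients and are
# removed before hashing, as the JA3 reference implementation does.
GREASE = {v for v in range(0x0A0A, 0x10000, 0x1010)}


def _join(values):
    """Dash-join decimal values, skipping GREASE entries."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, ec_formats):
    """Client side: TLS version, cipher suites, extensions, elliptic curves,
    elliptic curve point formats."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(ec_formats)])


def ja3s_string(version, cipher, extensions):
    """Server side: TLS version, the single chosen cipher suite, extensions."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def md5_hex(s):
    """The fingerprint stored in TlsJa3Md5 / TlsJa3sMd5 is the MD5 of the string."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed ClientHello values: legacy version 771 (0x0303, TLS 1.2) with one
# GREASE entry in each list, as modern browsers send.
CLIENT = dict(version=771,
              ciphers=[0x2A2A, 4865, 4866, 4867, 49195, 49199],
              extensions=[0x0A0A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43, 21],
              curves=[0x1A1A, 29, 23, 24],
              ec_formats=[0])
# Constructed ServerHello values: TLS_AES_128_GCM_SHA256 (4865) chosen.
SERVER = dict(version=771, cipher=4865, extensions=[43, 51])

if __name__ == "__main__":
    s = ja3_string(**CLIENT)
    print("JA3 :", s, md5_hex(s))
    t = ja3s_string(**SERVER)
    print("JA3S:", t, md5_hex(t))
```

Because the hash covers only the field values and not their byte encoding, two clients with the same handshake configuration produce the same TlsJa3Md5 regardless of host, which is what makes the field useful as a search criterion.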
To view the list of event search fields in source code mode, you can download this file.