Searching for Events
Click to view navigation pane


Home

Searching for Events

Use the search tokens below to search for runtime events. Looking for help with writing your query? click here

customerUuid

Use a text value ##### to define a customer UUID of interest.

Example

Show events for this customer UUID

customerUuid: 6e0afd12-479c-db0d-822a-793a56bfe353

containerSha

Use a text value ##### to define a container SHA of interest.

Example

Show events for this container SHA

containerSha: 368ab5ebbccb9d17d45cf62f6fa289edade4af81ef5a94e04a4406a1904175d

eventType

Use a text value ##### to find events by the event type (STANDARD, BEHAVIOR).

Example

Show events with STANDARD type

eventType: STANDARD

uuid

Use a text value ##### to define a UUID of interest.

Example

Show events with this UUID

uuid: 70b0dd00-cde7-11ea-8000-a130bd09cb71

dateCreated

Use a date range or specific date to define when events were created.

Examples

Show events created within date range

dateCreated: [2020-06-15 ... 2020-06-30]

Show events created starting 2020-08-01, ending 1 month ago

dateCreated: [2020-08-01 ... now-1M]

Show events created starting 2 weeks ago, ending 1 second ago

dateCreated: [now-2w ... now-1s]

Show events created on specific date

dateCreated:'2020-08-15'

action

Use a text value ##### to find events by the action (ALLOW, DENY, MONITOR).

Example

Show events with ALLOW action

action: ALLOW

bindAddress

Use a text value ##### to find events with a certain bind IP address.

Example

Show events with this bind IP address

bindAddress: 10.44.92.127

bindPort

Use an integer value ##### to find events with a certain bind port.

Example

Show events with this bind port

bindPort: 8080

fileName

Use a text value ##### to find events for a particular file name.

Example

Show events for this file name

fileName: /etc/passwd

openMode

Use an integer value ##### to find events with a certain open mode value.

Example

Show events with this open mode

openMode: 577

processId

Use an integer value ##### to find events by the process ID.

Example

Show events with this process ID

processId: 42

processName

Use a text value ##### to find events by the process name.

Example

Show events with this process name

processName: /usr/bin/cat

seen

Use an integer value ##### to find events by the seen value.

Example

Show events with this seen value

seen: 1

system

Use a text value ##### to find events by the system.

Example

Show events for this system

system: amd64

systemCall

Use an integer value ##### to find events by the system call numeric value.

Example

Show events with this system call

systemCall: 2

systemCallName

Use an integer value ##### to find events by the system call name.

Example

Show events with this system call

systemCallName: sys_open

and

Use a boolean query to express your query using AND logic.

Example

Show events with type Standard and with action Allow

eventType: STANDARD and action: ALLOW

not

Use a boolean query to express your query using NOT logic.

Example

Show events that don't have Deny action

not action: DENY

or

Use a boolean query to express your query using OR logic.

Example

Show events with one of these actions

action: ALLOW or action: MONITOR