Searching for Events
This topic covers Qualys Query Language (QQL) tokens associated with the Qualys Container Runtime Sensor which are used for event search on Qualys Cloud Platform. To know more about types of Searches, refer to How to Search in Container Security.
To know about QQLs associated with Container Runtime Sensor, refer to
Searching for File Events
Use the search tokens below to search for File events.
action
Enter the action for your file event (Read, Update, Open, Delete, Rename).
Example
Show the file events having action as 'Update'.
action: Update
status
Enter the status of your file event (SUCCESS, UNKNOWN, FAILURE).
Example
Show the file events having status as 'SUCCESS'.
status: SUCCESS
file.source
Enter the source of your file.
Example
Show the file events based on the given file source.
file.source: /etc/group
file.target
Enter the target of your file.
Example
Show file events based on the specified file target - /etc/group
file.target: /etc/group
actor.process.name
Enter the acting process name.
Example
Show the file events based on the specified acting process name.
actor.process.name: /usr/bin/cat
actor.process.container.name
Enter the acting process container name.
Example
Show the file events based on the specified acting process container name.
actor.process.container.name: ubuntu-container
actor.process.container.uid
Enter the UID of the acting process container.
Example
Show the file events based on the specified acting process container UID.
actor.process.container.uid: 2971480b85e82b888f3327303e4a7c48ae350e16ed71d3fe728543e6187c69ec
actor.process.parent_process.container.uid
Enter the UID of the parent process container.
Example
Show the file events based on the specified parent process container UID.
actor.process.parent_process.container.uid: 2971480b85e82b888f3327303e4a7c48ae350e16ed71d3fe728543e6187c69ec
actor.process.xattributes.exec_id
Enter the execution ID from the acting process xattributes.
Example
Show the file events based on the specified acting process xattributes execution ID.
actor.process.xattributes.exec_id: aXAtMTAtODItMTEtMjIzOjEwNjMxMzU1OTQ4Mjk3OjExNzM5MA==
actor.process.parent_process.name
Enter the parent process name.
Example
Show file events based on the specified parent process name.
actor.process.parent_process.name: /usr/bin/cat
actor.process.parent_process.container.name
Enter the container name of the parent process.
Example
Show file events based on the specified parent process container name.
actor.process.parent_process.container.name: ubuntu-container
cloud.provider
Enter the cloud provider name (AWS, AZURE, GCP, OCI, SELF_MANAGED_K8S).
Example
Show file events based on the specified cloud provider - AWS.
cloud.provider: AWS
namespaceName
Enter the name of the namespace.
Example
Show file events based on the specified namespace name.
namespaceName: container20
nodename
Enter the name of the node.
Example
Show file events based on the specified node name.
nodename: gcp2
clusterName
Enter the cluster name.
Example
Show file events based on the specified cluster name - GCP-2.
clusterName: GCP-2
Searching for Process Events
Use the search tokens below to search for Process events.
action
Enter the action for your process event (LAUNCH, TERMINATE).
Example
Find the process events having action as 'LAUNCH'.
action: LAUNCH
status
Enter the status of your process event (SUCCESS, UNKNOWN, FAILURE).
Example
Find the process events having status as 'SUCCESS'.
status: SUCCESS
actor.process.name
Enter the acting process name.
Example
Show the process events based on the specified acting process name.
actor.process.name: /usr/bin/cat
actor.process.container.name
Enter the acting process container name.
Example
Show the process events based on the specified acting process container name.
actor.process.container.name: ubuntu-container
actor.process.container.uid
Enter the UID of the acting process container.
Example
Show the process events based on the specified acting process container UID.
actor.process.container.uid: 2971480b85e82b888f3327303e4a7c48ae350e16ed71d3fe728543e6187c69ec
process.container.uid
Enter the UID of the process container.
Example
Show the process events based on the specified process container UID.
process.container.uid: 2971480b85e82b888f3327303e4a7c48ae350e16ed71d3fe728543e6187c69ec
process.container.name
Enter the container name of the process.
Example
Show the process events based on the specified acting process container name.
process.container.name: ubuntu-container
process.name
Enter the process name.
Example
Show the process events based on the specified process name.
process.name: /usr/bin/cat
process.xattributes.exec_id
Enter the execution ID from the process xattributes.
Example
Show the process events based on the specified process xattributes execution ID.
process.xattributes.exec_id: aXAtMTAtODItMTEtMjIzOjEwNjMxMzU1OTQ4Mjk3OjExNzM5MA==
cloud.provider
Enter the cloud provider name (AWS, AZURE, GCP, OCI, SELF_MANAGED_K8S).
Example
Show the process events based on the specified cloud provider - AWS.
cloud.provider: AWS
namespaceName
Enter the name of the namespace.
Example
Show the process events based on the namespace name.
namespaceName: default
nodename
Enter the name of the node.
Example
Show the process events based on the node name.
nodename: ip-10-**-10-2**
clusterName
Enter the cluster name.
Example
Show the process events based on the specified cluster name.
clusterName: ip-10-**-9-**02