Get All Events in Your Account

Provides a list of all events in your account.

GET /csapi/v1.3/runtime/events

Input Parameters

| Parameter | Mandatory/Optional | Data Type | Description |
|---|---|---|---|
| eventType | Mandatory | string | Specify the type of logs you want to return. Possible values are: STANDARD, BEHAVIOR. |
| startTime | Optional | string | Specify a starting date/time to get events created after this date. Specify the date in the format YYYY-MM-DDThh:mm:ss. |
| endTime | Optional | string | Specify an ending date/time to get events created before this date. Specify the date in the format YYYY-MM-DDThh:mm:ss. |
| filter | Optional | string | Specify a string value for a search query to filter the list of events returned in the output. In the search query you can include any value that appears in the response body like action, system, systemCall, containerSha, uuid, etc. For example, filter events with a string like this: filter=action:ALLOW AND containerSha:dc58cab81c9a1edb8cd39d34a8a61942c56dc1d4ad27668684be4169d4f0cec5 |
| pageNumber | Optional | integer | The page to be returned. Page numbers start with 1. |
| pageSize | Optional | integer | The number of records per page to be included in the response. When not specified you’ll get 10 events. |

There are several options for filtering the events returned in the output. For example, you can only get events created after a certain date, before a certain date or within a date range. You can also filter the list to get events for a particular container or with a certain action type. See all options below.

Sample for returning all events with Standard type

You’ll get up to 10 events in the output by default.

API request

    curl --location --request GET "<qualys_base_url>/csapi/v1.3/runtime/events?eventType=STANDARD" \
         --header "Authorization: Bearer <token>"
    

Response

    [
    {
        "customerUuid": "6e0afd12-479c-db0d-822a-793a56bfe353",
        "containerSha": "3368ab5ebbccb9d17d45cf62f6fa289edade4af81ef5a94e04a4406a1904175d",
        "eventType": "STANDARD",
        "uuid": "70b0dd00-cde7-11ea-8000-a130bd09cb71",
        "created": 1595620450000,
        "action": "DENY",
        "bindAddress": null,
        "bindPort": 0,
        "fileName": "/etc/passwd",
        "openMode": 0,
        "processId": 42,
        "processName": "/usr/bin/cat",
        "seen": 1,
        "system": "amd64",
        "systemCall": 2,
        "systemCallName": "sys_open"
    },
    {
        "customerUuid": "6e0afd12-479c-db0d-822a-793a56bfe353",
        "containerSha": "3368ab5ebbccb9d17d45cf62f6fa289edade4af81ef5a94e04a4406a1904175d",
        "eventType": "STANDARD",
        "uuid": "70b0dd00-cde7-11ea-8000-51fe233a28cb",
        "created": 1595620450000,
        "action": "DENY",
        "bindAddress": null,
        "bindPort": 0,
        "fileName": "/etc/passwd",
        "openMode": 0,
        "processId": 43,
        "processName": "/usr/bin/cat",
        "seen": 1,
        "system": "amd64",
        "systemCall": 2,
        "systemCallName": "sys_open"
    },
    ...
    ]
    

More Samples

Try these additional samples in your account.

Sample with Page Number and Page Size specified

In this sample, we’ve specified the number of events to show in the output.

API request

    curl --location --request GET "<qualys_base_url>/csapi/v1.3/runtime/events?eventType=STANDARD&pageNumber=1&pageSize=5" \
         --header "Authorization: Bearer <token>"
    

Sample to get events with certain action

In this sample the filter parameter is used to get events with the ALLOW action. Be sure to specify the action value in all caps (ALLOW, DENY, MONITOR).

API request

    curl --location --request GET "<qualys_base_url>/csapi/v1.3/runtime/events?eventType=BEHAVIOR&filter=action:ALLOW" \
         --header "Authorization: Bearer <token>"
    

Sample to get events created within a particular date range

In this sample we’ll get events created between June 30, 2020 and July 1, 2020.

API request

    curl --location --request GET "<qualys_base_url>/csapi/v1.3/runtime/events?eventType=BEHAVIOR&startTime=2020-06-30T08:30:29&endTime=2020-07-01T08:30:29" \
         --header "Authorization: Bearer <token>"
    

Samples using filter string as input

In this sample we’ll only get events for the specified container.

API request

    curl --location --request GET \
         "<qualys_base_url>/csapi/v1.3/runtime/events?eventType=BEHAVIOR&filter=containerSha:dc58cab81c9a1edb8cd39d34a8a61942c56dc1d4ad27668684be4169d4f0cec5" \
         --header "Authorization: Bearer <token>"
    

Sample to only get events with the ALLOW action for the specified container

API request

    # The spaces around AND are URL-encoded as %20 so curl accepts the URL.
    curl --location --request GET \
         "<qualys_base_url>/csapi/v1.3/runtime/events?eventType=BEHAVIOR&filter=action:ALLOW%20AND%20containerSha:dc58cab81c9a1edb8cd39d34a8a61942c56dc1d4ad27668684be4169d4f0cec5" \
         --header "Authorization: Bearer <token>"
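
The following Python example is added here and is not Qualys code. It builds the request URL with the filter string encoded, walks every page of results, and counts DENY events per container, process and file. The end-of-results rule (a page shorter than pageSize), the `fake_fetch` helper and the `SAMPLE` records are assumptions made for the example.

```python
from collections import Counter
from urllib.parse import quote, urlencode

EVENT_TYPES = {"STANDARD", "BEHAVIOR"}  # eventType values listed on this page
ACTIONS = {"ALLOW", "DENY", "MONITOR"}  # action values, upper case only

def build_events_url(base_url, event_type, start=None, end=None,
                     filters=None, page_number=1, page_size=10):
    """Build the events URL; start/end are datetimes, filter spaces become %20."""
    if event_type not in EVENT_TYPES:
        raise ValueError("eventType must be STANDARD or BEHAVIOR")
    if page_number < 1:
        raise ValueError("pageNumber starts at 1")
    params = {"eventType": event_type}
    for name, moment in (("startTime", start), ("endTime", end)):
        if moment is not None:
            params[name] = moment.strftime("%Y-%m-%dT%H:%M:%S")
    if filters:
        if filters.get("action", "ALLOW") not in ACTIONS:
            raise ValueError("action must be ALLOW, DENY or MONITOR in caps")
        params["filter"] = " AND ".join(f"{k}:{v}" for k, v in filters.items())
    params.update(pageNumber=page_number, pageSize=page_size)
    return (f"{base_url}/csapi/v1.3/runtime/events?"
            + urlencode(params, safe=":", quote_via=quote))

def iter_events(fetch_page, page_size=10):
    """Yield all events; assumes a page shorter than page_size is the last."""
    page = 1
    while True:
        batch = fetch_page(page, page_size)  # expected to return a list of dicts
        yield from batch
        if len(batch) < page_size:
            return
        page += 1

def summarize_denies(events):
    """Count DENY events per (containerSha, processName, fileName)."""
    totals = Counter()
    for e in events:
        if e.get("action") == "DENY":
            totals[(e["containerSha"], e["processName"], e["fileName"])] += 1
    return totals

# Constructed sample records shaped like the response above (not real output).
SAMPLE = [{"containerSha": "sha-a" if i % 2 else "sha-b", "processName": "/usr/bin/cat",
           "fileName": "/etc/passwd", "action": "DENY" if i < 8 else "ALLOW"} for i in range(12)]

def fake_fetch(page_number, page_size):  # offline stand-in for the HTTP call
    return SAMPLE[(page_number - 1) * page_size:page_number * page_size]
```

To run it against a real account, replace `fake_fetch` with a function that requests `build_events_url(...)` with the `Authorization: Bearer <token>` header and returns the decoded JSON array.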
    

 

 
