Provides a list of all events in your account.
Parameter | Mandatory/Optional | Data Type | Description |
---|---|---|---|
eventType | Mandatory | string | Specify the type of logs you want to return. Possible values are: STANDARD, BEHAVIOR. |
startTime | Optional | string | Specify a starting date/time to get events created after this date. Specify the date in the format ['YYYY'-'MM'-'DD'T'hh':'mm':'ss']. |
endTime | Optional | string | Specify an ending date/time to get events created before this date. Specify the date in the format ['YYYY'-'MM'-'DD'T'hh':'mm':'ss']. |
filter | Optional | string | Specify a string value for a search query to filter the list of events returned in the output. In the search query you can include any value that appears in the response body like action, system, systemCall, containerSha, uuid, etc. For example, filter events with a string like this: filter=action:ALLOW AND containerSha:dc58cab81c9a1edb8cd39d34a8a61942c56dc1d4ad27668684be4169d4f0cec5 |
pageNumber | Optional | integer | The page to be returned. Page numbers start with 1. |
pageSize | Optional | integer | The number of records per page to be included in the response. When not specified you’ll get 10 events. |
There are several options for filtering the events returned in the output. For example, you can get only the events created after a certain date, before a certain date, or within a date range. You can also filter the list to get events for a particular container or with a certain action type. See all options below.
You’ll get up to 10 events in the output by default.
API request
curl --location --request GET "<qualys_base_url>/csapi/v1.3/runtime/events?eventType=STANDARD" \
  --header "Authorization: Bearer <token>"
Response
[
  {
    "customerUuid": "6e0afd12-479c-db0d-822a-793a56bfe353",
    "containerSha": "3368ab5ebbccb9d17d45cf62f6fa289edade4af81ef5a94e04a4406a1904175d",
    "eventType": "STANDARD",
    "uuid": "70b0dd00-cde7-11ea-8000-a130bd09cb71",
    "created": 1595620450000,
    "action": "DENY",
    "bindAddress": null,
    "bindPort": 0,
    "fileName": "/etc/passwd",
    "openMode": 0,
    "processId": 42,
    "processName": "/usr/bin/cat",
    "seen": 1,
    "system": "amd64",
    "systemCall": 2,
    "systemCallName": "sys_open"
  },
  {
    "customerUuid": "6e0afd12-479c-db0d-822a-793a56bfe353",
    "containerSha": "3368ab5ebbccb9d17d45cf62f6fa289edade4af81ef5a94e04a4406a1904175d",
    "eventType": "STANDARD",
    "uuid": "70b0dd00-cde7-11ea-8000-51fe233a28cb",
    "created": 1595620450000,
    "action": "DENY",
    "bindAddress": null,
    "bindPort": 0,
    "fileName": "/etc/passwd",
    "openMode": 0,
    "processId": 43,
    "processName": "/usr/bin/cat",
    "seen": 1,
    "system": "amd64",
    "systemCall": 2,
    "systemCallName": "sys_open"
  },
  ...
]
Try these additional samples in your account.
In this sample, we’ve specified the number of events to show in the output.
API request
curl --location --request GET "<qualys_base_url>/csapi/v1.3/runtime/events?eventType=STANDARD&pageNumber=1&pageSize=5" \
  --header "Authorization: Bearer <token>"
In this sample the filter parameter is used to get events with the ALLOW action. Be sure to specify the action value in all caps (ALLOW, DENY, MONITOR).
API request
curl --location --request GET "<qualys_base_url>/csapi/v1.3/runtime/events?eventType=BEHAVIOR&filter=action:ALLOW" \
  --header "Authorization: Bearer <token>"
In this sample we’ll get events created between June 30, 2020 and July 1, 2020.
API request
curl --location --request GET "<qualys_base_url>/csapi/v1.3/runtime/events?eventType=BEHAVIOR&startTime=2020-06-30T08:30:29&endTime=2020-07-01T08:30:29" \
  --header "Authorization: Bearer <token>"
In this sample we’ll only get events for the specified container.
API request
curl --location --request GET \
  "<qualys_base_url>/csapi/v1.3/runtime/events?eventType=BEHAVIOR&filter=containerSha:dc58cab81c9a1edb8cd39d34a8a61942c56dc1d4ad27668684be4169d4f0cec5" \
  --header "Authorization: Bearer <token>"
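In this sample the filter combines both conditions to get events with the ALLOW action for the specified container. The spaces around AND are URL-encoded as %20.
API request
curl --location --request GET \
  "<qualys_base_url>/csapi/v1.3/runtime/events?eventType=BEHAVIOR&filter=action:ALLOW%20AND%20containerSha:dc58cab81c9a1edb8cd39d34a8a61942c56dc1d4ad27668684be4169d4f0cec5" \
  --header "Authorization: Bearer <token>"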
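The samples above, combined into a client for pulling events for triage. This is an added example, not part of the Qualys documentation: it builds the request URL with the filter percent-encoded, walks the pages, and groups events by action, process and file. The function names are illustrative, and it assumes that a page shorter than pageSize is the last one and that `created` is epoch milliseconds, as the sample value suggests.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timezone

ACTIONS = {"ALLOW", "DENY", "MONITOR"}  # action values listed on this page
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"         # e.g. 2020-06-30T08:30:29

def build_url(base_url, event_type, terms=None, start=None, end=None, page=1, size=10):
    """Build a runtime/events URL; spaces in the filter become %20."""
    params = {"eventType": event_type, "pageNumber": page, "pageSize": size}
    for name, value in (("startTime", start), ("endTime", end)):
        if value:
            datetime.strptime(value, TS_FORMAT)  # ValueError on a malformed timestamp
            params[name] = value
    if terms:
        if terms.get("action", "ALLOW") not in ACTIONS:
            raise ValueError("action must be ALLOW, DENY or MONITOR in all caps")
        params["filter"] = " AND ".join(f"{k}:{v}" for k, v in terms.items())
    query = urllib.parse.urlencode(params, safe=":", quote_via=urllib.parse.quote)
    return f"{base_url}/csapi/v1.3/runtime/events?{query}"

def fetch_page(url, token):
    """GET one page of events with the bearer token (the only network call)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_events(base_url, token, event_type, size=50, fetch=fetch_page, **query):
    """Yield every event; ASSUMPTION: a page shorter than pageSize is the last."""
    page = 1
    while True:
        batch = fetch(build_url(base_url, event_type, page=page, size=size, **query), token)
        yield from batch
        if len(batch) < size:
            return
        page += 1

def summarize(events):
    """Group by (action, processName, fileName): count and first-seen UTC time."""
    counts, first = Counter(), {}
    for e in events:
        key = (e.get("action"), e.get("processName"), e.get("fileName"))
        counts[key] += 1
        first[key] = min(first.get(key, e["created"]), e["created"])  # ASSUMPTION: epoch ms
    return [(key, n, datetime.fromtimestamp(first[key] / 1000, timezone.utc).isoformat())
            for key, n in counts.most_common()]
```

Call `iter_events("<qualys_base_url>", "<token>", "STANDARD", terms={"action": "DENY"})` and pass the result to `summarize` to see which processes were denied access to which files.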