Searching for Runtime Events
Use the search tokens below to search for runtime events.
customerUuid
Use a text value to define a customer UUID of interest.
Example
Show events for this customer UUID
customerUuid: 6e0afd12-479c-db0d-822a-793a56bfe353
containerSha
Use a text value to define a container SHA of interest.
Example
Show events for this container SHA
containerSha: 368ab5ebbccb9d17d45cf62f6fa289edade4af81ef5a94e04a4406a1904175d
eventType
Use a text value to find events by the event type (STANDARD, BEHAVIOR).
Example
Show events with STANDARD type
eventType: STANDARD
uuid
Use a text value to define an event UUID of interest.
Example
Show events with this UUID
uuid: 70b0dd00-cde7-11ea-8000-a130bd09cb71
dateCreated
Use a date range or a specific date to define when events were created. Range bounds may be absolute dates or relative to now (for example now-1M, now-2w, now-1s).
Examples
Show events created within date range
dateCreated: [2020-06-15 ... 2020-06-30]
Show events created starting 2020-08-01, ending 1 month ago
dateCreated: [2020-08-01 ... now-1M]
Show events created starting 2 weeks ago, ending 1 second ago
dateCreated: [now-2w ... now-1s]
Show events created on specific date
dateCreated:'2020-08-15'
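As an added illustration (not part of this documentation or the product's own code), the following Python resolves a dateCreated value into an inclusive start/end pair, handling the bracketed range, the now-<n><unit> relative form and the calendar-month step for M, and checks a constructed event time against it. Two points are assumptions the page does not state: an absolute end date (or a single date) is taken to cover that whole day, and the m/h/d units are added alongside the documented s, w and M.

```python
import calendar
import re
from datetime import datetime, timedelta

# Seconds per unit for fixed-length units. The page shows s, w and M;
# m, h and d are assumptions and are not documented on the page.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
REL_RE = re.compile(r"now(?:-(\d+)([smhdwM]))?")
RANGE_RE = re.compile(r"\[(.+?)\s*\.\.\.\s*(.+?)\]")

def parse_bound(text, now):
    """Resolve one bound: an absolute YYYY-MM-DD date or now[-<n><unit>]."""
    text = text.strip().strip("'\"")
    if DATE_RE.fullmatch(text):
        return datetime.strptime(text, "%Y-%m-%d")
    m = REL_RE.fullmatch(text)
    if not m:
        raise ValueError(f"bad date bound: {text!r}")
    if m.group(1) is None:
        return now
    n, unit = int(m.group(1)), m.group(2)
    if unit != "M":
        return now - timedelta(seconds=n * UNIT_SECONDS[unit])
    # Months are calendar months, not 30 days: step back n months and clamp
    # the day to the target month's length (31 Mar - 1M -> 28 or 29 Feb).
    year, month0 = divmod(now.year * 12 + now.month - 1 - n, 12)
    day = min(now.day, calendar.monthrange(year, month0 + 1)[1])
    return now.replace(year=year, month=month0 + 1, day=day)

def parse_date_query(value, now):
    """Parse a dateCreated value into an inclusive (start, end) datetime pair."""
    value = value.strip()
    m = RANGE_RE.fullmatch(value)
    lo_text, hi_text = (m.group(1), m.group(2)) if m else (value, value)
    start, end = parse_bound(lo_text, now), parse_bound(hi_text, now)
    if DATE_RE.fullmatch(hi_text.strip().strip("'\"")):
        # Assumption: an absolute end date (or a single date) covers that whole day.
        end += timedelta(days=1, microseconds=-1)
    if start > end:
        raise ValueError(f"range is empty: {value!r}")
    return start, end

def event_in_range(event_time, value, now):
    """True if an event's dateCreated satisfies the dateCreated query value."""
    start, end = parse_date_query(value, now)
    return start <= event_time <= end
```

Pin `now` to a fixed datetime when testing so that relative bounds such as now-1M resolve reproducibly.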
action
Use a text value to find events by the action (ALLOW, DENY, MONITOR).
Example
Show events with ALLOW action
action: ALLOW
bindAddress
Use a text value to find events with a certain bind IP address.
Example
Show events with this bind IP address
bindAddress: 10.44.92.127
bindPort
Use an integer value to find events with a certain bind port.
Example
Show events with this bind port
bindPort: 8080
fileName
Use a text value to find events for a particular file name.
Example
Show events for this file name
fileName: /etc/passwd
openMode
Use an integer value to find events with a certain open mode value.
Example
Show events with this open mode
openMode: 577
processId
Use an integer value to find events by the process ID.
Example
Show events with this process ID
processId: 42
processName
Use a text value to find events by the process name.
Example
Show events with this process name
processName: /usr/bin/cat
seen
Use an integer value to find events by the seen value.
Example
Show events with this seen value
seen: 1
system
Use a text value to find events by the system.
Example
Show events for this system
system: amd64
systemCall
Use an integer value to find events by the system call number.
Example
Show events with this system call
systemCall: 2
systemCallName
Use a text value to find events by the system call name.
Example
Show events with this system call name
systemCallName: sys_open
and
Combine two conditions with and to match only events that satisfy both.
Example
Show events with type STANDARD and action ALLOW
eventType: STANDARD and action: ALLOW
not
Prefix a condition with not to match only events that do not satisfy it.
Example
Show events that do not have the DENY action
not action: DENY
or
Combine two conditions with or to match events that satisfy either one.
Example
Show events with either of these actions
action: ALLOW or action: MONITOR