Searching for Events

Use the search tokens below to search for runtime events. Each token is written as a field name, a colon and a value; tokens can be combined with the and, or and not operators described at the end of this page.

customerUuid

Use a text value to define a customer UUID of interest.

Example

Show events for this customer UUID

customerUuid: 6e0afd12-479c-db0d-822a-793a56bfe353

containerSha

Use a text value to define a container SHA of interest.

Example

Show events for this container SHA

containerSha: 368ab5ebbccb9d17d45cf62f6fa289edade4af81ef5a94e04a4406a1904175d

eventType

Use a text value to find events by the event type (STANDARD, BEHAVIOR).

Example

Show events with STANDARD type

eventType: STANDARD

uuid

Use a text value to define an event UUID of interest.

Example

Show events with this UUID

uuid: 70b0dd00-cde7-11ea-8000-a130bd09cb71

dateCreated

Use a date range or a specific date to define when events were created. Range bounds may be absolute dates (2020-06-15) or relative to the current time (now-1M, now-2w, now-1s).

Examples

Show events created within date range

dateCreated: [2020-06-15 ... 2020-06-30]

Show events created starting 2020-08-01, ending 1 month ago

dateCreated: [2020-08-01 ... now-1M]

Show events created starting 2 weeks ago, ending 1 second ago

dateCreated: [now-2w ... now-1s]

Show events created on specific date

dateCreated:'2020-08-15'

action

Use a text value to find events by the action (ALLOW, DENY, MONITOR).

Example

Show events with ALLOW action

action: ALLOW

bindAddress

Use a text value to find events with a certain bind IP address.

Example

Show events with this bind IP address

bindAddress: 10.44.92.127

bindPort

Use an integer value to find events with a certain bind port.

Example

Show events with this bind port

bindPort: 8080

fileName

Use a text value to find events for a particular file name.

Example

Show events for this file name

fileName: /etc/passwd

openMode

Use an integer value to find events with a certain open mode value.

Example

Show events with this open mode

openMode: 577

processId

Use an integer value to find events by the process ID.

Example

Show events with this process ID

processId: 42

processName

Use a text value to find events by the process name.

Example

Show events with this process name

processName: /usr/bin/cat

seen

Use an integer value to find events by the seen value.

Example

Show events with this seen value

seen: 1

system

Use a text value to find events by the system.

Example

Show events for this system

system: amd64

systemCall

Use an integer value to find events by the system call number.

Example

Show events with this system call

systemCall: 2

systemCallName

Use a text value to find events by the system call name.

Example

Show events with this system call name

systemCallName: sys_open

and

Use a boolean query to express your query using AND logic.

Example

Show events with type STANDARD and action ALLOW

eventType: STANDARD and action: ALLOW

not

Use a boolean query to express your query using NOT logic.

Example

Show events whose action is not DENY

not action: DENY

or

Use a boolean query to express your query using OR logic.

Example

Show events with one of these actions

action: ALLOW or action: MONITOR
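The following Python program is an added example, not the product's own query engine and not code from this page. It parses the token syntax documented above (field: value terms, the dateCreated ranges with absolute and relative bounds, and the and/or/not operators) and runs the resulting filter over a handful of constructed sample events, so the reader can see exactly which events each documented query selects. Everything the page leaves unspecified is an assumption here: operator precedence (not binds tighter than and, which binds tighter than or), the relative-time units (s, m, h, d, w, M, with a month counted as 30 days), that a calendar-date bound covers that whole day, that integer fields reject non-numeric values, and that text values must match exactly.

```python
"""Toy parser and evaluator for the search-token syntax on this page (added example).
Assumed, because the page does not say: 'not' > 'and' > 'or' precedence; relative
bounds use units s, m, h, d, w, M (M = 30 days here); a calendar-date bound covers
that whole day; bare text values must match exactly."""
import re
from datetime import datetime, timedelta

INT_FIELDS = {"bindPort", "openMode", "processId", "seen", "systemCall"}
DATE_FIELDS = {"dateCreated"}

TOKEN_RE = re.compile(r"""(?P<ws>\s+)
    |(?P<range>\[[^\]]*\])          # [lower ... upper]
    |(?P<quoted>'[^']*'|"[^"]*")    # 'quoted value'
    |(?P<colon>:)
    |(?P<word>[^\s:\[\]'"]+)        # field name, operator or bare value""", re.X)
REL_RE = re.compile(r"^now(?:-(\d+)([smhdwM]))?$")   # now, now-1s, now-2w, now-1M ...
UNITS = {"s": timedelta(seconds=1), "m": timedelta(minutes=1), "h": timedelta(hours=1),
         "d": timedelta(days=1), "w": timedelta(weeks=1), "M": timedelta(days=30)}


def tokenize(text):
    """Split a query into (kind, text) tokens; any unrecognised character is an error."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(text):
        if m.start() != pos:
            raise ValueError(f"unexpected {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
    if pos != len(text):
        raise ValueError(f"unexpected {text[pos]!r} at offset {pos}")
    return tokens


def parse_bound(text, now):
    """Return (datetime, whole_day); whole_day is True for a calendar date like 2020-08-15."""
    text = text.strip().strip("'\"")
    m = REL_RE.match(text)
    if m:
        count, unit = m.groups()
        return (now - int(count) * UNITS[unit] if count else now), False
    return datetime.strptime(text, "%Y-%m-%d"), True


def date_matcher(raw, now):
    """Build a dateCreated predicate from a [lo ... hi] range or a single date."""
    if raw.startswith("["):
        lo_text, hi_text = raw[1:-1].split("...")
        lo, _ = parse_bound(lo_text, now)
        hi, hi_is_day = parse_bound(hi_text, now)
        if hi_is_day:                       # 2020-06-30 means up to the end of that day
            hi += timedelta(days=1)
            return lambda ts: lo <= ts < hi
        return lambda ts: lo <= ts <= hi
    day, _ = parse_bound(raw, now)
    return lambda ts: ts.date() == day.date()


class Parser:
    """Recursive-descent parser producing a small tuple AST."""

    def __init__(self, text, now):
        self.toks, self.i, self.now = tokenize(text), 0, now

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None):
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind):
            raise ValueError(f"expected {kind or 'a value'}, got {tok[1]!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing input: {self.peek()[1]!r}")
        return node

    def parse_or(self):                     # lowest precedence
        node = self.parse_and()
        while self.peek() == ("word", "or"):
            self.i += 1
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == ("word", "and"):
            self.i += 1
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):                    # highest precedence, prefix operator
        if self.peek() == ("word", "not"):
            self.i += 1
            return ("not", self.parse_not())
        return self.parse_term()

    def parse_term(self):
        _, field = self.take("word")
        self.take("colon")
        kind, raw = self.take()
        if kind == "colon":
            raise ValueError(f"missing value for {field}")
        if field in DATE_FIELDS:
            return ("term", field, date_matcher(raw, self.now))
        if kind == "range":
            raise ValueError(f"ranges are only supported on {sorted(DATE_FIELDS)}")
        value = raw[1:-1] if kind == "quoted" else raw
        if field in INT_FIELDS:
            value = int(value)              # a non-integer raises ValueError here
        return ("term", field, lambda v: v == value)


def matches(node, event):
    """Evaluate an AST against one event (a dict keyed by the token names)."""
    if node[0] == "term":
        _, field, pred = node
        return field in event and pred(event[field])
    if node[0] == "not":
        return not matches(node[1], event)
    left, right = (matches(n, event) for n in node[1:])
    return left and right if node[0] == "and" else left or right


def search(query, events, now=None):
    """Return the uuids of the events that the query selects."""
    ast = Parser(query, now or datetime.now()).parse()
    return [e["uuid"] for e in events if matches(ast, e)]


# Constructed sample events (not real data); a fixed clock keeps relative dates stable.
NOW = datetime(2020, 9, 1, 12, 0, 0)
EVENTS = [
    {"uuid": "ev-1", "eventType": "STANDARD", "action": "ALLOW", "fileName": "/etc/passwd",
     "processName": "/usr/bin/cat", "systemCall": 2, "systemCallName": "sys_open",
     "processId": 42, "dateCreated": datetime(2020, 6, 20, 9, 30)},
    {"uuid": "ev-2", "eventType": "BEHAVIOR", "action": "DENY", "bindAddress": "10.44.92.127",
     "bindPort": 8080, "dateCreated": datetime(2020, 8, 15, 23, 59)},
    {"uuid": "ev-3", "eventType": "STANDARD", "action": "MONITOR", "processId": 42,
     "dateCreated": datetime(2020, 8, 25, 8, 0)},
]

if __name__ == "__main__":
    for q in ("eventType: STANDARD and action: ALLOW", "not action: DENY",
              "dateCreated: [now-2w ... now-1s]", "dateCreated:'2020-08-15'"):
        print(f"{q:40} -> {search(q, EVENTS, NOW)}")
```

Because the parser rejects anything it does not recognise (a stray character, a range on a non-date field, a non-integer for an integer field), it doubles as a validator for hand-written queries; the precedence rule means a query such as "eventType: STANDARD and action: ALLOW or action: DENY" is read as (STANDARD and ALLOW) or DENY, so parentheses-free queries should be written with that in mind.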