Searching for CRS File Events
Use the search tokens below to search for CRS file events.
file.action
Enter the action for your file event (Read, Update, Open, Delete, Rename).
Example
Show the file events having action as 'Update'.
file.action: Update
file.cluster.status
Enter the status of your cluster (SUCCESS, UNKOWN, FAILURE).
Example
Show the file events having status as 'SUCCESS'.
file.cluster.status: SUCCESS
file.source
Enter the source of your file.
Example
Show the file events based on the given file source.
file.source: /etc/group
file.target
Enter the target of your file.
Example
Show file events based on the specified file target - /etc/group
file.target: /etc/group
actor.process.name
Enter the acting process name.
Example
Show the process events based on the specified acting process name.
actor.process.name: /usr/bin/cat
actor.process.container.name
Enter the acting process container name.
Example
Show the process events based on the specified acting process container name.
actor.process.container.name: ubuntu-container
actor.process.parent.name
Enter the parent process name of the acting process.
Example
Show the process events based on the specified parent process name of the acting process.
actor.process.parent.name: linux-container
actor.process.container.uid
Enter the UID of your container.
Example
Show the process events based on the specified acting process containerUid.
actor.process.container.uid: 2971480b85e82b888f3327303e4a7c48ae350e16ed71d3fe728543e6187c69ec
actor.process.parent.container.uid
Enter the UID of your container.
Example
Show the file events based on the specified parent process containerUid.
actor.process.parent.container.uid: 2971480b85e82b888f3327303e4a7c48ae350e16ed71d3fe728543e6187c69ec
actor.process.xattributes.execId
Enter the execution ID of the acting process.
Example
Show the file events based on the execution ID in the specified acting process's xattributes.
actor.process.xattributes.execId: aXAtMTAtODItMTEtMjIzOjEwNjMxMzU1OTQ4Mjk3OjExNzM5MA==
actor.process.parent.container.name
Enter the container name of the acting process's parent.
Example
Show file events based on the container name of the acting process's parent.
actor.process.parent.container.name: ubuntu-container
cloud.provider
Enter the cloud provider name (AWS, AZURE, GCP, OCI, SELF_MANAGED_K8S).
Example
Show clusters based on the Cloud provider.
provider: AWS
file.namespaceName
Enter the name of the namespace.
Example
Show file events based on the specified namespace name.
file.namespaceName: container20
file.nodeName
Enter the name of the node.
Example
Show file events based on the specified node name.
file.nodeName: gcp2
container.cluster.name
Enter the cluster name.
Example
Show cluster details based on the name - GCP-2.
container.cluster.name: GCP-2