Supported Keys and Operators
Events that enter F5 Distributed Cloud App Infrastructure Protection (AIP) are keyword-searchable. You can use any field in the event's metadata as a search keyword, and you can combine keywords with a predetermined set of operators to build a refined search query.
The following sections list the keyword-searchable fields by event type and the operators you can use to refine search queries. For more information, see Search for Events.
Audit Events: Supported Keywords
Field Name | Field Definition | Subfield Name |
---|---|---|
event_type | The overarching type of the event, as defined by Distributed Cloud AIP. | – |
agent_id | The Distributed Cloud AIP Agent's ID that sent the event to Distributed Cloud AIP. | – |
arguments | List of all arguments in the event. | – |
auid | The audit user identification (ID) of the user who triggered the event. This ID is assigned at user login and is inherited by every process, even when the user's identity changes. | – |
command | The command run that triggered the event. | – |
connection | A description of the socket connection made to or from the monitored instance. | connection.addr |
– | – | connection.dst_addr |
– | – | connection.dst_port |
– | – | connection.port |
– | – | connection.src_addr |
– | – | connection.src_port |
– | – | connection.version |
containerId | If the event is from a container, then the ID of the container from which the event triggered. | – |
containerImage | If the event is from a container, then the title of the container image from which the event triggered. | – |
cwd | The path to the directory that invoked the system call that triggered the event. | – |
egid | The effective group ID of the user who triggered the event. | – |
euid | The effective user ID of the user who triggered the event. | – |
eventId | The Distributed Cloud AIP-generated ID of the event. | – |
exe | The path to the executable used to trigger the event. | – |
exit | The value that specifies the exit code returned by the system call. The returned value depends on the type of system call. | – |
exit_status | The value that specifies the exit code returned by the system call. The returned value depends on the type of system call. | code |
– | – | termination |
fd | If set, then the file descriptor of the socket that opened for a network connection. | – |
gid | The group ID of the user who triggered the event. | – |
group | The group of the user who triggered the event. | – |
header | The information in the header of the audit message that triggered the event. | id |
– | – | milliseconds |
– | – | timestamp |
eventTime | The UNIX timestamp of when the event triggered. | – |
is_agent_2 | Indicates whether the Agent that sent the event is a Distributed Cloud AIP version 1.x Agent or a Distributed Cloud AIP version 2.x+ Agent. | – |
loginuid | The user ID logged in at the time the event triggered. | – |
organization_id | The ID that describes the Distributed Cloud AIP customer organization that reported the event. | – |
path | The information about any paths which were passed as an argument to the system call that triggered the event. | – |
pid | The process ID attached to the event, as reported by your operating system (OS). | – |
pod_name | If the event is a Kubernetes event, then the name of the Kubernetes pod from which the system call that triggered the event originated. | – |
pod_uid | If the event is a Kubernetes event, then the UID of the Kubernetes pod from which the system call that triggered the event originated. | – |
ppid | The parent process ID attached to the event, as reported by your OS. | – |
rule_name | The name of the Distributed Cloud AIP rule applied to the event. | – |
session | The Shell session from which the event triggered. | – |
success | A Boolean value that indicates whether or not the action that triggered the event was successful. | – |
syscall | The type of system call sent to the kernel. | – |
tty | The terminal from which the system call was invoked. To search for interactive activities, use the search `event_type = audit AND tty = null`. | – |
uid | The user ID of the user who triggered the event. | – |
user | The username of the user who triggered the event. | – |
CloudTrail Events: Supported Keywords
Field Name | Field Definition | Subfield Name | Subfield Name | Subfield Name | Subfield Name |
---|---|---|---|---|---|
agent_id | The Distributed Cloud AIP Agent's ID that sent the event to Distributed Cloud AIP. | – | – | – | – |
organization_id | The ID that describes the Distributed Cloud AIP customer organization that reported the event. | – | – | – | – |
eventTime | The UNIX timestamp of when the event triggered. | – | – | – | – |
_insert_time | The UNIX timestamp of the time the event reached the edge of the Distributed Cloud AIP platform. | – | – | – | – |
event_type | The overarching type of the event, as defined by Distributed Cloud AIP. | – | – | – | – |
eventVersion | The version of the log event format. | – | – | – | – |
userIdentity | Information about the user that made the request. | – | – | – | – |
– | – | type | – | – | – |
– | – | userName | – | – | – |
– | – | principalId | – | – | – |
– | – | arn | – | – | – |
– | – | accountId | – | – | – |
– | – | accessKeyId | – | – | – |
– | – | sessionContext | attributes | creationDate | – |
– | – | – | – | mfaAuthenticated | – |
– | – | invokedBy | – | – | – |
– | – | sessionIssuer | – | – | – |
– | – | webIdFederationData | federatedProvider | – | – |
– | – | – | attributes | – | – |
eventSource | The service to which the request was made. The format is typically the short form of the service name + .amazonaws.com, such as cloudformation.amazonaws.com. | – | – | – | – |
eventSourceType | – | – | – | – | – |
eventName | The requested action. The value returned depends on the actions available through the API for the service. | – | – | – | – |
accountId | The account that owns the entity that granted permissions for the request. If the request was made with temporary security credentials, then this is the account that owns the IAM user/role used to obtain credentials. | – | – | – | – |
arn | – | – | – | – | – |
awsRegion | The AWS region to which the request was made. | – | – | – | – |
userAgent | The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs, or the AWS CLI. | – | – | – | – |
bucketName | – | – | – | – | – |
error | – | – | – | – | – |
errorCode | If the request returns an error, then the AWS service error number. | – | – | – | – |
errorMessage | If the request returns an error, then the AWS service error description. | – | – | – | – |
responseElements | The response element for actions that make changes, such as create, delete, or update. | assumedRoleUser | arn | – | – |
– | – | – | assumedRoleId | – | – |
– | – | credentials | accessKeyId | – | – |
requestParameters | The parameters sent with the request. The parameters are documented in each AWS service's API documentation. | groupId | – | – | – |
– | – | ipPermissions | items | fromPort | – |
– | – | – | – | ipProtocol | – |
– | – | – | – | toPort | – |
– | – | – | – | ipv6Ranges | items (This field is a list of IP addresses) |
– | – | roleSessionName | – | – | – |
additionalEventData | Additional information about the event that is not part of the request or the response. | – | – | – | – |
requestId | The value that identifies the request. The service called generates this value. | – | – | – | – |
eventId | The Distributed Cloud AIP-generated ID of the event. | – | – | – | – |
eventType | The ID of the type of the event that triggered the event. | – | – | – | – |
apiVersion | The API version associated with the AwsApiCall eventType value. | – | – | – | – |
arnRole | – | – | – | – | – |
accessKey | – | – | – | – | – |
cidrIp | – | – | – | – | – |
cidrIpv6 | – | – | – | – | – |
consoleLogin | – | – | – | – | – |
managementEvent | A Boolean value that indicates whether or not the event is a management event. | – | – | – | – |
MFAUsed | – | – | – | – | – |
readonly | A Boolean value that indicates whether or not the event is a read-only event. | – | – | – | – |
resourceName | – | – | – | – | – |
resourceType | – | – | – | – | – |
resources | A list of resources accessed in the event. | ARN | – | – | – |
– | – | accountId | – | – | – |
– | – | type | – | – | – |
recipientAccountID | The account ID that received the event. | – | – | – | – |
serviceEventDetails | The service event, including the trigger for the event and the result. | – | – | – | – |
sharedEventID | The GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts. | – | – | – | – |
subnetId | – | – | – | – | – |
iamInstanceProfileArn | – | – | – | – | – |
iamInstanceProfileId | – | – | – | – | – |
ip | NOTE: Supports CIDR block notation and FQDN for search. | – | – | – | – |
imageId | – | – | – | – | – |
keyId | – | – | – | – | – |
sourceIPAddress | The IP address from which the request was made. NOTE: Supports CIDR block notation for search. | – | – | – | – |
permission | – | – | – | – | – |
profileId | – | – | – | – | – |
policyArn | – | – | – | – | – |
feed | – | – | – | – | – |
user | The username of the user who triggered the event. | – | – | – | – |
userType | – | – | – | – | – |
vpcId | The VPC endpoint through which requests were made from a VPC to another AWS service. | – | – | – | – |
File Integrity Monitoring (FIM) Events: Supported Keywords
Field Name | Field Definition | Subfield Name |
---|---|---|
event_type | The overarching type of the event, as defined by Distributed Cloud AIP. | – |
account_id | The AWS account ID that sent the event to Distributed Cloud AIP. | – |
agent_id | The Distributed Cloud AIP Agent's ID that sent the event to Distributed Cloud AIP. | – |
arguments | List of all arguments of the command executed that resulted in the filesystem event that triggered the event. | – |
auid | The audit user identification (ID) of the user who triggered the event. This ID is assigned at user login and is inherited by every process, even when the user's identity changes. | – |
availability_zone | The region in which the event was generated. For example, for AWS events, the region may be us-east-1. | – |
cloud_provider | The source of the event metadata: AWS, Azure, or GCP. | – |
command | The command run that triggered the event. | – |
containerId | If the event is from a container, then the ID of the container from which the event triggered. | – |
containerImage | If the event is from a container, then the title of the container image from which the event triggered. | – |
eventId | The Distributed Cloud AIP-generated ID of the event. | – |
events | The strings that represent the type of event that occurred, such as ACCESS, CLOSE, DELETE, MODIFY, and so on. | – |
exe | The path to the executable used to trigger the event. | – |
exit | The value that specifies the exit code returned by the system call. The returned value depends on the type of system call. | – |
filename | The name of the file that triggered the event. | – |
gid | The group ID of the user who triggered the event. | – |
group | The group of the user who triggered the event. | – |
hostname | The name of the server on which the event occurred. | – |
eventTime | The UNIX timestamp of when the event triggered. | – |
organization_id | The ID that describes the Distributed Cloud AIP customer organization that reported the event. | – |
pid | The process ID attached to the event, as reported by your operating system (OS). | – |
pod_name | If the event is a Kubernetes event, then the name of the Kubernetes pod from which the system call that triggered the event originated. | – |
pod_uid | If the event is a Kubernetes event, then the UID of the Kubernetes pod from which the system call that triggered the event originated. | – |
ppid | The parent process ID attached to the event, as reported by your OS. | – |
rule_id | The ID of the rule applied to the event. | – |
session | The Shell session from which the event triggered. | – |
tty | The terminal from which the system call was invoked. | – |
uid | The user ID of the user who triggered the event. | – |
user | The username of the user who triggered the event. | – |
Kubernetes Audit Events: Supported Keywords
Field Name | Field Definition | Subfield Name | Subfield Definition |
---|---|---|---|
agent_id | The Distributed Cloud AIP Agent's ID that sent the event to Distributed Cloud AIP. | – | – |
organization_id | The ID that describes the Distributed Cloud AIP customer organization that reported the event. | – | – |
event_type | The overarching type of the event, as defined by Distributed Cloud AIP. | – | – |
action | The type of event. | – | – |
eventId | The Distributed Cloud AIP-generated ID of the event. | – | – |
eventTime | The UNIX timestamp of when the event triggered. | – | – |
node_name | The name of the node (server) on which the event triggered. | – | – |
resource | The object on which the event triggered. | name | The pod name in which the object exists. |
– | – | type | The type of record, as reported by either auditd or the OS. |
– | – | namespace | The Kubernetes namespace in which the event triggered. |
Kubernetes Config Events: Supported Keywords
Field Name | Field Definition | Subfield Name | Subfield Definition | Subfield Name | Subfield Definition | Subfield Name | Subfield Definition |
---|---|---|---|---|---|---|---|
agent_id | The Distributed Cloud AIP Agent's ID that sent the event to Distributed Cloud AIP. | – | – | – | – | – | – |
organization_id | The ID that describes the Distributed Cloud AIP customer organization that reported the event. | – | – | – | – | – | – |
event_type | The overarching type of the event, as defined by Distributed Cloud AIP. | – | – | – | – | – | – |
action | The type of event. | – | – | – | – | – | – |
eventId | The Distributed Cloud AIP-generated ID of the event. | – | – | – | – | – | – |
eventTime | The UNIX timestamp of when the event triggered. | – | – | – | – | – | – |
name | The namespace in which the object exists. | – | – | – | – | – | – |
namespace | The Kubernetes namespace in which the event triggered. | – | – | – | – | – | – |
type | The type of record, as reported by either auditd or the OS. | – | – | – | – | – | – |
spec | The configuration of the object. | role_bindings | – | targets | – | name | – |
– | – | – | – | – | – | type | – |
– | – | – | – | – | – | namespace | – |
– | – | – | – | role_name | – | – | – |
– | – | – | – | role_type | – | – | – |
– | – | role_policies | – | verbs | – | – | – |
– | – | – | – | api_groups | – | – | – |
– | – | – | – | resources | – | – | – |
– | – | – | – | resource_names | – | – | – |
Linux Host Events: Supported Keywords
Field Name | Field Definition | Subfield Name |
---|---|---|
event_type | The overarching type of the event, as defined by Distributed Cloud AIP. | – |
account_id | The AWS account ID that sent the event to Distributed Cloud AIP. | – |
agent_id | The Distributed Cloud AIP Agent's ID that sent the event to Distributed Cloud AIP. | – |
arguments | List of all arguments in the event. | – |
auid | The audit user identification (ID) of the user who triggered the event. This ID is assigned at user login and is inherited by every process, even when the user's identity changes. | – |
availability_zone | The region in which the event was generated. For example, for AWS events, the region may be us-east-1. | – |
caddr | The address in memory from which the symbol for the event loads. | – |
cloud_provider | The source of the event metadata: AWS, Azure, or GCP. | – |
comment | A text comment that provides additional information beyond the preloaded information for the event. | – |
eventId | The Distributed Cloud AIP-generated ID of the event. | – |
exe | The path to the executable used to trigger the event. | – |
function | The symbol found to be overloaded. | – |
group | The group of the user who triggered the event. | – |
hostname | The name of the server on which the event occurred. | – |
eventTime | The UNIX timestamp of when the event triggered. | – |
level | The level value from the rule applied to the event. | – |
library | – | – |
organization_id | The ID that describes the Distributed Cloud AIP customer organization that reported the event. | – |
originalLibrary | The shared object file from which the symbol for the event should have loaded. | – |
overridingLibrary | The shared object file from which the symbol for the event currently loads. | – |
pid | The process ID attached to the event, as reported by your operating system (OS). | – |
raddr | The address of the real symbol for the event that should have been loaded. | – |
session | The Shell session from which the event triggered. | – |
sigid | The rule ID of the rule applied to the event. | – |
src_ip | If set, then indicates the source IP address of the action that triggered the event. | – |
subj | – | – |
uid | The user ID of the user who triggered the event. | – |
user | The username of the user who triggered the event. | – |
Login Events: Supported Keywords
Field Name | Field Definition | Subfield Name |
---|---|---|
event_type | The overarching type of the event, as defined by Distributed Cloud AIP. | – |
address | The IP address from which the user who triggered the event originated. | – |
agent_id | The Distributed Cloud AIP Agent's ID that sent the event to Distributed Cloud AIP. | – |
arguments | List of all arguments in the event. | – |
auid | The audit user identification (ID) of the user who triggered the event. This ID is assigned at user login and is inherited by every process, even when the user's identity changes. | – |
command | The command run that triggered the event. | – |
containerId | If the event is from a container, then the ID of the container from which the event triggered. | – |
containerImage | If the event is from a container, then the title of the container image from which the event triggered. | – |
eventId | The Distributed Cloud AIP-generated ID of the event. | – |
exe | The path to the executable used to trigger the event. | – |
host | – | – |
eventTime | The UNIX timestamp of when the event triggered. | – |
organization_id | The ID that describes the Distributed Cloud AIP customer organization that reported the event. | – |
pid | The process ID attached to the event, as reported by your operating system (OS). | – |
pod_name | If the event is a Kubernetes event, then the name of the Kubernetes pod from which the system call that triggered the event originated. | – |
pod_uid | If the event is a Kubernetes event, then the UID of the Kubernetes pod from which the system call that triggered the event originated. | – |
session | The Shell session from which the event triggered. | – |
uid | The user ID of the user who triggered the event. | – |
user | The username of the user who triggered the event. | – |
Threat Intelligence (ThreatIntel) Events: Supported Keywords
Field Name | Field Definition | Subfield Name |
---|---|---|
event_type | The overarching type of the event, as defined by Distributed Cloud AIP. | – |
account_id | The AWS account ID that sent the event to Distributed Cloud AIP. | – |
agent_id | The Distributed Cloud AIP Agent's ID that sent the event to Distributed Cloud AIP. | – |
arguments | List of all arguments in the event. | – |
auid | The audit user identification (ID) of the user who triggered the event. This ID is assigned at user login and is inherited by every process, even when the user's identity changes. | – |
availability_zone | The region in which the event was generated. For example, for AWS events, the region may be us-east-1. | – |
cloud_provider | The source of the event metadata: AWS, Azure, or GCP. | – |
command | The command run that triggered the event. | – |
connection | The description of the socket connection made to or from the monitored instance. | addr |
– | – | dst_addr |
– | – | dst_port |
– | – | port |
– | – | src_addr |
– | – | src_port |
containerId | If the event is from a container, then the ID of the container from which the event triggered. | – |
containerImage | If the event is from a container, then the title of the container image from which the event triggered. | – |
cwd | The path to the directory that invoked the system call that triggered the event. | – |
egid | The effective group ID of the user who triggered the event. | – |
euid | The effective user ID of the user who triggered the event. | – |
eventId | The Distributed Cloud AIP-generated ID of the event. | – |
exe | The path to the executable used to trigger the event. | – |
exit | The value that specifies the exit code returned by the system call. The returned value depends on the type of system call. | – |
exit_status | The value that specifies the exit code returned by the system call. The returned value depends on the type of system call. | code |
– | – | termination |
fd | If set, then the file descriptor of the socket that opened for a network connection. | – |
gid | The group ID of the user who triggered the event. | – |
group | The group of the user who triggered the event. | – |
hostname | The name of the server on which the event occurred. | – |
header | The information in the header of the audit message that triggered the event. | id |
– | – | milliseconds |
– | – | timestamp |
eventTime | The UNIX timestamp of when the event triggered. | – |
is_agent_2 | Indicates whether the Agent that sent the event is a Distributed Cloud AIP version 1.x Agent or a Distributed Cloud AIP version 2.x+ Agent. | – |
loginuid | – | – |
organization_id | The ID that describes the Distributed Cloud AIP customer organization that reported the event. | – |
path | The information about any paths which were passed as an argument to the system call that triggered the event. | – |
pid | The process ID attached to the event, as reported by your operating system (OS). | – |
pod_name | If the event is a Kubernetes event, then the name of the Kubernetes pod from which the system call that triggered the event originated. | – |
pod_uid | If the event is a Kubernetes event, then the UID of the Kubernetes pod from which the system call that triggered the event originated. | – |
ppid | The parent process ID attached to the event, as reported by your OS. | – |
rule_name | The name of the Distributed Cloud AIP rule applied to the event. | – |
session | The Shell session from which the event triggered. | – |
success | A Boolean value that indicates whether or not the action that triggered the event was successful. | – |
syscall | The type of system call sent to the kernel. | – |
threatintelEventId | The ID of the event. | – |
threatintel_reason | The reason the IP address is marked as malicious. | – |
threatintel_source | The source of information used to determine that the IP address is malicious. | – |
threatintel_type | The hardcoded value of the IP address. | – |
tty | The terminal from which the system call was invoked. | – |
type | The type of record, as reported by either auditd or the OS. | – |
uid | The user ID of the user who triggered the event. | – |
user | The username of the user who triggered the event. | – |
Windows Events: Supported Keywords
Field Name | Field Definition |
---|---|
organization_id | The ID that describes the Distributed Cloud AIP customer organization that reported the event. |
agent_id | The Distributed Cloud AIP Agent's ID that sent the event to Distributed Cloud AIP. |
event_type | – |
eventTime | The time at which the event triggered. |
addr | – |
command | The CLI command that triggered the event. |
correlation | The GUID of the activity that triggered the event. |
dns_host | The name of the computer as registered in DNS. |
dst_host | Sysmon: The hostname of the network connection's destination. |
dst_ip | Sysmon: The destination IP address of the network connection. |
dstIpv6 | Sysmon: A Boolean value that indicates whether or not the destination IP address is an IPv6 address. |
dst_port | Sysmon: The port used by the network connection's destination. |
domain | – |
eventId | The Distributed Cloud AIP-generated ID of the event. |
exe | The filename of the event's triggering or target application. |
guid | Sysmon: The GUID of a newly created process. A universally unique identifier. |
hash | Sysmon: A hash value. |
linked_logon_id | The ID of a paired login. |
logon_process | – |
logon_type | The logon type, as an integer. |
parent_command | Sysmon: The CLI command used to invoke a new event's parent. |
parent_guid | Sysmon: The GUID of a new process's parent. |
parent_name | The name of a new process's parent. |
pid | The process ID of the event's triggering or newly created process. |
ppid | The parent process ID; used for events that create new processes. |
reg_event | Sysmon: The type of operation performed on the target registry key. |
sam_account | The SAM account associated with the event (usually for account management events). |
sid | A security identifier. |
signature | Sysmon: The signature of a driver. |
signature_validity | Sysmon: Integrity of a driver's signature. |
signed | A Boolean value that indicates whether or not the driver is signed. |
src_ip | Sysmon: The IP address of a network connection source. |
src_ipv6 | Sysmon: A Boolean value that indicates whether or not a network connection's IP address is IPv6. |
src_port | Sysmon: The source's port in a network connection. |
target_exe | Sysmon: The executable affected by this event. |
target_file | – |
target_guid | Sysmon: The GUID of a target process. |
target_reg_key | Sysmon: The registry key affected by this event. |
target_user | Sysmon: The username of the account affected by this event. |
user | The name of the user who triggered the event. |
win_event_id | – |
Hostless Netflow Events: Supported Keywords
Field Name | Field Definition |
---|---|
eventTime | The time at which the event triggered |
workloadId | Task ARN for AWS deployments |
srcIp | The IP address from which the request was made |
dstIp | The IP address to which the request was sent |
srcPort | The source's port in a network connection |
dstPort | The port used by the network connection's destination |
protocol | The protocol used to make the request |
tos | The type of service |
taskSrc | Whether the flow originated from an endpoint within the task |
taskDst | Whether the flow was sent to an endpoint within the task |
numBytes | The total number of bytes sent/received |
numBytesRx | The total number of bytes received |
numBytesTx | The total number of bytes sent |
duration | The duration of the flow, in milliseconds (ms) |
Hostless Process Events: Supported Keywords
Field Name | Field Definition |
---|---|
timestamp | The time at which the event triggered |
workloadId | Task ARN for AWS deployments |
containerId | The SHA-256 hash that matches the Docker identifier (ID) |
exe | The name of the executable used to trigger the event |
exePath | The path to the executable used to trigger the event |
exeHash | The SHA-256 hash of the binary, expressed as a hex string |
startTime | The date and time at which the process started |
workingDir | The working directory for calling the executable that triggered the event |
arguments | Arguments |
PID | The process ID attached to the event, as reported by your distribution or OS |
PPID | The parent process ID attached to the event, as reported by your distribution or OS |
uid | The user ID of the user who triggered the event |
RUID | The real user ID of the user who issued the command that triggered the event |
EUID | The effective user ID of the user who triggered the event, which determines their access to system resources |
tty | The terminal from which the event was triggered, if the event was not triggered by a background process |
numFd | The number of open file descriptors |
procState | The state of the process, which can be 'running', 'waiting', 'stopped', 'zombie' or 'dead' |
Supported Operators
Operator | Operator Definition | Example |
---|---|---|
= | include anything that exactly matches the keyword | exe = "/bin/ls" |
!= | exclude anything that exactly matches the keyword | tty != NULL |
< | include anything less than the keyword | pid < 999 |
<= | include anything less than or equal to the keyword | pid <= 1000 |
> | include anything greater than the keyword | pid > 999 |
>= | include anything greater than or equal to the keyword | pid >= 1000 |
starts_with | include anything that begins with the information in the keyword | filename starts_with "etc/group" |
ends_with | include anything that ends with the information in the keyword | arguments ends_with "22" |
like | include anything that matches a string within the keyword | arguments like "BECOME-SUCCESS" |
and, && | include anything that matches both the first condition and the second condition of the query | tty != NULL and tty != ""; tty != NULL && tty != "" |
or, \|\| | include anything that matches either the first condition or the second condition of the query | tty != NULL or tty != ""; tty != NULL \|\| tty != "" |
not | – | – |
in | include anything that matches any of the values in the following list | command in ["sudo", "systemctl", "sv"]; ip in ["192.168.1.1/16", "172.0.0.1/32"] (for Linux and CloudTrail events); port in [22, 21, 80, 443] |
@ | include all values in a lookup list that exists in the organization | user in @inactive_users |