Required Tables
- file_events
Returned Fields
| timestamp | date timestamp as a string |
| path | the path for the file event |
| process_c8id | unique UUID generated by Capsule8 and assigned to a process |
Query
SELECT
FROM_UNIXTIME(unix_nano_timestamp/1e9),
path,
process_c8id
FROM file_events
WHERE
event_type != 4
AND path LIKE '/etc/ld.so.%'
AND path NOT IN (
'/usr/bin/dnf',
'/usr/bin/dpkg',
'/usr/bin/rpm',
'/usr/bin/snap',
'/usr/bin/yum'
) AND path NOT LIKE '%puppet'
AND path NOT LIKE '%chef'
Comments
0 comments
Please sign in to leave a comment.