Required Tables
- file_events
- process_events
Returned Fields
|
timestamp |
date timestamp as a string |
| file_events.path | path of the file event |
| process_events.path | the process events path |
| provess_events.username | username of who created the process event |
Query
SELECT
FROM_UNIXTIME(unix_nano_timestamp/1e9),
file_events.path,
process_events.path,
process_events.username
FROM file_events
LEFT JOIN (
SELECT
path,
username,
process_c8id
FROM process_events
GROUP BY path, username, process_c8id
) AS process_events
ON process_events.process_c8id = file_events.process_c8id
WHERE process_events.path != '/usr/bin/dockerd'
AND (event_type=4 OR event_type=3)
AND (regexp_like(file_events.path, '/home/.+/\..+_history')
OR regexp_like(file_events.path, '/root/\..+\.history')
)
ORDER BY file_events.unix_nano_timestamp DESC
Comments
0 comments
Please sign in to leave a comment.