Required Tables
- process_events
Returned Fields
| timestamp | date timestamp as a string |
| path | process event's path |
| username | username who created the process event |
Query
SELECT
FROM_UNIXTIME(unix_nano_timestamp/1e9),
process_events.path,
process_events.username
FROM process_events
WHERE (
path LIKE '%cat'
AND array_join(arguments, ' ') LIKE '%/etc/group%'
) OR (
path LIKE '%groups'
OR path LIKE '%ldapsearch'
OR path LIKE '%id'
OR path LIKE '%getent'
)
ORDER BY process_events.unix_nano_timestamp DESC
Comments
0 comments
Please sign in to leave a comment.