Alpha Help Center

CQL values

Listed here are all the CQL values that can be used to perform searches, queries, and filters in the system. The CQL values are used to create reports and triggers, and are used to filter source activity for investigations.

Use the following list as a reference when you enter queries in the simplified query builder or when you enter the queries manually.

NOTE: Some values are only listed in the web interface if they are available to the query type.

Boolean operators

By default, all searches and trigger queries must begin with the WHERE clause.

You can create complex queries by joining CQL values together using Boolean search operators. For example:

WHERE (cmd_user_typed = 'true' and cmd = 'clear') and (cmd_hour_of_day < '08' or cmd_day_of_week IN 'saturday,sunday')

The example query would return results where (the user manually typed the command, and the command is "clear") and (the command was executed before 8am or on Saturday/Sunday).

Boolean operators Description

' '

Quotation marks are used to contain the search values.

( )

Parentheses are used to group CQL values to create complex queries.

and

All of the queries must be true

or

Any of the queries must be true

CQL operators

You can use the following operators to define specific CQL query values:

CQL Operator Description

=

Is equal to

cmd = 'clear'

!=

Is not

cmd != 'clear'

<

Less than. When used with time or dates, it represents "before".

cmd_hour_of_day < '08'

>

Greater than. When used with time or dates, it represents "after".

cmd_hour_of_day > '08'

<=

Less than or equal to

session_violation_count <= '3'

>=

Greater than or equal to

session_violation_count >= '3'

IN

Includes

Use it only to match specific values; do not use it for open-ended wildcard searches.

cmd_day_of_week IN 'saturday,sunday'

NOT IN

Excludes

Use it only to match specific values; do not use it for open-ended wildcard searches.

cmd_day_of_week NOT IN 'saturday,sunday'

*

Wildcard

Supported by most CQL values except where noted.

server_os = '*ubuntu*'
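How the composition rules above play out in practice, as an added example that is not part of this help page or the product: a small Python evaluator for the documented subset (the WHERE prefix, quoted values, and/or with parentheses, the comparison operators, IN/NOT IN lists and the * wildcard) run over constructed command records. The record fields and the rule that quoted numbers compare numerically are assumptions made for the illustration.

```python
import re
from fnmatch import fnmatchcase
SAMPLE_COMMANDS = [   # constructed sample records (not product data) with the page's example fields
    {"cmd": "clear", "cmd_user_typed": "true", "cmd_hour_of_day": "07", "cmd_day_of_week": "tuesday"},
    {"cmd": "clear", "cmd_user_typed": "true", "cmd_hour_of_day": "14", "cmd_day_of_week": "saturday"},
    {"cmd": "clear", "cmd_user_typed": "false", "cmd_hour_of_day": "03", "cmd_day_of_week": "monday"},
    {"cmd": "ls", "cmd_user_typed": "true", "cmd_hour_of_day": "02", "cmd_day_of_week": "sunday"},
]

TOKEN = re.compile(r"(?P<par>[()])|'(?P<val>[^']*)'|(?P<op>NOT\s+IN\b|\bIN\b|!=|>=|<=|[=<>])"
                   r"|\b(?P<kw>and|or)\b|(?P<id>[A-Za-z_]\w*)", re.I)   # longer operators first

def tokenize(body):
    """Yield (kind, text) tokens from the text after WHERE; quoted values lose their quotes."""
    for m in TOKEN.finditer(body):
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "op":
            text = " ".join(text.upper().split())        # 'NOT  IN' -> 'NOT IN'
        yield (text.lower() if kind in ("kw", "par") else kind), text

def parse(tokens):
    """Recursive descent: expr := term ('or' term)*, term := factor ('and' factor)*."""
    pos = [0]                                            # cursor into tokens
    def peek(kind):
        return pos[0] < len(tokens) and tokens[pos[0]][0] == kind
    def take(kind):
        if not peek(kind):
            raise ValueError(f"expected {kind} at token {pos[0]}")
        pos[0] += 1
        return tokens[pos[0] - 1][1]
    def chain(kw, operand):                              # left-associative 'and' / 'or' run
        node = operand()
        while peek(kw):
            pos[0] += 1
            node = (kw, node, operand())
        return node
    def factor():                                        # '(' expr ')' | field op 'value'
        if peek("("):
            return (take("("), expr(), take(")"))[1]      # tuple evaluates left to right
        return ("cmp", take("id"), take("op"), take("val"))
    expr = lambda: chain("or", lambda: chain("and", factor))
    tree = expr()
    if pos[0] != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return tree

def compare(actual, op, value):
    """One CQL operator: '*' is a wildcard; IN / NOT IN take a comma-separated list."""
    if op in ("IN", "NOT IN", "=", "!="):
        options = value.split(",") if op.endswith("IN") else [value]
        hit = any(fnmatchcase(actual, v.strip()) for v in options)
        return hit if op in ("IN", "=") else not hit
    nums = all(re.fullmatch(r"-?\d+(\.\d+)?", s) for s in (actual, value))
    a, b = (float(actual), float(value)) if nums else (actual, value)   # '08' < '14' numerically
    return {"<": a < b, ">": a > b, "<=": a <= b, ">=": a >= b}[op]

def evaluate(node, record):
    if node[0] == "cmp":                                 # missing fields read as ''
        return compare(str(record.get(node[1], "")), node[2], node[3])
    left, right = evaluate(node[1], record), evaluate(node[2], record)
    return (left and right) if node[0] == "and" else (left or right)

def run_query(query, records):
    head, _, body = query.strip().partition(" ")
    if head.upper() != "WHERE":                          # the page: queries begin with WHERE
        raise ValueError("queries must begin with the WHERE clause")
    tree = parse(list(tokenize(body)))
    return [r for r in records if evaluate(tree, r)]
EXAMPLE_QUERY = "WHERE (cmd_user_typed = 'true' and cmd = 'clear') and (cmd_hour_of_day < '08' or cmd_day_of_week IN 'saturday,sunday')"
```

Running `run_query(EXAMPLE_QUERY, SAMPLE_COMMANDS)` returns the Tuesday 07:00 record (matched on the hour) and the Saturday record (matched on the day), and rejects the record the user did not type and the one whose command is not "clear".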

Command

Query Description

cmd

Command

cmd = '<command value>'

Supports the following CQL operators: =, !=, IN, NOT IN

cmd = 'clear'

cmd_date

Command date

For triggers, the date is in UTC. For all other CQL search queries, the date is based on your local time.

You can also enter time frames, like "yesterday", "4 days ago" or "last month."

Be aware that integer values will be treated as Unix timestamps and non-integer values will be treated as date strings.

cmd_date = '<date and/or time>'

Supports the following CQL operators: =, !=, >, <, >=, <=

cmd_date >= '1494842400'

cmd_date = 'yesterday'

cmd_date < 'Jan 1 2017'

cmd_day_of_week

Command day of week.

For triggers, the date is in UTC. For all other CQL search queries, the date is based on your local time.

cmd_day_of_week = '<day of week in lowercase>'

Supports the following CQL operators: =, !=, IN, NOT IN

cmd_day_of_week = 'monday'

cmd_day_of_week IN 'saturday,sunday'

cmd_exec_path

Command executable path

cmd_exec_path = '<executable path>'

Supports the following CQL operators: =, !=, IN, NOT IN

cmd_exec_path = 'root'

cmd_exec_path NOT IN '/usr/*'

cmd_file_modified

Command file that was modified

cmd_file_modified = '<filename>'

Supports the following CQL operators: =, !=, IN, NOT IN

cmd_file_modified != 'readme.txt'

cmd_file_modified IN '*.exe'

cmd_first_time_command

Command that is executed for the first time

cmd_first_time_command = '<true or false>'

Supports the following CQL operator: =

cmd_first_time_command = 'true'

cmd_first_time_command = 'false'

cmd_first_time_command_root

Root command that is executed for the first time.

cmd_first_time_command_root = '<true or false>'

Supports the following CQL operator: =

cmd_first_time_command_root = 'true'

cmd_first_time_command_root = 'false'

cmd_has_alert

Trigger matching this command generates an alert

cmd_has_alert = '<true or false>'

Supports the following CQL operator: =

cmd_has_alert = 'true'

cmd_has_alert = 'false'

cmd_has_error

Command generates an error output

cmd_has_error = '<true or false>'

Supports the following CQL operator: =

cmd_has_error = 'true'

cmd_has_error = 'false'

cmd_has_modified_files

Command that modified files

cmd_has_modified_files = '<true or false>'

Supports the following CQL operator: =

cmd_has_modified_files = 'true'

cmd_has_modified_files = 'false'

cmd_has_output

Command generated an output

cmd_has_output = '<true or false>'

Supports the following CQL operator: =

cmd_has_output = 'true'

cmd_has_output = 'false'

cmd_has_violation

Command caused a violation

cmd_has_violation = '<true or false>'

Supports the following CQL operator: =

cmd_has_violation = 'true'

cmd_has_violation = 'false'

cmd_hour_of_day

Command hour of day.

For triggers, the date is in UTC. For all other CQL search queries, the date is based on your local time.

cmd_hour_of_day = '<## in 24 hour format>'

Supports the following CQL operators: =, !=, <, >, IN, NOT IN

cmd_hour_of_day = '21'

cmd_hour_of_day < '08'

cmd_include_system_calls

Command including system calls

cmd_include_system_calls = '<true or false>'

Supports the following CQL operator: =

cmd_include_system_calls = 'true'

cmd_include_system_calls = 'false'

cmd_parameters

Command parameters

cmd_parameters = '<parameter>'

Supports the following CQL operators: =, !=, IN, NOT IN

cmd_parameters = '-l*'

cmd_parameters != '-la'

cmd_parent_cmd

Command's parent command

cmd_parent_cmd = '<parent command>'

Supports the following CQL operators: =, !=, IN, NOT IN

cmd_parent_cmd = 'stat /var/lib/resolvconf'

cmd_parent_pid

Command's parent process ID

cmd_parent_pid = '<PID #>'

Supports all CQL operators.

cmd_parent_pid = '2359'

cmd_parent_pid >= '912'

cmd_pid

Command process ID

cmd_pid = '<PID #>'

Supports all CQL operators.

cmd_pid < '2723'

cmd_pid != '19493'

cmd_root

Command root

cmd_root = '<root username>'

Supports the following CQL operators: =, !=, IN, NOT IN

cmd_root != 'admin'

cmd_working_directory

Command working directory

cmd_working_directory = '<directory path>'

Supports the following CQL operators: =, !=, IN, NOT IN

cmd_working_directory = '/root/'

Session

Query Description

session

Session ID

NOTE: Wildcard queries are not supported. You must enter the exact session ID.

The session ID can be found on the Sources page, under the Sessions tab. The session ID value is case sensitive.

session = '<SES-xxxx>'

Supports the following CQL operators: =, !=, IN, NOT IN

session != 'SES-2856'

session_city

Session city

session_city = '<city name>'

Supports the following CQL operators: =, !=, IN, NOT IN

session_city = 'vancouver'

session_city IN 'london,paris'

session_command_count

Total number of user-entered commands during a session

session_command_count = '<#>'

Supports all CQL operators.

session_command_count > '4'

session_connect

Session connected

session_connect = '<true or false>'

Supports the following CQL operator: =

session_connect = 'true'

session_connect = 'false'

session_country

Session country.

Use the 2 character ISO country abbreviation.

session_country = '<XX>'

Supports the following CQL operators: =, !=, IN, NOT IN

session_country = 'ca'

session_country IN 'cn,kp'

session_date

Session date

For triggers, the date is in UTC. For all other CQL search queries, the date is based on your local time.

You can also enter time frames, like "yesterday", "4 days ago" or "last month."

Be aware that integer values will be treated as Unix timestamps and non-integer values will be treated as date strings.

session_date = '<date and/or time>'

Supports the following CQL operators: =, !=, >, <, >=, <=

session_date = '05-01-2017'

session_date <= 'last month'

session_date > '1494842400'

session_day_of_week

Session day of the week

For triggers, the date is in UTC. For all other CQL search queries, the date is based on your local time.

session_day_of_week = '<day of week in lowercase>'

Supports the following CQL operators: =, !=, IN, NOT IN

session_day_of_week = 'tuesday'

session_day_of_week IN 'thursday, wednesday'

session_dualauth_approved

Multi-factor authentication is approved for the session

session_dualauth_approved = '<true or false>'

Supports the following CQL operator: =

session_dualauth_approved = 'true'

session_dualauth_approved = 'false'

session_dualauth_provider

Session used a specific 2-factor authentication provider. Options include:

  • cmd
  • one_time_code
  • google
  • sms

session_dualauth_provider = '<2-factor authentication provider>'

Supports the following CQL operators: =, !=, IN, NOT IN

session_dualauth_provider IN 'cmd,google'

session_dualauth_provider = 'one_time_code'

session_dualauth_required

Session required 2-factor authentication

session_dualauth_required = '<true or false>'

Supports the following CQL operator: =

session_dualauth_required = 'true'

session_dualauth_required = 'false'

session_duoapi_approved

Session activity is successfully authenticated through Duo Security

session_duoapi_approved = '<true or false>'

Supports the following CQL operator: =

session_duoapi_approved = 'true'

session_duoapi_approved = 'false'

session_duoapi_approver

Session activity is approved by a specific Duo Security user

session_duoapi_approver = '<Duo username>'

Supports the following CQL operators: =, !=, IN, NOT IN

session_duoapi_approver = 'j.smith'

session_duoapi_required

Session activity required authentication through Duo Security

session_duoapi_required = '<true or false>'

Supports the following CQL operator: =

session_duoapi_required = 'true'

session_duoapi_required = 'false'

session_duration

Session duration

session_duration >= '<# seconds>'

Supports the following CQL operators: >=, <=

session_duration <= '60'

session_first_time_ip

Session initiated from a new IP address

session_first_time_ip = '<true or false>'

Supports the following CQL operator: =

session_first_time_ip = 'true'

session_first_time_ip = 'false'

session_has_alert

Trigger matching this session generated an alert that is still unresolved.

session_has_alert = '<true or false>'

Supports the following CQL operator: =

session_has_alert = 'true'

session_has_alert = 'false'

session_has_violation

Trigger matching this session generated a violation. Includes resolved and unresolved alerts.

session_has_violation = '<true or false>'

Supports the following CQL operator: =

session_has_violation = 'true'

session_has_violation = 'false'

session_hour_of_day

Session hour of day

For triggers, the date is in UTC. For all other CQL search queries, the date is based on your local time.

session_hour_of_day = '<## in 24 hour format>'

Supports the following CQL operators: =, !=, <, >, IN, NOT IN

session_hour_of_day = '18'

session_hour_of_day > '22'

session_how_connected

Session connected via a specific method. Options include:

  • ssh

session_how_connected = '<connection method>'

Supports the following CQL operators: =, !=

session_how_connected != 'ssh'

session_ip

Session IP address

session_ip = '<IP address>'

Supports the following CQL operators: =, !=, IN, NOT IN

session_ip = '192.168.1.23'

session_ip NOT IN '192.168.1.23,172.31.55.245'

session_ip_type

Session IP address type can be internal or external.

session_ip_type = '<Internal or External>'

Supports the following CQL operators: =, !=, IN, NOT IN

session_ip_type = 'External'

session_ip_type != 'Internal'

session_jira_approved

Session activity is linked to a valid Jira ticket

session_jira_approved = '<true or false>'

Supports the following CQL operator: =

session_jira_approved = 'true'

session_jira_approved = 'false'

session_jira_required

Session activity must be linked to a Jira ticket

session_jira_required = '<true or false>'

Supports the following CQL operator: =

session_jira_required = 'true'

session_jira_required = 'false'

session_jira_ticket

Session activity is linked to a specific Jira ticket

session_jira_ticket = '<Jira ticket number>'

Supports the following CQL operators: =, !=, IN, NOT IN

session_jira_ticket = 'JIRA-001'

session_open

Session is open.

Tip: A session is considered closed if it is inactive for 3 minutes.

session_open = '<true or false>'

Supports the following CQL operator: =

session_open = 'true'

session_open = 'false'

session_pid

Session process ID

session_pid = '<PID #>'

Supports all CQL operators.

session_pid > '25000'

session_pid != '24963'

session_region

Session state or province

Use the 2 character ISO abbreviation for the state or province.

session_region = '<XX>'

Supports the following CQL operators: =, !=, IN, NOT IN

session_region = 'BC'

session_region NOT IN 'NY,PA'

session_user

Session user

Use the server username, or the Cmd username.

session_user = '<username>'

Supports the following CQL operators: =, !=, IN, NOT IN

session_user = 'jsmith'

session_user IN 'jsmith,jane.smith'

session_user_job

Session user's assigned job category

A user's job category is listed in their Cmd user account.

session_user_job = '<job category>'

Supports the following CQL operators: =, !=, IN, NOT IN

session_user_job = 'developer'

session_user_job NOT IN 'developer,engineering'

session_violation_count

Session violation total

session_violation_count = '<#>'

Supports all CQL operators.

session_violation_count < '4'

session_violation_count >= '2'

Server

Query Description

server

Server ID

NOTE: Wildcard queries are not supported. You must enter the exact server ID.

The server ID can be found on the Sources page, under the Server tab.

server = '<SVR-xxx>'

Supports the following CQL operator: =

server = 'SVR-L46'

server_added

Server is added on specified date

For triggers, the date is in UTC. For all other CQL search queries, the date is based on your local time.

You can also enter time frames, like "yesterday", "4 days ago" or "last month."

Be aware that integer values will be treated as Unix timestamps and non-integer values will be treated as date strings.

server_added = '<date and/or time>'

Supports the following CQL operators: =, !=, >, <, >=, <=

server_added < 'last week'

server_added >= '1494842400'

server_added != 'february'

server_capture_output

Server output that has been captured by the system

server_capture_output = '<all, errors, or none>'

Supports the following CQL operators: =, !=, IN, NOT IN

server_capture_output = 'all'

server_capture_output != 'errors'

server_capture_output NOT IN 'none'

server_city

Server city

server_city = '<city name>'

Supports the following CQL operators: =, !=, IN, NOT IN

server_city = 'london'

server_city IN 'toronto,montreal'

server_command_count

Total number of user-entered commands on the server

server_command_count = '<#>'

Supports all CQL operators.

server_command_count > '3'

server_command_count <= '20'

server_country

Server country

Use the 2 character ISO country abbreviation.

server_country = '<XX>'

Supports the following CQL operators: =, !=, IN, NOT IN

server_country != 'us'

server_country NOT IN 'ca,gb'

server_date

Date on the server

For triggers, the date is in UTC. For all other CQL search queries, the date is based on your local time.

You can also enter time frames, like "yesterday", "4 days ago" or "last month."

Be aware that integer values will be treated as Unix timestamps and non-integer values will be treated as date strings.

server_date = '<date and/or time>'

Supports the following CQL operators: =, !=, >, <, >=, <=

server_date = '05-15-2018'

server_date <= '<date and/or time>'

server_get_file_diff

Server captures file differences

server_get_file_diff = '<true or false>'

Supports the following CQL operator: =

server_get_file_diff = 'true'

server_get_file_diff = 'false'

server_group

Server group

server_group = '<server group name>'

Supports the following CQL operators: =, !=, IN, NOT IN

server_group = 'development'

server_group != 'www'

server_has_alert

Trigger matching this server generates an alert that is still unresolved.

server_has_alert = '<true or false>'

Supports the following CQL operator: =

server_has_alert = 'true'

server_has_alert = 'false'

server_has_violation

Trigger matching this server generated a violation. Includes resolved and unresolved alerts.

server_has_violation = '<true or false>'

Supports the following CQL operator: =

server_has_violation = 'true'

server_has_violation = 'false'

server_hostname

Server hostname

server_hostname = '<hostname>'

Supports the following CQL operators: =, !=, IN, NOT IN

server_hostname = 'cmd.com'

server_ip

Server IP address

server_ip = '<IP address>'

Supports the following CQL operators: =, !=, IN, NOT IN

server_ip = '192.168.1.23'

server_ip != '127.0.0.1'

server_last_login

Server last login date

You can also enter time frames, like "yesterday", "4 days ago" or "last month."

Be aware that integer values will be treated as Unix timestamps and non-integer values will be treated as date strings.

server_last_login = '<date and/or time>'

Supports the following CQL operators: =, !=, >, <, >=, <=

server_last_login = 'two weeks ago'

server_last_login <= '1494842400'

server_name

Server name

server_name = '<server name>'

Supports the following CQL operators: =, !=, IN, NOT IN

server_name = 'test-1'

server_name NOT IN 'test-1,test-3'

server_os

Server operating system

Include the build or kernel version to narrow the query.

server_os = '<OS build / kernel version>'

Supports the following CQL operators: =, !=

server_os = '*ubuntu*'

server_os != 'debian'

server_region

Server state or province

Use the 2 character ISO abbreviation for the state or province.

server_region = '<XX>'

Supports the following CQL operators: =, !=, IN, NOT IN

server_region = 'CA'

server_region != 'TX'

server_session_count

Server session total

server_session_count = '<#>'

Supports all CQL operators.

server_session_count > '5'

server_session_count != '1'

server_violation_count

Server violation total

server_violation_count = '<#>'

Supports all CQL operators.

server_violation_count > '10'

server_violation_count = '1'

Trigger

Query Description

trigger_date

Trigger date

For triggers, the date is in UTC. For all other CQL search queries, the date is based on your local time.

You can also enter time frames, like "yesterday", "4 days ago" or "last month."

Be aware that integer values will be treated as Unix timestamps and non-integer values will be treated as date strings.

trigger_date = '<date and/or time>'

Supports the following CQL operators: =, !=, >, <, >=, <=

trigger_date > 'yesterday'

trigger_date <= 'May 16 2017'

trigger_day_of_week

Trigger day of the week

For triggers, the date is in UTC. For all other CQL search queries, the date is based on your local time.

trigger_day_of_week = '<day of week in lowercase>'

Supports the following CQL operators: =, !=, IN, NOT IN

trigger_day_of_week = 'sunday'

trigger_day_of_week NOT IN 'monday,friday'

trigger_group

Trigger group name

trigger_group = '<trigger group name>'

Supports the following CQL operators: =, !=, IN, NOT IN

trigger_group != 'generic'

trigger_group IN 'auth,bad'

trigger_has_unresolved

Trigger has unresolved alerts

trigger_has_unresolved = '<true or false>'

trigger_has_violation

Trigger has resolved and unresolved alerts

trigger_has_violation = '<true or false>'

trigger_hour_of_day

Trigger hour of day

For triggers, the date is in UTC. For all other CQL search queries, the date is based on your local time.

trigger_hour_of_day = '<## in 24 hour format>'

Supports the following CQL operators: =, !=, IN, NOT IN

trigger_hour_of_day = '22'

trigger_name

Trigger name

trigger_name = '<name of trigger>'

Supports the following CQL operators: =, !=, IN, NOT IN

trigger_name = 'stop_sudo'

trigger_name IN 'warning*,beware*'

trigger_risk_level

Trigger violation risk level

trigger_risk_level = '<1 to 5>'

Supports all CQL operators.

trigger_risk_level = '5'

trigger_risk_level > '1'

trigger_verified_by_name

Trigger is resolved by Cmd user

trigger_verified_by_name = '<user's name in Cmd>'

Supports the following CQL operators: =, !=, IN, NOT IN

trigger_verified_by_name = 'John Smith'

trigger_verified_by_name != 'KJ'

Macros

Macros are CQL trigger queries that have been saved and are used in other triggers. Macro queries are always prefixed with macro_ followed by the user defined name. For more information, see Macros.

The query itself would be in this format:

macro_<user defined macro name> = '<true or false>'

Supports the following CQL operator: =

macro_stop_sudo = 'true'

MFA (Multi-factor authentication)

Query Description

mfa_dualauth_approved

2-factor authentication is approved

mfa_dualauth_approved = '<true or false>'

Supports the following CQL operator: =

mfa_dualauth_approved = 'true'

mfa_dualauth_approved = 'false'

mfa_dualauth_provider

2-factor authentication method. Typically Google or Duo.

mfa_dualauth_provider = '<authentication provider>'

Supports the following CQL operators: =, !=, IN, NOT IN

mfa_dualauth_provider = 'google'

mfa_dualauth_provider NOT IN 'duo,google'

mfa_dualauth_required

2-factor authentication is required

mfa_dualauth_required = '<true or false>'

Supports the following CQL operator: =

mfa_dualauth_required = 'true'

mfa_dualauth_required = 'false'

mfa_duoapi_approved

2-factor authentication by Duo is approved

mfa_duoapi_approved = '<true or false>'

Supports the following CQL operator: =

mfa_duoapi_approved = 'true'

mfa_duoapi_approved = 'false'

mfa_duoapi_approver

2-factor authentication is approved by specified Duo user

mfa_duoapi_approver = '<Duo username>'

Supports the following CQL operators: =, !=, IN, NOT IN

mfa_duoapi_approver = 'j.smith'

mfa_duoapi_approver IN 'smith,jones'

mfa_duoapi_required

2-factor authentication is required through Duo

mfa_duoapi_required = '<true or false>'

Supports the following CQL operator: =

mfa_duoapi_required = 'true'

mfa_duoapi_required = 'false'

mfa_jira_approved

Authenticated user is linked to a valid Jira ticket

mfa_jira_approved = '<true or false>'

Supports the following CQL operator: =

mfa_jira_approved = 'true'

mfa_jira_approved = 'false'

mfa_jira_required

Authenticated user activity must be linked to a Jira ticket

mfa_jira_required = '<true or false>'

Supports the following CQL operator: =

mfa_jira_required = 'true'

mfa_jira_required = 'false'

mfa_jira_ticket

Authenticated user activity is linked to a specific Jira ticket

mfa_jira_ticket = '<Jira ticket number>'

Supports the following CQL operators: =, !=, IN, NOT IN

mfa_jira_ticket = 'PRJ-001'

mfa_jira_ticket IN 'PRJ,QA'