Cmd CQL implements a number of character matching patterns that can help you build more advanced triggers. This page lists and describes the patterns you can use to build trigger queries, and includes examples at the bottom.

Character matching patterns:

You can use these patterns to build Command triggers:

Character classes

You can use these character classes with the character class syntax shown above:

Examples

The following examples show how these patterns can help you build precise triggers that minimize false positives and false negatives.

1. Character sequence

Objective: Create an alert for any interactive docker exec with a shell interpreter as the entry point.

CQL:

cmd_root = 'docker' AND cmd_parameters IN '*-it*,*-i*-t*' AND cmd_parameters = '*[az /]sh' `

Explanation:

'*[az /]sh' will match any use of a sh , zsh , ash , bash , or dash interpreter, with or without a full path.

2. Matching * literal

Objective: Create an alert when HISTIGNORE=* is set in a local environment.

CQL:

cmd_root = 'export' AND cmd_parameters = '*HISTIGNORE=*[*]*'

Explanation:

'*HISTIGNORE=*[*]*' will match when * is in the list of commands to be omitted from command history.

3. Character class

Objective: Alert on any curl/wget usage with an IPv4 address-based URL.

CQL:

cmd_root IN 'wget,curl' AND cmd_parameters = '*://*[[:digit:]].*[[:digit:]].*[[:digit:]].*[[:digit:]][:/]*'

Explanation:

'*://*[[:digit:]].*[[:digit:]].*[[:digit:]].*[[:digit:]][:/]*'

  • '*://' → will match any URI handler (eg. https:// , http:// , ftp:// ).
  • '*[[:digit']].' → will match each of the four IP octets.
  • '[:/]*' → will match a standard or non-standard port.

Next:

Did this answer your question?