Cmd CQL implements a number of character matching patterns that can help you build more advanced triggers. This page lists and describes the patterns you can use to build trigger queries, and includes examples at the bottom.
Character matching patterns:
You can use these patterns to build Command triggers:
Character classes
You can use these character classes with the character class syntax shown above:
Examples
The following examples show how these patterns can help you build precise triggers that minimize false positives and false negatives.
1. Character sequence
Objective: Create an alert for any interactive docker exec
with a shell interpreter as the entry point.
CQL:
cmd_root = 'docker' AND cmd_parameters IN '*-it*,*-i*-t*' AND cmd_parameters = '*[az /]sh'
Explanation:
'*[az /]sh' will match any use of a sh, zsh, ash, bash, or dash interpreter, with or without a full path. The class [az /] matches a single 'a', 'z', space or '/' immediately before 'sh', so it catches bash, dash and ash (which end in 'ash'), zsh, and a bare or path-qualified sh (preceded by a space or a '/'). The IN list '*-it*,*-i*-t*' covers both the combined -it flag and the separate -i ... -t form.
2. Matching * literal
Objective: Create an alert when HISTIGNORE=* is set in a local environment.
CQL:
cmd_root = 'export' AND cmd_parameters = '*HISTIGNORE=*[*]*'
Explanation:
'*HISTIGNORE=*[*]*' will match when * is in the list of commands to be omitted from command history. Outside a character class * is a wildcard, so wrapping it as [*] is what makes the pattern match a literal asterisk; the wildcards on either side allow other entries (for example HISTIGNORE="ls:*") and surrounding quotes.
3. Character class
Objective: Alert on any curl/wget usage with an IPv4 address-based URL.
CQL:
cmd_root IN 'wget,curl' AND cmd_parameters = '*://*[[:digit:]].*[[:digit:]].*[[:digit:]].*[[:digit:]][:/]*'
Explanation:
'*://*[[:digit:]].*[[:digit:]].*[[:digit:]].*[[:digit:]][:/]*' breaks down as follows:
'*://' → will match any URI scheme (e.g. https://, http://, ftp://).
'*[[:digit:]].' → will match each of the first three IP octets: any characters ending in a digit followed by a dot.
'*[[:digit:]]' → will match the fourth octet.
'[:/]*' → will match what follows the address: a ':' and a non-standard port, or a '/' and the path when the scheme's standard port is used.
Caveat: because * also matches '/', the pattern fires on any URL containing four dotted numbers, including one whose path holds a version-like string such as /release/1.2.3.4/. Expect some false positives if you use it as written.
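To see how these patterns behave end to end, the following is an added example, not part of the Cmd documentation and not Cmd's matching engine: it translates CQL-style patterns into regular expressions and runs the page's three triggers over constructed command lines. It assumes glob semantics the page only implies: * matches any run of characters including '/', ? matches one character, '[...]' is a bracket expression that may contain POSIX classes such as [:digit:], and cmd_root / cmd_parameters are the first token of the command line and the remainder. The pattern_to_regex, matches, fired_triggers names and the POSIX_CLASSES table are this example's own.

```python
import re

# Added example, not Cmd's engine: approximates the glob-style pattern
# semantics of the CQL examples on this page so the three triggers can be run
# against constructed command lines offline. Assumed (undocumented) rules:
# '*' matches any run of characters including '/', '?' one character, '[...]'
# is a bracket expression that may hold POSIX classes such as [:digit:], and
# cmd_root / cmd_parameters are the first token of the line and the remainder.

POSIX_CLASSES = {  # assumed POSIX class -> regex range mapping
    "alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9",
    "upper": "A-Z", "lower": "a-z", "space": " \t\r\n\f\v",
}

def pattern_to_regex(pattern: str) -> str:
    """Translate a CQL-style pattern into an anchored regular expression."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[":
            # Find the ']' closing this bracket expression, skipping over
            # embedded '[:class:]' elements (e.g. [[:digit:]] or [[:alpha:]_]).
            j = i + 1
            while j < len(pattern) and pattern[j] != "]":
                end = pattern.find(":]", j) if pattern.startswith("[:", j) else -1
                j = end + 2 if end != -1 else j + 1
            if j >= len(pattern):  # no closing ']': treat '[' as a literal
                out.append(r"\[")
                i += 1
                continue
            body = re.sub(r"\[:(\w+):\]", lambda m: POSIX_CLASSES[m.group(1)],
                          pattern[i + 1:j])
            # Escape characters that are special inside a regex class so that
            # e.g. '[*]' and '[:/]' match those characters literally.
            body = body.replace("\\", r"\\").replace("]", r"\]").replace("^", r"\^")
            out.append("[" + body + "]")
            i = j + 1
            continue
        else:
            out.append(re.escape(ch))
        i += 1
    return "^" + "".join(out) + "$"

def matches(pattern: str, value: str) -> bool:
    """True if the whole of value matches the CQL-style pattern."""
    return re.match(pattern_to_regex(pattern), value, re.DOTALL) is not None

def matches_any(patterns: str, value: str) -> bool:
    """Model `field IN 'p1,p2'`: true if any comma-separated pattern matches."""
    return any(matches(p, value) for p in patterns.split(","))

def split_command(cmdline: str):
    """Assumed split of a command line into (cmd_root, cmd_parameters)."""
    root, _, params = cmdline.strip().partition(" ")
    return root, params

def docker_shell_exec(cmdline: str) -> bool:
    """Example 1: docker with -it / -i ... -t and a sh/zsh/ash/bash/dash argument."""
    root, params = split_command(cmdline)
    return (root == "docker" and matches_any("*-it*,*-i*-t*", params)
            and matches("*[az /]sh", params))

def histignore_star(cmdline: str) -> bool:
    """Example 2: export with a literal '*' somewhere after HISTIGNORE=."""
    root, params = split_command(cmdline)
    return root == "export" and matches("*HISTIGNORE=*[*]*", params)

IPV4_URL = "*://*[[:digit:]].*[[:digit:]].*[[:digit:]].*[[:digit:]][:/]*"

def ipv4_download(cmdline: str) -> bool:
    """Example 3: wget/curl with an IPv4-looking URL."""
    root, params = split_command(cmdline)
    return root in ("wget", "curl") and matches(IPV4_URL, params)

TRIGGERS = {"docker_shell_exec": docker_shell_exec,
            "histignore_star": histignore_star, "ipv4_download": ipv4_download}

def fired_triggers(cmdline: str) -> list:
    """Names of the page's example triggers that fire on one command line."""
    return [name for name, fn in TRIGGERS.items() if fn(cmdline)]

if __name__ == "__main__":
    # Constructed sample command lines (not real telemetry).
    for cmd in ["docker exec -it web /bin/bash",      # ex. 1 fires
                "docker exec -i -t db sh",            # ex. 1 fires: -i ... -t, bare sh
                "docker exec -it web ls /tmp",        # quiet: not a shell
                "export HISTIGNORE=*",                # ex. 2 fires
                "export HISTIGNORE=ls:cd",            # quiet: no literal *
                "curl http://192.168.1.10:8080/a.sh", # ex. 3 fires: non-standard port
                "curl https://example.com/",          # quiet: hostname, no digits
                "curl https://example.com/release/1.2.3.4/x"]:  # ex. 3 fires too
        print(f"{cmd!r:48} -> {fired_triggers(cmd) or 'no trigger'}")
```

Running it prints which trigger fires for each sample. The last sample is the false positive noted under example 3: the four dotted numbers sit in the path, not the host, yet the pattern still matches because * spans '/'. If Cmd's engine treats * or bracket expressions differently from these assumptions, adjust pattern_to_regex rather than the trigger definitions.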
Next:
See more examples of advanced triggers, with design best practices.
Review the Cmd CQL glossary.
Learn to add triggers.