← Back to Explore
crowdstrike_cqlHunting
Packages in Container Images - Match Parameter
Searches packages using the provided parameter and returns the corresponding image repository.
Detection Query
ImageScanEventType = ImageVulnerabilityEvent
| array:eval("CVEMapping[]", asArray="PackageName[]", function={PackageName := splitString(by="\|",field="CVEMapping",index=1)})
| array:drop("CVEMapping[]")
| array:contains(array="PackageName[]", value=?Package)
| groupBy([ImageInfo.Registry,ImageInfo.Repository])
Author
ByteRay
Data Sources
Cloud
Platforms
cloud
Tags
Huntingcs_module:CSPM / ASPM / DSPM
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Packages in Container Images - Match Parameter
# Description of what the query does and its purpose.
# Using the YAML block scalar `|` allows for multi-line strings.
description: |
Searches packages using the provided parameter and returns the corresponding image repository.
# The author or team that created the query.
author: ByteRay
# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
- Cloud
# The CrowdStrike modules required to run this query.
cs_required_modules:
- CSPM / ASPM / DSPM
# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
- Hunting
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
ImageScanEventType = ImageVulnerabilityEvent
| array:eval("CVEMapping[]", asArray="PackageName[]", function={PackageName := splitString(by="\|",field="CVEMapping",index=1)})
| array:drop("CVEMapping[]")
| array:contains(array="PackageName[]", value=?Package)
| groupBy([ImageInfo.Registry,ImageInfo.Repository])