Auth Events API



Overview

The Auth Events API provides visibility into authentication events that occur on Windows endpoints. Windows authentication events are reported alongside process events, so authentication and process activity can be correlated, which gives threat hunting and incident response richer context.

Auth Events collection is disabled by default and must be enabled for each Policy. Verify that the devices for which Auth Events are required have a policy assigned with Auth Event collection enabled.

Note: Certain fields have recently been removed from the official list of fields returned for Auth Events, because they were never populated with data.

Use Cases

  • Search authentication events: successful, failed, remote, elevated privileges
  • Group authentication events by type, user, etc.
  • Understand how a user is moving laterally
  • Identify abnormal user logon activity

Requirements

  • Enterprise EDR
  • Policy assigned with Auth Event collection enabled
  • Windows endpoints (supported by Carbon Black Cloud Windows Sensor 3.9.1+ running on Windows 10.0.15063+)

Key Features

  • Provides increased visibility into endpoint activity
  • Provides additional context during threat hunting and incident response
  • Increases potential for correlation of authentication and process events
  • Reduces mean time to respond (MTTR)
  • Reduces reliance on third-party solutions for the collection of Windows authentication events

Authentication

Determine whether you use Carbon Black Cloud or VMware Cloud Services Platform to manage identity and authorization, or see the Carbon Black Cloud API Access Guide for complete instructions.


Carbon Black Cloud Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with Role-Based Access Control; all APIs and services authenticate via API Keys. To access data in Carbon Black Cloud via the API, set up a key with the correct permissions for the calls you want to make and pass it in the HTTP headers.

Environment
Available on the majority of environments. Use the Carbon Black Cloud Console URL, as described here.

API Route
Replace the {cbc-hostname} and {org_key} with the URL of your Environment and the org_key for your specific Org.
  • {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events

Access Level
Before you create your API Key, you need to create a "Custom" Access Level including each category:
  • Search > Events > org.search.events, allow permission to CREATE, READ

API Key
When creating your API Key, use the Access Level Type of "Custom" and select the Access Level you created. Details on constructing and passing the API Key in your requests are available here.


Cloud Services Platform Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with OAuth access control; API access is controlled using OAuth apps or User API Tokens. This is currently limited to the UK Point of Presence and AWS GovCloud (US).

Environment
Available on Prod UK and AWS GovCloud (US). The full list of environments is available here. Use the Carbon Black Cloud Console URL from Cloud Services Platform, as described here.

API Route
Replace the {cbc-hostname} and {org_key} with the URL of your Environment and the org_key for your specific Org.
  • {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events

Access Level
Before you create your OAuth App, you need to create a custom Role with the following permissions under IDENTITY & ACCESS MANAGEMENT > Roles > VMware Carbon Black Cloud:
  • _API.Search:org.Events, allow permission to CREATE, READ

API Authentication
The Cloud Services Platform supports several authentication options: Access Token, API Token and, for backward compatibility, X-Auth-Token. To learn about the differences and how to use each method, see the Authentication Guide.


Quick Start

This Quick Start follows a scenario that starts an Auth Events Search Job, gets its results, and then starts an Auth Events Detail Job and gets its results. The workflow steps are:
1. Start Auth Events Search Job
2. Get Auth Events Search Job Result
3. Start Auth Events Detail Job
4. Get Auth Events Detail Job Results
1. Start Auth Events Search Job
Start a search over the past 10 weeks for a specific username (here the built-in SYSTEM account).
Request
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
Request Body
{
  "query": "auth_username:SYSTEM",
  "time_range": {
    "window": "-10w"
  }
}
Response Body
{
  "job_id": "9e846705-ffa4-4ad4-a1be-c97fdca1ac2f-sqs"
}
2. Get Auth Events Search Job Result
This call is asynchronous: a response may arrive with results immediately, but the result set is only complete once the job has finished, which is indicated by contacted == completed in the response. Until then, treat the results as partial and poll again.
For this example, we will limit the displayed results to a single one with the rows=1 query parameter.
Request
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs/9e846705-ffa4-4ad4-a1be-c97fdca1ac2f-sqs/results?rows=1
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Response Body
{
  "results": [
    {
      "auth_domain_name": "NT AUTHORITY",
      "auth_event_action": "LOGON_SUCCESS",
      "auth_remote_device": "-",
      "auth_remote_port": 0,
      "auth_username": "SYSTEM",
      "backend_timestamp": "2023-01-13T17:19:01.013Z",
      "childproc_count": 0,
      "crossproc_count": 48,
      "device_group_id": 0,
      "device_id": 17686136,
      "device_name": "w10cbws2thtplt",
      "device_policy_id": 20622246,
      "device_timestamp": "2023-01-13T17:17:45.322Z",
      "event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
      "filemod_count": 3,
      "ingress_time": 1673630293265,
      "modload_count": 1,
      "netconn_count": 35,
      "org_id": "ABCD1234",
      "parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
      "parent_pid": 608,
      "process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
      "process_hash": [
        "15a556def233f112d127025ab51ac2d3",
        "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
      ],
      "process_name": "c:\\windows\\system32\\lsass.exe",
      "process_pid": [
        776
      ],
      "process_username": [
        "NT AUTHORITY\\SYSTEM"
      ],
      "regmod_count": 11,
      "scriptload_count": 0,
      "windows_event_id": 4624
    }
  ],
  "num_found": 175,
  "num_available": 175,
  "approximate_unaggregated": 175,
  "num_aggregated": 175,
  "contacted": 12,
  "completed": 12
}
3. Start Auth Events Detail Job
Using the event_id returned by the Get Auth Events Search Job Results call, start an Auth Events Detail Job to get the full record for that event.
Request
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/detail_jobs
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
Request Body
{
  "event_ids": ["DA9E269E-421D-469D-A212-9062888A02F4"]
}
Response Body
{
  "job_id": "d91ecebb-3f70-4088-9724-918978efc0cb-sqs"
}
4. Get Auth Events Detail Job Results
This call is asynchronous: a response may arrive with results immediately, but the result set is only complete once the job has finished, which is indicated by contacted == completed in the response. Until then, treat the results as partial and poll again.
Request
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/detail_jobs/d91ecebb-3f70-4088-9724-918978efc0cb-sqs/results
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Response Body
{
  "results": [
    {
      "auth_cleartext_credentials_logon": false,
      "auth_daemon_logon": true,
      "auth_domain_name": "NT AUTHORITY",
      "auth_elevated_token_logon": true,
      "auth_event_action": "LOGON_SUCCESS",
      "auth_failed_logon_count": 0,
      "auth_impersonation_level": "IMPERSONATION_LOCAL_ONLY",
      "auth_interactive_logon": false,
      "auth_key_length": 0,
      "auth_logon_id": "00000000-000003E7",
      "auth_logon_type": 5,
      "auth_package": "Negotiate",
      "auth_remote_device": "-",
      "auth_remote_logon": false,
      "auth_remote_port": 0,
      "auth_restricted_admin_logon": false,
      "auth_user_id": "S-1-5-18",
      "auth_username": "SYSTEM",
      "auth_virtual_account_logon": false,
      "backend_timestamp": "2023-01-13T17:18:36.195Z",
      "childproc_count": 0,
      "crossproc_count": 48,
      "device_external_ip": "52.116.18.136",
      "device_group_id": 0,
      "device_id": 17686136,
      "device_installed_by": "CBAWTD\\Administrator",
      "device_internal_ip": "192.168.231.164",
      "device_location": "UNKNOWN",
      "device_name": "w10cbws2thtplt",
      "device_os": "WINDOWS",
      "device_os_version": "Windows 10 x64",
      "device_policy": "test-monitor",
      "device_policy_id": 20622246,
      "device_sensor_version": "3.9.0.2352",
      "device_target_priority": "MEDIUM",
      "device_timestamp": "2023-01-13T17:17:45.322Z",
      "document_guid": "e0Huct8dQRyYfOEHImpfkA",
      "event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
      "event_report_code": "SUB_RPT_NONE",
      "filemod_count": 3,
      "ingress_time": 1673630293265,
      "modload_count": 1,
      "netconn_count": 35,
      "org_id": "ABCD1234",
      "parent_cmdline": "wininit.exe",
      "parent_cmdline_length": 11,
      "parent_effective_reputation": "TRUSTED_WHITE_LIST",
      "parent_effective_reputation_source": "IGNORE",
      "parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
      "parent_hash": [
        "9ef51c8ad595c5e2a123c06ad39fccd7",
        "268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86"
      ],
      "parent_name": "c:\\windows\\system32\\wininit.exe",
      "parent_pid": 608,
      "parent_publisher": [
        "Microsoft Windows Publisher"
      ],
      "parent_publisher_state": [
        "FILE_SIGNATURE_STATE_VERIFIED",
        "FILE_SIGNATURE_STATE_OS",
        "FILE_SIGNATURE_STATE_TRUSTED",
        "FILE_SIGNATURE_STATE_SIGNED"
      ],
      "parent_reputation": "TRUSTED_WHITE_LIST",
      "process_cmdline": [
        "C:\\Windows\\system32\\lsass.exe"
      ],
      "process_cmdline_length": [
        29
      ],
      "process_company_name": "Microsoft Corporation",
      "process_effective_reputation": "TRUSTED_WHITE_LIST",
      "process_effective_reputation_source": "IGNORE",
      "process_elevated": true,
      "process_file_description": "Local Security Authority Process",
      "process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
      "process_hash": [
        "15a556def233f112d127025ab51ac2d3",
        "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
      ],
      "process_integrity_level": "SYSTEM",
      "process_internal_name": "lsass.exe",
      "process_name": "c:\\windows\\system32\\lsass.exe",
      "process_original_filename": "lsass.exe",
      "process_pid": [
        776
      ],
      "process_privileges": [
        "SeIncreaseBasePriorityPrivilege",
        "SeCreateGlobalPrivilege",
        "SeChangeNotifyPrivilege",
        "SeCreateSymbolicLinkPrivilege",
        "SeDelegateSessionUserImpersonatePrivilege",
        "SeSystemProfilePrivilege",
        "SeDebugPrivilege",
        "SeProfileSingleProcessPrivilege",
        "SeLockMemoryPrivilege",
        "SeCreatePagefilePrivilege",
        "SeTimeZonePrivilege",
        "SeTcbPrivilege",
        "SeIncreaseWorkingSetPrivilege",
        "SeImpersonatePrivilege",
        "SeCreatePermanentPrivilege",
        "SeAuditPrivilege"
      ],
      "process_product_name": "Microsoft® Windows® Operating System",
      "process_product_version": "10.0.19041.906",
      "process_publisher": [
        "Microsoft Windows Publisher"
      ],
      "process_publisher_state": [
        "FILE_SIGNATURE_STATE_VERIFIED",
        "FILE_SIGNATURE_STATE_OS",
        "FILE_SIGNATURE_STATE_TRUSTED",
        "FILE_SIGNATURE_STATE_SIGNED"
      ],
      "process_reputation": "TRUSTED_WHITE_LIST",
      "process_sha256": "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427",
      "process_start_time": "2023-01-13T14:47:02.982Z",
      "process_username": [
        "NT AUTHORITY\\SYSTEM"
      ],
      "regmod_count": 11,
      "scriptload_count": 0,
      "windows_event_id": 4624
    }
  ],
  "num_found": 1,
  "num_available": 1,
  "approximate_unaggregated": 1,
  "num_aggregated": 1,
  "contacted": 12,
  "completed": 12
}
To download or review the Carbon Black Cloud Postman collection, click here.
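The four steps above as one runnable workflow, added here as an example; it is not part of the Carbon Black Cloud documentation or of the cbc_sdk. The client uses only the Python standard library, starts the search job, polls the results route until contacted == completed, pages through the hits with start/rows, and then starts and collects the detail job. Hostname, org_key and API key are the placeholders used on this page; the transport is injectable, and ReplayTransport answers with constructed responses trimmed from the Quick Start samples so the block runs offline.

```python
import json
import time
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

# A transport is any callable (method, url, headers, json_body_or_None) -> parsed JSON dict.
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], dict]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[dict]) -> dict:
    """Live HTTPS transport. The API key travels only in the X-AUTH-TOKEN header, never in
    the URL or query string, so it stays out of proxy and web-server access logs."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def job_is_complete(page: dict) -> bool:
    """Search and detail jobs are asynchronous: a 200 with results can still be a partial
    page. As documented above, the job is done only when contacted == completed."""
    return "contacted" in page and page["contacted"] == page.get("completed")


class AuthEventsClient:
    def __init__(self, hostname: str, org_key: str, api_key: str,
                 transport: Transport = urllib_transport):
        self.base = f"https://{hostname}/api/investigate/v2/orgs/{org_key}/auth_events"
        self.headers = {"X-AUTH-TOKEN": api_key, "Content-Type": "application/json"}
        self.transport = transport

    def start_search(self, query: str, window: str = "-10w", rows: int = 500) -> str:
        body = {"query": query, "rows": rows, "time_range": {"window": window}}
        return self.transport("POST", f"{self.base}/search_jobs", self.headers, body)["job_id"]

    def start_details(self, event_ids: List[str]) -> str:
        body = {"event_ids": event_ids}
        return self.transport("POST", f"{self.base}/detail_jobs", self.headers, body)["job_id"]

    def wait(self, kind: str, job_id: str, timeout_s: float = 120.0, poll_s: float = 2.0) -> dict:
        """Poll .../{kind}/{job_id}/results until contacted == completed; time out rather
        than hand a partial result set to the analyst."""
        url = f"{self.base}/{kind}/{job_id}/results"
        deadline = time.monotonic() + timeout_s
        while True:
            page = self.transport("GET", url, self.headers, None)
            if job_is_complete(page):
                return page
            if time.monotonic() >= deadline:
                raise TimeoutError(f"{kind} job {job_id} still running after {timeout_s}s")
            time.sleep(poll_s)

    def iter_search_results(self, job_id: str, page_size: int = 500) -> Iterator[dict]:
        """Yield every hit of a finished search job, paging with the start/rows parameters."""
        start = 0
        while True:
            url = f"{self.base}/search_jobs/{job_id}/results?start={start}&rows={page_size}"
            page = self.transport("GET", url, self.headers, None)
            if not job_is_complete(page):
                raise RuntimeError(f"search job {job_id} is not complete; refusing a partial page")
            hits = page.get("results", [])
            yield from hits
            start += len(hits)
            if not hits or start >= page.get("num_available", 0):
                return


def details_for_query(client: AuthEventsClient, query: str, window: str = "-10w") -> List[dict]:
    """Quick Start steps 1-4: start the search, wait, collect event_ids, fetch full details."""
    search_job = client.start_search(query, window=window)
    client.wait("search_jobs", search_job)
    event_ids = [hit["event_id"] for hit in client.iter_search_results(search_job)]
    if not event_ids:
        return []
    detail_job = client.start_details(event_ids)
    return client.wait("detail_jobs", detail_job)["results"]


class ReplayTransport:
    """Offline stand-in for urllib_transport. Its responses are constructed by trimming the
    Quick Start samples above; they do not come from a live org."""
    HIT = {"event_id": "DA9E269E-421D-469D-A212-9062888A02F4", "auth_username": "SYSTEM",
           "auth_event_action": "LOGON_SUCCESS", "windows_event_id": 4624}
    DETAIL = {**HIT, "auth_logon_type": 5, "auth_remote_logon": False, "auth_user_id": "S-1-5-18"}

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[dict]) -> dict:
        assert headers.get("X-AUTH-TOKEN"), "every call must carry the API key header"
        if method == "POST" and url.endswith("/search_jobs"):
            return {"job_id": "9e846705-ffa4-4ad4-a1be-c97fdca1ac2f-sqs"}
        if method == "POST" and url.endswith("/detail_jobs"):
            return {"job_id": "d91ecebb-3f70-4088-9724-918978efc0cb-sqs"}
        results = [self.DETAIL] if "/detail_jobs/" in url else [self.HIT]
        return {"results": results, "num_found": 1, "num_available": 1, "contacted": 12, "completed": 12}


if __name__ == "__main__":
    client = AuthEventsClient("defense.conferdeploy.net", "ABCD1234",
                              "ABCDEFGHIJKLMNO123456789/ABCD123456", transport=ReplayTransport())
    for ev in details_for_query(client, "auth_username:SYSTEM"):
        print(ev["event_id"], ev["windows_event_id"], ev["auth_event_action"], "logon_type", ev["auth_logon_type"])
```

Against a live org, leave the default transport in place and load the API key from a secrets store rather than a literal. The poll loop times out instead of returning whatever page the server has so far: a search that is still fanning out to its shards can return a plausible-looking but incomplete result set, and an analyst scoping lateral movement from such a page would under-count. The detail results are read in a single page here, which suits the handful of event_ids a typical pivot produces.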

API Calls

Auth Events collection is disabled by default and must be enabled for each Policy. Verify that the Devices for which Auth Events are required have a policy assigned with Auth Event collection enabled.

Get Auth Events Descriptions

Returns the lookup tables used in auth events: descriptions of the Windows event IDs, the NTSTATUS status codes, the logon types and the auth_event_action values.


API Permissions Required

Identity Manager | Permission (.notation name) | Operation(s) | Environment
Carbon Black Cloud | org.search.events | READ | Majority of environments
VMware Cloud Services Platform | _API.Search:org.Events:read | N/A - included in permission name | Prod UK and AWS GovCloud (US)

Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/descriptions


Response Codes

Code | Description | Content-Type | Content
200 | OK | application/json | Example response below
400 | Bad Request | application/json | N/A
403 | Forbidden | application/json | N/A
429 | Too Many Requests | application/json | N/A
500 | Internal Server Error | application/json | N/A

Examples

Request
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/descriptions
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Response Body
{
  "event": {
    "4624": "An account was successfully logged on",
    "4625": "An account failed to log on",
    "4634": "An account was logged off",
    "4647": "User initiated logoff",
    "4648": "A logon was attempted using explicit credentials",
    "4672": "Special privileges assigned to new logon",
    "4740": "A user account was locked out",
    "4776": "The domain controller attempted to validate the credentials for an account",
    "4777": "The domain controller failed to validate credentials for an account",
    "6272": "Network Policy Server granted access to a user"
  },
  "status": [
    {
      "status_id": "0xC0000106L",
      "message_code": "STATUS_NAME_TOO_LONG",
      "message_description": "A specified name string is too long for its intended use."
    },
    {
      "status_id": "0xC000013DL",
      "message_code": "STATUS_REMOTE_RESOURCES",
      "message_description": "{Insufficient Resources on Remote Computer} The remote computer has insufficient resources to complete the network request. For instance, there may not be enough memory available on the remote computer to carry out the request at this time."
    }
    ... truncated ...
  ],
  "logon_type": {
    "4": {
      "title": "Batch",
      "description": "Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention."
    },
    "5": {
      "title": "Service",
      "description": "A service was started by the Service Control Manager."
    },
    "7": {
      "title": "Unlock",
      "description": "This workstation was unlocked."
    }
    ... truncated ...
  },
  "auth_event_action": {
    "ACCOUNT_LOCKED": "A user account was locked out",
    "LOGOFF_INITIATED": "User initiated logoff",
    "LOGOFF_SUCCESS": "An account was logged off",
    "LOGON_DISCOVERED": "Logon session detected",
    "LOGON_FAILED": "An account failed to log on",
    "LOGON_SUCCESS": "An account was successfully logged on",
    "PRIVILEGES_GRANTED": "Special privileges assigned to new logon"
  }
}
Request
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/descriptions \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'
Response Body
Identical to the response body of the request above.
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent

# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile="example_profile")

descriptions = AuthEvent.get_auth_events_descriptions(cb)
print(descriptions)
Result
{
  'event': {
    '4624': 'An account was successfully logged on',
    '4625': 'An account failed to log on',
    '4634': 'An account was logged off',
    '4647': 'User initiated logoff',
    '4648': 'A logon was attempted using explicit credentials',
    '4672': 'Special privileges assigned to new logon',
    '4740': 'A user account was locked out',
    '4776': 'The domain controller attempted to validate the credentials for an account',
    '4777': 'The domain controller failed to validate credentials for an account',
    '6272': 'Network Policy Server granted access to a user'
  },
  'status': [
    {
      'status_id': '0xC0000106L',
      'message_code': 'STATUS_NAME_TOO_LONG',
      'message_description': 'A specified name string is too long for its intended use.'
    },
    {
      'status_id': '0xC000013DL',
      'message_code': 'STATUS_REMOTE_RESOURCES',
      'message_description': '{Insufficient Resources on Remote Computer} The remote computer has insufficient resources to complete the network request. For instance, there may not be enough memory available on the remote computer to carry out the request at this time.'
    }
    ... truncated ...
  ],
  'logon_type': {
    '4': {
      'title': 'Batch',
      'description': 'Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.'
    },
    '5': {
      'title': 'Service',
      'description': 'A service was started by the Service Control Manager.'
    },
    '7': {
      'title': 'Unlock',
      'description': 'This workstation was unlocked.'
    }
    ... truncated ...
  },
  'auth_event_action': {
    'ACCOUNT_LOCKED': 'A user account was locked out',
    'LOGOFF_INITIATED': 'User initiated logoff',
    'LOGOFF_SUCCESS': 'An account was logged off',
    'LOGON_DISCOVERED': 'Logon session detected',
    'LOGON_FAILED': 'An account failed to log on',
    'LOGON_SUCCESS': 'An account was successfully logged on',
    'PRIVILEGES_GRANTED': 'Special privileges assigned to new logon'
  }
}
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
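An added example that is not part of the documentation or the SDK: it uses the descriptions lookup above together with the detail-job field names from the Quick Start to decode records for an analyst, then runs three hunts that correspond to the use cases at the top of this page: a burst of LOGON_FAILED followed by LOGON_SUCCESS, a remote logon carrying an elevated token from a source that is not a known admin host, and one account fanning out to several hosts in a short window. DESCRIPTIONS is a trimmed copy of the sample response; logon types 3 and 10 with their titles are the standard Windows values, assumed here because the page's sample is truncated; SAMPLE_EVENTS, the CORP domain, the hosts fs01 to fs03 and the address 10.0.5.77 are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Subset of the descriptions response on this page. Logon types 3 and 10 are not in the
# page's truncated sample; their titles are the standard Windows names (assumption).
DESCRIPTIONS = {
    "event": {"4624": "An account was successfully logged on",
              "4625": "An account failed to log on"},
    "logon_type": {"3": {"title": "Network"}, "5": {"title": "Service"},
                   "10": {"title": "RemoteInteractive"}},
}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")   # device_timestamp format


def describe(ev: dict, desc: dict = DESCRIPTIONS) -> str:
    """One-line analyst summary built from detail-job field names."""
    eid, lt = str(ev["windows_event_id"]), str(ev.get("auth_logon_type", ""))
    title = desc["logon_type"].get(lt, {}).get("title", "unknown")
    return (f'{ev["device_timestamp"]} {ev["device_name"]} {eid} ({desc["event"].get(eid, "?")}) '
            f'{ev["auth_domain_name"]}\\{ev["auth_username"]} logon_type={lt} ({title}) '
            f'from={ev.get("auth_remote_device", "-")} elevated={ev.get("auth_elevated_token_logon", False)}')


def find_suspicious_logons(events: List[dict], *, fail_threshold: int = 5,
                           window: timedelta = timedelta(minutes=10), fanout_threshold: int = 3,
                           admin_sources: frozenset = frozenset()) -> List[str]:
    """Three hunts over detail-job records, processed in device_timestamp order:
    1. >= fail_threshold LOGON_FAILED for an account on a host, then LOGON_SUCCESS within
       window (a brute force or spray that eventually worked);
    2. a remote logon carrying an elevated token from a source not in admin_sources;
    3. one account succeeding remotely on >= fanout_threshold distinct hosts within window
       (lateral movement fan-out)."""
    findings: List[str] = []
    fails: Dict[tuple, List[datetime]] = defaultdict(list)     # (user, host) -> failure times
    remote: Dict[str, List[tuple]] = defaultdict(list)         # user -> [(time, host)]
    for ev in sorted(events, key=lambda e: e["device_timestamp"]):
        t = parse_ts(ev["device_timestamp"])
        user = f'{ev["auth_domain_name"]}\\{ev["auth_username"]}'
        host, action = ev["device_name"], ev["auth_event_action"]
        if action == "LOGON_FAILED":
            fails[(user, host)].append(t)
            continue
        if action != "LOGON_SUCCESS":
            continue
        recent = [f for f in fails[(user, host)] if t - f <= window]
        if len(recent) >= fail_threshold:
            findings.append(f"brute-force success: {user} on {host} after {len(recent)} failures")
            fails[(user, host)].clear()
        if ev.get("auth_remote_logon"):
            src = ev.get("auth_remote_device", "-")
            if ev.get("auth_elevated_token_logon") and src not in admin_sources:
                findings.append(f"elevated remote logon: {user} on {host} from {src}")
            remote[user].append((t, host))
            hosts = {h for ts, h in remote[user] if t - ts <= window}
            if len(hosts) >= fanout_threshold:
                findings.append(f"lateral fan-out: {user} reached {len(hosts)} hosts within {window}")
                remote[user].clear()
    return findings


def make_event(ts: str, host: str, user: str, action: str, **overrides) -> dict:
    """Constructed record using the detail-job field names from this page (sample data)."""
    ev = {"device_timestamp": ts, "device_name": host, "auth_domain_name": "CORP",
          "auth_username": user, "auth_event_action": action,
          "windows_event_id": 4624 if action == "LOGON_SUCCESS" else 4625,
          "auth_logon_type": 3, "auth_remote_logon": True, "auth_remote_device": "-",
          "auth_elevated_token_logon": False}
    ev.update(overrides)
    return ev


# Constructed scenario: five failures then success on fs01, an elevated RemoteInteractive logon
# on fs02, a third host fs03 a minute later, plus the benign SYSTEM service logon from the page.
SAMPLE_EVENTS = [make_event(f"2023-01-13T17:0{i}:00.000Z", "fs01", "jdoe", "LOGON_FAILED",
                            auth_remote_device="10.0.5.77") for i in range(5)] + [
    make_event("2023-01-13T17:06:00.000Z", "fs01", "jdoe", "LOGON_SUCCESS", auth_remote_device="10.0.5.77"),
    make_event("2023-01-13T17:07:00.000Z", "fs02", "jdoe", "LOGON_SUCCESS", auth_remote_device="10.0.5.77",
               auth_logon_type=10, auth_elevated_token_logon=True),
    make_event("2023-01-13T17:08:00.000Z", "fs03", "jdoe", "LOGON_SUCCESS", auth_remote_device="10.0.5.77"),
    make_event("2023-01-13T17:17:45.322Z", "w10cbws2thtplt", "SYSTEM", "LOGON_SUCCESS",
               auth_domain_name="NT AUTHORITY", auth_logon_type=5, auth_remote_logon=False,
               auth_elevated_token_logon=True),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(describe(ev))
    for finding in find_suspicious_logons(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The thresholds and the admin_sources allowlist are parameters because the right values depend on the estate: a domain with a few jump hosts can keep the elevated-remote hunt tight, while a helpdesk that legitimately touches many machines needs a higher fan-out threshold or a per-role allowlist. Feed the function the records of a detail job rather than the search hits, since auth_remote_logon, auth_logon_type and auth_elevated_token_logon only appear in the detail response.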


Start Auth Events Search Job

Creates an Auth Events Search job. The results for the search job may be requested using the job_id returned. This route will not request facets.

An alternative that executes the search and returns the results as a zipped CSV file is the Event Export functionality (api_resource = AUTH_EVENTS), which leverages the Job Service API.


API Permissions Required

Identity Manager | Permission (.notation name) | Operation(s) | Environment
Carbon Black Cloud | org.search.events | READ, CREATE | Majority of environments
VMware Cloud Services Platform | _API.Search:org.Events:read | N/A - included in permission name | Prod UK and AWS GovCloud (US)
VMware Cloud Services Platform | _API.Search:org.Events:create | N/A - included in permission name | Prod UK and AWS GovCloud (US)

Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/search_jobs


Request Body - application/json

{
  "collapse": <boolean>,
  "collapse_field": [ "<string>" ],
  "criteria": {
    "additionalProp1": [ { "<key>": "<value>"} ]
  },
  "exclusions": {
    "additionalProp1": [ { "<key>": "<value>"} ]
  },
  "fields": [ "<string>" ],
  "query": "<string>",
  "rows": <integer>,
  "sort": [
    {
      "field": "<string>",
      "order": "<string>"
    }
  ],
  "start": <integer>,
  "time_range": {
    "end": "<string>",
    "start": "<string>",
    "window": "<string>"
  }
}


Body Schema

Each field is listed with its definition, data type and accepted values.

collapse
  Definition: Boolean indicating whether the 'fq' Solr parameter is included in the search, i.e. whether results are collapsed on collapse_field.
  Data Type: Boolean
  Values: true, false

collapse_field
  Definition: The field(s) to collapse the results by when searching. The search returns only one result per distinct value of the specified field.
  Data Type: Array
  Example: ["device_id"]
  Supported: device_id

criteria
  Definition: Object of values that must be present in the results. Either query or criteria/exclusions must be included.
  Data Type: Object
  Example:
  {
    "process_name": [
      "chrome.exe"
    ]
  }
  Additional fields are listed at Platform Search Fields.

exclusions
  Definition: Map of values that must not be present in the results. Either query or criteria/exclusions must be included.
  Data Type: Object
  Example:
  {
    "process_name": [
      "chrome.exe"
    ]
  }
  Additional fields are listed at Platform Search Fields.

fields
  Definition: Fields to include in the results; specify * to return all the default fields. Additional fields can be named in this list if the use case needs them, but if many additional fields are required, the Details Job is more performant.
  Data Type: Array
  Example: [ "*", "backend_timestamp" ]
  Values: auth_username, backend_timestamp, childproc_count, crossproc_count, device_group_id, device_id, device_name, device_policy_id, device_timestamp, event_id, filemod_count, ingress_time, modload_count, netconn_count, org_id, parent_guid, parent_pid, process_guid, process_hash, process_name, process_pid, process_username, regmod_count, scriptload_count, windows_event_id, auth_domain_name, auth_event_action, auth_remote_port
  Default: ["*"]

query
  Definition: Query in Lucene syntax and/or including value searches. Either query or criteria/exclusions must be included.
  Data Type: String
  Example: "auth_username:SYSTEM"

rows
  Definition: Number of rows to request, used for pagination.
  Data Type: Long
  Default: 500
  Max: 10000

sort
  Definition: Collection of sort parameters, each specifying a field and the order in which to sort the results.
  Data Type: Array
  Example:
  [{
    "field": "device_timestamp",
    "order": "asc"
  }]
  order supports asc or desc

start
  Definition: First row to return, used for pagination.
  Data Type: Long
  Default: 0

time_range
  Definition: Time window to restrict the search to, using device_timestamp as the reference. If window is provided it takes priority over start and end.
  Data Type: Object
  Example:
  {
    "end": "2020-01-21T18:34:04Z",
    "start": "2020-01-18T18:34:04Z",
    "window": "-2w"
  }
  window: "-2w" where y=year, w=week, d=day, h=hour, m=minute, s=second
  start: ISO 8601 UTC timestamp
  end: ISO 8601 UTC timestamp


Response Codes

Code | Description | Content-Type | Content
200 | OK | application/json | Example response below
400 | Bad Request | application/json | N/A
403 | Forbidden | application/json | N/A
429 | Too Many Requests | application/json | N/A
500 | Internal Server Error | application/json | N/A

Examples

Request
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
Request Body
{
  "query": "auth_username:SYSTEM",
  "time_range": {
    "window": "-50w"
  }
}
Response Body
{
  "job_id": "62be5c2c-d080-4ce6-b4f3-7c519cc2b41c-sqs"
}
Request
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs \
-X POST \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{ "query": "auth_username:SYSTEM", "time_range": { "window": "-50w" } }'
Response Body
{
  "job_id": "62be5c2c-d080-4ce6-b4f3-7c519cc2b41c-sqs"
}
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent

# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')

# The query is lazy: the search job is started and its results fetched when the
# query object is iterated, which print(*events) does here
events = cb.select(AuthEvent).where("auth_username:SYSTEM")
print(*events)
Result
AuthEvent object, bound to https://defense.conferdeploy.net
 Partially initialized. Use .refresh() to load all attributes
-------------------------------------------------------------------------------

     auth_domain_name: NT AUTHORITY
    auth_event_action: LOGOFF_SUCCESS
     auth_remote_port: 0
        auth_username: SYSTEM
    backend_timestamp: 2023-03-08T07:17:32.920Z
      childproc_count: 0
      crossproc_count: 1852
      device_group_id: 0
            device_id: 18101914
          device_name: richm\win11
     device_policy_id: 20886205
     device_timestamp: 2023-03-08T07:15:02.355Z
             event_id: 4497E16E-5B3C-4AC8-ADA1-51962D55A97F
        filemod_count: 33
         ingress_time: 1678259788862
        modload_count: 7
        netconn_count: 113
               org_id: ABCD1234
          parent_guid: ABCD1234-0114369a-000002ac-00000000-1d94538fb2b...
           parent_pid: 684
         process_guid: ABCD1234-0114369a-0000033c-00000000-1d94538fb4e...
         process_hash: [list:2 items]:
                       [0]: c0ba0caebf823de8f2ebf49eea9cc5e5
                       [1]: c72b9e35e307fefe59bacc3c65842e93b963f6c37329340...
         process_name: c:\windows\system32\lsass.exe
          process_pid: [list:1 item]:
                       [0]: 828
     process_username: [list:1 item]:
                       [0]: NT AUTHORITY\SYSTEM
         regmod_count: 42
     scriptload_count: 0
     windows_event_id: 4634
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
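An added example, not taken from the documentation or the SDK, that builds the request body for this route and enforces the Body Schema constraints on the client side, so that a malformed search fails locally with a reason instead of as an opaque 400, and so that the documented priority of window over start/end cannot quietly change the period an analyst believes was searched. The field names used in the demonstration (auth_event_action, auth_username, device_timestamp) come from the records on this page; rejecting a body that supplies both window and start/end is this example's choice and is stricter than the API, which accepts it and ignores start/end.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Sequence, Tuple

WINDOW_RE = re.compile(r"^-\d+[ywdhms]$")   # "-2w", "-24h", "-90m": units y, w, d, h, m, s
ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"              # "2020-01-21T18:34:04Z"
MAX_ROWS = 10_000
COLLAPSE_FIELDS = {"device_id"}             # the only collapse field the schema lists
SORT_ORDERS = {"asc", "desc"}


class SearchBodyError(ValueError):
    """A body the API would reject, or would silently reinterpret."""


def _checked_filter(name: str, filt: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """criteria and exclusions map a field name to a non-empty list of string values."""
    for field, values in filt.items():
        if not isinstance(values, list) or not values or not all(isinstance(v, str) for v in values):
            raise SearchBodyError(f"{name}[{field!r}] must be a non-empty list of strings")
    return filt


def build_search_body(*, query: Optional[str] = None,
                      criteria: Optional[Dict[str, List[str]]] = None,
                      exclusions: Optional[Dict[str, List[str]]] = None,
                      window: Optional[str] = None, start: Optional[str] = None,
                      end: Optional[str] = None, rows: int = 500, offset: int = 0,
                      sort: Sequence[Tuple[str, str]] = (), fields: Sequence[str] = ("*",),
                      collapse_field: Sequence[str] = ()) -> dict:
    """Return a JSON-ready body for POST .../auth_events/search_jobs, or raise SearchBodyError."""
    if not (query or criteria or exclusions):
        raise SearchBodyError("either query or criteria/exclusions must be included")
    # The server lets window take priority over start/end. Refusing the mix here keeps an
    # analyst from believing an explicit start/end range was searched when it was not.
    if window and (start or end):
        raise SearchBodyError("give either window or start/end, not both")
    if window and not WINDOW_RE.match(window):
        raise SearchBodyError(f"bad window {window!r}: expected e.g. -2w (units y,w,d,h,m,s)")
    if (start is None) != (end is None):
        raise SearchBodyError("start and end must be given together")
    if start and end and datetime.strptime(start, ISO_UTC) >= datetime.strptime(end, ISO_UTC):
        raise SearchBodyError("start must precede end")
    if not 1 <= rows <= MAX_ROWS:
        raise SearchBodyError(f"rows must be between 1 and {MAX_ROWS}")
    if offset < 0:
        raise SearchBodyError("start row must not be negative")
    for _, order in sort:
        if order not in SORT_ORDERS:
            raise SearchBodyError(f"sort order must be asc or desc, not {order!r}")
    unsupported = set(collapse_field) - COLLAPSE_FIELDS
    if unsupported:
        raise SearchBodyError(f"collapse_field not supported: {sorted(unsupported)}")

    body: dict = {"rows": rows, "start": offset, "fields": list(fields)}
    if query:
        body["query"] = query
    if criteria:
        body["criteria"] = _checked_filter("criteria", criteria)
    if exclusions:
        body["exclusions"] = _checked_filter("exclusions", exclusions)
    if window:
        body["time_range"] = {"window": window}
    elif start:
        body["time_range"] = {"start": start, "end": end}
    if sort:
        body["sort"] = [{"field": f, "order": o} for f, o in sort]
    if collapse_field:
        body["collapse"] = True
        body["collapse_field"] = list(collapse_field)
    return body


def rejection_reason(**kwargs) -> Optional[str]:
    """The validation error for a would-be body, or None when it is acceptable."""
    try:
        build_search_body(**kwargs)
    except ValueError as exc:          # SearchBodyError, or a timestamp strptime failure
        return str(exc)
    return None


if __name__ == "__main__":
    # Failed logons in the last 24 hours, excluding the SYSTEM account, one hit per device,
    # newest first (field names taken from the detail records on this page).
    print(build_search_body(criteria={"auth_event_action": ["LOGON_FAILED"]},
                            exclusions={"auth_username": ["SYSTEM"]}, window="-24h",
                            sort=[("device_timestamp", "desc")], collapse_field=["device_id"]))
    print(rejection_reason(query="auth_username:jdoe", window="-2w",
                           start="2023-01-06T00:00:00Z", end="2023-01-13T00:00:00Z"))
```

Serialise the returned dict with json.dumps as the POST body; the offset keyword maps to the schema's start row, which is named differently from time_range.start to avoid confusing the two.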

Get Auth Events Search Job Results

Retrieves the auth events search results for the given job_id, sorted according to the sort parameter used when the search was started. This call is asynchronous: a response may arrive with results immediately, but the result set is only complete once the job has finished, which is indicated by contacted == completed in the response. Until then, treat the results as partial and poll again.


API Permissions Required

Identity Manager | Permission (.notation name) | Operation(s) | Environment
Carbon Black Cloud | org.search.events | READ | Majority of environments
VMware Cloud Services Platform | _API.Search:org.Events:read | N/A - included in permission name | Prod UK and AWS GovCloud (US)

Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/search_jobs/{job_id}/results


Query Parameters

Parameter | Required | Description | Values | Default
start | No | Starting row of events, used for pagination | Integer | 0
rows | No | Number of events to get, used for pagination | Integer | 10


Response Codes

Code | Description | Content-Type | Content
200 | OK | application/json | Example response below
400 | Bad Request | application/json | N/A
403 | Forbidden | application/json | N/A
429 | Too Many Requests | application/json | N/A
500 | Internal Server Error | application/json | N/A


Examples

Request
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs/a5f02ce7-b405-48de-8f52-8ced5789a7c7-sqs/results
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Response Body
{
  "results": [
    {
      "auth_domain_name": "NT AUTHORITY",
      "auth_event_action": "LOGON_SUCCESS",
      "auth_remote_device": "-",
      "auth_remote_port": 0,
      "auth_username": "SYSTEM",
      "backend_timestamp": "2023-01-13T17:19:01.013Z",
      "childproc_count": 0,
      "crossproc_count": 48,
      "device_group_id": 0,
      "device_id": 17686136,
      "device_name": "test_name",
      "device_policy_id": 20622246,
      "device_timestamp": "2023-01-13T17:17:45.322Z",
      "event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
      "filemod_count": 3,
      "ingress_time": 1673630293265,
      "modload_count": 1,
      "netconn_count": 35,
      "org_id": "ABCD1234",
      "parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
      "parent_pid": 608,
      "process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
      "process_hash": [
        "15a556def233f112d127025ab51ac2d3",
        "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
      ],
      "process_name": "c:\\windows\\system32\\lsass.exe",
      "process_pid": [
        776
      ],
      "process_username": [
        "NT AUTHORITY\\SYSTEM"
      ],
      "regmod_count": 11,
      "scriptload_count": 0,
      "windows_event_id": 4624
    }
  ],
  "num_found": 175,
  "num_available": 175,
  "approximate_unaggregated": 175,
  "num_aggregated": 175,
  "contacted": 12,
  "completed": 12
}
Request
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs/a5f02ce7-b405-48de-8f52-8ced5789a7c7-sqs/results \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'
Response Body
{
  "results": [
    {
      "auth_domain_name": "NT AUTHORITY",
      "auth_event_action": "LOGON_SUCCESS",
      "auth_remote_device": "-",
      "auth_remote_port": 0,
      "auth_username": "SYSTEM",
      "backend_timestamp": "2023-01-13T17:19:01.013Z",
      "childproc_count": 0,
      "crossproc_count": 48,
      "device_group_id": 0,
      "device_id": 17686136,
      "device_name": "test_name",
      "device_policy_id": 20622246,
      "device_timestamp": "2023-01-13T17:17:45.322Z",
      "event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
      "filemod_count": 3,
      "ingress_time": 1673630293265,
      "modload_count": 1,
      "netconn_count": 35,
      "org_id": "ABCD1234",
      "parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
      "parent_pid": 608,
      "process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
      "process_hash": [
        "15a556def233f112d127025ab51ac2d3",
        "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
      ],
      "process_name": "c:\\windows\\system32\\lsass.exe",
      "process_pid": [
        776
      ],
      "process_username": [
        "NT AUTHORITY\\SYSTEM"
      ],
      "regmod_count": 11,
      "scriptload_count": 0,
      "windows_event_id": 4624
    }
  ],
  "num_found": 175,
  "num_available": 175,
  "approximate_unaggregated": 175,
  "num_aggregated": 175,
  "contacted": 12,
  "completed": 12
}
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent

# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')

events = cb.select(AuthEvent).where("auth_username:SYSTEM")
print(*events)
Result
AuthEvent object, bound to https://defense.conferdeploy.net
 Partially initialized. Use .refresh() to load all attributes
-------------------------------------------------------------------------------

     auth_domain_name: NT AUTHORITY
    auth_event_action: LOGOFF_SUCCESS
     auth_remote_port: 0
        auth_username: SYSTEM
    backend_timestamp: 2023-03-08T07:17:32.920Z
      childproc_count: 0
      crossproc_count: 1852
      device_group_id: 0
            device_id: 18101914
          device_name: richm\win11
     device_policy_id: 20886205
     device_timestamp: 2023-03-08T07:15:02.355Z
             event_id: 4497E16E-5B3C-4AC8-ADA1-51962D55A97F
        filemod_count: 33
         ingress_time: 1678259788862
        modload_count: 7
        netconn_count: 113
               org_id: ABCD1234
          parent_guid: ABCD1234-0114369a-000002ac-00000000-1d94538fb2b...
           parent_pid: 684
         process_guid: ABCD1234-0114369a-0000033c-00000000-1d94538fb4e...
         process_hash: [list:2 items]:
                       [0]: c0ba0caebf823de8f2ebf49eea9cc5e5
                       [1]: c72b9e35e307fefe59bacc3c65842e93b963f6c37329340...
         process_name: c:\windows\system32\lsass.exe
          process_pid: [list:1 item]:
                       [0]: 828
     process_username: [list:1 item]:
                       [0]: NT AUTHORITY\SYSTEM
         regmod_count: 42
     scriptload_count: 0
     windows_event_id: 4634
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.

Get Auth Events Search Suggestions

Returns suggestions for an Auth Events search based on fields in the organization's system. Field names are returned when the suggest.q parameter does not yet contain a colon; no suggestions are returned otherwise.


API Permissions Required

Identity Manager Permission (.notation name) Operation(s) Environment
Carbon Black Cloud org.search.events READ Majority of environments
VMware Cloud Services Platform _API.Search:org.Events:read N/A - included in permission name Prod UK and AWS GovCloud (US)

Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/search_suggestions


Query Parameters

Parameter Required Description Values Default
suggest.q Yes The query to generate suggestions for N/A N/A
suggest.count No The number of suggestions to return N/A 50


Response Codes

Code Description Content-Type Content
200 OK application/json Example response below
400 Bad Request application/json N/A
403 Forbidden application/json N/A
429 Too Many Requests application/json N/A
500 Internal Server Error application/json N/A

Examples

Request
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_suggestions?suggest.q=auth
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Response Body
{
  "suggestions": [
    {
      "term": "auth_cleartext_credentials_logon",
      "weight": 350,
      "required_skus_all": [
        "auth"
      ],
      "required_skus_some": []
    },
    {
      "term": "auth_daemon_logon",
      "weight": 350,
      "required_skus_all": [
        "auth"
      ],
      "required_skus_some": []
    },
    {
      "term": "auth_domain_name",
      "weight": 350,
      "required_skus_all": [
        "auth"
      ],
      "required_skus_some": []
    },
    {
      "term": "auth_username",
      "weight": 350,
      "required_skus_all": [
        "auth"
      ],
      "required_skus_some": []
    },
    {
      "term": "auth_virtual_account_logon",
      "weight": 350,
      "required_skus_all": [
        "auth"
      ],
      "required_skus_some": []
    }
  ]
}
Request
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_suggestions?suggest.q=auth \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'
Response Body
{
  "suggestions": [
    {
      "term": "auth_cleartext_credentials_logon",
      "weight": 350,
      "required_skus_all": [
        "auth"
      ],
      "required_skus_some": []
    },
    {
      "term": "auth_daemon_logon",
      "weight": 350,
      "required_skus_all": [
        "auth"
      ],
      "required_skus_some": []
    },
    {
      "term": "auth_username",
      "weight": 350,
      "required_skus_all": [
        "auth"
      ],
      "required_skus_some": []
    },
    {
      "term": "auth_virtual_account_logon",
      "weight": 350,
      "required_skus_all": [
        "auth"
      ],
      "required_skus_some": []
    }
  ]
}
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent

# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile="example_profile")
suggestions = AuthEvent.search_suggestions(cb, 'auth')
print(suggestions)
Result
{'term': 'auth_cleartext_credentials_logon', 'weight': 200, 'required_skus_all': ['auth'], 'required_skus_some': []}

Get Auth Events Search Validation

Returns the validation status of a given Auth Events query and, where the query is invalid, may provide guidance on how to fix it.


API Permissions Required

Identity Manager Permission (.notation name) Operation(s) Environment
Carbon Black Cloud org.search.events READ Majority of environments
VMware Cloud Services Platform _API.Search:org.Events:read N/A - included in permission name Prod UK and AWS GovCloud (US)

Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/search_validation


Query Parameters

Parameter Required Description Values Default
q Yes The query to validate N/A N/A


Response Codes

Code Description Content-Type Content
200 OK application/json Example response below
400 Bad Request application/json N/A
403 Forbidden application/json N/A
429 Too Many Requests application/json N/A
500 Internal Server Error application/json N/A

Examples

Request
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_validation?q="(auth_username:Administrator)AND(device_name:test)"
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Response Body
{
  "valid": true,
  "value_search_query": true
}
Request
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_validation?q="(auth_username:Administrator)AND(device_name:test)" \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'
Response Body
{
  "valid": true,
  "value_search_query": true
}

Get Auth Events Search Group Results

Retrieves the auth events search group results for a given job_id. Results are grouped by the fields provided and/or by a duration applied to a timestamp field.

Results may be available immediately but are only complete once the job finishes, as this call is asynchronous. The job is complete when contacted == completed in the response.

Grouping with timestamp field

There are two different methods of grouping available when timestamp field is specified:

Interval (default) - groups the events when the timestamp difference between two consecutive sorted events is less than the duration requested.
Example:
{ event1 = 10:00:00, event2 = 10:07:00, event3 = 10:21:00, event4 = 10:09:00, duration = 10m }
event1, event2, and event4 will be grouped into one since the time difference between sorted consecutive events is less than duration.

Bucket - groups the events into buckets of the requested duration, meaning the time difference between the min and max timestamps within a group can be at most the duration.
Example:
{ event1 = 10:00:00, event2 = 10:07:00, event3 = 10:13:00, event4 = 10:21:00, duration = 10m }
event1 and event2 will be grouped into the first group since the time difference between them is less than the duration; event3 will not be added to the first group because it would exceed the bucket's maximum span.
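The two grouping methods above, worked through in code. This is an added illustration, not part of the API or the CBC SDK; the event names, timestamps and the group shape (modelled on the group_results entries shown later) are constructed here, and it treats "interval" as a strict less-than gap and "bucket" as a span of at most the duration from the group's first event.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample inputs that mirror the two worked examples in the text
# (event name -> timestamp); these are not API output.
INTERVAL_SAMPLE = {"event1": "10:00:00", "event2": "10:07:00",
                   "event3": "10:21:00", "event4": "10:09:00"}
BUCKET_SAMPLE = {"event1": "10:00:00", "event2": "10:07:00",
                 "event3": "10:13:00", "event4": "10:21:00"}

TIME_FMT = "%H:%M:%S"


def parse_duration(duration: str) -> timedelta:
    """Parse the API's duration strings: hours, minutes or seconds (3h, 5m, 100s)."""
    units = {"h": "hours", "m": "minutes", "s": "seconds"}
    unit, amount = duration[-1:], duration[:-1]
    if unit not in units or not amount.isdigit():
        raise ValueError(f"unsupported duration: {duration!r}")
    return timedelta(**{units[unit]: int(amount)})


def _as_group(names: List[str], start: datetime, end: datetime) -> dict:
    """Shape one group like a group_results entry (assumed shape, see lead-in)."""
    return {
        "group_start_timestamp": start.strftime(TIME_FMT),
        "group_end_timestamp": end.strftime(TIME_FMT),
        "results": list(names),
        "total_events": len(names),
    }


def group_events(events: Dict[str, str], duration: str,
                 method: str = "interval") -> List[dict]:
    """Group events by timestamp using the 'interval' or 'bucket' method.

    interval: events are sorted by time; an event joins the current group when
              its gap to the previous event is less than the duration.
    bucket:   an event joins the current group when it is no more than
              `duration` after the first event of that group, so the spread
              between the group's min and max timestamps never exceeds duration.
    """
    if method not in ("interval", "bucket"):
        raise ValueError("method must be 'interval' or 'bucket'")
    window = parse_duration(duration)
    ordered = sorted(events.items(),
                     key=lambda kv: datetime.strptime(kv[1], TIME_FMT))

    groups: List[dict] = []
    current: List[str] = []
    first_ts: Optional[datetime] = None   # first event of the current group
    prev_ts: Optional[datetime] = None    # most recent event seen
    for name, raw in ordered:
        ts = datetime.strptime(raw, TIME_FMT)
        if current:
            if method == "interval":
                joins = (ts - prev_ts) < window
            else:
                joins = (ts - first_ts) <= window
            if not joins:
                # Close the current group and start a new one at this event.
                groups.append(_as_group(current, first_ts, prev_ts))
                current = []
        if not current:
            first_ts = ts
        current.append(name)
        prev_ts = ts
    if current:
        groups.append(_as_group(current, first_ts, prev_ts))
    return groups


def grouped_names(events: Dict[str, str], duration: str,
                  method: str = "interval") -> List[List[str]]:
    """Convenience view: only the member names of each group, in order."""
    return [g["results"] for g in group_events(events, duration, method)]


if __name__ == "__main__":
    # The same four timestamps land in one group under interval but two under bucket.
    print("interval:", grouped_names(INTERVAL_SAMPLE, "10m", "interval"))
    print("bucket:  ", grouped_names(BUCKET_SAMPLE, "10m", "bucket"))
    print("interval on bucket sample:", grouped_names(BUCKET_SAMPLE, "10m", "interval"))
```

Running both methods on the second sample shows why the choice matters: consecutive gaps of 7, 6 and 8 minutes never reach 10m, so interval yields a single 21-minute group while bucket splits it in two.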


API Permissions Required

Identity Manager Permission (.notation name) Operation(s) Environment
Carbon Black Cloud org.search.events READ Majority of environments
VMware Cloud Services Platform _API.Search:org.Events:read N/A - included in permission name Prod UK and AWS GovCloud (US)

Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/search_jobs/{job_id}/group_results


Request Body - application/json

{
  "fields": [
    "<field>"
  ],
  "max_events_per_group": <integer>,
  "range": {
    "duration": "<string>",
    "field": "<string>",
    "method": "<string>"
  },
  "rows": <integer>,
  "start": <integer>
}


Body Schema

Field Definition Data Type Values
fields Fields to include in the results; specify * to return all the default returned fields and add additional fields that have docvalues Array Example:
[ "*", "backend_timestamp" ]

Values: auth_username, backend_timestamp, childproc_count, crossproc_count, device_group_id, device_id, device_name, device_policy_id, device_timestamp, event_id, filemod_count, ingress_time, modload_count, netconn_count, org_id, parent_guid, parent_pid, process_guid, process_hash, process_name, process_pid, process_username, regmod_count, scriptload_count, windows_event_id, auth_domain_name, auth_event_action, auth_remote_port
Default: ["*"]
max_events_per_group Maximum number of events in a group; if not provided, all events will be returned Integer N/A
range Describes a time window to restrict the search Object
{
  "method": "<string>",
  "field": "<string>",
  "duration": "<string>"
}
method: Method of grouping, either interval or bucket
field: Timestamp field used to group the range of results, e.g. device_timestamp
duration: Duration for grouping in hours, minutes or seconds, such as 3h, 5m, 100s
rows Number of rows to request for pagination Long Default: 500
Max: 10k
start First row to use for pagination Long Default: 0


Response Codes

Code Description Content-Type Content
200 OK application/json Example response below
400 Bad Request application/json N/A
403 Forbidden application/json N/A
429 Too Many Requests application/json N/A
500 Internal Server Error application/json N/A

Examples

Request
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs/6525d831-c8d3-4966-a335-97a5a5d7d6b0-sqs/group_results
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
Request Body
{
  "fields": [
    "auth_username"
  ],
  "range": {},
  "rows": 1
}
Response Body
{
  "group_results": [
    {
      "group_key": "auth_username",
      "group_value": "SYSTEM",
      "group_start_timestamp": "2023-01-13T17:17:45.322Z",
      "group_end_timestamp": "2023-01-13T17:17:45.322Z",
      "results": [
        {
          "auth_cleartext_credentials_logon": false,
          "auth_daemon_logon": true,
          "auth_domain_name": "NT AUTHORITY",
          "auth_elevated_token_logon": true,
          "auth_event_action": "LOGON_SUCCESS",
          "auth_failed_logon_count": 0,
          "auth_impersonation_level": "IMPERSONATION_LOCAL_ONLY",
          "auth_interactive_logon": false,
          "auth_key_length": 0,
          "auth_logon_id": "00000000-000003E7",
          "auth_logon_type": 5,
          "auth_package": "Negotiate",
          "auth_remote_device": "-",
          "auth_remote_logon": false,
          "auth_remote_port": 0,
          "auth_restricted_admin_logon": false,
          "auth_user_id": "S-1-5-18",
          "auth_username": "SYSTEM",
          "auth_virtual_account_logon": false,
          "backend_timestamp": "2023-01-13T17:18:36.195Z",
          "childproc_count": 0,
          "crossproc_count": 48,
          "device_external_ip": "52.116.18.136",
          "device_group_id": 0,
          "device_id": 17686136,
          "device_installed_by": "CBAWTD\\Administrator",
          "device_internal_ip": "192.168.231.164",
          "device_location": "UNKNOWN",
          "device_name": "test_name",
          "device_os": "WINDOWS",
          "device_os_version": "Windows 10 x64",
          "device_policy": "test-monitor",
          "device_policy_id": 20622246,
          "device_sensor_version": "3.9.0.2352",
          "device_target_priority": "MEDIUM",
          "device_timestamp": "2023-01-13T17:17:45.322Z",
          "document_guid": "e0Huct8dQRyYfOEHImpfkA",
          "event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
          "event_report_code": "SUB_RPT_NONE",
          "filemod_count": 3,
          "ingress_time": 1673630293265,
          "modload_count": 1,
          "netconn_count": 35,
          "org_id": "ABCD1234",
          "parent_cmdline": "wininit.exe",
          "parent_cmdline_length": 11,
          "parent_effective_reputation": "TRUSTED_WHITE_LIST",
          "parent_effective_reputation_source": "IGNORE",
          "parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
          "parent_hash": [
            "9ef51c8ad595c5e2a123c06ad39fccd7",
            "268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86"
          ],
          "parent_name": "c:\\windows\\system32\\wininit.exe",
          "parent_pid": 608,
          "parent_publisher": [
            "Microsoft Windows Publisher"
          ],
          "parent_publisher_state": [
            "FILE_SIGNATURE_STATE_VERIFIED",
            "FILE_SIGNATURE_STATE_OS",
            "FILE_SIGNATURE_STATE_TRUSTED",
            "FILE_SIGNATURE_STATE_SIGNED"
          ],
          "parent_reputation": "TRUSTED_WHITE_LIST",
          "process_cmdline": [
            "C:\\Windows\\system32\\lsass.exe"
          ],
          "process_cmdline_length": [
            29
          ],
          "process_company_name": "Microsoft Corporation",
          "process_effective_reputation": "TRUSTED_WHITE_LIST",
          "process_effective_reputation_source": "IGNORE",
          "process_elevated": true,
          "process_file_description": "Local Security Authority Process",
          "process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
          "process_hash": [
            "15a556def233f112d127025ab51ac2d3",
            "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
          ],
          "process_integrity_level": "SYSTEM",
          "process_internal_name": "lsass.exe",
          "process_name": "c:\\windows\\system32\\lsass.exe",
          "process_original_filename": "lsass.exe",
          "process_pid": [
            776
          ],
          "process_privileges": [
            "SeIncreaseBasePriorityPrivilege",
            "SeCreateGlobalPrivilege",
            "SeChangeNotifyPrivilege",
            "SeCreateSymbolicLinkPrivilege",
            "SeDelegateSessionUserImpersonatePrivilege",
            "SeSystemProfilePrivilege",
            "SeDebugPrivilege",
            "SeProfileSingleProcessPrivilege",
            "SeLockMemoryPrivilege",
            "SeCreatePagefilePrivilege",
            "SeTimeZonePrivilege",
            "SeTcbPrivilege",
            "SeIncreaseWorkingSetPrivilege",
            "SeImpersonatePrivilege",
            "SeCreatePermanentPrivilege",
            "SeAuditPrivilege"
          ],
          "process_product_name": "Microsoft® Windows® Operating System",
          "process_product_version": "10.0.19041.906",
          "process_publisher": [
            "Microsoft Windows Publisher"
          ],
          "process_publisher_state": [
            "FILE_SIGNATURE_STATE_VERIFIED",
            "FILE_SIGNATURE_STATE_OS",
            "FILE_SIGNATURE_STATE_TRUSTED",
            "FILE_SIGNATURE_STATE_SIGNED"
          ],
          "process_reputation": "TRUSTED_WHITE_LIST",
          "process_sha256": "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427",
          "process_start_time": "2023-01-13T14:47:02.982Z",
          "process_username": [
            "NT AUTHORITY\\SYSTEM"
          ],
          "regmod_count": 11,
          "scriptload_count": 0,
          "windows_event_id": 4624
        }
      ],
      "total_events": 1
    }
  ],
  "num_found": 1,
  "num_available": 1,
  "groups_num_available": 1,
  "approximate_unaggregated": 1,
  "num_aggregated": 1,
  "contacted": 11,
  "completed": 11
}
Request
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/search_jobs/6525d831-c8d3-4966-a335-97a5a5d7d6b0-sqs/group_results \
-X POST \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{ "fields": [ "auth_username" ], "range": {}, "rows": 1 }'
Response Body
{
  "group_results": [
    {
      "group_key": "auth_username",
      "group_value": "SYSTEM",
      "group_start_timestamp": "2023-01-13T17:17:45.322Z",
      "group_end_timestamp": "2023-01-13T17:17:45.322Z",
      "results": [
        {
          "auth_cleartext_credentials_logon": false,
          "auth_daemon_logon": true,
          "auth_domain_name": "NT AUTHORITY",
          "auth_elevated_token_logon": true,
          "auth_event_action": "LOGON_SUCCESS",
          "auth_failed_logon_count": 0,
          "auth_impersonation_level": "IMPERSONATION_LOCAL_ONLY",
          "auth_interactive_logon": false,
          "auth_key_length": 0,
          "auth_logon_id": "00000000-000003E7",
          "auth_logon_type": 5,
          "auth_package": "Negotiate",
          "auth_remote_device": "-",
          "auth_remote_logon": false,
          "auth_remote_port": 0,
          "auth_restricted_admin_logon": false,
          "auth_user_id": "S-1-5-18",
          "auth_username": "SYSTEM",
          "auth_virtual_account_logon": false,
          "backend_timestamp": "2023-01-13T17:18:36.195Z",
          "childproc_count": 0,
          "crossproc_count": 48,
          "device_external_ip": "52.116.18.136",
          "device_group_id": 0,
          "device_id": 17686136,
          "device_installed_by": "CBAWTD\\Administrator",
          "device_internal_ip": "192.168.231.164",
          "device_location": "UNKNOWN",
          "device_name": "test_name",
          "device_os": "WINDOWS",
          "device_os_version": "Windows 10 x64",
          "device_policy": "test-monitor",
          "device_policy_id": 20622246,
          "device_sensor_version": "3.9.0.2352",
          "device_target_priority": "MEDIUM",
          "device_timestamp": "2023-01-13T17:17:45.322Z",
          "document_guid": "e0Huct8dQRyYfOEHImpfkA",
          "event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
          "event_report_code": "SUB_RPT_NONE",
          "filemod_count": 3,
          "ingress_time": 1673630293265,
          "modload_count": 1,
          "netconn_count": 35,
          "org_id": "ABCD1234",
          "parent_cmdline": "wininit.exe",
          "parent_cmdline_length": 11,
          "parent_effective_reputation": "TRUSTED_WHITE_LIST",
          "parent_effective_reputation_source": "IGNORE",
          "parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
          "parent_hash": [
            "9ef51c8ad595c5e2a123c06ad39fccd7",
            "268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86"
          ],
          "parent_name": "c:\\windows\\system32\\wininit.exe",
          "parent_pid": 608,
          "parent_publisher": [
            "Microsoft Windows Publisher"
          ],
          "parent_publisher_state": [
            "FILE_SIGNATURE_STATE_VERIFIED",
            "FILE_SIGNATURE_STATE_OS",
            "FILE_SIGNATURE_STATE_TRUSTED",
            "FILE_SIGNATURE_STATE_SIGNED"
          ],
          "parent_reputation": "TRUSTED_WHITE_LIST",
          "process_cmdline": [
            "C:\\Windows\\system32\\lsass.exe"
          ],
          "process_cmdline_length": [
            29
          ],
          "process_company_name": "Microsoft Corporation",
          "process_effective_reputation": "TRUSTED_WHITE_LIST",
          "process_effective_reputation_source": "IGNORE",
          "process_elevated": true,
          "process_file_description": "Local Security Authority Process",
          "process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
          "process_hash": [
            "15a556def233f112d127025ab51ac2d3",
            "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
          ],
          "process_integrity_level": "SYSTEM",
          "process_internal_name": "lsass.exe",
          "process_name": "c:\\windows\\system32\\lsass.exe",
          "process_original_filename": "lsass.exe",
          "process_pid": [
            776
          ],
          "process_privileges": [
            "SeIncreaseBasePriorityPrivilege",
            "SeCreateGlobalPrivilege",
            "SeChangeNotifyPrivilege",
            "SeCreateSymbolicLinkPrivilege",
            "SeDelegateSessionUserImpersonatePrivilege",
            "SeSystemProfilePrivilege",
            "SeDebugPrivilege",
            "SeProfileSingleProcessPrivilege",
            "SeLockMemoryPrivilege",
            "SeCreatePagefilePrivilege",
            "SeTimeZonePrivilege",
            "SeTcbPrivilege",
            "SeIncreaseWorkingSetPrivilege",
            "SeImpersonatePrivilege",
            "SeCreatePermanentPrivilege",
            "SeAuditPrivilege"
          ],
          "process_product_name": "Microsoft® Windows® Operating System",
          "process_product_version": "10.0.19041.906",
          "process_publisher": [
            "Microsoft Windows Publisher"
          ],
          "process_publisher_state": [
            "FILE_SIGNATURE_STATE_VERIFIED",
            "FILE_SIGNATURE_STATE_OS",
            "FILE_SIGNATURE_STATE_TRUSTED",
            "FILE_SIGNATURE_STATE_SIGNED"
          ],
          "process_reputation": "TRUSTED_WHITE_LIST",
          "process_sha256": "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427",
          "process_start_time": "2023-01-13T14:47:02.982Z",
          "process_username": [
            "NT AUTHORITY\\SYSTEM"
          ],
          "regmod_count": 11,
          "scriptload_count": 0,
          "windows_event_id": 4624
        }
      ],
      "total_events": 1
    }
  ],
  "num_found": 1,
  "num_available": 1,
  "groups_num_available": 1,
  "approximate_unaggregated": 1,
  "num_aggregated": 1,
  "contacted": 11,
  "completed": 11
}
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent

# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')

groups = set(cb.select(AuthEvent).where(process_pid=2000).group_results("device_name"))
for group in groups:
    print(group._info)
Result
{'group_key': 'device_name', 'group_value': 'knox\\win10-02', 'group_start_timestamp': '2023-02-27T14:24:10.244Z', 'group_end_timestamp': '2023-02-27T14:24:10.244Z', 'results': [{'auth_domain_name': 'NT AUTHORITY', 'auth_event_action': 'PRIVILEGES_GRANTED', 'auth_remote_port': 0, 'auth_username': 'SYSTEM', 'backend_timestamp': '2023-02-27T14:25:56.267Z', 'childproc_count': 0, 'crossproc_count': 61, 'device_group_id': 0, 'device_id': 18105995, 'device_name': 'knox\\win10-02', 'device_policy_id': 20622246, 'device_timestamp': '2023-02-27T14:24:10.244Z', 'event_id': '867E90CC-DE87-4427-B1AB-648EC70BD3B9', 'filemod_count': 6, 'ingress_time': 1677507889528, 'modload_count': 0, 'netconn_count': 18, 'org_id': 'ABCD1234', 'parent_guid': 'ABCD1234-0114468b-00000200-00000000-1d948635dae8317', 'parent_pid': 512, 'process_guid': 'ABCD1234-0114468b-00000284-00000000-1d948635e4b072c', 'process_hash': ['8ea6fe0cdac6dd3bae1fadc04d168a4f', 'b77aa726acd44c7c89d32dd46aa07583b88fbe2c34aed394eb6e005824e40893'], 'process_name': 'c:\\windows\\system32\\lsass.exe', 'process_pid': [644], 'process_username': ['NT AUTHORITY\\SYSTEM'], 'regmod_count': 20, 'scriptload_count': 0, 'windows_event_id': 4672}, {'auth_domain_name': 'NT AUTHORITY', 'auth_event_action': 'LOGON_SUCCESS', 'auth_remote_device': '-', 'auth_remote_port': 0, 'auth_username': 'SYSTEM', 'backend_timestamp': '2023-02-27T14:24:54.237Z', 'childproc_count': 0, 'crossproc_count': 61, 'device_group_id': 0, 'device_id': 18105995, 'device_name': 'knox\\win10-02', 'device_policy_id': 20622246, 'device_timestamp': '2023-02-27T14:24:10.244Z', 'event_id': 'F70E0699-05F3-4CD3-BC1F-EB6A0900F910', 'filemod_count': 6, 'ingress_time': 1677507880707, 'modload_count': 0, 'netconn_count': 18, 'org_id': 'ABCD1234', 'parent_guid': 'ABCD1234-0114468b-00000200-00000000-1d948635dae8317', 'parent_pid': 512, 'process_guid': 'ABCD1234-0114468b-00000284-00000000-1d948635e4b072c', 'process_hash': ['8ea6fe0cdac6dd3bae1fadc04d168a4f', 'b77aa726acd44c7c89d32dd46aa07583b88fbe2c34aed394eb6e005824e40893'], 'process_name': 'c:\\windows\\system32\\lsass.exe', 'process_pid': [644], 'process_username': ['NT AUTHORITY\\SYSTEM'], 'regmod_count': 20, 'scriptload_count': 0, 'windows_event_id': 4624}], 'total_events': 2}

Events Details


Start Auth Events Detail Job

Creates an auth events detail job. The details include information about the event that is not normally accessible during a search. The results of the detail job may be requested using the job ID returned.


API Permissions Required

Identity Manager Permission (.notation name) Operation(s) Environment
Carbon Black Cloud org.search.events READ, CREATE Majority of environments
VMware Cloud Services Platform _API.Search:org.Events:create N/A - included in permission name Prod UK and AWS GovCloud (US)

Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/detail_jobs


Request Body - application/json

{
  "alert_id": "string",
  "event_ids": [ "string" ]
}


Body Schema

Field Definition Data Type Values
alert_id An alert id to fetch associated observations String N/A
event_ids A list of event ids to fetch Array
["string"]


Response Codes

Code Description Content-Type Content
200 OK application/json Example response below
400 Bad Request application/json N/A
403 Forbidden application/json N/A
429 Too Many Requests application/json N/A
500 Internal Server Error application/json N/A

Examples

Request
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/detail_jobs
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
Request Body
{
  "event_ids": ["DA9E269E-421D-469D-A212-9062888A02F4"]
}
Response Body
{
  "job_id": "6525d831-c8d3-4966-a335-97a5a5d7d6b0-sqs"
}
Request
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/detail_jobs \
-X POST \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{ "event_ids": ["D06DC822-B25E-4162-A5A7-6166BFA9B8DF"] }'
Response Body
{
  "job_id": "cf037be0-b51d-4d89-8513-f85069f81dac-sqs"
}
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent

# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')

# Get the details of all the results
all_events = cb.select(AuthEvent).where(process_pid=2000)

# Get the details of a particular result by id
event = cb.select(AuthEvent, "example-event-id")

print(all_events[0].get_details())
Result
  AuthEvent object, bound to https://defense.conferdeploy.net.
   Partially initialized. Use .refresh() to load all attributes
  -------------------------------------------------------------------------------

         auth_cleartext_credentials_logon: False
                        auth_daemon_logon: False
                         auth_domain_name: NT AUTHORITY
                auth_elevated_token_logon: False
                        auth_event_action: LOGOFF_SUCCESS
                  auth_failed_logon_count: 0
                 auth_impersonation_level: IMPERSONATION_INVALID
                   auth_interactive_logon: False
                          auth_key_length: 0
                            auth_logon_id: 00000000-302883E9
                          auth_logon_type: 9
                             auth_package: Negotiate
                        auth_remote_logon: False
                         auth_remote_port: 0
              auth_restricted_admin_logon: False
                             auth_user_id: S-1-5-18
                            auth_username: SYSTEM
               auth_virtual_account_logon: False
                        backend_timestamp: 2023-03-08T08:18:19.790Z
                          childproc_count: 0
                          crossproc_count: 1859
                       device_external_ip: 81.153.81.191
                          device_group_id: 0
                                device_id: 18101914
                      device_installed_by: RICHM\Administrator
                       device_internal_ip: 192.168.200.15
                          device_location: UNKNOWN
                              device_name: richm\win11
                                device_os: WINDOWS
                        device_os_version: Windows 11 x64
                            device_policy: richm_policy
                         device_policy_id: 20886205
                    device_sensor_version: 3.9.1.2464
                   device_target_priority: MEDIUM
                         device_timestamp: 2023-03-08T08:15:03.090Z
                            document_guid: Svx0mK2hQfurTDWL8XsHiw
                                 event_id: 9D137450-6428-446E-8C23-F0C526156A0C
                        event_report_code: SUB_RPT_NONE
                            filemod_count: 33
                             ingress_time: 1678263444460
                            modload_count: 7
                            netconn_count: 113
                                   org_id: ABCD1234
                           parent_cmdline: wininit.exe
                    parent_cmdline_length: 11
              parent_effective_reputation: LOCAL_WHITE
       parent_effective_reputation_source: IGNORE
                              parent_guid: ABCD1234-0114369a-000002ac-00000000-1d94538fb2b...
                              parent_hash: [list:2 items]:
                                           [0]: 9efa02fba3a4a914f7e800f3d5b2df54
                                           [1]: 1f3f889b5a0150f4620d1ef4d23d778de243febb8b4d3b7...
                              parent_name: c:\windows\system32\wininit.exe
                               parent_pid: 684
                         parent_publisher: [list:1 item]:
                                           [0]: Microsoft Windows Publisher
                   parent_publisher_state: [list:4 items]:
                                           [0]: FILE_SIGNATURE_STATE_VERIFIED
                                           [1]: FILE_SIGNATURE_STATE_OS
                                           [2]: FILE_SIGNATURE_STATE_TRUSTED
                                           [...]
                        parent_reputation: NOT_LISTED
                          process_cmdline: [list:1 item]:
                                           [0]: C:\Windows\system32\lsass.exe
                   process_cmdline_length: [list:1 item]:
                                           [0]: 29
                     process_company_name: Microsoft Corporation
             process_effective_reputation: LOCAL_WHITE
      process_effective_reputation_source: IGNORE
                         process_elevated: True
                 process_file_description: Local Security Authority Process
                             process_guid: ABCD1234-0114369a-0000033c-00000000-1d94538fb4e...
                             process_hash: [list:2 items]:
                                           [0]: c0ba0caebf823de8f2ebf49eea9cc5e5
                                           [1]: c72b9e35e307fefe59bacc3c65842e93b963f6c37329340...
                  process_integrity_level: SYSTEM
                    process_internal_name: lsass.exe
                             process_name: c:\windows\system32\lsass.exe
                process_original_filename: lsass.exe
                              process_pid: [list:1 item]:
                                           [0]: 828
                       process_privileges: [list:19 items]:
                                           [0]: SeIncreaseBasePriorityPrivilege
                                           [1]: SeCreateGlobalPrivilege
                                           [2]: SeChangeNotifyPrivilege
                                           [...]
                     process_product_name: Microsoft® Windows® Operating System
                  process_product_version: 10.0.22000.1098
                        process_publisher: [list:1 item]:
                                           [0]: Microsoft Windows Publisher
                  process_publisher_state: [list:4 items]:
                                           [0]: FILE_SIGNATURE_STATE_VERIFIED
                                           [1]: FILE_SIGNATURE_STATE_OS
                                           [2]: FILE_SIGNATURE_STATE_TRUSTED
                                           [...]
                       process_reputation: NOT_LISTED
                           process_sha256: c72b9e35e307fefe59bacc3c65842e93b963f6c37329340...
                       process_start_time: 2023-02-20T14:38:22.087Z
                         process_username: [list:1 item]:
                                           [0]: NT AUTHORITY\SYSTEM
                             regmod_count: 42
                         scriptload_count: 0
                         windows_event_id: 4634
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.

Get Auth Events Detail Job Results

Retrieves the Auth Events Detail Job results for a given job ID.

This call is asynchronous: results may be returned before the job finishes, and the result set is complete only once contacted == completed in the response.


API Permissions Required

Identity Manager                  Permission (.notation name)    Operation(s)                         Environment
Carbon Black Cloud                org.search.events              READ                                 Majority of environments
VMware Cloud Services Platform    _API.Search:org.Events:read    N/A - included in permission name    Prod UK and AWS GovCloud (US)

Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/detail_jobs/{job_id}/results


Query Parameters

Parameter    Required    Description                                 Values    Default
start        No          First row to use for pagination             Long      Default: 0
rows         No          Number of rows to request for pagination    Long      Default: 500, Max: 10k


Response Codes

Code    Description              Content-Type        Content
200     OK                       application/json    Example response below
400     Bad Request              application/json    N/A
403     Forbidden                application/json    N/A
429     Too Many Requests        application/json    N/A
500     Internal Server Error    application/json    N/A

Examples

Request
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/detail_jobs/6525d831-c8d3-4966-a335-97a5a5d7d6b0-sqs/results
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Response Body
{
  "results": [
    {
      "auth_cleartext_credentials_logon": false,
      "auth_daemon_logon": true,
      "auth_domain_name": "NT AUTHORITY",
      "auth_elevated_token_logon": true,
      "auth_event_action": "LOGON_SUCCESS",
      "auth_failed_logon_count": 0,
      "auth_impersonation_level": "IMPERSONATION_LOCAL_ONLY",
      "auth_interactive_logon": false,
      "auth_key_length": 0,
      "auth_logon_id": "00000000-000003E7",
      "auth_logon_type": 5,
      "auth_package": "Negotiate",
      "auth_remote_device": "-",
      "auth_remote_logon": false,
      "auth_remote_port": 0,
      "auth_restricted_admin_logon": false,
      "auth_user_id": "S-1-5-18",
      "auth_username": "SYSTEM",
      "auth_virtual_account_logon": false,
      "backend_timestamp": "2023-01-13T17:18:36.195Z",
      "childproc_count": 0,
      "crossproc_count": 48,
      "device_external_ip": "52.116.18.136",
      "device_group_id": 0,
      "device_id": 12345678,
      "device_installed_by": "CBAWTD\\Administrator",
      "device_internal_ip": "192.168.231.164",
      "device_location": "UNKNOWN",
      "device_name": "test_name",
      "device_os": "WINDOWS",
      "device_os_version": "Windows 10 x64",
      "device_policy": "test-monitor",
      "device_policy_id": 20622246,
      "device_sensor_version": "3.9.0.2352",
      "device_target_priority": "MEDIUM",
      "device_timestamp": "2023-01-13T17:17:45.322Z",
      "document_guid": "e0Huct8dQRyYfOEHImpfkA",
      "event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
      "event_report_code": "SUB_RPT_NONE",
      "filemod_count": 3,
      "ingress_time": 1673630293265,
      "modload_count": 1,
      "netconn_count": 35,
      "org_id": "ABCD1234",
      "parent_cmdline": "wininit.exe",
      "parent_cmdline_length": 11,
      "parent_effective_reputation": "TRUSTED_WHITE_LIST",
      "parent_effective_reputation_source": "IGNORE",
      "parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
      "parent_hash": [
        "9ef51c8ad595c5e2a123c06ad39fccd7",
        "268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86"
      ],
      "parent_name": "c:\\windows\\system32\\wininit.exe",
      "parent_pid": 608,
      "parent_publisher": [
        "Microsoft Windows Publisher"
      ],
      "parent_publisher_state": [
        "FILE_SIGNATURE_STATE_VERIFIED",
        "FILE_SIGNATURE_STATE_OS",
        "FILE_SIGNATURE_STATE_TRUSTED",
        "FILE_SIGNATURE_STATE_SIGNED"
      ],
      "parent_reputation": "TRUSTED_WHITE_LIST",
      "process_cmdline": [
        "C:\\Windows\\system32\\lsass.exe"
      ],
      "process_cmdline_length": [
        29
      ],
      "process_company_name": "Microsoft Corporation",
      "process_effective_reputation": "TRUSTED_WHITE_LIST",
      "process_effective_reputation_source": "IGNORE",
      "process_elevated": true,
      "process_file_description": "Local Security Authority Process",
      "process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
      "process_hash": [
        "15a556def233f112d127025ab51ac2d3",
        "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
      ],
      "process_integrity_level": "SYSTEM",
      "process_internal_name": "lsass.exe",
      "process_name": "c:\\windows\\system32\\lsass.exe",
      "process_original_filename": "lsass.exe",
      "process_pid": [
        776
      ],
      "process_privileges": [
        "SeIncreaseBasePriorityPrivilege",
        "SeCreateGlobalPrivilege",
        "SeChangeNotifyPrivilege",
        "SeCreateSymbolicLinkPrivilege",
        "SeDelegateSessionUserImpersonatePrivilege",
        "SeSystemProfilePrivilege",
        "SeDebugPrivilege",
        "SeProfileSingleProcessPrivilege",
        "SeLockMemoryPrivilege",
        "SeCreatePagefilePrivilege",
        "SeTimeZonePrivilege",
        "SeTcbPrivilege",
        "SeIncreaseWorkingSetPrivilege",
        "SeImpersonatePrivilege",
        "SeCreatePermanentPrivilege",
        "SeAuditPrivilege"
      ],
      "process_product_name": "Microsoft® Windows® Operating System",
      "process_product_version": "10.0.19041.906",
      "process_publisher": [
        "Microsoft Windows Publisher"
      ],
      "process_publisher_state": [
        "FILE_SIGNATURE_STATE_VERIFIED",
        "FILE_SIGNATURE_STATE_OS",
        "FILE_SIGNATURE_STATE_TRUSTED",
        "FILE_SIGNATURE_STATE_SIGNED"
      ],
      "process_reputation": "TRUSTED_WHITE_LIST",
      "process_sha256": "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427",
      "process_start_time": "2023-01-13T14:47:02.982Z",
      "process_username": [
        "NT AUTHORITY\\SYSTEM"
      ],
      "regmod_count": 11,
      "scriptload_count": 0,
      "windows_event_id": 4624
    }
  ],
  "num_found": 1,
  "num_available": 1,
  "approximate_unaggregated": 1,
  "num_aggregated": 1,
  "contacted": 11,
  "completed": 11
}
To download or review the Carbon Black Cloud Postman collection, click here.
Request
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/detail_jobs/6525d831-c8d3-4966-a335-97a5a5d7d6b0-sqs/results \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'
Response Body
(identical to the response body shown for the preceding request)
To download or review the Carbon Black Cloud Postman collection, click here.
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEvent

# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')

# Get the details of all the results
all_events = cb.select(AuthEvent).where(process_pid=2000)

# Get the details of a particular result by id
event = cb.select(AuthEvent, "example-event-id")

print(all_events[0].get_details())
Result
  AuthEvent object, bound to https://defense.conferdeploy.net.
   Partially initialized. Use .refresh() to load all attributes
  -------------------------------------------------------------------------------

         auth_cleartext_credentials_logon: False
                        auth_daemon_logon: False
                         auth_domain_name: NT AUTHORITY
                auth_elevated_token_logon: False
                        auth_event_action: LOGOFF_SUCCESS
                  auth_failed_logon_count: 0
                 auth_impersonation_level: IMPERSONATION_INVALID
                   auth_interactive_logon: False
                          auth_key_length: 0
                            auth_logon_id: 00000000-302883E9
                          auth_logon_type: 9
                             auth_package: Negotiate
                        auth_remote_logon: False
                         auth_remote_port: 0
              auth_restricted_admin_logon: False
                             auth_user_id: S-1-5-18
                            auth_username: SYSTEM
               auth_virtual_account_logon: False
                        backend_timestamp: 2023-03-08T08:18:19.790Z
                          childproc_count: 0
                          crossproc_count: 1859
                       device_external_ip: 81.153.81.191
                          device_group_id: 0
                                device_id: 18101914
                      device_installed_by: RICHM\Administrator
                       device_internal_ip: 192.168.200.15
                          device_location: UNKNOWN
                              device_name: richm\win11
                                device_os: WINDOWS
                        device_os_version: Windows 11 x64
                            device_policy: richm_policy
                         device_policy_id: 20886205
                    device_sensor_version: 3.9.1.2464
                   device_target_priority: MEDIUM
                         device_timestamp: 2023-03-08T08:15:03.090Z
                            document_guid: Svx0mK2hQfurTDWL8XsHiw
                                 event_id: 9D137450-6428-446E-8C23-F0C526156A0C
                        event_report_code: SUB_RPT_NONE
                            filemod_count: 33
                             ingress_time: 1678263444460
                            modload_count: 7
                            netconn_count: 113
                                   org_id: ABCD1234
                           parent_cmdline: wininit.exe
                    parent_cmdline_length: 11
              parent_effective_reputation: LOCAL_WHITE
       parent_effective_reputation_source: IGNORE
                              parent_guid: ABCD1234-0114369a-000002ac-00000000-1d94538fb2b...
                              parent_hash: [list:2 items]:
                                           [0]: 9efa02fba3a4a914f7e800f3d5b2df54
                                           [1]: 1f3f889b5a0150f4620d1ef4d23d778de243febb8b4d3b7...
                              parent_name: c:\windows\system32\wininit.exe
                               parent_pid: 684
                         parent_publisher: [list:1 item]:
                                           [0]: Microsoft Windows Publisher
                   parent_publisher_state: [list:4 items]:
                                           [0]: FILE_SIGNATURE_STATE_VERIFIED
                                           [1]: FILE_SIGNATURE_STATE_OS
                                           [2]: FILE_SIGNATURE_STATE_TRUSTED
                                           [...]
                        parent_reputation: NOT_LISTED
                          process_cmdline: [list:1 item]:
                                           [0]: C:\Windows\system32\lsass.exe
                   process_cmdline_length: [list:1 item]:
                                           [0]: 29
                     process_company_name: Microsoft Corporation
             process_effective_reputation: LOCAL_WHITE
      process_effective_reputation_source: IGNORE
                         process_elevated: True
                 process_file_description: Local Security Authority Process
                             process_guid: ABCD1234-0114369a-0000033c-00000000-1d94538fb4e...
                             process_hash: [list:2 items]:
                                           [0]: c0ba0caebf823de8f2ebf49eea9cc5e5
                                           [1]: c72b9e35e307fefe59bacc3c65842e93b963f6c37329340...
                  process_integrity_level: SYSTEM
                    process_internal_name: lsass.exe
                             process_name: c:\windows\system32\lsass.exe
                process_original_filename: lsass.exe
                              process_pid: [list:1 item]:
                                           [0]: 828
                       process_privileges: [list:19 items]:
                                           [0]: SeIncreaseBasePriorityPrivilege
                                           [1]: SeCreateGlobalPrivilege
                                           [2]: SeChangeNotifyPrivilege
                                           [...]
                     process_product_name: Microsoft® Windows® Operating System
                  process_product_version: 10.0.22000.1098
                        process_publisher: [list:1 item]:
                                           [0]: Microsoft Windows Publisher
                  process_publisher_state: [list:4 items]:
                                           [0]: FILE_SIGNATURE_STATE_VERIFIED
                                           [1]: FILE_SIGNATURE_STATE_OS
                                           [2]: FILE_SIGNATURE_STATE_TRUSTED
                                           [...]
                       process_reputation: NOT_LISTED
                           process_sha256: c72b9e35e307fefe59bacc3c65842e93b963f6c37329340...
                       process_start_time: 2023-02-20T14:38:22.087Z
                         process_username: [list:1 item]:
                                           [0]: NT AUTHORITY\SYSTEM
                             regmod_count: 42
                         scriptload_count: 0
                         windows_event_id: 4634
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
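The paging and completion rules above (the start/rows query parameters and the contacted == completed check), as an added Python example that is not part of this documentation or the CBC SDK; the fetch callable, the logon-type names and the sample events are constructed for the illustration:

```python
"""Added example, not code from the Carbon Black Cloud documentation or SDK:
page through detail-job results with start/rows and treat the result set as
complete only when contacted == completed (fetch(start, rows) is a stand-in
for the HTTP GET, so everything here runs offline on constructed data)."""
import time
from typing import Callable, Dict, Iterator, List

# Well-known Windows logon types carried in auth_logon_type (events 4624/4634).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
ROWS_MAX = 10_000  # documented maximum for the rows query parameter
Fetch = Callable[[int, int], dict]  # fetch(start, rows) -> parsed results JSON


def job_complete(page: dict) -> bool:
    """Documented completion rule: the job is done when contacted == completed."""
    return page.get("contacted", 0) == page.get("completed", -1)


def wait_for_job(fetch: Fetch, attempts: int = 30, delay: float = 2.0,
                 sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll a one-row page until the job completes; raise after `attempts`."""
    for _ in range(attempts):
        page = fetch(0, 1)
        if job_complete(page):
            return page
        sleep(delay)
    raise TimeoutError("detail job did not complete in time")


def iter_results(fetch: Fetch, rows: int = 500) -> Iterator[dict]:
    """Yield every row, advancing start by the rows actually returned until
    num_available rows have been consumed."""
    rows = max(1, min(rows, ROWS_MAX))
    start = 0
    while True:
        page = fetch(start, rows)
        if not job_complete(page):
            raise RuntimeError("job still running; call wait_for_job() first")
        results: List[dict] = page.get("results", [])
        for row in results:
            yield row
        start += len(results)
        if not results or start >= page.get("num_available", 0):
            return


def triage(event: dict) -> Dict[str, object]:
    """The fields an analyst checks first on a single auth event."""
    logon_type = event["auth_logon_type"]
    return {
        "windows_event_id": event["windows_event_id"],
        "action": event["auth_event_action"],
        "user": f"{event['auth_domain_name']}\\{event['auth_username']}",
        "logon_type": LOGON_TYPES.get(logon_type, f"Unknown({logon_type})"),
        "remote": event["auth_remote_logon"],
        "elevated": event["auth_elevated_token_logon"],
        "device": event["device_name"],
    }


# Constructed sample events; the field set is a subset of the documented response.
def _event(n: int, **overrides) -> dict:
    base = {
        "event_id": f"CONSTRUCTED-{n}", "windows_event_id": 4624,
        "auth_event_action": "LOGON_SUCCESS", "auth_domain_name": "NT AUTHORITY",
        "auth_username": "SYSTEM", "auth_logon_type": 5, "auth_remote_logon": False,
        "auth_elevated_token_logon": True, "device_name": "test_name",
    }
    base.update(overrides)
    return base


CONSTRUCTED_EVENTS = [
    _event(1),
    _event(2, auth_domain_name="CBAWTD", auth_username="Administrator",
           auth_logon_type=10, auth_remote_logon=True),
    _event(3, windows_event_id=4634, auth_event_action="LOGOFF_SUCCESS",
           auth_logon_type=9, auth_elevated_token_logon=False),
]


def fake_fetch(start: int, rows: int) -> dict:
    """Stand-in for GET .../detail_jobs/{job_id}/results?start=..&rows=.."""
    chunk = CONSTRUCTED_EVENTS[start:start + rows]
    return {"results": chunk, "num_found": len(CONSTRUCTED_EVENTS),
            "num_available": len(CONSTRUCTED_EVENTS), "contacted": 11, "completed": 11}


def remote_logons(fetch: Fetch = fake_fetch, rows: int = 2) -> List[Dict[str, object]]:
    """Triage rows for successful logons that came from another host."""
    return [triage(e) for e in iter_results(fetch, rows)
            if e["auth_remote_logon"] and e["auth_event_action"] == "LOGON_SUCCESS"]
```

With a real deployment, replace fake_fetch with a function that issues the GET above with the start and rows it is handed and returns the parsed JSON.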

Events Facet


Start Auth Events Facet Job

Creates an Auth Events Facet job. The results for the facet job may be requested using the job_id returned. This route will not request processes.


API Permissions Required

Identity Manager                  Permission (.notation name)      Operation(s)                         Environment
Carbon Black Cloud                org.search.events                READ, CREATE                         Majority of environments
VMware Cloud Services Platform    _API.Search:org.Events:read      N/A - included in permission name    Prod UK and AWS GovCloud (US)
VMware Cloud Services Platform    _API.Search:org.Events:create    N/A - included in permission name    Prod UK and AWS GovCloud (US)

Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/facet_jobs


Request Body - application/json

{
  "criteria": {
    "<additionalProp1>": [ { "<key>": "<value>" } ]
  },
  "exclusions": {
    "<additionalProp1>": [ { "<key>": "<value>" } ]
  },
  "query": "<string>",
  "ranges": [
    {
      "bucket_size": { "<key>": "<value>" },
      "end": { "<key>": "<value>" },
      "field": "<string>",
      "start": { "<key>": "<value>" }
    }
  ],
  "terms": {
    "fields": [ "<string>" ],
    "rows": <integer>
  },
  "time_range": {
    "end": "<string>",
    "start": "<string>",
    "window": "<string>"
  }
}


Body Schema

Field: criteria
Data Type: Object
Definition: Criteria is an object that represents values that must be in the results. Either query or criteria/exclusions must be included.
Values (example):
{
  "process_name": [
    "chrome.exe"
  ]
}
Additional fields are listed at Platform Search Fields.

Field: exclusions
Data Type: Object
Definition: Exclusions is a map that represents values that must not be in the results. Either query or criteria/exclusions must be included.
Values (example):
{
  "process_name": [
    "chrome.exe"
  ]
}
Additional fields are listed at Platform Search Fields.

Field: query
Data Type: String
Definition: Query in Lucene syntax and/or including value searches. Either query or criteria/exclusions must be included.
Values (example):
"auth_username:SYSTEM"

Field: ranges
Data Type: Array
Definition: Allows grouping for properties that are ISO 8601 UTC timestamps or numbers. Bucket size for ISO 8601 UTC timestamps uses the SOLR DateMathParser syntax.
Values (examples):
[{
  "bucket_size": 100,
  "end": 100,
  "field": "process_duration",
  "start": 0
}]
or
[{
  "bucket_size": "+1DAY",
  "end": "2020-01-21T18:34:04Z",
  "field": "process_start_time",
  "start": "2020-01-18T18:34:04Z"
}]

Field: terms
Data Type: Object
Definition: The enriched events fields to facet and how many of the top entries to return.
Values (example):
{
  "fields": [
    "process_name"
  ],
  "rows": 100
}
Default: 100

Field: time_range
Data Type: Object
Definition: Describes a time window to restrict the search to match, using device_timestamp as the reference. window takes priority over start and end if provided.
Values (example):
{
  "end": "2020-01-21T18:34:04Z",
  "start": "2020-01-18T18:34:04Z",
  "window": "-2w"
}
window: "-2w" where y=year, w=week, d=day, h=hour, m=minute, s=second
start: ISO 8601 UTC timestamp
end: ISO 8601 UTC timestamp

Response Codes

Code    Description              Content-Type        Content
200     OK                       application/json    Example response below
400     Bad Request              application/json    N/A
403     Forbidden                application/json    N/A
429     Too Many Requests        application/json    N/A
500     Internal Server Error    application/json    N/A

Examples

Request
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/facet_jobs
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
Request Body
{
  "criteria": {},
  "exclusions": {},
  "query": "(auth_username:Administrator) AND (device_name:test_name)",
  "terms": {
    "fields": [
      "windows_event_id",
      "auth_username",
      "auth_user_id",
      "auth_logon_type",
      "auth_logon_id",
      "auth_domain_name",
      "auth_remote_device",
      "auth_remote_ipv4",
      "auth_remote_port",
      "auth_privileges",
      "auth_interactive_logon",
      "auth_remote_logon",
      "parent_guid",
      "process_name",
      "device_name"
    ],
    "rows": 1
  },
  "time_range": {
    "start": "2023-01-10T16:20:40.471Z",
    "end": "2023-01-20T16:20:40.471Z"
  }
}
Response Body
{
  "job_id": "ff19b247-8b27-4bec-84d8-7b316660c389"
}
To download or review the Carbon Black Cloud Postman collection, click here.
Request
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/facet_jobs \
-X POST \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{ "criteria": {}, "exclusions": {}, "query": "(auth_username:Administrator) AND (device_name:w10cbws2thtplt)", "terms": { "fields": [ "windows_event_id", "auth_username", "process_name", "device_name" ], "rows": 1 }, "time_range": { "window": "-50w" } }'
Response Body
{
  "job_id": "ff19b247-8b27-4bec-84d8-7b316660c389"
}
To download or review the Carbon Black Cloud Postman collection, click here.
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEventFacet

# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')

# Facet the SYSTEM account's auth events by process_name; the SDK creates the
# facet job and fetches its results when .results is accessed
events_facet = cb.select(AuthEventFacet).where("auth_username:SYSTEM").add_facet_field("process_name")
print(events_facet.results)
Result
AuthEventFacet object, bound to https://defense.conferdeploy.net.
-------------------------------------------------------------------------------

    completed: 54
    contacted: 54
       job_id: 05292684-7661-4b25-8803-e9be7116c0a0
    num_found: 198
       ranges: [list:0 items]
        terms: [list:1 item]:
               [0]: {'values': [{'total': 198, 'id': 'c:\\windows\\...
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.

Get Auth Events Facet Job Results

Retrieves the auth event facet results for a given job_id.

This call is asynchronous: results may be returned before the job finishes, and the result set is complete only once contacted == completed in the response.


API Permissions Required

Identity Manager                  Permission (.notation name)    Operation(s)                         Environment
Carbon Black Cloud                org.search.events              READ                                 Majority of environments
VMware Cloud Services Platform    _API.Search:org.Events:read    N/A - included in permission name    Prod UK and AWS GovCloud (US)

Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/auth_events/facet_jobs/{job_id}/results


Query Parameters

Parameter    Required    Description                              Values     Default
limit        No          Maximum number of facets per category    Integer    100


Response Codes

Code    Description              Content-Type        Content
200     OK                       application/json    Example response below
400     Bad Request              application/json    N/A
403     Forbidden                application/json    N/A
429     Too Many Requests        application/json    N/A
500     Internal Server Error    application/json    N/A

Examples

Request
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/auth_events/facet_jobs/ff19b247-8b27-4bec-84d8-7b316660c389/results
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Response Body
{
  "ranges": [],
  "terms": [
    {
      "values": [
        {
          "total": 26,
          "id": "CBAWTD",
          "name": "CBAWTD"
        }
      ],
      "field": "auth_domain_name"
    },
    {
      "values": [
        {
          "total": 21,
          "id": "true",
          "name": "true"
        }
      ],
      "field": "auth_interactive_logon"
    },
    {
      "values": [
        {
          "total": 3,
          "id": "00000000-000682E5",
          "name": "00000000-000682E5"
        }
      ],
      "field": "auth_logon_id"
    },
    {
      "values": [
        {
          "total": 10,
          "id": "11",
          "name": "11"
        }
      ],
      "field": "auth_logon_type"
    },
    {
      "values": [
        {
          "total": 5,
          "id": "SeBackupPrivilege",
          "name": "SeBackupPrivilege"
        }
      ],
      "field": "auth_privileges"
    },
    {
      "values": [
        {
          "total": 15,
          "id": "W10CBWS2THTPLT",
          "name": "W10CBWS2THTPLT"
        }
      ],
      "field": "auth_remote_device"
    },
    {
      "values": [
        {
          "total": 10,
          "id": "127.0.0.1",
          "name": "127.0.0.1"
        }
      ],
      "field": "auth_remote_ipv4"
    },
    {
      "values": [
        {
          "total": 26,
          "id": "false",
          "name": "false"
        }
      ],
      "field": "auth_remote_logon"
    },
    {
      "values": [
        {
          "total": 26,
          "id": "0",
          "name": "0"
        }
      ],
      "field": "auth_remote_port"
    },
    {
      "values": [
        {
          "total": 21,
          "id": "S-1-5-21-1613105849-671609947-2392320032-500",
          "name": "S-1-5-21-1613105849-671609947-2392320032-500"
        }
      ],
      "field": "auth_user_id"
    },
    {
      "values": [
        {
          "total": 26,
          "id": "Administrator",
          "name": "Administrator"
        }
      ],
      "field": "auth_username"
    },
    {
      "values": [
        {
          "total": 26,
          "id": "test_name",
          "name": "test_name"
        }
      ],
      "field": "device_name"
    },
    {
      "values": [
        {
          "total": 4,
          "id": "ABCD1234-010dde78-0000025c-00000000-1d9273b461e9f0f",
          "name": "ABCD1234-010dde78-0000025c-00000000-1d9273b461e9f0f"
        }
      ],
      "field": "parent_guid"
    },
    {
      "values": [
        {
          "total": 20,
          "id": "c:\\windows\\system32\\lsass.exe",
          "name": "c:\\windows\\system32\\lsass.exe"
        }
      ],
      "field": "process_name"
    },
    {
      "values": [
        {
          "total": 10,
          "id": "4624",
          "name": "4624"
        }
      ],
      "field": "windows_event_id"
    }
  ],
  "num_found": 26,
  "contacted": 9,
  "completed": 9
}
To download or review the Carbon Black Cloud Postman collection, click here.
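An added Python example, not part of this documentation or the CBC SDK, that covers both the facet-job body schema under Start Auth Events Facet Job above and the results shown here: it assembles a request body under the schema's rules (query or criteria/exclusions required, the window syntax, window priority over start/end) and condenses the terms array of a results page into per-field counts; the sample results page is constructed to match the documented shape.

```python
"""Added example, not code from the Carbon Black Cloud documentation or SDK:
build_facet_body() assembles a body for POST .../auth_events/facet_jobs under
the documented schema rules; facet_counts() and unaccounted_events() condense
the `terms` array of a facet-job results page.  Sample data is constructed."""
import re
from typing import Dict, Iterable, List, Optional

TERMS_ROWS_DEFAULT = 100
# window syntax from the body schema: "-2w", units y/w/d/h/m/s
WINDOW_RE = re.compile(r"^-\d+[ywdhms]$")


def validation_error(fields: List[str], query: Optional[str], criteria: Optional[dict],
                     exclusions: Optional[dict], rows: int, window: Optional[str]) -> Optional[str]:
    """Return the first schema violation as a message, or None if the inputs are valid."""
    if not (query or criteria or exclusions):
        return "either query or criteria/exclusions must be included"
    if not fields:
        return "terms.fields must name at least one field to facet"
    if rows < 1:
        return "terms.rows must be a positive integer"
    if window is not None and not WINDOW_RE.match(window):
        return f"bad window {window!r}; expected a form such as '-2w'"
    return None


def build_facet_body(fields: Iterable[str], query: Optional[str] = None,
                     criteria: Optional[dict] = None, exclusions: Optional[dict] = None,
                     rows: int = TERMS_ROWS_DEFAULT, window: Optional[str] = None,
                     start: Optional[str] = None, end: Optional[str] = None,
                     ranges: Optional[list] = None) -> dict:
    """Build the JSON body for the facet_jobs POST, raising on schema violations."""
    fields = list(fields)
    problem = validation_error(fields, query, criteria, exclusions, rows, window)
    if problem:
        raise ValueError(problem)
    body = {"criteria": criteria or {}, "exclusions": exclusions or {},
            "terms": {"fields": fields, "rows": rows}}
    if query:
        body["query"] = query
    if ranges:
        body["ranges"] = list(ranges)
    # window takes priority over start/end on the service side, so start/end
    # only matter when no window is supplied.
    time_range = {k: v for k, v in (("window", window), ("start", start), ("end", end)) if v}
    if time_range:
        body["time_range"] = time_range
    return body


def job_complete(page: dict) -> bool:
    """Documented completion rule: contacted == completed."""
    return page.get("contacted", 0) == page.get("completed", -1)


def facet_counts(page: dict) -> Dict[str, Dict[str, int]]:
    """{field: {bucket name: total}} from the terms array of a results page."""
    return {term["field"]: {v["name"]: v["total"] for v in term.get("values", [])}
            for term in page.get("terms", [])}


def unaccounted_events(page: dict) -> Dict[str, int]:
    """Per field, how many of num_found events the returned buckets do not cover.
    A positive value means the facet was cut off by terms.rows / limit, or that
    some events simply lack the field (e.g. auth_remote_ipv4 on local logons)."""
    found = page.get("num_found", 0)
    return {field: max(0, found - sum(buckets.values()))
            for field, buckets in facet_counts(page).items()}


# Mirrors the documented request (rows=1 keeps only the top bucket per field).
EXAMPLE_BODY = build_facet_body(
    ["windows_event_id", "auth_username", "auth_logon_type", "auth_remote_ipv4"],
    query="(auth_username:Administrator) AND (device_name:test_name)",
    rows=1, window="-50w")

# Constructed results page in the documented shape.
CONSTRUCTED_RESULTS = {
    "ranges": [],
    "terms": [
        {"field": "auth_logon_type", "values": [{"total": 10, "id": "11", "name": "11"}]},
        {"field": "windows_event_id", "values": [{"total": 10, "id": "4624", "name": "4624"}]},
        {"field": "auth_username",
         "values": [{"total": 26, "id": "Administrator", "name": "Administrator"}]},
        {"field": "auth_remote_ipv4",
         "values": [{"total": 10, "id": "127.0.0.1", "name": "127.0.0.1"}]},
    ],
    "num_found": 26, "contacted": 9, "completed": 9,
}
```

With rows=1 each field reports only its top bucket, so unaccounted_events() is the quick way to see which fields need a larger terms.rows (or results limit) before the facet can be read as a complete breakdown.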
Code
from cbc_sdk import CBCloudAPI
from cbc_sdk.enterprise_edr import AuthEventFacet

# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
cb = CBCloudAPI(profile='example_profile')

# Facet query: count the distinct process_name values across all auth events
# whose auth_username is SYSTEM. .results blocks until the facet job completes.
events_facet = cb.select(AuthEventFacet).where("auth_username:SYSTEM").add_facet_field("process_name")
print(events_facet.results)
Result
AuthEventFacet object, bound to https://defense.conferdeploy.net.
-------------------------------------------------------------------------------

    completed: 54
    contacted: 54
       job_id: 05292684-7661-4b25-8803-e9be7116c0a0
    num_found: 198
       ranges: [list:0 items]
        terms: [list:1 item]:
               [0]: {'values': [{'total': 198, 'id': 'c:\\windows\\...
To learn about credentials handling, capabilities, and more about the CBC Python SDK, click here.
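The facet results above are easiest to act on once the terms array is flattened into field, value and count. The following is an added example, not code from this page or from the Carbon Black Cloud SDK: it parses a constructed facet-results body in the same shape as the response above (the second auth_logon_type bucket and the 4625 bucket are made-up sample values), reports the dominant bucket per field and the share of events in a given bucket, and treats the job as finished only when completed matches contacted, since counts from a still-running job are partial.

```python
import json

# Constructed sample (not taken from the API): a facet-results body in the same
# shape as the Auth Events response above, trimmed to four fields. The second
# auth_logon_type bucket and the 4625 bucket are made-up values for illustration.
SAMPLE_FACET_RESPONSE = json.dumps({
    "ranges": [],
    "terms": [
        {"field": "auth_logon_type",
         "values": [{"total": 10, "id": "11", "name": "11"},
                    {"total": 6, "id": "2", "name": "2"}]},
        {"field": "auth_remote_logon",
         "values": [{"total": 26, "id": "false", "name": "false"}]},
        {"field": "windows_event_id",
         "values": [{"total": 10, "id": "4624", "name": "4624"},
                    {"total": 3, "id": "4625", "name": "4625"}]},
        {"field": "auth_username",
         "values": [{"total": 26, "id": "Administrator", "name": "Administrator"}]},
    ],
    "num_found": 26,
    "contacted": 9,
    "completed": 9,
})

# Constructed sample of a job that is still running: completed is below
# contacted, so any counts in it are partial and must not be acted on yet.
SAMPLE_PARTIAL_RESPONSE = json.dumps({
    "ranges": [], "terms": [], "num_found": 0, "contacted": 9, "completed": 5,
})


def summarize_facets(body: str) -> dict:
    """Flatten a facet-results body into a summary dict.

    Returns {"complete": bool, "num_found": int,
             "facets": {field: {value_id: total}}}.
    The job counts as finished only when completed has caught up with contacted.
    """
    data = json.loads(body)
    facets = {}
    for term in data.get("terms", []):
        facets[term["field"]] = {v["id"]: v["total"] for v in term.get("values", [])}
    return {
        "complete": data.get("completed", 0) >= data.get("contacted", 0),
        "num_found": data.get("num_found", 0),
        "facets": facets,
    }


def top_value(summary: dict, field: str):
    """Return (value_id, total) for the largest bucket of a field, or None."""
    buckets = summary["facets"].get(field)
    if not buckets:
        return None
    return max(buckets.items(), key=lambda kv: kv[1])


def share(summary: dict, field: str, value_id: str) -> float:
    """Fraction of all matched events that fall into one bucket of a field."""
    total = summary["num_found"]
    if total == 0:
        return 0.0
    return summary["facets"].get(field, {}).get(value_id, 0) / total


if __name__ == "__main__":
    s = summarize_facets(SAMPLE_FACET_RESPONSE)
    print("complete:", s["complete"], "events:", s["num_found"])
    for field in s["facets"]:
        print(f"{field}: top bucket {top_value(s, field)}")
    print(f"failed logons (4625): {share(s, 'windows_event_id', '4625'):.1%}")
```

The same summarizer works on the body returned by the results endpoint above or on the `terms` list the SDK exposes on its AuthEventFacet object; poll until `complete` is true before comparing counts across runs.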

Last modified on July 17, 2024