This API lets you search through all the data that is reported by your organization’s sensors to find one or more processes based on specific criteria you set.
With visibility across your fleet of monitored endpoints, you can identify applications that are acting abnormally and over time, cull the outliers from the total observed process activity, and retroactively identify the origination point for attacks that previously escaped notice. You can also:
/facet_jobs followed by /results on the /facet_jobs/ call with job_id in the request URIAlternative solutions:
Most API calls require all three headers:
X-Auth-Token: (required) your authentication token is: API Secret Key/API ID
ABCDEFGHIJKLMNOPQRSTUVWX and the API ID of 12345678, his corresponding X-Auth-Token HTTP header is ABCDEFGHIJKLMNOPQRSTUVWX/12345678Content-Type: application/jsonaccept: application/jsonMany Platform Search functions are asynchronous and require a sequence of calls to start the process, check the status and retrieve the results. The following is an example of typical use:
/api/investigate/v2/orgs/{org_key}/processes/search_jobs/api/investigate/v1/orgs/{org_key}/processes/search_jobs/{job_id} to get search progress/api/investigate/v2/orgs/{org_key}/processes/search_jobs/{job_id}/results route to retrieve the output of the job; if you haven’t waited until “contacted” equals “completed”, the results obtained will be incomplete.num_found and num_available field indicating how many results were found and how many of those are able to be paginated. A search matching more results than will be returned through pagination will report num_found greater than num_available; note that this limitation occurs to prevent performance degradation with searches matching a large number of events or processes. In order to return more of the matching results, you can apply a smaller time range to your search request, or use additional or more specific criteria, then make as many additional of these subset searches as needed to fetch the entire num_found from your original search.Process searches aggregate events to construct the process models. The ‘approximate_unaggregated’ and ‘num_aggregated’ properties in the response provide greater insight into the processes that matched your search.
approximate_unaggregated indicates the number of matching events used to construct the processes which will be equivalent to num_found while the search finishes aggregating otherwise num_found may equal num_aggregated.
num_aggregated represents the processes that were constructed from the events which will be equal or greater than num_available. To retrieve more of the num_aggregated results adjust your criteria and/or time range, additionally if you set collapse to true in the process search creation then this will compress redundant events allowing for more results to be retrieved.
Note: If you create a broad or large time range search then Process Search Jobs can be cancelled using Cancel a Process Search
Note: when you insert your org_key, you must also remove the { } brackets.
This API has three types of calls:
Note: Some calls use “v1” in the path, and others use “v2”. Using the wrong path will result in an error.
The following calls search on and return processes.
Returns suggestions for a process search selected from fields and values as reported in the organization’s system. Will return values for the specified field if at least one character follows the colon. Returns null if no characters follow the colon.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/search_suggestions
Query Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
suggest.q REQUIRED
|
Query to generate suggestions for | String | N/A |
suggest.count |
Number of suggestions to return | Integer | Default: 50 |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully suggested process search fields | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_suggestions?suggest.q=process_cmd&suggest.count=1
Response
{
"suggestions": [
{
"term": "process_name",
"weight": 2800,
"required_skus_all": [],
"required_skus_some": [
"threathunter",
"defense"
]
}
]
}Validates a given process query and potentially gives suggestions on how to fix invalid queries.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/search_validation
Query Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
q REQUIRED
|
Keeping this parameter as *:* allows you to query everything |
String | N/A |
cb.min_backend_timestamp |
Start time for the query | Integer | Epoch timestamp in milliseconds
Default: 0 |
cb.max_backend_timestamp |
End time for the query | Integer | Epoch timestamp in milliseconds |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully validated process search | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_validation?q=process
Response
{
"valid": true,
"value_search_query": true
}Returns the minimum and maximum times at which events were reported by any sensor in your organization.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/limits
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully fetched the upper and lower time limits | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/limits
Response
{
"time_bounds": {
"lower": 1564686473166,
"upper": 1579023412990
}
}Returns a list of all available process result sets in the form of query IDs. Callers can use query IDs to fetch results for previously created search jobs. query_id is the previous name for the newer job_id.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
GET <cbc-hostname>/api/investigate/v1/orgs/{org_key}/processes/search_jobs
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully got the list of available result sets | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_jobs
Response
{
"query_ids": [
"ABCD1234/005397cf-e334-4929-9977-d219047d9b96",
"ABCD1234/00b1df2f-4de0-4915-89e1-a9c19a25628e",
"ABCD1234/0108ad72-d13d-4f75-9bc5-de60750eb2f9",
"ABCD1234/014b9a78-f439-47fe-80ab-968a24431245",
"ABCD1234/023985e4-28dd-455c-b98a-28bb7e1ea276",
...
]
}Creates a process search job. The results for the search job may be requested using the job_id returned.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
CREATE |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/search_jobs
Body
{
"criteria": "<object>",
"exclusions": "<object>",
"fields": ["<string>", "<string>"],
"query": "<string>",
"rows": "<long>",
"sort": [
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<long>",
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
criteria |
Criteria is an object that represents values that must be in the results. Either query or criteria/exclusion must be included. |
Object | |
exclusions |
Exclusions is a map that represents values that must not be in the results. Either query or criteria/exclusion must be included. |
Object | |
fields |
A list of fields to include in the results, specify * to return all the default fields and add additional fields that are not returned by default |
String | ["*"] |
query |
Query in lucene syntax and/or including value searches. Either query or criteria/exclusion must be included. |
String | N/A |
rows |
Number of rows to request, can be paginated | Long | Default: 500
Max: 10k |
sort |
Sort is a collection of sort parameters that specify a field and order to sort the results. |
Array | order supports asc or desc |
start |
First row to use for pagination | Long | Default: 0 |
time_range |
Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. |
Object | window: “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second
start: ISO 8601 timestamp
end: ISO 8601 timestamp |
collapse |
Set to false if you want to prevent search engine from attempting to collapse redundant results together during initial phase of search. Useful for obtaining exact and consistent counts of unaggregated results. | boolean | Default: false |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully submitted search for processes | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/search_jobs
Body
{
"criteria": {
"device_name": ["Win7x64"]
},
"query": "process_name:svchost.exe",
"fields": ["*", "process_start_time"],
"sort": [
{
"field": "device_timestamp",
"order": "asc"
}
],
"start": 0,
"time_range": {
"end": "2020-01-27T18:34:04Z",
"start": "2020-01-18T18:34:04Z"
}
}Response
{
"job_id": "6b414c3e-c664-45ea-bb69-3aabf4430f7e"
}Returns the status of a search job. A job is finished when “completed” is equal to the “contacted”. This call should be used when polling for search job completion as it is more efficient than fetching results each time.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/search_jobs/{job_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully retrieved status of process search | N/A | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_jobs/45694120-8b28-4905-a9aa-c84b04e77d78
Response
{
"contacted": 25,
"completed": 0,
"query": {
"cb.max_backend_timestamp": 1579025578116,
"cb.min_backend_timestamp": 0,
"cb.min_device_timestamp": 0,
"q": "*.*",
"rows": 500,
"start": 0
},
"search_initiated_time": 1579025578206,
"connector_id": "TZV468322A"
}Retrieves the results of a process search identified by a job_id. Results will be sorted based on the sort parameter specified when starting the search. Confirm the search has completed by verifying that “contacted” equals “completed”.
Note: Use num_aggregated instead of num_found to determine if there are more processes which need a refined search or time range to fetch. approximate_unaggregated and num_found represent the number of matching events which are being aggregated into processes.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/search_jobs/{job_id}/results
Query Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
start |
First row to use for pagination | Integer | Default: 0 |
rows |
Number of requested rows to fetch, used for paginating requested rows | Integer | Default: 10
Max: 100 |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully fetched processes | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/search_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e/results?start=0&rows=1
Response
{
"results": [
{
"backend_timestamp": "2020-01-19T15:25:31.064Z",
"childproc_count": 0,
"crossproc_count": 40,
"device_id": 43407,
"device_name": "win7x64",
"device_policy_id": 11200,
"device_timestamp": "2020-01-18T19:46:22.885Z",
"filemod_count": 0,
"index_class": "default",
"modload_count": 5,
"netconn_count": 55380,
"org_id": "ABCD1234",
"parent_guid": "ABCD1234-0000a98f-000001fc-00000000-1d5cb7eca37b799",
"parent_pid": 508,
"partition_id": 0,
"process_guid": "ABCD1234-0000a98f-0000051c-00000000-1d5cb7ed061e7ef",
"process_hash": [
"c78655bc80301d76ed4fef1c1ea40a7d",
"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"
],
"process_name": "c:\\windows\\system32\\svchost.exe",
"process_pid": [
1308
],
"process_username": [
"NT AUTHORITY\\LOCAL SERVICE"
],
"regmod_count": 2,
"scriptload_count": 0
}
],
"num_found": 760,
"num_available": 33,
"num_aggregated": 50,
"approximate_unaggregated": 760,
"contacted": 6,
"completed": 6
}Cancels the search with the given job_id so no new search results will appear.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
DELETE |
Request
DELETE {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/search_jobs/{job_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Successfully deleted a process search | N/A | No Content |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
DELETE https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_jobs/45694120-8b28-4905-a9aa-c84b04e77d78
Response
No content
Initiates a process facet search which generates statistics indicating the relative weighting of values for the specified terms. The results for the search may be requested using the job_id returned.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
CREATE |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/facet_jobs
Body
{
"criteria": "<object>",
"exclusions": "<object>",
"query": "<string>",
"ranges": [
{
"bucket_size": "<object>",
"end": "<object>",
"field": "<string>",
"start": "<object>"
}
],
"terms": {
"fields": [
"<string>"
],
"rows": "<long>"
},
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
criteria |
Criteria is an object that represents values that must be in the results. Either query or criteria/exclusion must be included. |
Object | |
exclusions |
Exclusions is a map that represents values that must not be in the results. Either query or criteria/exclusion must be included. |
Object | |
query |
Query in lucene syntax and/or including value searches. Either query or criteria/exclusion must be included. |
String | N/A |
ranges |
Allows grouping for properties that are ISO 8601 timestamps or numbers. Bucket size for ISO 8601 timestamps uses SOLR DateMathParser | Array | |
terms |
The process fields to facet and how many of the top entries to return. | Object | 100 |
time_range |
Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. |
Object | window: “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second
start: ISO 8601 timestamp
end: ISO 8601 timestamp |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully submitted search for process facets | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/facet_jobs
Body
{
"criteria": {
"device_name": ["Win7x64"]
},
"query": "process_name:svchost.exe",
"ranges": [
{
"bucket_size": 5,
"end": 10,
"field": "netconn_count",
"start": 0
}
],
"terms": {
"fields": [
"process_username"
],
"rows": 100
},
"time_range": {
"end": "2020-01-27T18:34:04Z",
"start": "2020-01-18T18:34:04Z"
}
}Response
{
"job_id": "c167cc5b-5741-427e-8412-8b89f0b17f9c"
}Retrieves the process facet results for a given job_id. Confirm the search has completed by verifying that “contacted” equals “completed”.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/facet_jobs/{job_id}/results
Query Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
limit |
Maximum number of facets per category (i.e Any Process Search Fields listed in terms.fields) |
Integer | Default: 100 |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully fetched processes facets | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/facet_jobs/c167cc5b-5741-427e-8412-8b89f0b17f9c/results?limit=1
Response
{
"ranges": [
{
"start": 0,
"end": 10,
"bucket_size": 5,
"field": "netconn_count",
"values": [
{
"total": 10128,
"name": "0"
},
{
"total": 5,
"name": "5"
}
]
}
],
"terms": [
{
"values": [
{
"total": 10701,
"id": "NT AUTHORITY\\NETWORK SERVICE",
"name": "NT AUTHORITY\\NETWORK SERVICE"
}
],
"field": "process_username"
}
],
"num_found": 20818,
"contacted": 6,
"completed": 6
}Creates a process detail job. The details will include all available information about the given process including information that’s not returnable from the standard Process Search call. These fields are annotated with DETAILS on Platform Search Fields. The results for the details search job may be requested using the job_id returned.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
CREATE |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/detail_jobs
Body
{
"process_guids": [
"<string>"
]
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
process_guids REQUIRED
|
A list of process guids to fetch | Array | |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | Invalid request | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/detail_jobs
Body
{
"process_guids": [
"ABCD1234-0002b226-00001615-00000000-1d6225bbba75e5e"
]
}Response
{
"job_id": "6b414c3e-c664-45ea-bb69-3aabf4430f7e"
}Retrieves the status for a process detail request for a given job_id. Continue to call the status check until “contacted” equals “completed”.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/detail_jobs/{job_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | Invalid request | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/detail_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e
Response
{
"completed": 5,
"contacted": 30
}Retrieves the process detail results for a given job_id. Confirm the search has completed by verifying that “contacted” equals “completed”.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/detail_jobs/{job_id}/results
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | Invalid request | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/detail_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e/results
Response
{
"completed": 30,
"contacted": 30,
"num_available": 500,
"num_found": 1000,
"results": [
{
"backend_timestamp": "2020-08-28T19:14:40.394Z",
"childproc_count": 333576,
"crossproc_count": 0,
"device_external_ip": "34.56.78.90",
"device_group_id": 0,
"device_id": 176678,
"device_location": "UNKNOWN",
"device_name": "devr-dev",
"device_os": "LINUX",
"device_os_version": "CentOS 7.6-1810",
"device_policy": "sm-restrictive",
"device_policy_id": 11200,
"device_target_priority": "MEDIUM",
"device_timestamp": "2020-08-28T19:12:41.178Z",
"document_guid": "6Gqoe-abQXu-k9LagGOoQg",
"filemod_count": 0,
"ingress_time": 1598642021337,
"modload_count": 0,
"netconn_count": 0,
"org_id": "ABCD1234",
"parent_effective_reputation": "NOT_LISTED",
"parent_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
"parent_hash": [
"81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85",
"e4b9902024ac32b3ca37f6b4c9b841e8"
],
"parent_name": "/usr/lib/systemd/systemd",
"parent_pid": 1,
"parent_publisher_state": [
"FILE_SIGNATURE_STATE_NOT_SIGNED"
],
"parent_reputation": "NOT_LISTED",
"process_cmdline": [
"/bin/bash /usr/sbin/ksmtuned"
],
"process_cmdline_length": [
28
],
"process_effective_reputation": "NOT_LISTED",
"process_guid": "ABCD1234-0002b226-00001615-00000000-1d6225bbba75e5e",
"process_hash": [
"285044ad8f8b9322d0cc5e929e2cc18c",
"5975d972eea6b1c53ef9a69452797439ed5bf63fae72e1780761ea1c2cb6976a"
],
"process_name": "/usr/bin/bash",
"process_pid": [
449,
2855,
3416
],
"process_publisher_state": [
"FILE_SIGNATURE_STATE_NOT_SIGNED"
],
"process_reputation": "NOT_LISTED",
"process_sha256": "5975d972eea6b1c53ef9a69452797439ed5bf63fae72e1780761ea1c2cb6976a",
"process_start_time": "2020-05-04T21:34:03.968Z",
"process_username": [
"root"
],
"regmod_count": 0,
"scriptload_count": 0
}
]
}Creates a process summary job. The summary will include information about the given process including its children, parents, and siblings. The results for the search job may be requested using the job_id returned.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
CREATE |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/summary_jobs
Body
{
"parent_guid": "<string>",
"process_guid": "<string>",
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
process_guid REQUIRED
|
The global unique identifier for a process | String | N/A |
parent_guid |
The global unique identifier for the parent of the specified process_guid | String | N/A |
time_range |
Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. |
Object | window: “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second
start: ISO 8601 timestamp
end: ISO 8601 timestamp |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | Invalid request | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/summary_jobs
Body
{
"parent_guid": "ABCD1234-0000a98f-000001fc-00000000-1d5cb7eca37b799",
"process_guid": "ABCD1234-0000a98f-0000051c-00000000-1d5cb7ed061e7ef",
"time_range": {
"window": "-2w"
}
}Response
{
"job_id": "6b414c3e-c664-45ea-bb69-3aabf4430f7e"
}Retrieves the status for a process summary request for a given job_id. Continue to call the status check until “contacted” equals “completed”.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/summary_jobs/{job_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | Invalid request | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/summary_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e
Response
{
"completed": 5,
"contacted": 30
}Retrieves the process summary results for a given job_id in summary or tree format. Most callers will prefer the summary format, but you may request the tree format for convenience of building user interfaces. Confirm the search has completed by verifying that “contacted” equals “completed”.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/summary_jobs/{job_id}/results
Query Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
format |
The format for the summary to be returned | String | Default: summary
Options: summary or tree |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | Invalid request | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/summary_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e/results?format=summary
Response
{
"completed": 30,
"contacted": 30,
"exception": "string",
"summary": {
"children": [],
"parent": {
"_process_filename": "systemd",
"backend_timestamp": "2020-08-28T19:12:07.989Z",
"childproc_count": 0,
"crossproc_count": 0,
"device_external_ip": "34.56.78.90",
"device_group_id": 0,
"device_id": 176678,
"device_name": "devr-dev",
"device_os": "LINUX",
"device_policy": "sm-restrictive",
"device_policy_id": 11200,
"device_timestamp": "2020-08-28T19:10:02.123Z",
"filemod_count": 0,
"has_children": true,
"hits": false,
"ingress_time": 1598641901273,
"modload_count": 0,
"netconn_count": 0,
"org_id": "ABCD1234",
"process_effective_reputation": "NOT_LISTED",
"process_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
"process_hash": [
"e4b9902024ac32b3ca37f6b4c9b841e8",
"81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85"
],
"process_name": "/usr/lib/systemd/systemd",
"process_pid": [
1
],
"process_reputation": "NOT_LISTED",
"process_start_time": "2020-05-04T21:34:03.968Z",
"regmod_count": 0,
"scriptload_count": 0
},
"process": {
"_process_filename": "bash",
"backend_timestamp": "2020-08-28T19:16:11.959Z",
"childproc_count": 333580,
"crossproc_count": 0,
"device_external_ip": "34.56.78.90",
"device_group_id": 0,
"device_id": 176678,
"device_name": "devr-dev",
"device_os": "LINUX",
"device_policy": "sm-restrictive",
"device_policy_id": 11200,
"device_timestamp": "2020-08-28T19:14:41.231Z",
"filemod_count": 0,
"ingress_time": 1598642141411,
"modload_count": 0,
"netconn_count": 0,
"org_id": "ABCD1234",
"parent_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
"parent_hash": [
"81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85",
"e4b9902024ac32b3ca37f6b4c9b841e8"
],
"parent_name": "/usr/lib/systemd/systemd",
"parent_pid": 1,
"process_cmdline": [
"/bin/bash /usr/sbin/ksmtuned"
],
"process_effective_reputation": "NOT_LISTED",
"process_guid": "ABCD1234-0002b226-00001615-00000000-1d6225bbba75e5e",
"process_hash": [
"285044ad8f8b9322d0cc5e929e2cc18c",
"5975d972eea6b1c53ef9a69452797439ed5bf63fae72e1780761ea1c2cb6976a"
],
"process_name": "/usr/bin/bash",
"process_pid": [
5653,
16139
],
"process_reputation": "NOT_LISTED",
"process_start_time": "2020-05-04T21:34:03.968Z",
"process_username": [
"root"
],
"regmod_count": 0,
"scriptload_count": 0
},
"siblings": [
{
"_process_filename": "nm-dispatcher",
"backend_timestamp": "2020-08-19T20:55:33.446Z",
"childproc_count": 1,
"crossproc_count": 0,
"device_external_ip": "34.56.78.90",
"device_group_id": 0,
"device_id": 176678,
"device_name": "devr-dev",
"device_os": "LINUX",
"device_policy": "sm-restrictive",
"device_policy_id": 11200,
"device_timestamp": "2020-08-19T20:54:44.980Z",
"filemod_count": 0,
"has_children": true,
"hits": false,
"ingress_time": 1597870506825,
"modload_count": 0,
"netconn_count": 0,
"org_id": "ABCD1234",
"parent_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
"parent_hash": [
"81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85",
"e4b9902024ac32b3ca37f6b4c9b841e8"
],
"parent_name": "/usr/lib/systemd/systemd",
"parent_pid": 1,
"process_cmdline": [
"/usr/libexec/nm-dispatcher"
],
"process_effective_reputation": "NOT_LISTED",
"process_guid": "ABCD1234-0002b226-00005742-00000000-1d6766af7bedb39",
"process_hash": [
"04b2450579a663c964f3960cd0cf93a8",
"2206d95e0a435aadad6c84b5bce370d076137efecf6adbbf6feddbe0515fb17e"
],
"process_name": "/usr/libexec/nm-dispatcher",
"process_pid": [
22338
],
"process_reputation": "NOT_LISTED",
"process_start_time": "2020-08-19T20:54:44.909Z",
"process_username": [
"root"
],
"regmod_count": 0,
"scriptload_count": 0
}
]
}
}Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/summary_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e/results?format=tree
Response
{
"completed": 30,
"contacted": 30,
"exception": "string",
"tree": {
"_process_filename": "systemd",
"backend_timestamp": "2020-08-28T19:12:07.989Z",
"childproc_count": 1,
"children": [
{
"_process_filename": "bash",
"backend_timestamp": "2020-08-28T19:16:11.959Z",
"childproc_count": 333580,
"crossproc_count": 0,
"device_external_ip": "34.56.78.90",
"device_group_id": 0,
"device_id": 176678,
"device_name": "devr-dev",
"device_os": "LINUX",
"device_policy": "sm-restrictive",
"device_policy_id": 11200,
"device_timestamp": "2020-08-28T19:14:41.231Z",
"filemod_count": 0,
"ingress_time": 1598642141411,
"modload_count": 0,
"netconn_count": 0,
"org_id": "ABCD1234",
"parent_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
"parent_hash": [
"81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85",
"e4b9902024ac32b3ca37f6b4c9b841e8"
],
"parent_name": "/usr/lib/systemd/systemd",
"parent_pid": 1,
"process_cmdline": [
"/bin/bash /usr/sbin/ksmtuned"
],
"process_effective_reputation": "NOT_LISTED",
"process_guid": "ABCD1234-0002b226-00001615-00000000-1d6225bbba75e5e",
"process_hash": [
"285044ad8f8b9322d0cc5e929e2cc18c",
"5975d972eea6b1c53ef9a69452797439ed5bf63fae72e1780761ea1c2cb6976a"
],
"process_name": "/usr/bin/bash",
"process_pid": [
5653,
16139
],
"process_reputation": "NOT_LISTED",
"process_start_time": "2020-05-04T21:34:03.968Z",
"process_username": [
"root"
],
"regmod_count": 0,
"scriptload_count": 0
}
],
"crossproc_count": 0,
"device_external_ip": "34.56.78.90",
"device_group_id": 0,
"device_id": 176678,
"device_name": "devr-dev",
"device_os": "LINUX",
"device_policy": "sm-restrictive",
"device_policy_id": 11200,
"device_timestamp": "2020-08-28T19:10:02.123Z",
"filemod_count": 0,
"has_children": true,
"hits": false,
"ingress_time": 1598641901273,
"modload_count": 0,
"netconn_count": 0,
"org_id": "ABCD1234",
"process_effective_reputation": "NOT_LISTED",
"process_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
"process_hash": [
"e4b9902024ac32b3ca37f6b4c9b841e8",
"81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85"
],
"process_name": "/usr/lib/systemd/systemd",
"process_pid": [
1
],
"process_reputation": "NOT_LISTED",
"process_start_time": "2020-05-04T21:34:03.968Z",
"regmod_count": 0,
"scriptload_count": 0
}
}Events search in the Processes Search API gives access to all events reported for a particular process on one endpoint.
Returns suggestions for an event search selected from fields from the Platform Search Fields. Will return field names if the “suggest.q” parameter does not yet contain a colon and will return no suggestion otherwise. This call does not support value suggestions.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/events/search_suggestions
Query Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
suggest.q REQUIRED
|
Query to generate suggestions for | String | N/A |
suggest.count |
Number of suggestions to return | Integer | Default: 50 |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully suggested search fields | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/events/search_suggestions?suggest.q=pro&suggest.count=1
Response
{
"suggestions": [
{
"term": "process_guid",
"weight": 1450,
"required_skus_all": [],
"required_skus_some": [
"threathunter",
"defense"
]
}
]
}Validates a given event query and potentially gives suggestions on how to fix invalid queries.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/events/search_validation
Query Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
q REQUIRED
|
Keeping this parameter as *:* allows you to query everything |
String | N/A |
cb.min_backend_timestamp |
Start time for the query | Integer | Epoch timestamp in milliseconds
Default: 0 |
cb.max_backend_timestamp |
End time for the query | Integer | Epoch timestamp in milliseconds |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully validated search | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Valid Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/events/search_validation?q=alert_id:ALBPZQR3
Response
{
"valid": true
}Invalid Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/events/search_validation?q=alert_idZZZZ:ALBPZQR3
Response
{
"invalid_message": "org.apache.solr.common.SolrException: undefined field alertzzzzz_id",
"valid": false,
"invalid_trigger_offset": 0
}Fetch the events associated with a given process. These events are often more complete than the enriched events but, unlike the enriched event searches, must be limited to one process at a time.
Note: This call reports its progress as soon as it can and continues to enumerate process events in the background. To receive the full results, you must resubmit the request until processed_segments is equal to total_segments.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/events/{process_guid}/_search
Body
{
"criteria": "<object>",
"exclusions": "<object>",
"fields": ["<string>", "<string>"],
"query": "<string>",
"rows": "<long>",
"sort": [
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<long>",
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
criteria |
Criteria is an object that represents values that must be in the results. Either query or criteria/exclusion must be included. |
Object | |
exclusions |
Exclusions is a map that represents values that must not be in the results. Either query or criteria/exclusion must be included. |
Object | |
fields |
A list of fields to include in the results, specify * to return all the default fields and add additional fields that are not returned by default |
String | ["*"] |
query |
Query in lucene syntax and/or including value searches. Either query or criteria/exclusion must be included. |
String | N/A |
rows |
Number of rows to request, can be paginated | Long | Default: 500
Max: 10k |
sort |
Sort is a collection of sort parameters that specify a field and order to sort the results. |
Array | order supports asc or desc |
start |
First row to use for pagination | Long | Default: 0 |
time_range |
Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. |
Object | window: “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second
start: ISO 8601 timestamp
end: ISO 8601 timestamp |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully fetched events | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/events/ABCD1234-0000a98f-0000034c-00000000-1d5cb7ef5152b42/_search
Body
{
"criteria": {
"event_type": ["netconn"]
},
"query": "netconn_action:ACTION_CONNECTION_CREATE OR netconn_action:ACTION_CONNECTION_ESTABLISHED",
"fields": ["*"],
"time_range": {
"end": "2020-01-27T18:34:04Z",
"start": "2020-01-18T18:34:04Z"
}
}Response
{
"results": [
{
"backend_timestamp": "2020-01-23T22:48:14.099Z",
"created_timestamp": "2020-01-30T21:11:29.490Z",
"enriched": true,
"enriched_event_type": "NETWORK",
"event_description": "The application \"<share><link hash=\"1030ce4102dac701fab043e40444e8f6c96c8c04b5bd512a59e1a4999d22b38c\">C:\\windows\\system32\\svchost.exe</link></share>\" attempted to establish a <accent>TCP/443</accent> connection to <share><accent>20.36.218.63</accent></share><accent>:443</accent> from <share><accent>12.34.56.78</accent></share><accent>:57503</accent>. The device was off the corporate network using the public address <accent>34.56.78.90</accent>. The operation was blocked by the operating system.",
"event_guid": "U_xc-0FeSu-77aY2CSKgXA",
"event_hash": "a78709ea459e525d30ab9ddc89b1ce6c",
"event_timestamp": "2020-01-23T22:45:41.207Z",
"event_type": "netconn",
"legacy": true,
"legacy_description": "The application \"<share><link hash=\"1030ce4102dac701fab043e40444e8f6c96c8c04b5bd512a59e1a4999d22b38c\">C:\\windows\\system32\\svchost.exe</link></share>\" attempted to establish a <accent>TCP/443</accent> connection to <share><accent>20.36.218.63</accent></share><accent>:443</accent> from <share><accent>12.34.56.78</accent></share><accent>:57503</accent>. The device was off the corporate network using the public address <accent>34.56.78.90</accent>. The operation was blocked by the operating system.",
"netconn_action": "ACTION_CONNECTION_CREATE",
"netconn_inbound": false,
"netconn_local_ipv4": 181543190,
"netconn_local_port": 57503,
"netconn_protocol": "PROTO_TCP",
"netconn_remote_ipv4": 337959487,
"netconn_remote_port": 443,
"process_guid": "ABCD1234-003d630d-0000041c-0000041c-1d5abbc325c58b4",
"process_pid": 1052
},
...
],
"num_found": 6,
"num_available": 6,
"total_segments": 13,
"processed_segments": 13
}Get facets for the events associated with the specified process. A facet provides statistics indicating the relative weighting of values for the specified terms.
Note: This is an asynchronous request, you must resubmit the request until processed_segments is equal to total_segments in order to receive the full results
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
READ |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/events/{process_guid}/_facet
Body
{
"criteria": "<object>",
"exclusions": "<object>",
"query": "<string>",
"ranges": [
{
"bucket_size": "<object>",
"end": "<object>",
"field": "<string>",
"start": "<object>"
}
],
"terms": {
"fields": [
"<string>"
],
"rows": "<long>"
},
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
criteria |
Criteria is an object that represents values that must be in the results. Either query or criteria/exclusion must be included. |
Object | |
exclusions |
Exclusions is a map that represents values that must not be in the results. Either query or criteria/exclusion must be included. |
Object | |
query |
Query in lucene syntax and/or including value searches. Either query or criteria/exclusion must be included. |
String | N/A |
ranges |
Allows grouping for properties that are ISO 8601 timestamps or numbers. Bucket size for ISO 8601 timestamps uses SOLR DateMathParser | Array | |
terms |
The events fields to facet and how many of the top entries to return. | Object | 100 |
time_range |
Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. |
Object | window: “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second
start: ISO 8601 timestamp
end: ISO 8601 timestamp |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully fetched event facets | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/events/ABCD1234-0000a98f-0000034c-00000000-1d5cb7ef5152b42/_facet
Body
{
"query": "*:*",
"ranges": [
{
"bucket_size": "+12HOUR",
"end": "2020-08-31T11:19:37Z",
"field": "device_timestamp",
"start": "2020-08-29T00:00:00Z"
}
],
"terms": {
"fields": [
"event_type"
],
"rows": 10
},
"time_range": {
"end": "2020-08-31T11:19:37Z",
"start": "2020-08-29T00:00:00Z"
}
}Response
{
"ranges": [
{
"start": "2020-08-29T00:00:00Z",
"end": "2020-08-31T12:00:00Z",
"bucket_size": "+12HOUR",
"field": "device_timestamp",
"values": [
{
"total": 9850,
"name": "2020-08-29T00:00:00Z"
},
{
"total": 9346,
"name": "2020-08-29T12:00:00Z"
},
{
"total": 9910,
"name": "2020-08-30T00:00:00Z"
},
{
"total": 8581,
"name": "2020-08-30T12:00:00Z"
},
{
"total": 8716,
"name": "2020-08-31T00:00:00Z"
}
]
}
],
"terms": [
{
"values": [
{
"total": 41517,
"id": "netconn",
"name": "netconn"
},
{
"total": 4829,
"id": "filemod",
"name": "filemod"
},
{
"total": 31,
"id": "crossproc",
"name": "crossproc"
},
{
"total": 26,
"id": "childproc",
"name": "childproc"
}
],
"field": "event_type"
}
],
"num_found": 46403,
"total_segments": 23385,
"processed_segments": 23385
}These Process Search API calls are only available to Enterprise EDR customers.
Instructs the Carbon Black Cloud to look for “hits” across all processes reported for the organization’s endpoints within the time range for the given watchlist, report and IOC. Watchlist hits will be available in subsequent search results asynchronously and are not guaranteed to be visible directly after this call.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
org.search.events |
UPDATE |
Request
POST {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/watchlist_evaluation
Request Body
{
"watchlist_id": "<string>",
"report_id": "<string>",
"cb.max_backend_timestamp": "<integer>",
"cb.min_backend_timestamp": "<integer>",
"ioc_id": "<string>"
}Request Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
watchlist_id REQUIRED
|
Watchlist ID | String | N/A |
report_id REQUIRED
|
Report ID | String | N/A |
ioc_id |
Indicator of compromise ID | String | N/A |
cb.min_backend_timestamp |
Start time for the query | Integer | Epoch timestamp in milliseconds
Default: 0 |
cb.max_backend_timestamp |
End time for the query | Integer | Epoch timestamp in milliseconds |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Successfully evaluated and tagged processes | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/watchlist_evaluation
Body
{
"watchlist_id": "b5LGY1CCTtyogVBUwTWLA",
"report_id": "1"
}Response
No content
Fetches report hits associated with a single process. This includes both ingress and query hits that are associated with the organization’s subscribed watchlists.
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/report_hits
Query Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
process_guid REQUIRED
|
Process GUID for which to get report hits | String | N/A |
rows |
Number of report hits to get. | Integer | Default: 10 |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successfully fetched report hits | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/report_hits?process_guid=ABCD1234-0000a98f-000013c8-00000000-1d5c4bc2bf4b39d&rows=1
Response
{
"report_hits": {
"lryC1EGShaTsb4bjxjLTQ-ipv4_iocs": [
{
"backend_timestamp": "2020-08-28T08:36:11.745Z",
"device_timestamp": "2020-08-28T08:34:39.437Z",
"hit_document_guids": [
"2ybSlFnGQeCRP5Srn2WfqA"
],
"iocs_field": "netconn_ipv4",
"iocs_hit": "13.107.4.50",
"iocs_id": "demo-ipv4",
"report_id": "lryC1EGShaTsb4bjxjLTQ-ipv4_iocs",
"report_link": "https://example.com",
"report_severity": 5,
"report_timestamp": "2020-08-02T10:56:39.437Z",
"report_title": "IPV4 IOCs",
"report_watchlists": [
{
"alert": true,
"id": "7hpd1usTWaNG5lHfGmjVg",
"name": "Demo"
}
]
}
]
}
}
}What is a “Value Search”?
process_name:chrome.exe is a well-specified search query, a search merely for chrome.exe can return all those results as well as results where chrome.exe shows up in other fields that you didn’t have to know to specify.What is a “hit”?
Why don’t I get matches on the Events APIs when I search by alert_id until a few minutes after I find the Alert?
Why are backend_timestamp and device_timestamp different?
backend_timestamp is typically a few minutes later than device_timestamp due to asynchronous processing. It varies more when communications between sensor and backend are interrupted, and varies wildly if the sensor’s endpoint clock is ahead or behind. device_timestamp is pulled from the time assigned in the batch of events by the sensor before the sensor sends the events to the backend, whereas backend_timestamp is assigned by the backend as soon as it receives the batch of events.