This API lets you search through all the data that is reported by your organization’s sensors to find one or more processes based on specific criteria you set.
With visibility across your fleet of monitored endpoints, you can identify applications that are acting abnormally and over time, cull the outliers from the total observed process activity, and retroactively identify the origination point for attacks that previously escaped notice. You can also:
/facet_jobs
followed by /results
on the /facet_jobs/
call with job_id
in the request URIAlternative solutions:
Most API calls require all three headers:
X-Auth-Token
: (required) your authentication token is: API Secret Key/API ID
ABCDEFGHIJKLMNOPQRSTUVWX
and the API ID of 12345678
, his corresponding X-Auth-Token HTTP header is ABCDEFGHIJKLMNOPQRSTUVWX/12345678
Content-Type
: application/json
accept
: application/json
Many Platform Search functions are asynchronous and require a sequence of calls to start the process, check the status and retrieve the results. The following is an example of typical use:
/api/investigate/v2/orgs/{org_key}/processes/search_jobs
/api/investigate/v1/orgs/{org_key}/processes/search_jobs/{job_id}
to get search progress/api/investigate/v2/orgs/{org_key}/processes/search_jobs/{job_id}/results
route to retrieve the output of the job; if you haven’t waited until “contacted” equals “completed”, the results obtained will be incomplete.num_found
and num_available
field indicating how many results were found and how many of those are able to be paginated. A search matching more results than will be returned through pagination will report num_found
greater than num_available
; note that this limitation occurs to prevent performance degradation with searches matching a large number of events or processes. In order to return more of the matching results, you can apply a smaller time range to your search request, or use additional or more specific criteria, then make as many additional of these subset searches as needed to fetch the entire num_found
from your original search.The Process Search is able to be cancelled using Cancel a Process Search.
Note: when you insert your org_key, you must also remove the { } brackets.
This API has three types of calls:
Note: Some calls use “v1” in the path, and others use “v2”. Using the wrong path will result in an error.
The following calls search on and return processes.
Returns suggestions for a process search selected from fields and values as reported in the organization’s system. Will return values for the specified field if at least one character follows the colon. Returns null if no characters follow the colon.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/search_suggestions
Query Schema
Field | Definition | Data Type | Values |
---|---|---|---|
suggest.q REQUIRED
|
Query to generate suggestions for | String | N/A |
suggest.count |
Number of suggestions to return | Integer | Default: 50 |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully suggested process search fields | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_suggestions?suggest.q=process_cmd&suggest.count=1
Response
{
"suggestions": [
{
"term": "process_name",
"weight": 2800,
"required_skus_all": [],
"required_skus_some": [
"threathunter",
"defense"
]
}
]
}
Validates a given process query and potentially gives suggestions on how to fix invalid queries.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/search_validation
Query Schema
Field | Definition | Data Type | Values |
---|---|---|---|
q REQUIRED
|
Keeping this parameter as *:* allows you to query everything |
String | N/A |
cb.min_backend_timestamp |
Start time for the query | Integer | Epoch timestamp in milliseconds
Default: 0 |
cb.max_backend_timestamp |
End time for the query | Integer | Epoch timestamp in milliseconds |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully validated process search | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_validation?q=process
Response
{
"valid": true,
"value_search_query": true
}
Returns the minimum and maximum times at which events were reported by any sensor in your organization.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/limits
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully fetched the upper and lower time limits | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/limits
Response
{
"time_bounds": {
"lower": 1564686473166,
"upper": 1579023412990
}
}
Returns a list of all available process result sets in the form of query IDs. Callers can use query IDs to fetch results for previously created search jobs. query_id
is the previous name for the newer job_id
.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
GET <cbc-hostname>/api/investigate/v1/orgs/{org_key}/processes/search_jobs
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully got the list of available result sets | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_jobs
Response
{
"query_ids": [
"ABCD1234/005397cf-e334-4929-9977-d219047d9b96",
"ABCD1234/00b1df2f-4de0-4915-89e1-a9c19a25628e",
"ABCD1234/0108ad72-d13d-4f75-9bc5-de60750eb2f9",
"ABCD1234/014b9a78-f439-47fe-80ab-968a24431245",
"ABCD1234/023985e4-28dd-455c-b98a-28bb7e1ea276",
...
]
}
Creates a process search job. The results for the search job may be requested using the job_id returned.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
CREATE |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/search_jobs
Body
{
"criteria": "<object>",
"exclusions": "<object>",
"fields": ["<string>", "<string>"],
"query": "<string>",
"rows": "<long>",
"sort": [
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<long>",
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
criteria |
Criteria is an object that represents values that must be in the results. Either query or criteria /exclusion must be included. |
Object |
|
exclusions |
Exclusions is a map that represents values that must not be in the results. Either query or criteria /exclusion must be included. |
Object |
|
fields |
A list of fields to include in the results, specify * to return all the default fields and add additional fields that are not returned by default |
String |
["*"] |
query |
Query in lucene syntax and/or including value searches. Either query or criteria /exclusion must be included. |
String | N/A |
rows |
Number of rows to request, can be paginated | Long | Default: 500
Max: 10k |
sort |
Sort is a collection of sort parameters that specify a field and order to sort the results. |
Array |
order supports asc or desc |
start |
First row to use for pagination | Long | Default: 0 |
time_range |
Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. |
Object |
window : “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second
start : ISO 8601 timestamp
end : ISO 8601 timestamp |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully submitted search for processes | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/search_jobs
Body
{
"criteria": {
"device_name": ["Win7x64"]
},
"query": "process_name:svchost.exe",
"fields": ["*", "process_start_time"],
"sort": [
{
"field": "device_timestamp",
"order": "asc"
}
],
"start": 0,
"time_range": {
"end": "2020-01-27T18:34:04Z",
"start": "2020-01-18T18:34:04Z"
}
}
Response
{
"job_id": "6b414c3e-c664-45ea-bb69-3aabf4430f7e"
}
Returns the status of a search job. A job is finished when “completed” is equal to the “contacted”. This call should be used when polling for search job completion as it is more efficient than fetching results each time.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/search_jobs/{job_id}
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully retrieved status of process search | N/A | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_jobs/45694120-8b28-4905-a9aa-c84b04e77d78
Response
{
"contacted": 25,
"completed": 0,
"query": {
"cb.max_backend_timestamp": 1579025578116,
"cb.min_backend_timestamp": 0,
"cb.min_device_timestamp": 0,
"q": "*.*",
"rows": 500,
"start": 0
},
"search_initiated_time": 1579025578206,
"connector_id": "TZV468322A"
}
Retrieves the results of a process search identified by a job_id. Results will be sorted based on the sort parameter specified when starting the search. Confirm the search has completed by verifying that “contacted” equals “completed”.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/search_jobs/{job_id}/results
Query Schema
Field | Definition | Data Type | Values |
---|---|---|---|
start |
First row to use for pagination | Integer | Default: 0 |
rows |
Number of requested rows to fetch, used for paginating requested rows | Integer | Default: 10
Max: 100 |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully fetched processes | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/search_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e/results?start=0&rows=1
Response
{
"results": [
{
"backend_timestamp": "2020-01-19T15:25:31.064Z",
"childproc_count": 0,
"crossproc_count": 40,
"device_id": 43407,
"device_name": "win7x64",
"device_policy_id": 11200,
"device_timestamp": "2020-01-18T19:46:22.885Z",
"filemod_count": 0,
"index_class": "default",
"modload_count": 5,
"netconn_count": 55380,
"org_id": "ABCD1234",
"parent_guid": "ABCD1234-0000a98f-000001fc-00000000-1d5cb7eca37b799",
"parent_pid": 508,
"partition_id": 0,
"process_guid": "ABCD1234-0000a98f-0000051c-00000000-1d5cb7ed061e7ef",
"process_hash": [
"c78655bc80301d76ed4fef1c1ea40a7d",
"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"
],
"process_name": "c:\\windows\\system32\\svchost.exe",
"process_pid": [
1308
],
"process_username": [
"NT AUTHORITY\\LOCAL SERVICE"
],
"regmod_count": 2,
"scriptload_count": 0
}
],
"num_found": 760,
"num_available": 33,
"contacted": 6,
"completed": 6
}
Cancels the search with the given job_id so no new search results will appear.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
DELETE |
Request
DELETE {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/search_jobs/{job_id}
Response
Code | Description | Content-Type | Content |
---|---|---|---|
204 | Successfully deleted a process search | N/A | No Content |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
DELETE https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_jobs/45694120-8b28-4905-a9aa-c84b04e77d78
Response
No content
Initiates a process facet search which generates statistics indicating the relative weighting of values for the specified terms. The results for the search may be requested using the job_id returned.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
CREATE |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/facet_jobs
Body
{
"criteria": "<object>",
"exclusions": "<object>",
"query": "<string>",
"ranges": [
{
"bucket_size": "<object>",
"end": "<object>",
"field": "<string>",
"start": "<object>"
}
],
"terms": {
"fields": [
"<string>"
],
"rows": "<long>"
},
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
criteria |
Criteria is an object that represents values that must be in the results. Either query or criteria /exclusion must be included. |
Object |
|
exclusions |
Exclusions is a map that represents values that must not be in the results. Either query or criteria /exclusion must be included. |
Object |
|
query |
Query in lucene syntax and/or including value searches. Either query or criteria /exclusion must be included. |
String | N/A |
ranges |
Allows grouping for properties that are ISO 8601 timestamps or numbers. Bucket size for ISO 8601 timestamps uses SOLR DateMathParser | Array |
|
terms |
The process fields to facet and how many of the top entries to return. | Object |
100 |
time_range |
Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. |
Object |
window : “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second
start : ISO 8601 timestamp
end : ISO 8601 timestamp |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully submitted search for process facets | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/facet_jobs
Body
{
"criteria": {
"device_name": ["Win7x64"]
},
"query": "process_name:svchost.exe",
"ranges": [
{
"bucket_size": 5,
"end": 10,
"field": "netconn_count",
"start": 0
}
],
"terms": {
"fields": [
"process_username"
],
"rows": 100
},
"time_range": {
"end": "2020-01-27T18:34:04Z",
"start": "2020-01-18T18:34:04Z"
}
}
Response
{
"job_id": "c167cc5b-5741-427e-8412-8b89f0b17f9c"
}
Retrieves the process facet results for a given job_id. Confirm the search has completed by verifying that “contacted” equals “completed”.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/facet_jobs/{job_id}/results
Query Schema
Field | Definition | Data Type | Values |
---|---|---|---|
limit |
Maximum number of facets per category (i.e Any Process Search Fields listed in terms.fields ) |
Integer | Default: 100 |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully fetched processes facets | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/facet_jobs/c167cc5b-5741-427e-8412-8b89f0b17f9c/results?limit=1
Response
{
"ranges": [
{
"start": 0,
"end": 10,
"bucket_size": 5,
"field": "netconn_count",
"values": [
{
"total": 10128,
"name": "0"
},
{
"total": 5,
"name": "5"
}
]
}
],
"terms": [
{
"values": [
{
"total": 10701,
"id": "NT AUTHORITY\\NETWORK SERVICE",
"name": "NT AUTHORITY\\NETWORK SERVICE"
}
],
"field": "process_username"
}
],
"num_found": 20818,
"contacted": 6,
"completed": 6
}
Creates a process detail job. The details will include all available information about the given process including information that’s not returnable from the standard Process Search call. These fields are annotated with DETAILS on Platform Search Fields. The results for the details search job may be requested using the job_id returned.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
CREATE |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/detail_jobs
Body
{
"process_guids": [
"<string>"
]
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
process_guids REQUIRED
|
A list of process guids to fetch | Array |
|
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Request | application/json | View example response below |
400 | Invalid request | N/A | N/A |
401 | Unauthorized | N/A | N/A |
403 | Forbidden | N/A | N/A |
404 | Not found | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/detail_jobs
Body
{
"process_guids": [
"ABCD1234-0002b226-00001615-00000000-1d6225bbba75e5e"
]
}
Response
{
"job_id": "6b414c3e-c664-45ea-bb69-3aabf4430f7e"
}
Retrieves the status for a process detail request for a given job_id. Continue to call the status check until “contacted” equals “completed”.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/detail_jobs/{job_id}
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Request | application/json | View example response below |
400 | Invalid request | N/A | N/A |
401 | Unauthorized | N/A | N/A |
403 | Forbidden | N/A | N/A |
404 | Not found | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/detail_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e
Response
{
"completed": 5,
"contacted": 30
}
Retrieves the process detail results for a given job_id. Confirm the search has completed by verifying that “contacted” equals “completed”.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/detail_jobs/{job_id}/results
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Request | application/json | View example response below |
400 | Invalid request | N/A | N/A |
401 | Unauthorized | N/A | N/A |
403 | Forbidden | N/A | N/A |
404 | Not found | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/detail_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e/results
Response
{
"completed": 30,
"contacted": 30,
"num_available": 500,
"num_found": 1000,
"results": [
{
"backend_timestamp": "2020-08-28T19:14:40.394Z",
"childproc_count": 333576,
"crossproc_count": 0,
"device_external_ip": "34.56.78.90",
"device_group_id": 0,
"device_id": 176678,
"device_location": "UNKNOWN",
"device_name": "devr-dev",
"device_os": "LINUX",
"device_os_version": "CentOS 7.6-1810",
"device_policy": "sm-restrictive",
"device_policy_id": 11200,
"device_target_priority": "MEDIUM",
"device_timestamp": "2020-08-28T19:12:41.178Z",
"document_guid": "6Gqoe-abQXu-k9LagGOoQg",
"filemod_count": 0,
"ingress_time": 1598642021337,
"modload_count": 0,
"netconn_count": 0,
"org_id": "ABCD1234",
"parent_effective_reputation": "NOT_LISTED",
"parent_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
"parent_hash": [
"81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85",
"e4b9902024ac32b3ca37f6b4c9b841e8"
],
"parent_name": "/usr/lib/systemd/systemd",
"parent_pid": 1,
"parent_publisher_state": [
"FILE_SIGNATURE_STATE_NOT_SIGNED"
],
"parent_reputation": "NOT_LISTED",
"process_cmdline": [
"/bin/bash /usr/sbin/ksmtuned"
],
"process_cmdline_length": [
28
],
"process_effective_reputation": "NOT_LISTED",
"process_guid": "ABCD1234-0002b226-00001615-00000000-1d6225bbba75e5e",
"process_hash": [
"285044ad8f8b9322d0cc5e929e2cc18c",
"5975d972eea6b1c53ef9a69452797439ed5bf63fae72e1780761ea1c2cb6976a"
],
"process_name": "/usr/bin/bash",
"process_pid": [
449,
2855,
3416
],
"process_publisher_state": [
"FILE_SIGNATURE_STATE_NOT_SIGNED"
],
"process_reputation": "NOT_LISTED",
"process_sha256": "5975d972eea6b1c53ef9a69452797439ed5bf63fae72e1780761ea1c2cb6976a",
"process_start_time": "2020-05-04T21:34:03.968Z",
"process_username": [
"root"
],
"regmod_count": 0,
"scriptload_count": 0
}
]
}
Creates a process summary job. The summary will include information about the given process including its children, parents, and siblings. The results for the search job may be requested using the job_id returned.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
CREATE |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/summary_jobs
Body
{
"parent_guid": "<string>",
"process_guid": "<string>",
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
process_guid REQUIRED
|
The global unique identifier for a process | String | N/A |
parent_guid |
The global unique identifier for the parent of the specified process_guid | String | N/A |
time_range |
Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. |
Object |
window : “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second
start : ISO 8601 timestamp
end : ISO 8601 timestamp |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Request | application/json | View example response below |
400 | Invalid request | N/A | N/A |
401 | Unauthorized | N/A | N/A |
403 | Forbidden | N/A | N/A |
404 | Not found | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/summary_jobs
Body
{
"parent_guid": "ABCD1234-0000a98f-000001fc-00000000-1d5cb7eca37b799",
"process_guid": "ABCD1234-0000a98f-0000051c-00000000-1d5cb7ed061e7ef",
"time_range": {
"window": "-2w"
}
}
Response
{
"job_id": "6b414c3e-c664-45ea-bb69-3aabf4430f7e"
}
Retrieves the status for a process summary request for a given job_id. Continue to call the status check until “contacted” equals “completed”.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/summary_jobs/{job_id}
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Request | application/json | View example response below |
400 | Invalid request | N/A | N/A |
401 | Unauthorized | N/A | N/A |
403 | Forbidden | N/A | N/A |
404 | Not found | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/summary_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e
Response
{
"completed": 5,
"contacted": 30
}
Retrieves the process summary results for a given job_id in summary or tree format. Most callers will prefer the summary format, but you may request the tree format for convenience of building user interfaces. Confirm the search has completed by verifying that “contacted” equals “completed”.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/summary_jobs/{job_id}/results
Query Schema
Field | Definition | Data Type | Values |
---|---|---|---|
format |
The format for the summary to be returned | String | Default: summary
Options: summary or tree |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Request | application/json | View example response below |
400 | Invalid request | N/A | N/A |
401 | Unauthorized | N/A | N/A |
403 | Forbidden | N/A | N/A |
404 | Not found | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/summary_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e/results?format=summary
Response
{
"completed": 30,
"contacted": 30,
"exception": "string",
"summary": {
"children": [],
"parent": {
"_process_filename": "systemd",
"backend_timestamp": "2020-08-28T19:12:07.989Z",
"childproc_count": 0,
"crossproc_count": 0,
"device_external_ip": "34.56.78.90",
"device_group_id": 0,
"device_id": 176678,
"device_name": "devr-dev",
"device_os": "LINUX",
"device_policy": "sm-restrictive",
"device_policy_id": 11200,
"device_timestamp": "2020-08-28T19:10:02.123Z",
"filemod_count": 0,
"has_children": true,
"hits": false,
"ingress_time": 1598641901273,
"modload_count": 0,
"netconn_count": 0,
"org_id": "ABCD1234",
"process_effective_reputation": "NOT_LISTED",
"process_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
"process_hash": [
"e4b9902024ac32b3ca37f6b4c9b841e8",
"81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85"
],
"process_name": "/usr/lib/systemd/systemd",
"process_pid": [
1
],
"process_reputation": "NOT_LISTED",
"process_start_time": "2020-05-04T21:34:03.968Z",
"regmod_count": 0,
"scriptload_count": 0
},
"process": {
"_process_filename": "bash",
"backend_timestamp": "2020-08-28T19:16:11.959Z",
"childproc_count": 333580,
"crossproc_count": 0,
"device_external_ip": "34.56.78.90",
"device_group_id": 0,
"device_id": 176678,
"device_name": "devr-dev",
"device_os": "LINUX",
"device_policy": "sm-restrictive",
"device_policy_id": 11200,
"device_timestamp": "2020-08-28T19:14:41.231Z",
"filemod_count": 0,
"ingress_time": 1598642141411,
"modload_count": 0,
"netconn_count": 0,
"org_id": "ABCD1234",
"parent_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
"parent_hash": [
"81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85",
"e4b9902024ac32b3ca37f6b4c9b841e8"
],
"parent_name": "/usr/lib/systemd/systemd",
"parent_pid": 1,
"process_cmdline": [
"/bin/bash /usr/sbin/ksmtuned"
],
"process_effective_reputation": "NOT_LISTED",
"process_guid": "ABCD1234-0002b226-00001615-00000000-1d6225bbba75e5e",
"process_hash": [
"285044ad8f8b9322d0cc5e929e2cc18c",
"5975d972eea6b1c53ef9a69452797439ed5bf63fae72e1780761ea1c2cb6976a"
],
"process_name": "/usr/bin/bash",
"process_pid": [
5653,
16139
],
"process_reputation": "NOT_LISTED",
"process_start_time": "2020-05-04T21:34:03.968Z",
"process_username": [
"root"
],
"regmod_count": 0,
"scriptload_count": 0
},
"siblings": [
{
"_process_filename": "nm-dispatcher",
"backend_timestamp": "2020-08-19T20:55:33.446Z",
"childproc_count": 1,
"crossproc_count": 0,
"device_external_ip": "34.56.78.90",
"device_group_id": 0,
"device_id": 176678,
"device_name": "devr-dev",
"device_os": "LINUX",
"device_policy": "sm-restrictive",
"device_policy_id": 11200,
"device_timestamp": "2020-08-19T20:54:44.980Z",
"filemod_count": 0,
"has_children": true,
"hits": false,
"ingress_time": 1597870506825,
"modload_count": 0,
"netconn_count": 0,
"org_id": "ABCD1234",
"parent_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
"parent_hash": [
"81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85",
"e4b9902024ac32b3ca37f6b4c9b841e8"
],
"parent_name": "/usr/lib/systemd/systemd",
"parent_pid": 1,
"process_cmdline": [
"/usr/libexec/nm-dispatcher"
],
"process_effective_reputation": "NOT_LISTED",
"process_guid": "ABCD1234-0002b226-00005742-00000000-1d6766af7bedb39",
"process_hash": [
"04b2450579a663c964f3960cd0cf93a8",
"2206d95e0a435aadad6c84b5bce370d076137efecf6adbbf6feddbe0515fb17e"
],
"process_name": "/usr/libexec/nm-dispatcher",
"process_pid": [
22338
],
"process_reputation": "NOT_LISTED",
"process_start_time": "2020-08-19T20:54:44.909Z",
"process_username": [
"root"
],
"regmod_count": 0,
"scriptload_count": 0
}
]
}
}
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/summary_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e/results?format=tree
Response
{
"completed": 30,
"contacted": 30,
"exception": "string",
"tree": {
"_process_filename": "systemd",
"backend_timestamp": "2020-08-28T19:12:07.989Z",
"childproc_count": 1,
"children": [
{
"_process_filename": "bash",
"backend_timestamp": "2020-08-28T19:16:11.959Z",
"childproc_count": 333580,
"crossproc_count": 0,
"device_external_ip": "34.56.78.90",
"device_group_id": 0,
"device_id": 176678,
"device_name": "devr-dev",
"device_os": "LINUX",
"device_policy": "sm-restrictive",
"device_policy_id": 11200,
"device_timestamp": "2020-08-28T19:14:41.231Z",
"filemod_count": 0,
"ingress_time": 1598642141411,
"modload_count": 0,
"netconn_count": 0,
"org_id": "ABCD1234",
"parent_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
"parent_hash": [
"81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85",
"e4b9902024ac32b3ca37f6b4c9b841e8"
],
"parent_name": "/usr/lib/systemd/systemd",
"parent_pid": 1,
"process_cmdline": [
"/bin/bash /usr/sbin/ksmtuned"
],
"process_effective_reputation": "NOT_LISTED",
"process_guid": "ABCD1234-0002b226-00001615-00000000-1d6225bbba75e5e",
"process_hash": [
"285044ad8f8b9322d0cc5e929e2cc18c",
"5975d972eea6b1c53ef9a69452797439ed5bf63fae72e1780761ea1c2cb6976a"
],
"process_name": "/usr/bin/bash",
"process_pid": [
5653,
16139
],
"process_reputation": "NOT_LISTED",
"process_start_time": "2020-05-04T21:34:03.968Z",
"process_username": [
"root"
],
"regmod_count": 0,
"scriptload_count": 0
}
],
"crossproc_count": 0,
"device_external_ip": "34.56.78.90",
"device_group_id": 0,
"device_id": 176678,
"device_name": "devr-dev",
"device_os": "LINUX",
"device_policy": "sm-restrictive",
"device_policy_id": 11200,
"device_timestamp": "2020-08-28T19:10:02.123Z",
"filemod_count": 0,
"has_children": true,
"hits": false,
"ingress_time": 1598641901273,
"modload_count": 0,
"netconn_count": 0,
"org_id": "ABCD1234",
"process_effective_reputation": "NOT_LISTED",
"process_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
"process_hash": [
"e4b9902024ac32b3ca37f6b4c9b841e8",
"81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85"
],
"process_name": "/usr/lib/systemd/systemd",
"process_pid": [
1
],
"process_reputation": "NOT_LISTED",
"process_start_time": "2020-05-04T21:34:03.968Z",
"regmod_count": 0,
"scriptload_count": 0
}
}
Events search in the Processes Search API gives access to all events reported for a particular process on one endpoint.
Returns suggestions for an event search selected from fields from the Platform Search Fields. Will return field names if the “suggest.q” parameter does not yet contain a colon and will return no suggestion otherwise. This call does not support value suggestions.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/events/search_suggestions
Query Schema
Field | Definition | Data Type | Values |
---|---|---|---|
suggest.q REQUIRED
|
Query to generate suggestions for | String | N/A |
suggest.count |
Number of suggestions to return | Integer | Default: 50 |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully suggested search fields | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
404 | Not found | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/events/search_suggestions?suggest.q=pro&suggest.count=1
Response
{
"suggestions": [
{
"term": "process_guid",
"weight": 1450,
"required_skus_all": [],
"required_skus_some": [
"threathunter",
"defense"
]
}
]
}
Validates a given event query and potentially gives suggestions on how to fix invalid queries.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/events/search_validation
Query Schema
Field | Definition | Data Type | Values |
---|---|---|---|
q REQUIRED
|
Keeping this parameter as *:* allows you to query everything |
String | N/A |
cb.min_backend_timestamp |
Start time for the query | Integer | Epoch timestamp in milliseconds
Default: 0 |
cb.max_backend_timestamp |
End time for the query | Integer | Epoch timestamp in milliseconds |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully validated search | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
401 | Unauthorized | N/A | N/A |
403 | Forbidden | N/A | N/A |
404 | Not found | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Valid Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/events/search_validation?q=alert_id:ALBPZQR3
Response
{
"valid": true
}
Invalid Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/events/search_validation?q=alert_idZZZZ:ALBPZQR3
Response
{
"invalid_message": "org.apache.solr.common.SolrException: undefined field alertzzzzz_id",
"valid": false,
"invalid_trigger_offset": 0
}
Fetch the events associated with a given process. These events are often more complete than the enriched events but, unlike the enriched event searches, must be limited to one process at a time.
Note: This call reports its progress as soon as it can and continues to enumerate process events in the background. To receive the full results, you must resubmit the request until processed_segments
is equal to total_segments
.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/events/{process_guid}/_search
Body
{
"criteria": "<object>",
"exclusions": "<object>",
"fields": ["<string>", "<string>"],
"query": "<string>",
"rows": "<long>",
"sort": [
{
"field": "<string>",
"order": "<string>"
}
],
"start": "<long>",
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
criteria |
Criteria is an object that represents values that must be in the results. Either query or criteria /exclusion must be included. |
Object |
|
exclusions |
Exclusions is a map that represents values that must not be in the results. Either query or criteria /exclusion must be included. |
Object |
|
fields |
A list of fields to include in the results, specify * to return all the default fields and add additional fields that are not returned by default |
String |
["*"] |
query |
Query in lucene syntax and/or including value searches. Either query or criteria /exclusion must be included. |
String | N/A |
rows |
Number of rows to request, can be paginated | Long | Default: 500
Max: 10k |
sort |
Sort is a collection of sort parameters that specify a field and order to sort the results. |
Array |
order supports asc or desc |
start |
First row to use for pagination | Long | Default: 0 |
time_range |
Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. |
Object |
window : “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second
start : ISO 8601 timestamp
end : ISO 8601 timestamp |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully fetched events | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/events/ABCD1234-0000a98f-0000034c-00000000-1d5cb7ef5152b42/_search
Body
{
"criteria": {
"event_type": ["netconn"]
},
"query": "netconn_action:ACTION_CONNECTION_CREATE OR netconn_action:ACTION_CONNECTION_ESTABLISHED",
"fields": ["*"],
"time_range": {
"end": "2020-01-27T18:34:04Z",
"start": "2020-01-18T18:34:04Z"
}
}
Response
{
"results": [
{
"backend_timestamp": "2020-01-23T22:48:14.099Z",
"created_timestamp": "2020-01-30T21:11:29.490Z",
"enriched": true,
"enriched_event_type": "NETWORK",
"event_description": "The application \"<share><link hash=\"1030ce4102dac701fab043e40444e8f6c96c8c04b5bd512a59e1a4999d22b38c\">C:\\windows\\system32\\svchost.exe</link></share>\" attempted to establish a <accent>TCP/443</accent> connection to <share><accent>20.36.218.63</accent></share><accent>:443</accent> from <share><accent>12.34.56.78</accent></share><accent>:57503</accent>. The device was off the corporate network using the public address <accent>34.56.78.90</accent>. The operation was blocked by the operating system.",
"event_guid": "U_xc-0FeSu-77aY2CSKgXA",
"event_hash": "a78709ea459e525d30ab9ddc89b1ce6c",
"event_timestamp": "2020-01-23T22:45:41.207Z",
"event_type": "netconn",
"legacy": true,
"legacy_description": "The application \"<share><link hash=\"1030ce4102dac701fab043e40444e8f6c96c8c04b5bd512a59e1a4999d22b38c\">C:\\windows\\system32\\svchost.exe</link></share>\" attempted to establish a <accent>TCP/443</accent> connection to <share><accent>20.36.218.63</accent></share><accent>:443</accent> from <share><accent>12.34.56.78</accent></share><accent>:57503</accent>. The device was off the corporate network using the public address <accent>34.56.78.90</accent>. The operation was blocked by the operating system.",
"netconn_action": "ACTION_CONNECTION_CREATE",
"netconn_inbound": false,
"netconn_local_ipv4": 181543190,
"netconn_local_port": 57503,
"netconn_protocol": "PROTO_TCP",
"netconn_remote_ipv4": 337959487,
"netconn_remote_port": 443,
"process_guid": "ABCD1234-003d630d-0000041c-0000041c-1d5abbc325c58b4",
"process_pid": 1052
},
...
],
"num_found": 6,
"num_available": 6,
"total_segments": 13,
"processed_segments": 13
}
Get facets for the events associated with the specified process. A facet provides statistics indicating the relative weighting of values for the specified terms.
Note: This is an asynchronous request, you must resubmit the request until processed_segments
is equal to total_segments
in order to receive the full results
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
READ |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/events/{process_guid}/_facet
Body
{
"criteria": "<object>",
"exclusions": "<object>",
"query": "<string>",
"ranges": [
{
"bucket_size": "<object>",
"end": "<object>",
"field": "<string>",
"start": "<object>"
}
],
"terms": {
"fields": [
"<string>"
],
"rows": "<long>"
},
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
criteria |
Criteria is an object that represents values that must be in the results. Either query or criteria /exclusion must be included. |
Object |
|
exclusions |
Exclusions is a map that represents values that must not be in the results. Either query or criteria /exclusion must be included. |
Object |
|
query |
Query in lucene syntax and/or including value searches. Either query or criteria /exclusion must be included. |
String | N/A |
ranges |
Allows grouping for properties that are ISO 8601 timestamps or numbers. Bucket size for ISO 8601 timestamps uses SOLR DateMathParser | Array |
|
terms |
The events fields to facet and how many of the top entries to return. | Object |
100 |
time_range |
Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. |
Object |
window : “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second
start : ISO 8601 timestamp
end : ISO 8601 timestamp |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully fetched event facets | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/events/ABCD1234-0000a98f-0000034c-00000000-1d5cb7ef5152b42/_facet
Body
{
"query": "*:*",
"ranges": [
{
"bucket_size": "+12HOUR",
"end": "2020-08-31T11:19:37Z",
"field": "device_timestamp",
"start": "2020-08-29T00:00:00Z"
}
],
"terms": {
"fields": [
"event_type"
],
"rows": 10
},
"time_range": {
"end": "2020-08-31T11:19:37Z",
"start": "2020-08-29T00:00:00Z"
}
}
Response
{
"ranges": [
{
"start": "2020-08-29T00:00:00Z",
"end": "2020-08-31T12:00:00Z",
"bucket_size": "+12HOUR",
"field": "device_timestamp",
"values": [
{
"total": 9850,
"name": "2020-08-29T00:00:00Z"
},
{
"total": 9346,
"name": "2020-08-29T12:00:00Z"
},
{
"total": 9910,
"name": "2020-08-30T00:00:00Z"
},
{
"total": 8581,
"name": "2020-08-30T12:00:00Z"
},
{
"total": 8716,
"name": "2020-08-31T00:00:00Z"
}
]
}
],
"terms": [
{
"values": [
{
"total": 41517,
"id": "netconn",
"name": "netconn"
},
{
"total": 4829,
"id": "filemod",
"name": "filemod"
},
{
"total": 31,
"id": "crossproc",
"name": "crossproc"
},
{
"total": 26,
"id": "childproc",
"name": "childproc"
}
],
"field": "event_type"
}
],
"num_found": 46403,
"total_segments": 23385,
"processed_segments": 23385
}
These Process Search API calls are only available to Enterprise EDR customers.
Instructs the Carbon Black Cloud to look for “hits” across all processes reported for the organization’s endpoints within the time range for the given watchlist, report and IOC. Watchlist hits will be available in subsequent search results asynchronously and are not guaranteed to be visible directly after this call.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events |
UPDATE |
Request
POST {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/watchlist_evaluation
Request Body
{
"watchlist_id": "<string>",
"report_id": "<string>",
"cb.max_backend_timestamp": "<integer>",
"cb.min_backend_timestamp": "<integer>",
"ioc_id": "<string>"
}
Request Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
watchlist_id REQUIRED
|
Watchlist ID | String | N/A |
report_id REQUIRED
|
Report ID | String | N/A |
ioc_id |
Indicator of compromise ID | String | N/A |
cb.min_backend_timestamp |
Start time for the query | Integer | Epoch timestamp in milliseconds
Default: 0 |
cb.max_backend_timestamp |
End time for the query | Integer | Epoch timestamp in milliseconds |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
204 | Successfully evaluated and tagged processes | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/watchlist_evaluation
Body
{
"watchlist_id": "b5LGY1CCTtyogVBUwTWLA",
"report_id": "1"
}
Response
No content
Fetches report hits associated with a single process. This includes both ingress and query hits that are associated with the organization’s subscribed watchlists.
Request
GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/report_hits
Query Schema
Field | Definition | Data Type | Values |
---|---|---|---|
process_guid REQUIRED
|
Process GUID for which to get report hits | String | N/A |
rows |
Number of report hits to get. | Integer | Default: 10 |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully fetched report hits | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/report_hits?process_guid=ABCD1234-0000a98f-000013c8-00000000-1d5c4bc2bf4b39d&rows=1
Response
{
"report_hits": {
"lryC1EGShaTsb4bjxjLTQ-ipv4_iocs": [
{
"backend_timestamp": "2020-08-28T08:36:11.745Z",
"device_timestamp": "2020-08-28T08:34:39.437Z",
"hit_document_guids": [
"2ybSlFnGQeCRP5Srn2WfqA"
],
"iocs_field": "netconn_ipv4",
"iocs_hit": "13.107.4.50",
"iocs_id": "demo-ipv4",
"report_id": "lryC1EGShaTsb4bjxjLTQ-ipv4_iocs",
"report_link": "https://example.com",
"report_severity": 5,
"report_timestamp": "2020-08-02T10:56:39.437Z",
"report_title": "IPV4 IOCs",
"report_watchlists": [
{
"alert": true,
"id": "7hpd1usTWaNG5lHfGmjVg",
"name": "Demo"
}
]
}
]
}
}
}
What is a “Value Search”?
process_name:chrome.exe
is a well-specified search query, a search merely for chrome.exe can return all those results as well as results where chrome.exe shows up in other fields that you didn’t have to know to specify.What is a “hit”?