Processes Search API

Overview

This API lets you search through all the data that is reported by your organization’s sensors to find one or more processes based on specific criteria you set.

With visibility across your fleet of monitored endpoints, you can identify applications that are acting abnormally and over time, cull the outliers from the total observed process activity, and retroactively identify the origination point for attacks that previously escaped notice. You can also:

  • Test out a variety of approaches to querying your organization’s historical data before adding that query to a Watchlist
  • Get deep visibility into the security context of Windows processes including elevation, mandatory access control integrity level and privileges
  • Search across all Enterprise EDR Watchlist-hitting activity in your organization to hone in on patterns and outlier behavior

Use cases

  • Find the process that was identified in an Alert with a Process Search
  • Find processes that match targeted behavioral characteristics identified in Carbon Black or third-party threat intelligence reports with Get Report Hits
  • Find more details about processes that were potentially involved in malicious activity identified elsewhere with a Details Search on Processes
  • To get filtering terms or prevalent values, call /facet_jobs followed by /results on the /facet_jobs/ call with job_id in the request URI

Alternative solutions:

Requirements

  • Endpoint Standard or Enterprise EDR product
  • All API calls require an API key with appropriate permissions (see Authentication below)

Common Headers

Most API calls require all three headers:

  1. X-Auth-Token: (required) your authentication token is: API Secret Key/API ID
    • Example: If Adam from Company Q has the API Secret Key ABCDEFGHIJKLMNOPQRSTUVWX and the API ID of 12345678, his corresponding X-Auth-Token HTTP header is ABCDEFGHIJKLMNOPQRSTUVWX/12345678
  2. Content-Type: application/json
  3. accept: application/json

Quick Start Instructions

Asynchronous Quick Start Instructions

Many Platform Search functions are asynchronous and require a sequence of calls to start the process, check the status and retrieve the results. The following is an example of typical use:

  1. Start a search job: /api/investigate/v2/orgs/{org_key}/processes/search_jobs
  2. Receive the job_id
  3. Call /api/investigate/v1/orgs/{org_key}/processes/search_jobs/{job_id} to get search progress
  4. Repeat 3 until “contacted” equals “completed” in the response
  5. Call /api/investigate/v2/orgs/{org_key}/processes/search_jobs/{job_id}/results route to retrieve the output of the job; if you haven’t waited until “contacted” equals “completed”, the results obtained will be incomplete.

The Process Search is able to be cancelled using Cancel a Process Search.

Guides & Resources

Authentication

  • Access Level: Before you create your API Key, you need to create a “Custom” Access Level:
    • for the category Search > Events > "org.search.events", allow permission to CREATE, READ, UPDATE, DELETE (or see each call below for individual requirements)
  • API Key: When you create your API Key, use the Access Level Type of “Custom”, then select the Access Level you created.
  • Environment: use the URL of your Carbon Black Cloud console (this is the Dashboard URL) and is identified with {cbc-hostname} in the Request of each API call
  • API Route: Specific for each API call and defined in the Request section

Note: when you insert your org_key, you must also remove the { } brackets.

API calls

This API has three types of calls:

  • Calls for Processes - searches process data
  • Calls for Events - searches event data
  • Calls for Enterprise EDR - scans for hits against watchlists and reports

Note: Some calls use “v1” in the path, and others use “v2”. Using the wrong path will result in an error.

Calls for Processes

The following calls search on and return processes.

Process Search Suggestions (v1)

Returns suggestions for a process search selected from fields and values as reported in the organization’s system. Will return values for the specified field if at least one character follows the colon. Returns null if no characters follow the colon.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/search_suggestions

Query Schema

Field Definition Data Type Values
suggest.q REQUIRED Query to generate suggestions for String N/A
suggest.count Number of suggestions to return Integer Default: 50

Response

Code Description Content-Type Content
200 Successfully suggested process search fields application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_suggestions?suggest.q=process_cmd&suggest.count=1

Response

{
    "suggestions": [
        {
            "term": "process_name",
            "weight": 2800,
            "required_skus_all": [],
            "required_skus_some": [
                "threathunter",
                "defense"
            ]
        }
    ]
}

Process Search Validation (v1)

Validates a given process query and potentially gives suggestions on how to fix invalid queries.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/search_validation

Query Schema

Field Definition Data Type Values
q REQUIRED Keeping this parameter as *:* allows you to query everything String N/A
cb.min_backend_timestamp Start time for the query Integer Epoch timestamp in milliseconds
Default: 0
cb.max_backend_timestamp End time for the query Integer Epoch timestamp in milliseconds

Response

Code Description Content-Type Content
200 Successfully validated process search application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_validation?q=process

Response

{
    "valid": true,
    "value_search_query": true
}

Get Time Limits for Available Data (v1)

Returns the minimum and maximum times at which events were reported by any sensor in your organization.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/limits

Response

Code Description Content-Type Content
200 Successfully fetched the upper and lower time limits application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/limits

Response

{
    "time_bounds": {
        "lower": 1564686473166,
        "upper": 1579023412990
    }
}

Start a Process Search (v2)

Creates a process search job. The results for the search job may be requested using the job_id returned.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events CREATE

Request

POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/search_jobs

Body

  
{
    "criteria": "<object>",
    "exclusions": "<object>",
    "fields": ["<string>", "<string>"],
    "query": "<string>",
    "rows": "<long>",
    "sort": [
        {
            "field": "<string>",
            "order": "<string>"
        }
    ],
    "start": "<long>",
    "time_range": {
        "end": "<string>",
        "start": "<string>",
        "window": "<string>"
    }
}

Body Schema

Field Definition Data Type Values
criteria Criteria is an object that represents values that must be in the results. Either query or criteria/exclusion must be included. Object
{
  "process_name": [
    "chrome.exe"
  ]
}
Additional fields at Platform Search Fields
exclusions Exclusions is a map that represents values that must not be in the results. Either query or criteria/exclusion must be included. Object
{
  "process_name": [
    "chrome.exe"
  ]
}
Additional fields at Platform Search Fields
fields A list of fields to include in the results, specify * to return all the default fields and add additional fields that are not returned by default String
[ "*", "process_start_time" ]
Default: ["*"]
query Query in lucene syntax and/or including value searches. Either query or criteria/exclusion must be included. String N/A
rows Number of rows to request, can be paginated Long Default: 500
Max: 10k
sort Sort is a collection of sort parameters that specify a field and order to sort the results. Array
[{
  "field": "device_timestamp",
  "order": "asc"
}]
order supports asc or desc
start First row to use for pagination Long Default: 0
time_range Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. Object
{
  "end": "2020-01-21T18:34:04Z",
  "start": "2020-01-18T18:34:04Z",
  "window": "-2w"
}
window: “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second

start: ISO 8601 timestamp

end: ISO 8601 timestamp

Response

Code Description Content-Type Content
200 Successfully submitted search for processes application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/search_jobs

Body

  
{
  "criteria": {
  	"device_name": ["Win7x64"]
  },
  "query": "process_name:svchost.exe",
  "fields": ["*", "process_start_time"],
  "sort": [
    {
      "field": "device_timestamp",
      "order": "asc"
    }
  ],
  "start": 0,
  "time_range": {
    "end": "2020-01-27T18:34:04Z",
    "start": "2020-01-18T18:34:04Z"
  }
}

Response

  
{
    "job_id": "6b414c3e-c664-45ea-bb69-3aabf4430f7e"
}

Get the Status of a Process Search (v1)

Returns the status of a search job. A job is finished when “completed” is equal to the “contacted”. This call should be used when polling for search job completion as it is more efficient than fetching results each time.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/search_jobs/{job_id}

Response

Code Description Content-Type Content
200 Successfully retrieved status of process search N/A View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_jobs/45694120-8b28-4905-a9aa-c84b04e77d78

Response

{
    "contacted": 25,
    "completed": 0,
    "query": {
        "cb.max_backend_timestamp": 1579025578116,
        "cb.min_backend_timestamp": 0,
        "cb.min_device_timestamp": 0,
        "q": "*.*",
        "rows": 500,
        "start": 0
    },
    "search_initiated_time": 1579025578206,
    "connector_id": "TZV468322A"
}

Retrieve Results for a Process Search (v2)

Retrieves the results of a process search identified by a job_id. Results will be sorted based on the sort parameter specified when starting the search. Confirm the search has completed by verifying that “contacted” equals “completed”.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/search_jobs/{job_id}/results

Query Schema

Field Definition Data Type Values
start First row to use for pagination Integer Default: 0
rows Number of requested rows to fetch, used for paginating requested rows Integer Default: 10

Response

Code Description Content-Type Content
200 Successfully fetched processes application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/search_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e/results?start=0&rows=1

Response

  
{
    "results": [
        {
            "backend_timestamp": "2020-01-19T15:25:31.064Z",
            "childproc_count": 0,
            "crossproc_count": 40,
            "device_id": 43407,
            "device_name": "win7x64",
            "device_policy_id": 11200,
            "device_timestamp": "2020-01-18T19:46:22.885Z",
            "filemod_count": 0,
            "index_class": "default",
            "modload_count": 5,
            "netconn_count": 55380,
            "org_id": "ABCD1234",
            "parent_guid": "ABCD1234-0000a98f-000001fc-00000000-1d5cb7eca37b799",
            "parent_pid": 508,
            "partition_id": 0,
            "process_guid": "ABCD1234-0000a98f-0000051c-00000000-1d5cb7ed061e7ef",
            "process_hash": [
                "c78655bc80301d76ed4fef1c1ea40a7d",
                "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"
            ],
            "process_name": "c:\\windows\\system32\\svchost.exe",
            "process_pid": [
                1308
            ],
            "process_username": [
                "NT AUTHORITY\\LOCAL SERVICE"
            ],
            "regmod_count": 2,
            "scriptload_count": 0
        }
    ],
    "num_found": 760,
    "num_available": 33,
    "contacted": 6,
    "completed": 6
}

Cancel a Process Search (v1)

Cancels the search with the given job_id so no new search results will appear.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events DELETE

Request

DELETE {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/search_jobs/{job_id}

Response

Code Description Content-Type Content
204 Successfully deleted a process search N/A No Content
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
500 Internal Server Error N/A N/A

Example

Request

DELETE https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/search_jobs/45694120-8b28-4905-a9aa-c84b04e77d78

Response

No content

Start a Facet Search on Processes (v2)

Initiates a process facet search which generates statistics indicating the relative weighting of values for the specified terms. The results for the search may be requested using the job_id returned.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events CREATE

Request

POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/facet_jobs

Body

  
{
    "criteria": "<object>",
    "exclusions": "<object>",
    "query": "<string>",
    "ranges": [
        {
            "bucket_size": "<object>",
            "end": "<object>",
            "field": "<string>",
            "start": "<object>"
        }
    ],
    "terms": {
        "fields": [
            "<string>"
        ],
        "rows": "<long>"
    },
    "time_range": {
        "end": "<string>",
        "start": "<string>",
        "window": "<string>"
    }
}

Body Schema

Field Definition Data Type Values
criteria Criteria is an object that represents values that must be in the results. Either query or criteria/exclusion must be included. Object
{
  "process_name": [
    "chrome.exe"
  ]
}
Additional fields at Platform Search Fields
exclusions Exclusions is a map that represents values that must not be in the results. Either query or criteria/exclusion must be included. Object
{
  "process_name": [
    "chrome.exe"
  ]
}
Additional fields at Platform Search Fields
query Query in lucene syntax and/or including value searches. Either query or criteria/exclusion must be included. String N/A
ranges Allows grouping for properties that are ISO 8601 timestamps or numbers. Bucket size for ISO 8601 timestamps uses SOLR DateMathParser Array
[{
  "bucket_size": 100,
  "end": 100,
  "field": "process_duration",
  "start": 0
}]
or
[{
  "bucket_size": "+1DAY",
  "end": "2020-01-21T18:34:04Z",
  "field": "process_start_time",
  "start": "2020-01-18T18:34:04Z"
}]
terms The process fields to facet and how many of the top entries to return. Object
{
  "fields": [
    "process_name"
  ],
  "rows": 100
}
Default: 100
time_range Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. Object
{
  "end": "2020-01-21T18:34:04Z",
  "start": "2020-01-18T18:34:04Z",
  "window": "-2w"
}
window: “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second

start: ISO 8601 timestamp

end: ISO 8601 timestamp

Response

Code Description Content-Type Content
200 Successfully submitted search for process facets application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/facet_jobs

Body

  
{
  "criteria": {
  	"device_name": ["Win7x64"]
  },
  "query": "process_name:svchost.exe",
  "ranges": [
      {
          "bucket_size": 5,
          "end": 10,
          "field": "netconn_count",
          "start": 0
      }
  ],
  "terms": {
    "fields": [
      "process_username"
    ],
    "rows": 100
  },
  "time_range": {
    "end": "2020-01-27T18:34:04Z",
    "start": "2020-01-18T18:34:04Z"
  }
}

Response

  
{
    "job_id": "c167cc5b-5741-427e-8412-8b89f0b17f9c"
}

Retrieve Results for a Process Facets Search (v2)

Retrieves the process facet results for a given job_id. Confirm the search has completed by verifying that “contacted” equals “completed”.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/facet_jobs/{job_id}/results

Query Schema

Field Definition Data Type Values
limit Maximum number of facets per category (i.e Any Process Search Fields listed in terms.fields) Integer Default: 100

Response

Code Description Content-Type Content
200 Successfully fetched processes facets application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/facet_jobs/c167cc5b-5741-427e-8412-8b89f0b17f9c/results?limit=1

Response

  
{
    "ranges": [
        {
            "start": 0,
            "end": 10,
            "bucket_size": 5,
            "field": "netconn_count",
            "values": [
               {
                   "total": 10128,
                   "name": "0"
               },
               {
                   "total": 5,
                   "name": "5"
               }
            ]
        }
    ],
    "terms": [
        {
            "values": [
                {
                    "total": 10701,
                    "id": "NT AUTHORITY\\NETWORK SERVICE",
                    "name": "NT AUTHORITY\\NETWORK SERVICE"
                }
            ],
            "field": "process_username"
        }
    ],
    "num_found": 20818,
    "contacted": 6,
    "completed": 6
}

Request Details of Processes (v2)

Note: This call is for preview only and may be subject to unannounced updates.

Creates a process detail job. The details will include all available information about the given process including information that’s not returnable from the standard Process Search call. These fields are annotated with DETAILS on Platform Search Fields. The results for the details search job may be requested using the job_id returned.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/detail_jobs

Body

{
  "process_guids": [
    "<string>"
  ]
}

Body Schema

Field Definition Data Type Values
process_guids REQUIRED A list of process guids to fetch Array
[ "ABCD1234-0000a98f-0000051c-00000000-1d5cb7ed061e7ef", "ABCD1234-0000a98f-000001fc-00000000-1d5cb7eca37b799" ]
Max: 100 process_guids

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 Invalid request N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/detail_jobs

Body

{
  "process_guids": [
    "ABCD1234-0002b226-00001615-00000000-1d6225bbba75e5e"
  ]
}

Response

{
  "job_id": "6b414c3e-c664-45ea-bb69-3aabf4430f7e"
}

Get the Status of a Process Detail Search (v2)

Note: This call is for preview only and may be subject to unannounced updates.

Retrieves the status for a process detail request for a given job_id. Continue to call the status check until “contacted” equals “completed”.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/detail_jobs/{job_id}

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 Invalid request N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/detail_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e

Response

{
  "completed": 5,
  "contacted": 30
}

Retrieve Results for a Process Detail Search (v2)

Note: This call is for preview only and may be subject to unannounced updates.

Retrieves the process detail results for a given job_id. Confirm the search has completed by verifying that “contacted” equals “completed”.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/detail_jobs/{job_id}/results

Query Schema

Field Definition Data Type Values
start First row to use for pagination Integer Default: 0
rows Number of requested rows to fetch, used for paginating requested rows Integer Default: 10

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 Invalid request N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/detail_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e/results

Response

{
  "completed": 30,
  "contacted": 30,
  "num_available": 500,
  "num_found": 1000,
  "results": [
    {
        "backend_timestamp": "2020-08-28T19:14:40.394Z",
        "childproc_count": 333576,
        "crossproc_count": 0,
        "device_external_ip": "34.56.78.90",
        "device_group_id": 0,
        "device_id": 176678,
        "device_location": "UNKNOWN",
        "device_name": "devr-dev",
        "device_os": "LINUX",
        "device_os_version": "CentOS 7.6-1810",
        "device_policy": "sm-restrictive",
        "device_policy_id": 11200,
        "device_target_priority": "MEDIUM",
        "device_timestamp": "2020-08-28T19:12:41.178Z",
        "document_guid": "6Gqoe-abQXu-k9LagGOoQg",
        "filemod_count": 0,
        "ingress_time": 1598642021337,
        "modload_count": 0,
        "netconn_count": 0,
        "org_id": "ABCD1234",
        "parent_effective_reputation": "NOT_LISTED",
        "parent_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
        "parent_hash": [
            "81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85",
            "e4b9902024ac32b3ca37f6b4c9b841e8"
        ],
        "parent_name": "/usr/lib/systemd/systemd",
        "parent_pid": 1,
        "parent_publisher_state": [
            "FILE_SIGNATURE_STATE_NOT_SIGNED"
        ],
        "parent_reputation": "NOT_LISTED",
        "process_cmdline": [
            "/bin/bash /usr/sbin/ksmtuned"
        ],
        "process_cmdline_length": [
            28
        ],
        "process_effective_reputation": "NOT_LISTED",
        "process_guid": "ABCD1234-0002b226-00001615-00000000-1d6225bbba75e5e",
        "process_hash": [
            "285044ad8f8b9322d0cc5e929e2cc18c",
            "5975d972eea6b1c53ef9a69452797439ed5bf63fae72e1780761ea1c2cb6976a"
        ],
        "process_name": "/usr/bin/bash",
        "process_pid": [
            449,
            2855,
            3416
        ],
        "process_publisher_state": [
            "FILE_SIGNATURE_STATE_NOT_SIGNED"
        ],
        "process_reputation": "NOT_LISTED",
        "process_sha256": "5975d972eea6b1c53ef9a69452797439ed5bf63fae72e1780761ea1c2cb6976a",
        "process_start_time": "2020-05-04T21:34:03.968Z",
        "process_username": [
            "root"
        ],
        "regmod_count": 0,
        "scriptload_count": 0
    }
  ]
}

Start a Process Summary Search (v2)

Note: This call is for preview only and may be subject to unannounced updates.

Creates a process summary job. The summary will include information about the given process including its children, parents, and siblings. The results for the search job may be requested using the job_id returned.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/summary_jobs

Body

  
{
  "parent_guid": "<string>",
  "process_guid": "<string>",
  "time_range": {
      "end": "<string>",
      "start": "<string>",
      "window": "<string>"
  }
}

Body Schema

Field Definition Data Type Values
process_guid REQUIRED The global unique identifier for a process String N/A
parent_guid The global unique identifier for the parent of the specified process_guid String N/A
time_range Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. Object
{
  "end": "2020-01-21T18:34:04Z",
  "start": "2020-01-18T18:34:04Z",
  "window": "-2w"
}
window: “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second

start: ISO 8601 timestamp

end: ISO 8601 timestamp

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 Invalid request N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/summary_jobs

Body

  
{
  "parent_guid": "ABCD1234-0000a98f-000001fc-00000000-1d5cb7eca37b799",
  "process_guid": "ABCD1234-0000a98f-0000051c-00000000-1d5cb7ed061e7ef",
  "time_range": {
    "window": "-2w"
  }
}

Response

{
  "job_id": "6b414c3e-c664-45ea-bb69-3aabf4430f7e"
}

Get the Status of Process Summary Search (v2)

Note: This call is for preview only and may be subject to unannounced updates.

Retrieves the status for a process summary request for a given job_id. Continue to call the status check until “contacted” equals “completed”.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/summary_jobs/{job_id}

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 Invalid request N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/summary_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e

Response

{
  "completed": 5,
  "contacted": 30
}

Retrieve Results for a Process Summary or Tree Search (v2)

Note: This call is for preview only and may be subject to unannounced updates.

Retrieves the process summary results for a given job_id in summary or tree format. Most callers will prefer the summary format, but you may request the tree format for convenience of building user interfaces. Confirm the search has completed by verifying that “contacted” equals “completed”.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/processes/summary_jobs/{job_id}/results

Query Schema

Field Definition Data Type Values
format The format for the summary to be returned String Default: summary
Options: summary or tree

Response

Code Description Content-Type Content
200 Successful Request application/json View example response below
400 Invalid request N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/summary_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e/results?format=summary

Response

{
  "completed": 30,
  "contacted": 30,
  "exception": "string",
  "summary": {
    "children": [],
    "parent": {
        "_process_filename": "systemd",
        "backend_timestamp": "2020-08-28T19:12:07.989Z",
        "childproc_count": 0,
        "crossproc_count": 0,
        "device_external_ip": "34.56.78.90",
        "device_group_id": 0,
        "device_id": 176678,
        "device_name": "devr-dev",
        "device_os": "LINUX",
        "device_policy": "sm-restrictive",
        "device_policy_id": 11200,
        "device_timestamp": "2020-08-28T19:10:02.123Z",
        "filemod_count": 0,
        "has_children": true,
        "hits": false,
        "ingress_time": 1598641901273,
        "modload_count": 0,
        "netconn_count": 0,
        "org_id": "ABCD1234",
        "process_effective_reputation": "NOT_LISTED",
        "process_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
        "process_hash": [
            "e4b9902024ac32b3ca37f6b4c9b841e8",
            "81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85"
        ],
        "process_name": "/usr/lib/systemd/systemd",
        "process_pid": [
            1
        ],
        "process_reputation": "NOT_LISTED",
        "process_start_time": "2020-05-04T21:34:03.968Z",
        "regmod_count": 0,
        "scriptload_count": 0
    },
    "process": {
      "_process_filename": "bash",
      "backend_timestamp": "2020-08-28T19:16:11.959Z",
      "childproc_count": 333580,
      "crossproc_count": 0,
      "device_external_ip": "34.56.78.90",
      "device_group_id": 0,
      "device_id": 176678,
      "device_name": "devr-dev",
      "device_os": "LINUX",
      "device_policy": "sm-restrictive",
      "device_policy_id": 11200,
      "device_timestamp": "2020-08-28T19:14:41.231Z",
      "filemod_count": 0,
      "ingress_time": 1598642141411,
      "modload_count": 0,
      "netconn_count": 0,
      "org_id": "ABCD1234",
      "parent_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
      "parent_hash": [
          "81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85",
          "e4b9902024ac32b3ca37f6b4c9b841e8"
      ],
      "parent_name": "/usr/lib/systemd/systemd",
      "parent_pid": 1,
      "process_cmdline": [
          "/bin/bash /usr/sbin/ksmtuned"
      ],
      "process_effective_reputation": "NOT_LISTED",
      "process_guid": "ABCD1234-0002b226-00001615-00000000-1d6225bbba75e5e",
      "process_hash": [
          "285044ad8f8b9322d0cc5e929e2cc18c",
          "5975d972eea6b1c53ef9a69452797439ed5bf63fae72e1780761ea1c2cb6976a"
      ],
      "process_name": "/usr/bin/bash",
      "process_pid": [
          5653,
          16139
      ],
      "process_reputation": "NOT_LISTED",
      "process_start_time": "2020-05-04T21:34:03.968Z",
      "process_username": [
          "root"
      ],
      "regmod_count": 0,
      "scriptload_count": 0
    },
    "siblings": [
      {
        "_process_filename": "nm-dispatcher",
        "backend_timestamp": "2020-08-19T20:55:33.446Z",
        "childproc_count": 1,
        "crossproc_count": 0,
        "device_external_ip": "34.56.78.90",
        "device_group_id": 0,
        "device_id": 176678,
        "device_name": "devr-dev",
        "device_os": "LINUX",
        "device_policy": "sm-restrictive",
        "device_policy_id": 11200,
        "device_timestamp": "2020-08-19T20:54:44.980Z",
        "filemod_count": 0,
        "has_children": true,
        "hits": false,
        "ingress_time": 1597870506825,
        "modload_count": 0,
        "netconn_count": 0,
        "org_id": "ABCD1234",
        "parent_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
        "parent_hash": [
            "81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85",
            "e4b9902024ac32b3ca37f6b4c9b841e8"
        ],
        "parent_name": "/usr/lib/systemd/systemd",
        "parent_pid": 1,
        "process_cmdline": [
            "/usr/libexec/nm-dispatcher"
        ],
        "process_effective_reputation": "NOT_LISTED",
        "process_guid": "ABCD1234-0002b226-00005742-00000000-1d6766af7bedb39",
        "process_hash": [
            "04b2450579a663c964f3960cd0cf93a8",
            "2206d95e0a435aadad6c84b5bce370d076137efecf6adbbf6feddbe0515fb17e"
        ],
        "process_name": "/usr/libexec/nm-dispatcher",
        "process_pid": [
            22338
        ],
        "process_reputation": "NOT_LISTED",
        "process_start_time": "2020-08-19T20:54:44.909Z",
        "process_username": [
            "root"
        ],
        "regmod_count": 0,
        "scriptload_count": 0
      }
    ]
  }
}

Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/processes/summary_jobs/6b414c3e-c664-45ea-bb69-3aabf4430f7e/results?format=tree

Response

{
  "completed": 30,
  "contacted": 30,
  "exception": "string",
  "tree": {
    "_process_filename": "systemd",
    "backend_timestamp": "2020-08-28T19:12:07.989Z",
    "childproc_count": 1,
    "children": [
      {
        "_process_filename": "bash",
        "backend_timestamp": "2020-08-28T19:16:11.959Z",
        "childproc_count": 333580,
        "crossproc_count": 0,
        "device_external_ip": "34.56.78.90",
        "device_group_id": 0,
        "device_id": 176678,
        "device_name": "devr-dev",
        "device_os": "LINUX",
        "device_policy": "sm-restrictive",
        "device_policy_id": 11200,
        "device_timestamp": "2020-08-28T19:14:41.231Z",
        "filemod_count": 0,
        "ingress_time": 1598642141411,
        "modload_count": 0,
        "netconn_count": 0,
        "org_id": "ABCD1234",
        "parent_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
        "parent_hash": [
            "81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85",
            "e4b9902024ac32b3ca37f6b4c9b841e8"
        ],
        "parent_name": "/usr/lib/systemd/systemd",
        "parent_pid": 1,
        "process_cmdline": [
            "/bin/bash /usr/sbin/ksmtuned"
        ],
        "process_effective_reputation": "NOT_LISTED",
        "process_guid": "ABCD1234-0002b226-00001615-00000000-1d6225bbba75e5e",
        "process_hash": [
            "285044ad8f8b9322d0cc5e929e2cc18c",
            "5975d972eea6b1c53ef9a69452797439ed5bf63fae72e1780761ea1c2cb6976a"
        ],
        "process_name": "/usr/bin/bash",
        "process_pid": [
            5653,
            16139
        ],
        "process_reputation": "NOT_LISTED",
        "process_start_time": "2020-05-04T21:34:03.968Z",
        "process_username": [
            "root"
        ],
        "regmod_count": 0,
        "scriptload_count": 0
      }
    ],
    "crossproc_count": 0,
    "device_external_ip": "34.56.78.90",
    "device_group_id": 0,
    "device_id": 176678,
    "device_name": "devr-dev",
    "device_os": "LINUX",
    "device_policy": "sm-restrictive",
    "device_policy_id": 11200,
    "device_timestamp": "2020-08-28T19:10:02.123Z",
    "filemod_count": 0,
    "has_children": true,
    "hits": false,
    "ingress_time": 1598641901273,
    "modload_count": 0,
    "netconn_count": 0,
    "org_id": "ABCD1234",
    "process_effective_reputation": "NOT_LISTED",
    "process_guid": "ABCD1234-0002b226-00000001-00000000-1d6225bbba75e43",
    "process_hash": [
        "e4b9902024ac32b3ca37f6b4c9b841e8",
        "81b37dcb0321108e564d528df827580153ab64005be3bcafd5162e9e7e707e85"
    ],
    "process_name": "/usr/lib/systemd/systemd",
    "process_pid": [
        1
    ],
    "process_reputation": "NOT_LISTED",
    "process_start_time": "2020-05-04T21:34:03.968Z",
    "regmod_count": 0,
    "scriptload_count": 0
  }
}

Calls for Events

Events search in the Processes Search API gives access to all events reported for a particular process on one endpoint.

Get Suggestions for Event Searching (v1)

Returns suggestions for an event search selected from fields from the Platform Search Fields. Will return field names if the “suggest.q” parameter does not yet contain a colon and will return no suggestion otherwise. This call does not support value suggestions.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/events/search_suggestions

Query Schema

Field Definition Data Type Values
suggest.q REQUIRED Query to generate suggestions for String N/A
suggest.count Number of suggestions to return Integer Default: 50

Response

Code Description Content-Type Content
200 Successfully suggested search fields application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/events/search_suggestions?suggest.q=pro&suggest.count=1

Response

{
    "suggestions": [
        {
            "term": "process_guid",
            "weight": 1450,
            "required_skus_all": [],
            "required_skus_some": [
                "threathunter",
                "defense"
            ]
        }
    ]
}

Get Validation for Event Search (v1)

Validates a given event query and potentially gives suggestions on how to fix invalid queries.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/events/search_validation

Query Schema

Field Definition Data Type Values
q REQUIRED Keeping this parameter as *:* allows you to query everything String N/A
cb.min_backend_timestamp Start time for the query Integer Epoch timestamp in milliseconds
Default: 0
cb.max_backend_timestamp End time for the query Integer Epoch timestamp in milliseconds

Response

Code Description Content-Type Content
200 Successfully validated search application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
401 Unauthorized N/A N/A
403 Forbidden N/A N/A
404 Not found N/A N/A
500 Internal Server Error N/A N/A

Example

Valid Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/events/search_validation?q=alert_id:ALBPZQR3

Response

{
    "valid": true
}

Invalid Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/events/search_validation?q=alert_idZZZZ:ALBPZQR3

Response

{
    "invalid_message": "org.apache.solr.common.SolrException: undefined field alertzzzzz_id",
    "valid": false,
    "invalid_trigger_offset": 0
}

Get Events Associated with a Given Process (v2)

Fetch the events associated with a given process. These events are often more complete than the enriched events but, unlike the enriched event searches, must be limited to one process at a time.

Note: This call reports its progress as soon as it can and continues to enumerate process events in the background. To receive the full results, you must resubmit the request until processed_segments is equal to total_segments.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/events/{process_guid}/_search

Body

  
{
    "criteria": "<object>",
    "exclusions": "<object>",
    "fields": ["<string>", "<string>"],
    "query": "<string>",
    "rows": "<long>",
    "sort": [
        {
            "field": "<string>",
            "order": "<string>"
        }
    ],
    "start": "<long>",
    "time_range": {
        "end": "<string>",
        "start": "<string>",
        "window": "<string>"
    }
}

Body Schema

Field Definition Data Type Values
criteria Criteria is an object that represents values that must be in the results. Either query or criteria/exclusion must be included. Object
{
  "process_name": [
    "chrome.exe"
  ]
}
Additional fields at Platform Search Fields
exclusions Exclusions is a map that represents values that must not be in the results. Either query or criteria/exclusion must be included. Object
{
  "process_name": [
    "chrome.exe"
  ]
}
Additional fields at Platform Search Fields
fields A list of fields to include in the results, specify * to return all the default fields and add additional fields that are not returned by default String
[ "*", "process_start_time" ]
Default: ["*"]
query Query in lucene syntax and/or including value searches. Either query or criteria/exclusion must be included. String N/A
rows Number of rows to request, can be paginated Long Default: 500
Max: 10k
sort Sort is a collection of sort parameters that specify a field and order to sort the results. Array
[{
  "field": "device_timestamp",
  "order": "asc"
}]
order supports asc or desc
start First row to use for pagination Long Default: 0
time_range Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. Object
{
  "end": "2020-01-21T18:34:04Z",
  "start": "2020-01-18T18:34:04Z",
  "window": "-2w"
}
window: “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second

start: ISO 8601 timestamp

end: ISO 8601 timestamp

Response

Code Description Content-Type Content
200 Successfully fetched events application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/events/ABCD1234-0000a98f-0000034c-00000000-1d5cb7ef5152b42/_search

Body

  
{
  "criteria": {
  	"event_type": ["netconn"]
  },
  "query": "netconn_action:ACTION_CONNECTION_CREATE OR netconn_action:ACTION_CONNECTION_ESTABLISHED",
  "fields": ["*"],
  "time_range": {
    "end": "2020-01-27T18:34:04Z",
    "start": "2020-01-18T18:34:04Z"
  }
}

Response

  
{
    "results": [
        {
            "backend_timestamp": "2020-01-23T22:48:14.099Z",
            "created_timestamp": "2020-01-30T21:11:29.490Z",
            "enriched": true,
            "enriched_event_type": "NETWORK",
            "event_description": "The application \"<share><link hash=\"1030ce4102dac701fab043e40444e8f6c96c8c04b5bd512a59e1a4999d22b38c\">C:\\windows\\system32\\svchost.exe</link></share>\" attempted to establish a <accent>TCP/443</accent> connection to <share><accent>20.36.218.63</accent></share><accent>:443</accent> from <share><accent>12.34.56.78</accent></share><accent>:57503</accent>. The device was off the corporate network using the public address <accent>34.56.78.90</accent>. The operation was blocked by the operating system.",
            "event_guid": "U_xc-0FeSu-77aY2CSKgXA",
            "event_hash": "a78709ea459e525d30ab9ddc89b1ce6c",
            "event_timestamp": "2020-01-23T22:45:41.207Z",
            "event_type": "netconn",
            "legacy": true,
            "legacy_description": "The application \"<share><link hash=\"1030ce4102dac701fab043e40444e8f6c96c8c04b5bd512a59e1a4999d22b38c\">C:\\windows\\system32\\svchost.exe</link></share>\" attempted to establish a <accent>TCP/443</accent> connection to <share><accent>20.36.218.63</accent></share><accent>:443</accent> from <share><accent>12.34.56.78</accent></share><accent>:57503</accent>. The device was off the corporate network using the public address <accent>34.56.78.90</accent>. The operation was blocked by the operating system.",
            "netconn_action": "ACTION_CONNECTION_CREATE",
            "netconn_inbound": false,
            "netconn_local_ipv4": 181543190,
            "netconn_local_port": 57503,
            "netconn_protocol": "PROTO_TCP",
            "netconn_remote_ipv4": 337959487,
            "netconn_remote_port": 443,
            "process_guid": "ABCD1234-003d630d-0000041c-0000041c-1d5abbc325c58b4",
            "process_pid": 1052
        },
        ...
      ],
      "num_found": 6,
      "num_available": 6,
      "total_segments": 13,
      "processed_segments": 13
}

Get Events Facet Associated with a Process (v2)

Get facets for the events associated with the specified process. A facet provides statistics indicating the relative weighting of values for the specified terms.

Note: This is an asynchronous request, you must resubmit the request until processed_segments is equal to total_segments in order to receive the full results

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events READ

Request

POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/events/{process_guid}/_facet

Body

  
{
    "criteria": "<object>",
    "exclusions": "<object>",
    "query": "<string>",
    "ranges": [
        {
            "bucket_size": "<object>",
            "end": "<object>",
            "field": "<string>",
            "start": "<object>"
        }
    ],
    "terms": {
        "fields": [
            "<string>"
        ],
        "rows": "<long>"
    },
    "time_range": {
        "end": "<string>",
        "start": "<string>",
        "window": "<string>"
    }
}

Body Schema

Field Definition Data Type Values
criteria Criteria is an object that represents values that must be in the results. Either query or criteria/exclusion must be included. Object
{
  "process_name": [
    "chrome.exe"
  ]
}
Additional fields at Platform Search Fields
exclusions Exclusions is a map that represents values that must not be in the results. Either query or criteria/exclusion must be included. Object
{
  "process_name": [
    "chrome.exe"
  ]
}
Additional fields at Platform Search Fields
query Query in lucene syntax and/or including value searches. Either query or criteria/exclusion must be included. String N/A
ranges Allows grouping for properties that are ISO 8601 timestamps or numbers. Bucket size for ISO 8601 timestamps uses SOLR DateMathParser Array
[{
  "bucket_size": 100,
  "end": 100,
  "field": "process_duration",
  "start": 0
}]
or
[{
  "bucket_size": "+1DAY",
  "end": "2020-01-21T18:34:04Z",
  "field": "process_start_time",
  "start": "2020-01-18T18:34:04Z"
}]
terms The events fields to facet and how many of the top entries to return. Object
{
  "fields": [
    "process_name"
  ],
  "rows": 100
}
Default: 100
time_range Describes a time window to restrict the search to match using device_timestamp as the reference. Window will take priority over start and end if provided. Object
{
  "end": "2020-01-21T18:34:04Z",
  "start": "2020-01-18T18:34:04Z",
  "window": "-2w"
}
window: “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second

start: ISO 8601 timestamp

end: ISO 8601 timestamp

Response

Code Description Content-Type Content
200 Successfully fetched event facets application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/events/ABCD1234-0000a98f-0000034c-00000000-1d5cb7ef5152b42/_facet

Body

  
{
  "query": "*:*",
  "ranges": [
      {
          "bucket_size": "+12HOUR",
          "end": "2020-08-31T11:19:37Z",
          "field": "device_timestamp",
          "start": "2020-08-29T00:00:00Z"
      }
  ],
  "terms": {
    "fields": [
      "event_type"
    ],
    "rows": 10
  },
  "time_range": {
    "end": "2020-08-31T11:19:37Z",
    "start": "2020-08-29T00:00:00Z"
  }
}

Response

  
{
    "ranges": [
        {
            "start": "2020-08-29T00:00:00Z",
            "end": "2020-08-31T12:00:00Z",
            "bucket_size": "+12HOUR",
            "field": "device_timestamp",
            "values": [
                {
                    "total": 9850,
                    "name": "2020-08-29T00:00:00Z"
                },
                {
                    "total": 9346,
                    "name": "2020-08-29T12:00:00Z"
                },
                {
                    "total": 9910,
                    "name": "2020-08-30T00:00:00Z"
                },
                {
                    "total": 8581,
                    "name": "2020-08-30T12:00:00Z"
                },
                {
                    "total": 8716,
                    "name": "2020-08-31T00:00:00Z"
                }
            ]
        }
    ],
    "terms": [
        {
            "values": [
                {
                    "total": 41517,
                    "id": "netconn",
                    "name": "netconn"
                },
                {
                    "total": 4829,
                    "id": "filemod",
                    "name": "filemod"
                },
                {
                    "total": 31,
                    "id": "crossproc",
                    "name": "crossproc"
                },
                {
                    "total": 26,
                    "id": "childproc",
                    "name": "childproc"
                }
            ],
            "field": "event_type"
        }
    ],
    "num_found": 46403,
    "total_segments": 23385,
    "processed_segments": 23385
}

Calls using Enterprise EDR Watchlist Features

These Process Search API calls are only available to Enterprise EDR customers.

Evaluate Processes for a Watchlist (v1)

Instructs the Carbon Black Cloud to look for “hits” across all processes reported for the organization’s endpoints within the time range for the given watchlist, report and IOC. Watchlist hits will be available in subsequent search results asynchronously and are not guaranteed to be visible directly after this call.

RBAC Permissions Required

Permission (.notation name) Operation(s)
org.search.events UPDATE

Request

POST {cbc-hostname}/api/investigate/v1/orgs/{org_key}/processes/watchlist_evaluation

Request Body

{
    "watchlist_id": "<string>",
    "report_id": "<string>",
    "cb.max_backend_timestamp": "<integer>",
    "cb.min_backend_timestamp": "<integer>",
    "ioc_id": "<string>"
}

Request Body Schema

Field Definition Data Type Values
watchlist_id REQUIRED Watchlist ID String N/A
report_id REQUIRED Report ID String N/A
ioc_id Indicator of compromise ID String N/A
cb.min_backend_timestamp Start time for the query Integer Epoch timestamp in milliseconds
Default: 0
cb.max_backend_timestamp End time for the query Integer Epoch timestamp in milliseconds

Response

Code Description Content-Type Content
204 Successfully evaluated and tagged processes application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
500 Internal Server Error N/A N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/processes/watchlist_evaluation

Body

{
    "watchlist_id": "b5LGY1CCTtyogVBUwTWLA",
    "report_id": "1"
}

Response

No content

Get Report Hits (v1)

Fetches report hits associated with a single process. This includes both ingress and query hits that are associated with the organization’s subscribed watchlists.

Request

GET {cbc-hostname}/api/investigate/v1/orgs/{org_key}/report_hits

Query Schema

Field Definition Data Type Values
process_guid REQUIRED Process GUID for which to get report hits String N/A
rows Number of report hits to get. Integer Default: 10

Response

Code Description Content-Type Content
200 Successfully fetched report hits application/json View example response below
400 The JSON body was malformed, or some part of the JSON body included an invalid value N/A N/A
403 Forbidden N/A N/A
500 Internal Server Error N/A N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/ABCD1234/report_hits?process_guid=ABCD1234-0000a98f-000013c8-00000000-1d5c4bc2bf4b39d&rows=1

Response

{
    "report_hits": {
      "lryC1EGShaTsb4bjxjLTQ-ipv4_iocs": [
        {
          "backend_timestamp": "2020-08-28T08:36:11.745Z",
          "device_timestamp": "2020-08-28T08:34:39.437Z",
          "hit_document_guids": [
              "2ybSlFnGQeCRP5Srn2WfqA"
          ],
          "iocs_field": "netconn_ipv4",
          "iocs_hit": "13.107.4.50",
          "iocs_id": "demo-ipv4",
          "report_id": "lryC1EGShaTsb4bjxjLTQ-ipv4_iocs",
          "report_link": "https://example.com",
          "report_severity": 5,
          "report_timestamp": "2020-08-02T10:56:39.437Z",
          "report_title": "IPV4 IOCs",
          "report_watchlists": [
              {
                  "alert": true,
                  "id": "7hpd1usTWaNG5lHfGmjVg",
                  "name": "Demo"
              }
          ]
        }
      ]
    }
  }
}

Troubleshooting & FAQ

What is a “Value Search”?

  • Platform Search supports either field:value syntax or what is called ‘value searches’ where the field name is not included e.g. where process_name:chrome.exe is a well-specified search query, a search merely for chrome.exe can return all those results as well as results where chrome.exe shows up in other fields that you didn’t have to know to specify.

What is a “hit”?

  • Enterprise EDR watchlists will report a “hit” on any process that matches on a specific IOC from one of the organization’s watchlists. These hits will be reported as process search results where the watchlist_hit field is included
  • These are separate from Alerts which are optionally reported for any watchlist hit generated by a subscribed Watchlist where “Enable Watchlist Alerts” has been set.
Last modified on October 7, 2020