CB ThreatHunter's process searches are asynchronous. To get results for a search you first start it with a POST to the processes/search_jobs route, which returns a query_id, and then fetch the results with a GET on processes/search_jobs/{{query_id}}/results. Both routes are documented below, along with the status and cancel routes that take the same query_id.
Most API routes require all three of the following headers; however, there are exceptions.
X-Auth-Token: required. This is your authentication token, in the form api_key/connector_id.
Content-Type: application/json
accept: application/json
<psc-hostname> is the parent URL for your PSC instance. {{org_key}} (or org_key) refers to your organization key, found on the PSC's APIs page.
This endpoint does a simple health check for the search service.
Request
GET <psc-hostname>/threathunter/search/health_check
Response
Code | Description | Content
---|---|---
200 | Service is available | None
Returns all events associated with the required parameter cb.process_guid.
Request
POST <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/events/_search
Parameters
These parameters are required in the request body:
cb.process_guid: Required. This is a process GUID, obtained from CB ThreatHunter.
q: Required. Setting this parameter to *:* allows you to query everything.
Body:
{
"search_params": {
"q": "*:*",
"cb.process_guid": "BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d"
}
}
Response
{
"response_header": {
"num_found": 1,
"num_available": 1,
"total_segments": 242,
"processed_segments": 242
},
"docs": [
{
"backend_timestamp": "2019-04-01T19:35:40.185Z",
"childproc_cmdline": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --field-trial-handle=1540,7846969548857954607,7659868123879754097,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=61023531599599 --mojo-platform-channel-handle=5000 --ignored=\" --type=renderer \" /prefetch:8",
"childproc_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
"childproc_process_guid": "BOSTON7-00004763-000015ac-00000000-1d4e4a516131954",
"childproc_reputation": "REP_WHITE",
"childproc_sha256": "fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad",
"childproc_username": "WIN10-\\bit9",
"created_timestamp": "2019-04-04T14:49:08.057Z",
"event_guid": "bqQyVaZIQoGDeCpsgqrnew",
"event_hash": "3c863a7610ce2142b2cc38a893ed68d4",
"event_timestamp": "2019-03-27T13:57:59.168Z",
"event_type": "childproc",
"legacy": true,
"legacy_description": "The application \"<share><link hash=\"fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\" invoked the application \"<share><link hash=\"fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\". ",
"process_guid": "BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d"
}
],
"facet_counts": {
"facet_fields": {},
"facet_queries": {},
"facet_ranges": {},
"facet_intervals": {},
"num_found": 0
}
}
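The legacy_description (and, in the process search results, event_description) fields above wrap every file reference in <share><link hash="SHA256">path</link></share> markup. The following added Python example, which is not part of this page or of any Carbon Black SDK, pulls the hash/path pairs out of such a string and produces a plain-text version; the sample string is constructed from the childproc event shown above.

```python
import re

# File references in legacy_description / event_description look like
# <share><link hash="<64 hex chars>">C:\path\to\file</link></share>; capture hash and path.
LINK_RE = re.compile(r'<share><link hash="([0-9a-fA-F]{64})">(.*?)</link></share>', re.DOTALL)


def extract_file_refs(description: str) -> list:
    """Return (sha256, path) pairs in the order they appear in the description."""
    return [(digest.lower(), path) for digest, path in LINK_RE.findall(description)]


def unique_hashes(description: str) -> set:
    """Distinct SHA-256 values referenced by the description (handy for hash lookups)."""
    return {digest for digest, _ in extract_file_refs(description)}


def strip_markup(description: str) -> str:
    """Replace each link element with its bare path, giving plain text for logs or tickets."""
    return LINK_RE.sub(r"\2", description).strip()


# Constructed sample: the legacy_description of the childproc event shown above.
SAMPLE_DESCRIPTION = (
    'The application "<share><link hash="fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad">'
    'C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>" invoked the application '
    '"<share><link hash="fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad">'
    'C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>". '
)

if __name__ == "__main__":
    for sha256, path in extract_file_refs(SAMPLE_DESCRIPTION):
        print(sha256, path)
    print(strip_markup(SAMPLE_DESCRIPTION))
```

The regex insists on a 64-character hex digest, so a malformed or truncated link element is left untouched rather than silently producing a bad hash.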
Validates an event search query.
Request
GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/events/search_validation?q="alert_id:ALBPZQR3"
Parameters
q: Required. Query to validate.
cb.min_backend_timestamp: start time for the query
cb.max_backend_timestamp: end time for the query
Response
{"valid":true}
Provides suggestions to complete an event search.
Request
GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/events/search_suggestions?suggest.q=pro&suggest.count=10
Parameters
suggest.q: Required. Query to generate suggestions for.
suggest.count: Number of suggestions to return.
Response
{
"suggestions": [
{
"term": "process_guid",
"weight": 100
},
{
"term": "childproc_childproc_count",
"weight": 90
},
{
"term": "childproc_cmdline",
"weight": 90
},
{
"term": "childproc_crossproc_actor_count",
"weight": 90
},
{
"term": "childproc_crossproc_target_count",
"weight": 90
},
{
"term": "childproc_filemod_count",
"weight": 90
},
{
"term": "childproc_md5",
"weight": 90
},
{
"term": "childproc_modload_count",
"weight": 90
},
{
"term": "childproc_name",
"weight": 90
},
{
"term": "childproc_netconn_count",
"weight": 90
}
]
}
Retrieves the lower and upper time limits (epoch milliseconds) for data available in the given org_key.
Request
GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/limits
Response
{
"time_bounds": {
"lower": 1553529591856,
"upper": 1554147375527
}
}
Retrieve a list of all available process result sets from the API.
Request
GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_jobs
Response
The response body combines org_key/query_id.
{
"query_ids": [
"BOSTON7/027937f5-a5d9-40f1-86b9-4dcd165d5dfe",
"BOSTON7/02a21556-6eef-4d78-9479-c3ba618362a1",
"BOSTON7/02dc0d0d-5559-4e20-9b16-6f514a04de51",
"BOSTON7/032b1204-6cc6-46ec-a18e-28cedf4caea8",
"BOSTON7/040fddfc-ee23-4ef0-9761-ae114dac9867",
"BOSTON7/043ab29e-01f3-497c-93ff-d1f43b849336",
"BOSTON7/04a8ecd7-cfe5-41f5-a6e7-7052916c04ce",
"BOSTON7/0d23b67c-3f6e-42e5-9619-237e675fa575",
"BOSTON7/0dce30c5-115b-4c28-a38b-79a603db0fca",
"BOSTON7/0dfc64ea-ca6f-4f93-976c-ed98b97abc06",
"BOSTON7/0e2402cd-07b5-468e-a2f2-aa1bd779f929"
]
}
Initiate an asynchronous process search. This request will respond with a query_id, which can be used to fetch the results of this search.
Request
POST <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_jobs
Body:
{"search_params": {"q": "*:*"}}
Response
{
"query_id": "5e7a401f-21a3-4675-9a55-24508cc5f3a1",
"query": {
"cb.max_backend_timestamp": 1554429214000,
"cb.max_device_timestamp": 1554429214000,
"cb.min_backend_timestamp": 0,
"cb.min_device_timestamp": 0,
"q": "*:*",
"rows": 500,
"start": 0
}
}
Retrieve results for a process search for a given query_id after you start a search.
Request
GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_jobs/{{query_id}}/results
Response
{
"query_id": "5e7a401f-21a3-4675-9a55-24508cc5f3a1",
"response_header": {
"num_found": 18621,
"num_available": 1000,
"searchers_meta": {
"contacted": 2,
"completed": 2
},
"start_time": 0,
"end_time": 1554429214000
},
"data": [
{
"backend_timestamp": "2019-04-01T19:35:20.461Z",
"childproc_count": 0,
"crossproc_count": 0,
"device_id": 18275,
"device_name": "jalapeno-win10-pepper",
"device_timestamp": "2019-03-25T17:16:33.804Z",
"event_description": "The file \"<share><link hash=\"01dc1266c53b75f38656512a7a03dd5e3958e1bedb5f67fb64e2a3f79bc67d78\">C:\\$windows.~bt\\newos\\windows\\winsxs\\amd64_dual_mdmnis1u.inf_31bf3856ad364e35_10.0.17134.1_none_78bb5023c53f482a\\mdmnis1u.inf</link></share>\" was first detected on a local disk. The device was off the corporate network using the public address 98.122.36.116 (located in Blythewood SC, United States). The file is not signed. The file was created by the application \"<share><link hash=\"be04cbe6a367123fc36f675359683b9713f7ff354987ecf28540a780faaa7f03\">C:\\$windows.~bt\\sources\\setuphost.exe</link></share>\".",
"filemod_count": 0,
"kinesis_partition_id": "BOSTON7:0",
"legacy": true,
"modload_count": 0,
"netconn_count": 0,
"org_id": "BOSTON7",
"org_size_perc": 1,
"parent_guid": "BOSTON7-00004763-00000dd0-00000000-1d4e32b25021b75",
"parent_pid": 3536,
"partition_id": 0,
"process_guid": "BOSTON7-00004763-00000298-00000000-1d4e32b26631de4",
"process_hash": [
"5d96ae8615d5411f1a3d4d17e97bed3b",
"be04cbe6a367123fc36f675359683b9713f7ff354987ecf28540a780faaa7f03"
],
"process_name": "c:\\$windows.~bt\\sources\\setuphost.exe",
"process_pid": [
664
],
"process_terminated": false,
"process_username": [
"NT AUTHORITY\\SYSTEM"
],
"regmod_count": 0,
"scriptload_count": 0
},
{
"backend_timestamp": "2019-04-01T19:35:20.461Z",
"childproc_count": 0,
"crossproc_count": 0,
"device_id": 18275,
"device_name": "jalapeno-win10-pepper",
"device_timestamp": "2019-03-25T17:23:45.230Z",
"event_description": "The file \"<share><link hash=\"9bef963b0030921f70c3ddf46eff6e315b2d6fb0d7cc2fc47551983657e94402\">C:\\$windows.~bt\\newos\\windows\\winsxs\\amd64_microsoft-windows-timezone-sync_31bf3856ad364e35_10.0.17134.1_none_74b17c3b897f3ad9\\tzsync.exe</link></share>\" was first detected on a local disk. The device was off the corporate network using the public address 98.122.36.116 (located in Blythewood SC, United States). The file is not signed. The file was created by the application \"<share><link hash=\"be04cbe6a367123fc36f675359683b9713f7ff354987ecf28540a780faaa7f03\">C:\\$windows.~bt\\sources\\setuphost.exe</link></share>\".",
"filemod_count": 0,
"kinesis_partition_id": "BOSTON7:0",
"legacy": true,
"modload_count": 0,
"netconn_count": 0,
"org_id": "BOSTON7",
"org_size_perc": 1,
"parent_guid": "BOSTON7-00004763-00000dd0-00000000-1d4e32b25021b75",
"parent_pid": 3536,
"partition_id": 0,
"process_guid": "BOSTON7-00004763-00000298-00000000-1d4e32b26631de4",
"process_hash": [
"1c46a81ea1ea413a4fbde1fdbf71becc",
"be04cbe6a367123fc36f675359683b9713f7ff354987ecf28540a780faaa7f03"
],
"process_name": "c:\\$windows.~bt\\sources\\setuphost.exe",
"process_pid": [
664
],
"process_terminated": false,
"process_username": [
"NT AUTHORITY\\SYSTEM"
],
"regmod_count": 0,
"scriptload_count": 0
}
],
"facets": {
"facet_fields": {},
"facet_queries": {},
"facet_ranges": {},
"facet_intervals": {},
"num_found": 0
}
}
Cancel the process search for a given query_id. This is useful if a long-running query needs to be modified and restarted.
Example query_id: 0e2402cd-07b5-468e-a2f2-aa1bd779f929
Request
DELETE <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_jobs/{{query_id}}
Response
Process result deleted
Get the status of a process search request with the given query_id.
Example query_id: 0e2402cd-07b5-468e-a2f2-aa1bd779f929
Request
GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_jobs/{{query_id}}
Response
{
"contacted": 2,
"completed": 2
}
Get suggestions for a given process search.
Request
GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_suggestions?suggest.q=pro&suggest.count=10
Parameters
suggest.q: Required. Query to generate suggestions for.
suggest.count: Number of suggestions to return.
Response
{
"suggestions": [
{
"term": "process_name",
"weight": 200
},
{
"term": "process_cmdline",
"weight": 100
},
{
"term": "process_duration",
"weight": 100
},
{
"term": "process_effective_reputation",
"weight": 100
},
{
"term": "process_file_description",
"weight": 100
},
{
"term": "process_guid",
"weight": 100
},
{
"term": "process_hash",
"weight": 100
},
{
"term": "process_original_filename",
"weight": 100
},
{
"term": "process_pid",
"weight": 100
},
{
"term": "process_product_name",
"weight": 100
}
]
}
Validate a process search query.
Request
GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_validation?q=process_name:chrome.exe
Parameters
q: Required. Query to validate.
cb.min_backend_timestamp: start time for the query
cb.max_backend_timestamp: end time for the query
Response
{
"valid": true,
"value_search_query": false
}
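The full round trip across the process search routes above (start a job, poll its status, read the results, cancel it on timeout), with the search_validation check just described run first, as an added Python example. This is not code from this page or from a Carbon Black SDK. The hostname https://psc.example, the credential placeholders and the FakeTransport responses are constructed so the example runs offline; the rule that a job is finished once completed equals contacted (and contacted is greater than zero) is an assumption read off the status response shown above, not something the page states.

```python
import json
import time
import urllib.parse
import urllib.request


class ThreatHunterProcessSearch:
    """Client for the asynchronous process search routes on this page. transport(method, url, body)
    is the only I/O: the default uses urllib, and a fake is injected below for offline use."""

    def __init__(self, psc_hostname, org_key, api_key, connector_id, transport=None):
        self.base = f"{psc_hostname}/threathunter/search/v1/orgs/{org_key}"
        # The three headers the page says most routes require; the token is api_key/connector_id.
        self.headers = {"X-Auth-Token": f"{api_key}/{connector_id}",
                        "Content-Type": "application/json", "accept": "application/json"}
        self.transport = transport or self._http

    def _http(self, method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def validate(self, q):
        qs = urllib.parse.urlencode({"q": q})
        return self.transport("GET", f"{self.base}/processes/search_validation?{qs}", None)

    def start(self, q, **search_params):
        body = {"search_params": {"q": q, **search_params}}
        return self.transport("POST", f"{self.base}/processes/search_jobs", body)["query_id"]

    def status(self, query_id):
        return self.transport("GET", f"{self.base}/processes/search_jobs/{query_id}", None)

    def results(self, query_id):
        return self.transport("GET", f"{self.base}/processes/search_jobs/{query_id}/results", None)

    def cancel(self, query_id):
        return self.transport("DELETE", f"{self.base}/processes/search_jobs/{query_id}", None)

    def wait(self, query_id, timeout_s=60.0, poll_s=1.0, sleep=time.sleep):
        """Poll the status route until every contacted searcher reports completed.
        Assumption (not stated on the page): contacted == 0 means the job is not scheduled yet."""
        deadline = time.monotonic() + timeout_s
        while True:
            st = self.status(query_id)
            if st.get("contacted", 0) > 0 and st.get("completed", 0) >= st["contacted"]:
                return st
            if time.monotonic() >= deadline:
                self.cancel(query_id)  # release the server-side result set before giving up
                raise TimeoutError(f"search {query_id} still running after {timeout_s}s")
            sleep(poll_s)

    def search(self, q, timeout_s=60.0, sleep=time.sleep, **search_params):
        """validate -> start -> poll -> results: the full round trip for one query."""
        verdict = self.validate(q)
        if not verdict.get("valid"):
            raise ValueError(f"query rejected by search_validation: {verdict}")
        query_id = self.start(q, **search_params)
        self.wait(query_id, timeout_s=timeout_s, sleep=sleep)
        return self.results(query_id)


class FakeTransport:
    """Constructed stand-in for HTTP, answering with responses shaped like the ones on this page.
    The first status poll reports the job as still running; with stuck=True it never finishes."""
    QUERY_ID = "5e7a401f-21a3-4675-9a55-24508cc5f3a1"

    def __init__(self, stuck=False):
        self.stuck, self.calls, self.polls = stuck, [], 0

    def __call__(self, method, url, body):
        path = "/" + url.split("/orgs/", 1)[1].split("/", 1)[1]  # strip host and org_key
        self.calls.append(f"{method} {path}")
        if "/search_validation?" in path:
            return {"valid": True, "value_search_query": False}
        if method == "POST" and path.endswith("/search_jobs"):
            return {"query_id": self.QUERY_ID, "query": dict(body["search_params"], rows=500, start=0)}
        if path.endswith("/results"):
            return {"query_id": self.QUERY_ID,
                    "response_header": {"num_found": 1, "num_available": 1,
                                        "searchers_meta": {"contacted": 2, "completed": 2}},
                    "data": [{"process_guid": "BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d",
                              "process_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
                              "device_name": "jalapeno-win10-pepper"}]}
        if method == "DELETE":
            return {}
        self.polls += 1  # anything else is the status route
        return {"contacted": 2, "completed": 2 if self.polls > 1 and not self.stuck else 1}


def demo(stuck=False):
    """Run one search offline; returns (results or None on timeout, list of 'METHOD path' calls)."""
    fake = FakeTransport(stuck=stuck)
    client = ThreatHunterProcessSearch("https://psc.example", "BOSTON7", "API_KEY",
                                       "CONNECTOR_ID", transport=fake)
    try:
        hits = client.search("process_name:chrome.exe", timeout_s=0.0 if stuck else 5.0,
                             sleep=lambda _s: None)
    except TimeoutError:
        hits = None
    return hits, fake.calls


if __name__ == "__main__":
    hits, calls = demo()
    print("\n".join(calls))
    print(hits["response_header"]["num_found"], "process(es) found")
```

Two details worth keeping when adapting this: num_found in the results header can exceed num_available (18621 versus 1000 in the sample above), so a caller that needs everything must page with the rows/start parameters echoed back in the start response; and cancelling on timeout matters because every started job remains listed under processes/search_jobs until it is deleted.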
Retrieve a process summary for a given process_guid.
Request
GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/summary?process_guid=BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d
Parameters
process_guid: Required. Process GUID that should represent the main node of the tree
parent_guid: Parent process for the main node process
Response
{
"incomplete_results": false,
"process": {
"_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169c0594afd:1e94d:1204",
"backend_timestamp": "2019-03-27T18:11:11.228Z",
"childproc_count": 91,
"crossproc_count": 22,
"device_external_ip": "98.122.36.116",
"device_id": 18275,
"device_internal_ip": "",
"device_name": "jalapeno-win10-pepper",
"device_os": "WINDOWS",
"device_timestamp": "2019-03-27T18:10:01.822Z",
"filemod_count": 2265,
"kinesis_partition_id": "BOSTON7:0",
"modload_count": 77,
"netconn_count": 578,
"org_id": "BOSTON7",
"org_size_perc": 1,
"parent_guid": "BOSTON7-00004763-00000e9c-00000000-1d4e426506df1de",
"parent_hash": [
"850b6af15c5a918bb9fa89cc30c24bdd72024332885114a86d8decaab0477fda",
"93417f0672ebc2b0f3fb8539e7cd1938"
],
"parent_name": "c:\\windows\\explorer.exe",
"parent_pid": 3740,
"partition_id": 0,
"process_cmdline": [
"\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" "
],
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_guid": "BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d",
"process_hash": [
"5fc079f87ed93c7680e531efc4801ea6",
"fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad"
],
"process_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
"process_pid": [
5840
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_terminated": false,
"process_username": [
"jalapeno-WIN10-\\bit9se"
],
"regmod_count": 120,
"scriptload_count": 0
},
"siblings": [
{
"_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169bc34d38e:12d68a:168ba",
"backend_timestamp": "2019-03-26T22:52:52.493Z",
"childproc_count": 1,
"crossproc_count": 5,
"device_external_ip": "98.122.36.116",
"device_id": 18275,
"device_internal_ip": "",
"device_name": "jalapeno-win10-pepper",
"device_os": "WINDOWS",
"device_timestamp": "2019-03-26T22:50:42.381Z",
"filemod_count": 43,
"kinesis_partition_id": "BOSTON7:0",
"modload_count": 46,
"netconn_count": 0,
"org_id": "BOSTON7",
"org_size_perc": 1,
"parent_guid": "BOSTON7-00004763-00000e9c-00000000-1d4e426506df1de",
"parent_hash": [
"850b6af15c5a918bb9fa89cc30c24bdd72024332885114a86d8decaab0477fda",
"93417f0672ebc2b0f3fb8539e7cd1938"
],
"parent_name": "c:\\windows\\explorer.exe",
"parent_pid": 3740,
"partition_id": 0,
"process_cmdline": [
"\"C:\\Windows\\System32\\ie4uinit.exe\" -UserConfig"
],
"process_effective_reputation": "LOCAL_WHITE",
"process_guid": "BOSTON7-00004763-00000eb0-00000000-1d4e42655dc64ef",
"process_hash": [
"cd5bb2bd300cc5bb9973c968b43fbefb",
"4ee7bf27fa8fc8f8ef16a2555403eefca227d6f173f0e6566a91e433e72df4e4"
],
"process_name": "c:\\windows\\system32\\ie4uinit.exe",
"process_pid": [
3760
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_terminated": true,
"process_username": [
"jalapeno-WIN10-\\bit9se"
],
"regmod_count": 207,
"scriptload_count": 0
}
],
"parent": {
"_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169c0594afd:20638:1c0b",
"backend_timestamp": "2019-03-27T18:11:11.228Z",
"childproc_count": 16,
"crossproc_count": 1238,
"device_external_ip": "98.122.36.116",
"device_id": 18275,
"device_internal_ip": "",
"device_name": "jalapeno-win10-pepper",
"device_os": "WINDOWS",
"device_timestamp": "2019-03-27T18:08:37.102Z",
"filemod_count": 181,
"kinesis_partition_id": "BOSTON7:0",
"modload_count": 816,
"netconn_count": 0,
"org_id": "BOSTON7",
"org_size_perc": 1,
"parent_guid": "BOSTON7-00004763-00000ed4-00000000-1d4e426504f4e5c",
"parent_hash": [
"46b72e05d0b9f489ca60dbd7361039b0",
"b5170d0e86b93d83c67636fe2c1207139cfcbc9114bbfd74d127cddcbd8fa114"
],
"parent_name": "c:\\windows\\system32\\userinit.exe",
"parent_pid": 3796,
"partition_id": 0,
"process_cmdline": [
"C:\\Windows\\Explorer.EXE"
],
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_guid": "BOSTON7-00004763-00000e9c-00000000-1d4e426506df1de",
"process_hash": [
"93417f0672ebc2b0f3fb8539e7cd1938",
"850b6af15c5a918bb9fa89cc30c24bdd72024332885114a86d8decaab0477fda"
],
"process_name": "c:\\windows\\explorer.exe",
"process_pid": [
3740
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_terminated": false,
"process_username": [
"jalapeno-WIN10-\\bit9se"
],
"regmod_count": 2492,
"scriptload_count": 0
},
"children": [
{
"_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169bc39878f:2252f5:6804",
"backend_timestamp": "2019-03-26T22:58:00.719Z",
"childproc_count": 0,
"crossproc_count": 6,
"device_external_ip": "98.122.36.116",
"device_id": 18275,
"device_internal_ip": "",
"device_name": "jalapeno-win10-pepper",
"device_os": "WINDOWS",
"device_timestamp": "2019-03-26T22:52:02.328Z",
"filemod_count": 0,
"kinesis_partition_id": "BOSTON7:0",
"modload_count": 42,
"netconn_count": 0,
"org_id": "BOSTON7",
"org_size_perc": 1,
"parent_guid": "BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d",
"parent_hash": [
"5fc079f87ed93c7680e531efc4801ea6",
"fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad"
],
"parent_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
"parent_pid": 5840,
"partition_id": 0,
"process_cmdline": [
"\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=gpu-process --field-trial-handle=1540,7846969548857954607,7659868123879754097,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=1531183726095469925 --mojo-platform-channel-handle=4716 /prefetch:2"
],
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_guid": "BOSTON7-00004763-000012ac-00000000-1d4e42686ba0a84",
"process_hash": [
"5fc079f87ed93c7680e531efc4801ea6",
"fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad"
],
"process_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
"process_pid": [
4780
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_terminated": true,
"process_username": [
"jalapeno-WIN10-\\bit9se"
],
"regmod_count": 5,
"scriptload_count": 0
}
]
}
Retrieve a process tree for a given process_guid.
Request
GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/tree?process_guid=BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d
Parameters
process_guid: Required. Process GUID that should represent the main node of the tree
parent_guid: Parent process for the main node process
Response
{
"incomplete_results": false,
"nodes": {
"_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169c0594afd:20638:1c0b",
"backend_timestamp": "2019-03-27T18:11:11.228Z",
"childproc_count": 16,
"children": [{
"_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169bc34d38e:12d68a:168ba",
"backend_timestamp": "2019-03-26T22:52:52.493Z",
"childproc_count": 1,
"crossproc_count": 5,
"device_external_ip": "98.122.36.116",
"device_id": 18275,
"device_internal_ip": "",
"device_name": "jalapeno-win10-pepper",
"device_os": "WINDOWS",
"device_timestamp": "2019-03-26T22:50:42.381Z",
"filemod_count": 43,
"kinesis_partition_id": "BOSTON7:0",
"modload_count": 46,
"netconn_count": 0,
"org_id": "BOSTON7",
"org_size_perc": 1,
"parent_guid": "BOSTON7-00004763-00000e9c-00000000-1d4e426506df1de",
"parent_hash": [
"850b6af15c5a918bb9fa89cc30c24bdd72024332885114a86d8decaab0477fda",
"93417f0672ebc2b0f3fb8539e7cd1938"
],
"parent_name": "c:\\windows\\explorer.exe",
"parent_pid": 3740,
"partition_id": 0,
"process_cmdline": [
"\"C:\\Windows\\System32\\ie4uinit.exe\" -UserConfig"
],
"process_effective_reputation": "LOCAL_WHITE",
"process_guid": "BOSTON7-00004763-00000eb0-00000000-1d4e42655dc64ef",
"process_hash": [
"cd5bb2bd300cc5bb9973c968b43fbefb",
"4ee7bf27fa8fc8f8ef16a2555403eefca227d6f173f0e6566a91e433e72df4e4"
],
"process_name": "c:\\windows\\system32\\ie4uinit.exe",
"process_pid": [
3760
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_terminated": true,
"process_username": [
"jalapeno-WIN10-\\bit9se"
],
"regmod_count": 207,
"scriptload_count": 0
},
{
"_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169c0594afd:1e94d:1204",
"backend_timestamp": "2019-03-27T18:11:11.228Z",
"childproc_count": 91,
"children": [{
"_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169bc39878f:2252f5:6804",
"backend_timestamp": "2019-03-26T22:58:00.719Z",
"childproc_count": 0,
"crossproc_count": 6,
"device_external_ip": "98.122.36.116",
"device_id": 18275,
"device_internal_ip": "",
"device_name": "jalapeno-win10-pepper",
"device_os": "WINDOWS",
"device_timestamp": "2019-03-26T22:52:02.328Z",
"filemod_count": 0,
"kinesis_partition_id": "BOSTON7:0",
"modload_count": 42,
"netconn_count": 0,
"org_id": "BOSTON7",
"org_size_perc": 1,
"parent_guid": "BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d",
"parent_hash": [
"5fc079f87ed93c7680e531efc4801ea6",
"fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad"
],
"parent_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
"parent_pid": 5840,
"partition_id": 0,
"process_cmdline": [
"\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=gpu-process --field-trial-handle=1540,7846969548857954607,7659868123879754097,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=1531183726095469925 --mojo-platform-channel-handle=4716 /prefetch:2"
],
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_guid": "BOSTON7-00004763-000012ac-00000000-1d4e42686ba0a84",
"process_hash": [
"5fc079f87ed93c7680e531efc4801ea6",
"fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad"
],
"process_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
"process_pid": [
4780
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_terminated": true,
"process_username": [
"jalapeno-WIN10-\\bit9se"
],
"regmod_count": 5,
"scriptload_count": 0
}],
"crossproc_count": 1238,
"device_external_ip": "98.122.36.116",
"device_id": 18275,
"device_internal_ip": "",
"device_name": "jalapeno-win10-pepper",
"device_os": "WINDOWS",
"device_timestamp": "2019-03-27T18:08:37.102Z",
"filemod_count": 181,
"kinesis_partition_id": "BOSTON7:0",
"modload_count": 816,
"netconn_count": 0,
"org_id": "BOSTON7",
"org_size_perc": 1,
"parent_guid": "BOSTON7-00004763-00000ed4-00000000-1d4e426504f4e5c",
"parent_hash": [
"46b72e05d0b9f489ca60dbd7361039b0",
"b5170d0e86b93d83c67636fe2c1207139cfcbc9114bbfd74d127cddcbd8fa114"
],
"parent_name": "c:\\windows\\system32\\userinit.exe",
"parent_pid": 3796,
"partition_id": 0,
"process_cmdline": [
"C:\\Windows\\Explorer.EXE"
],
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_guid": "BOSTON7-00004763-00000e9c-00000000-1d4e426506df1de",
"process_hash": [
"93417f0672ebc2b0f3fb8539e7cd1938",
"850b6af15c5a918bb9fa89cc30c24bdd72024332885114a86d8decaab0477fda"
],
"process_name": "c:\\windows\\explorer.exe",
"process_pid": [
3740
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_terminated": false,
"process_username": [
"jalapeno-WIN10-\\bit9se"
],
"regmod_count": 2492,
"scriptload_count": 0
}
]
}
}
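The tree response above nests processes under children, and its process_hash and parent_hash arrays list MD5 and SHA-256 in no fixed order (compare the parent block with its children). The following added Python example, not part of this page or of a Carbon Black SDK, walks such a tree, recovers the ancestry chain of one process_guid, separates the digests by length, and carries the incomplete_results flag through so a truncated tree is not mistaken for the whole picture. SAMPLE_TREE is the response above reduced to the fields the code uses.

```python
def walk(node, depth=0):
    """Depth-first over a `nodes` object from the tree route: yields (depth, node)."""
    yield depth, node
    for child in node.get("children", []):
        yield from walk(child, depth + 1)


def split_hashes(hashes):
    """Sort a process_hash / parent_hash array into MD5 and SHA-256 by digest length."""
    out = {"md5": None, "sha256": None}
    for h in hashes:
        if len(h) == 32:
            out["md5"] = h.lower()
        elif len(h) == 64:
            out["sha256"] = h.lower()
    return out


def ancestry(root, process_guid):
    """process_name path from the root node down to process_guid, or None if it is not in the tree."""
    def rec(node, path):
        path = path + [node["process_name"]]
        if node["process_guid"] == process_guid:
            return path
        for child in node.get("children", []):
            found = rec(child, path)
            if found:
                return found
        return None
    return rec(root, [])


def tree_report(response):
    """Render a tree response as indented lines; returns (lines, incomplete_results)."""
    lines = []
    for depth, n in walk(response["nodes"]):
        h = split_hashes(n.get("process_hash", []))
        lines.append(f"{'  ' * depth}{n['process_name']} pid={n['process_pid'][0]} "
                     f"user={n['process_username'][0]} sha256={h['sha256']}")
    return lines, bool(response.get("incomplete_results"))


# Constructed sample: the tree response above, reduced to the fields used here.
CHROME_SHA256 = "fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad"
SAMPLE_TREE = {
    "incomplete_results": False,
    "nodes": {
        "process_name": "c:\\windows\\explorer.exe", "process_pid": [3740],
        "process_guid": "BOSTON7-00004763-00000e9c-00000000-1d4e426506df1de",
        "process_username": ["jalapeno-WIN10-\\bit9se"],
        "process_hash": ["93417f0672ebc2b0f3fb8539e7cd1938",
                         "850b6af15c5a918bb9fa89cc30c24bdd72024332885114a86d8decaab0477fda"],
        "children": [
            {"process_name": "c:\\windows\\system32\\ie4uinit.exe", "process_pid": [3760],
             "process_guid": "BOSTON7-00004763-00000eb0-00000000-1d4e42655dc64ef",
             "process_username": ["jalapeno-WIN10-\\bit9se"],
             "process_hash": ["cd5bb2bd300cc5bb9973c968b43fbefb",
                              "4ee7bf27fa8fc8f8ef16a2555403eefca227d6f173f0e6566a91e433e72df4e4"]},
            {"process_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
             "process_pid": [5840],
             "process_guid": "BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d",
             "process_username": ["jalapeno-WIN10-\\bit9se"],
             "process_hash": ["5fc079f87ed93c7680e531efc4801ea6", CHROME_SHA256],
             "children": [
                 {"process_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
                  "process_pid": [4780],
                  "process_guid": "BOSTON7-00004763-000012ac-00000000-1d4e42686ba0a84",
                  "process_username": ["jalapeno-WIN10-\\bit9se"],
                  "process_hash": ["5fc079f87ed93c7680e531efc4801ea6", CHROME_SHA256]}]},
        ],
    },
}

if __name__ == "__main__":
    lines, incomplete = tree_report(SAMPLE_TREE)
    print("\n".join(lines))
    print("incomplete_results:", incomplete)
    print(" -> ".join(ancestry(SAMPLE_TREE["nodes"],
                                "BOSTON7-00004763-000012ac-00000000-1d4e42686ba0a84")))
```

Note that the root of nodes is the parent of the process_guid you asked for (explorer.exe here), so the requested process sits one level down; ancestry() therefore starts from the parent and ends at the target.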
Evaluate and tag processes for the given watchlist, report, and IOC.
Request
POST <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/watchlist_evaluation
Body Parameters
watchlist_id: Watchlist ID
report_id: Report ID
ioc_id: ID of an IOC
cb.max_backend_timestamp: Optional - latest backend timestamp to include.
cb.min_backend_timestamp: Optional - earliest backend timestamp to include.
Body
{
"watchlist_id": "b5LGY1CCTtyogVBUwTWLA",
"report_id": "1"
}
Response
Get report hits associated with a process.
Request
GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/report_hits?process_guid=BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d
Parameters
process_guid: Required. Process GUID for which to get report hits.
rows: Number of report hits to get.
Response
{
"report_hits": {}
}