Latest Updates: CB Predictive Security Cloud

Process Search API for CB ThreatHunter

Version: v1

Getting Started

CB ThreatHunter’s process searches are asynchronous. To get results you first start a search with POST .../processes/search_jobs, which returns a query_id; you then poll GET .../processes/search_jobs/{{query_id}} until every contacted searcher has completed, and fetch the rows with GET .../processes/search_jobs/{{query_id}}/results. Result sets remain listed under GET .../processes/search_jobs; remove the ones you no longer need with DELETE .../processes/search_jobs/{{query_id}}.

Common Headers

Most API routes require all three of the following headers, though there are exceptions.

  1. X-Auth-Token: required. This is your authentication token, in the form api_key/connector_id. Treat it as a secret: send it only over HTTPS and keep it out of logs and URLs.
  2. Content-Type: application/json
  3. accept: application/json

Note

  • <psc-hostname> is the base URL of your PSC instance.
  • {{org_key}} or org_key refers to your organization key found in the PSC’s APIs page.

Health Check

This endpoint does a simple health check for the search service.

RBAC Permissions Required

Permission (.notation name) Operation(s)
No Permissions Required N/A

Request

GET <psc-hostname>/threathunter/search/health_check

Response

Code Description Content
200 Service is available None

Get Events Associated with a Given Process

Returns all events associated with the process identified by the required parameter cb.process_guid.

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events READ

Request

POST <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/events/_search

Parameters

These parameters are required in the request body:

  • cb.process_guid: Required. This is a process GUID, obtained from CB ThreatHunter.
  • q: Required. *:* matches every event for the process; supply a narrower query to filter them.

Body

{
    "search_params": {
        "q": "*:*",
        "cb.process_guid": "BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d"
    }
}

Response

{
    "response_header": {
        "num_found": 1,
        "num_available": 1,
        "total_segments": 242,
        "processed_segments": 242
    },
    "docs": [
        {
            "backend_timestamp": "2019-04-01T19:35:40.185Z",
            "childproc_cmdline": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --field-trial-handle=1540,7846969548857954607,7659868123879754097,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=61023531599599 --mojo-platform-channel-handle=5000 --ignored=\" --type=renderer \" /prefetch:8",
            "childproc_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
            "childproc_process_guid": "BOSTON7-00004763-000015ac-00000000-1d4e4a516131954",
            "childproc_reputation": "REP_WHITE",
            "childproc_sha256": "fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad",
            "childproc_username": "WIN10-\\bit9",
            "created_timestamp": "2019-04-04T14:49:08.057Z",
            "event_guid": "bqQyVaZIQoGDeCpsgqrnew",
            "event_hash": "3c863a7610ce2142b2cc38a893ed68d4",
            "event_timestamp": "2019-03-27T13:57:59.168Z",
            "event_type": "childproc",
            "legacy": true,
            "legacy_description": "The application \"<share><link hash=\"fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\" invoked the application \"<share><link hash=\"fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad\">C:\\program files (x86)\\google\\chrome\\application\\chrome.exe</link></share>\". ",
            "process_guid": "BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d"
        }
    ],
    "facet_counts": {
        "facet_fields": {},
        "facet_queries": {},
        "facet_ranges": {},
        "facet_intervals": {},
        "num_found": 0
    }
}

Get Validation for Event Search

Validates an event search query.

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events READ

Request

GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/events/search_validation?q="alert_id:ALBPZQR3"

Parameters

  • q: Required. Query to validate.
  • cb.min_backend_timestamp: Optional. Earliest backend timestamp to include (epoch milliseconds).
  • cb.max_backend_timestamp: Optional. Latest backend timestamp to include (epoch milliseconds).

Response

{"valid":true}

Get Suggestions for Event Searching

Provides suggestions to complete an event search.

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events READ

Request

GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/events/search_suggestions?suggest.q=pro&suggest.count=10

Parameters

  • suggest.q: Required. Query to generate suggestions for.
  • suggest.count: Number of suggestions to return.

Response

{
    "suggestions": [
        {
            "term": "process_guid",
            "weight": 100
        },
        {
            "term": "childproc_childproc_count",
            "weight": 90
        },
        {
            "term": "childproc_cmdline",
            "weight": 90
        },
        {
            "term": "childproc_crossproc_actor_count",
            "weight": 90
        },
        {
            "term": "childproc_crossproc_target_count",
            "weight": 90
        },
        {
            "term": "childproc_filemod_count",
            "weight": 90
        },
        {
            "term": "childproc_md5",
            "weight": 90
        },
        {
            "term": "childproc_modload_count",
            "weight": 90
        },
        {
            "term": "childproc_name",
            "weight": 90
        },
        {
            "term": "childproc_netconn_count",
            "weight": 90
        }
    ]
}

Get Time Limits for Available Data

Retrieves the lower and upper time limits (epoch milliseconds) for data available in the given org_key. Use them to bound cb.min_backend_timestamp and cb.max_backend_timestamp so a search does not request a window that holds no data.

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events READ

Request

GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/limits

Response

{
    "time_bounds": {
        "lower": 1553529591856,
        "upper": 1554147375527
    }
}

Get a List of All Available Process Result Sets

Retrieve a list of all available process result sets from the API.

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events READ

Request

GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_jobs

Response

Each entry in query_ids has the form org_key/query_id. Only the part after the slash is the query_id accepted by the search_jobs routes below.

{
    "query_ids": [
        "BOSTON7/027937f5-a5d9-40f1-86b9-4dcd165d5dfe",
        "BOSTON7/02a21556-6eef-4d78-9479-c3ba618362a1",
        "BOSTON7/02dc0d0d-5559-4e20-9b16-6f514a04de51",
        "BOSTON7/032b1204-6cc6-46ec-a18e-28cedf4caea8",
        "BOSTON7/040fddfc-ee23-4ef0-9761-ae114dac9867",
        "BOSTON7/043ab29e-01f3-497c-93ff-d1f43b849336",
        "BOSTON7/04a8ecd7-cfe5-41f5-a6e7-7052916c04ce",
        "BOSTON7/0d23b67c-3f6e-42e5-9619-237e675fa575",
        "BOSTON7/0dce30c5-115b-4c28-a38b-79a603db0fca",
        "BOSTON7/0dfc64ea-ca6f-4f93-976c-ed98b97abc06",
        "BOSTON7/0e2402cd-07b5-468e-a2f2-aa1bd779f929"
    ]
}

Start an Asynchronous Process Search

Initiate an asynchronous process search. The request body carries search_params, of which q is required; cb.min_backend_timestamp, cb.max_backend_timestamp, cb.min_device_timestamp and cb.max_device_timestamp (epoch milliseconds) bound the search, and rows and start are the page size and offset. The response returns a query_id for fetching the results and echoes the effective query, including the defaults applied where the body did not set a value.

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events CREATE

Request

POST <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_jobs
Body:
{"search_params": {"q": "*:*"}}

Response

{
    "query_id": "5e7a401f-21a3-4675-9a55-24508cc5f3a1",
    "query": {
        "cb.max_backend_timestamp": 1554429214000,
        "cb.max_device_timestamp": 1554429214000,
        "cb.min_backend_timestamp": 0,
        "cb.min_device_timestamp": 0,
        "q": "*:*",
        "rows": 500,
        "start": 0
    }
}

Get Process Results

Retrieve results for a process search for a given query_id after you start a search. In response_header, num_found is the total number of matching rows and num_available is the number retrievable from this result set (18621 versus 1000 in the sample), so a large search should be narrowed by query or time window rather than assumed complete. searchers_meta reports how many searchers were contacted and how many have completed; the result set is final only once those two values are equal.

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events READ

Request

GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_jobs/{{query_id}}/results

Response

{
    "query_id": "5e7a401f-21a3-4675-9a55-24508cc5f3a1",
    "response_header": {
        "num_found": 18621,
        "num_available": 1000,
        "searchers_meta": {
            "contacted": 2,
            "completed": 2
        },
        "start_time": 0,
        "end_time": 1554429214000
    },
    "data": [
        {
            "backend_timestamp": "2019-04-01T19:35:20.461Z",
            "childproc_count": 0,
            "crossproc_count": 0,
            "device_id": 18275,
            "device_name": "jalapeno-win10-pepper",
            "device_timestamp": "2019-03-25T17:16:33.804Z",
            "event_description": "The file \"<share><link hash=\"01dc1266c53b75f38656512a7a03dd5e3958e1bedb5f67fb64e2a3f79bc67d78\">C:\\$windows.~bt\\newos\\windows\\winsxs\\amd64_dual_mdmnis1u.inf_31bf3856ad364e35_10.0.17134.1_none_78bb5023c53f482a\\mdmnis1u.inf</link></share>\" was first detected on a local disk. The device was off the corporate network using the public address 98.122.36.116 (located in Blythewood SC, United States). The file is not signed.  The file was created by the application \"<share><link hash=\"be04cbe6a367123fc36f675359683b9713f7ff354987ecf28540a780faaa7f03\">C:\\$windows.~bt\\sources\\setuphost.exe</link></share>\".",
            "filemod_count": 0,
            "kinesis_partition_id": "BOSTON7:0",
            "legacy": true,
            "modload_count": 0,
            "netconn_count": 0,
            "org_id": "BOSTON7",
            "org_size_perc": 1,
            "parent_guid": "BOSTON7-00004763-00000dd0-00000000-1d4e32b25021b75",
            "parent_pid": 3536,
            "partition_id": 0,
            "process_guid": "BOSTON7-00004763-00000298-00000000-1d4e32b26631de4",
            "process_hash": [
                "5d96ae8615d5411f1a3d4d17e97bed3b",
                "be04cbe6a367123fc36f675359683b9713f7ff354987ecf28540a780faaa7f03"
            ],
            "process_name": "c:\\$windows.~bt\\sources\\setuphost.exe",
            "process_pid": [
                664
            ],
            "process_terminated": false,
            "process_username": [
                "NT AUTHORITY\\SYSTEM"
            ],
            "regmod_count": 0,
            "scriptload_count": 0
        },
        {
            "backend_timestamp": "2019-04-01T19:35:20.461Z",
            "childproc_count": 0,
            "crossproc_count": 0,
            "device_id": 18275,
            "device_name": "jalapeno-win10-pepper",
            "device_timestamp": "2019-03-25T17:23:45.230Z",
            "event_description": "The file \"<share><link hash=\"9bef963b0030921f70c3ddf46eff6e315b2d6fb0d7cc2fc47551983657e94402\">C:\\$windows.~bt\\newos\\windows\\winsxs\\amd64_microsoft-windows-timezone-sync_31bf3856ad364e35_10.0.17134.1_none_74b17c3b897f3ad9\\tzsync.exe</link></share>\" was first detected on a local disk. The device was off the corporate network using the public address 98.122.36.116 (located in Blythewood SC, United States). The file is not signed.  The file was created by the application \"<share><link hash=\"be04cbe6a367123fc36f675359683b9713f7ff354987ecf28540a780faaa7f03\">C:\\$windows.~bt\\sources\\setuphost.exe</link></share>\".",
            "filemod_count": 0,
            "kinesis_partition_id": "BOSTON7:0",
            "legacy": true,
            "modload_count": 0,
            "netconn_count": 0,
            "org_id": "BOSTON7",
            "org_size_perc": 1,
            "parent_guid": "BOSTON7-00004763-00000dd0-00000000-1d4e32b25021b75",
            "parent_pid": 3536,
            "partition_id": 0,
            "process_guid": "BOSTON7-00004763-00000298-00000000-1d4e32b26631de4",
            "process_hash": [
                "1c46a81ea1ea413a4fbde1fdbf71becc",
                "be04cbe6a367123fc36f675359683b9713f7ff354987ecf28540a780faaa7f03"
            ],
            "process_name": "c:\\$windows.~bt\\sources\\setuphost.exe",
            "process_pid": [
                664
            ],
            "process_terminated": false,
            "process_username": [
                "NT AUTHORITY\\SYSTEM"
            ],
            "regmod_count": 0,
            "scriptload_count": 0
        }
    ],
    "facets": {
        "facet_fields": {},
        "facet_queries": {},
        "facet_ranges": {},
        "facet_intervals": {},
        "num_found": 0
    }
}
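Result rows are not unique per process: the two sample rows above share one process_guid and one SHA-256 but carry different MD5s and event descriptions, so counting rows overstates the number of processes. The following is an added example, not code from the page or from the vendor, that collapses rows into one record per process_guid, splits the mixed process_hash list into MD5 and SHA-256 values by length, and flags GUIDs whose rows disagree on a hash of the same kind. The rows are trimmed from the page’s sample response; the device_timestamp comparison assumes the values are same-width UTC ISO-8601 strings, as they are in the sample.

```python
# Added example (not vendor code): collapse process-search rows into one
# record per process_guid. SAMPLE_ROWS are trimmed from the page's response.
import re
from typing import Dict, Iterable, List, Set, Tuple

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")
HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")

SAMPLE_ROWS = [
    {"process_guid": "BOSTON7-00004763-00000298-00000000-1d4e32b26631de4",
     "parent_guid": "BOSTON7-00004763-00000dd0-00000000-1d4e32b25021b75",
     "device_name": "jalapeno-win10-pepper",
     "device_timestamp": "2019-03-25T17:16:33.804Z",
     "process_name": "c:\\$windows.~bt\\sources\\setuphost.exe",
     "process_pid": [664],
     "process_hash": ["5d96ae8615d5411f1a3d4d17e97bed3b",
                      "be04cbe6a367123fc36f675359683b9713f7ff354987ecf28540a780faaa7f03"],
     "process_username": ["NT AUTHORITY\\SYSTEM"],
     "process_terminated": False},
    {"process_guid": "BOSTON7-00004763-00000298-00000000-1d4e32b26631de4",
     "parent_guid": "BOSTON7-00004763-00000dd0-00000000-1d4e32b25021b75",
     "device_name": "jalapeno-win10-pepper",
     "device_timestamp": "2019-03-25T17:23:45.230Z",
     "process_name": "c:\\$windows.~bt\\sources\\setuphost.exe",
     "process_pid": [664],
     "process_hash": ["1c46a81ea1ea413a4fbde1fdbf71becc",
                      "be04cbe6a367123fc36f675359683b9713f7ff354987ecf28540a780faaa7f03"],
     "process_username": ["NT AUTHORITY\\SYSTEM"],
     "process_terminated": False},
]


def split_hashes(hashes: Iterable[str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Separate the mixed process_hash list into MD5 / SHA-256 / unrecognised by length."""
    md5s: Set[str] = set()
    sha256s: Set[str] = set()
    other: Set[str] = set()
    for h in hashes:
        h = h.lower()
        if HEX_MD5.match(h):
            md5s.add(h)
        elif HEX_SHA256.match(h):
            sha256s.add(h)
        else:
            other.add(h)
    return md5s, sha256s, other


def collapse_processes(rows: Iterable[dict]) -> Dict[str, dict]:
    """One record per process_guid, accumulating every hash, pid and user seen."""
    by_guid: Dict[str, dict] = {}
    for row in rows:
        ts = row["device_timestamp"]  # same-width UTC ISO-8601: string order == time order
        rec = by_guid.setdefault(row["process_guid"], {
            "process_name": row["process_name"],
            "parent_guid": row.get("parent_guid"),
            "device_name": row.get("device_name"),
            "pids": set(), "users": set(), "md5": set(), "sha256": set(),
            "rows": 0, "first_seen": ts, "last_seen": ts, "terminated": False,
        })
        md5s, sha256s, other = split_hashes(row.get("process_hash", []))
        if other:  # fail loudly rather than silently dropping an unknown hash form
            raise ValueError(f"unrecognised hash in {row['process_guid']}: {sorted(other)}")
        rec["md5"] |= md5s
        rec["sha256"] |= sha256s
        rec["pids"].update(row.get("process_pid", []))
        rec["users"].update(row.get("process_username", []))
        rec["rows"] += 1
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["terminated"] = rec["terminated"] or bool(row.get("process_terminated"))
    return by_guid


def hash_conflicts(processes: Dict[str, dict]) -> List[str]:
    """GUIDs whose rows report more than one hash of the same kind; worth a second look."""
    return sorted(g for g, r in processes.items()
                  if len(r["md5"]) > 1 or len(r["sha256"]) > 1)
```

Run over the real `data` array instead of SAMPLE_ROWS to get a per-process view of a result set; hash_conflicts() surfaces the GUIDs where the rows do not agree, which is where a hunter should look before trusting a single hash value.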

Cancel Process Search

Cancel the process search for a given query_id. This is useful if a long-running query needs to be modified and restarted.

Example query_id: 0e2402cd-07b5-468e-a2f2-aa1bd779f929

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events DELETE

Request

DELETE <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_jobs/{{query_id}}

Response

Process result deleted

Get the Status of a Query

Get the status of a process search request with the given query_id. contacted is the number of searchers the job was sent to and completed the number that have finished; the search is complete when the two are equal.

Example query_id: 0e2402cd-07b5-468e-a2f2-aa1bd779f929

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events READ

Request

GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_jobs/{{query_id}}

Response

{
    "contacted": 2,
    "completed": 2
}
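The start, status, results and cancel routes above, together with the common headers and the org_key/query_id form of the search_jobs listing, make up one procedure: start a job, poll its status until completed equals contacted, fetch the rows, and delete jobs you no longer need. The following is an added example, not code from the page or from the vendor, that drives that procedure end to end. The routes are the page’s own; the hostname, org key and credentials are placeholders, and HTTP goes through an injected transport callable so the flow runs offline against constructed responses shaped like the page’s samples. Treating contacted == 0 as "not yet dispatched" is an assumption, as is the cancel-on-timeout behaviour.

```python
# Added example (not vendor code): run an asynchronous process search end to end.
import time
from typing import Any, Callable, Dict, List, Optional

# transport(method, url, headers, json_body) -> decoded JSON response
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Any]


class ThreatHunterSearch:
    def __init__(self, hostname: str, org_key: str, api_key: str,
                 connector_id: str, transport: Transport) -> None:
        self.base = f"{hostname}/threathunter/search/v1/orgs/{org_key}"
        # X-Auth-Token is api_key/connector_id: a bearer secret, keep it out of logs/URLs.
        self.headers = {
            "X-Auth-Token": f"{api_key}/{connector_id}",
            "Content-Type": "application/json",
            "accept": "application/json",
        }
        self._send = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> Any:
        return self._send(method, self.base + path, self.headers, body)

    def start_search(self, q: str, bounds: Optional[dict] = None) -> str:
        # bounds may carry cb.min_backend_timestamp / cb.max_backend_timestamp (epoch ms)
        params = {"q": q, **(bounds or {})}
        resp = self._call("POST", "/processes/search_jobs", {"search_params": params})
        return resp["query_id"]

    def status(self, query_id: str) -> dict:
        return self._call("GET", f"/processes/search_jobs/{query_id}")

    def wait_until_complete(self, query_id: str, attempts: int = 30, delay: float = 1.0,
                            sleep: Callable[[float], None] = time.sleep) -> int:
        """Poll until every contacted searcher has completed; return the poll count.
        Assumption: contacted == 0 means the job has not been dispatched yet."""
        for polls in range(1, attempts + 1):
            st = self.status(query_id)
            if st["contacted"] > 0 and st["completed"] >= st["contacted"]:
                return polls
            sleep(delay)
        self.cancel(query_id)  # assumption: release the server-side result set on timeout
        raise TimeoutError(f"search {query_id} not complete after {attempts} polls")

    def results(self, query_id: str) -> dict:
        return self._call("GET", f"/processes/search_jobs/{query_id}/results")

    def cancel(self, query_id: str) -> None:
        self._call("DELETE", f"/processes/search_jobs/{query_id}")

    def list_query_ids(self) -> List[str]:
        # Listing entries are "org_key/query_id"; the per-job routes take only the query_id.
        listing = self._call("GET", "/processes/search_jobs")
        return [entry.split("/", 1)[1] for entry in listing["query_ids"]]


class FakeTransport:
    """Constructed responses shaped like the page's samples; no network involved."""
    def __init__(self, statuses: Optional[List[dict]] = None) -> None:
        self.calls: List[tuple] = []
        self._status = iter(statuses or [{"contacted": 2, "completed": 1},
                                         {"contacted": 2, "completed": 2}])

    def __call__(self, method, url, headers, body):
        assert headers["X-Auth-Token"].count("/") == 1  # api_key/connector_id
        self.calls.append((method, url))
        if method == "POST" and url.endswith("/processes/search_jobs"):
            return {"query_id": "5e7a401f-21a3-4675-9a55-24508cc5f3a1",
                    "query": {**body["search_params"], "rows": 500, "start": 0}}
        if method == "GET" and url.endswith("/processes/search_jobs"):
            return {"query_ids": ["BOSTON7/0e2402cd-07b5-468e-a2f2-aa1bd779f929"]}
        if method == "GET" and url.endswith("/results"):
            return {"response_header": {"num_found": 18621, "num_available": 1000,
                                        "searchers_meta": {"contacted": 2, "completed": 2}},
                    "data": []}
        if method == "GET":
            return next(self._status)  # status poll
        if method == "DELETE":
            return None
        raise ValueError(f"unexpected call {method} {url}")


def run_search(q: str = "process_name:chrome.exe",
               transport: Optional[Transport] = None) -> dict:
    """Start, poll to completion, fetch, and report whether the result set was capped."""
    transport = transport or FakeTransport()
    client = ThreatHunterSearch("https://psc.example", "BOSTON7",  # placeholders
                                "API_KEY", "CONNECTOR_ID", transport)
    query_id = client.start_search(q, {"cb.min_backend_timestamp": 1553529591856})
    polls = client.wait_until_complete(query_id, delay=0, sleep=lambda _s: None)
    header = client.results(query_id)["response_header"]
    return {
        "query_id": query_id,
        "polls": polls,
        "num_found": header["num_found"],
        "num_available": header["num_available"],
        # more matches than retrievable rows: narrow q or the time window and rerun
        "capped": header["num_found"] > header["num_available"],
    }
```

To run this against a live tenant, replace FakeTransport with a function that issues the request over HTTPS with the given headers and returns the decoded JSON; the polling loop, the query_id handling and the capped check stay the same.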

Process Search Suggestions

Get suggestions for a given process search.

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events READ

Request

GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_suggestions?suggest.q=pro&suggest.count=10

Parameters

  • suggest.q: Required. Query to generate suggestions for.
  • suggest.count: Number of suggestions to return.

Response

{
    "suggestions": [
        {
            "term": "process_name",
            "weight": 200
        },
        {
            "term": "process_cmdline",
            "weight": 100
        },
        {
            "term": "process_duration",
            "weight": 100
        },
        {
            "term": "process_effective_reputation",
            "weight": 100
        },
        {
            "term": "process_file_description",
            "weight": 100
        },
        {
            "term": "process_guid",
            "weight": 100
        },
        {
            "term": "process_hash",
            "weight": 100
        },
        {
            "term": "process_original_filename",
            "weight": 100
        },
        {
            "term": "process_pid",
            "weight": 100
        },
        {
            "term": "process_product_name",
            "weight": 100
        }
    ]
}

Process Search Validation

Validate a process search query.

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events READ

Request

GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/search_validation?q=process_name:chrome.exe

Parameters

  • q: Required. Query to validate.
  • cb.min_backend_timestamp: Optional. Earliest backend timestamp to include (epoch milliseconds).
  • cb.max_backend_timestamp: Optional. Latest backend timestamp to include (epoch milliseconds).

Response

{
    "valid": true,
    "value_search_query": false
}

Process Summary

Retrieve a process summary for a given process_guid.

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events READ

Request

GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/summary?process_guid=BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d

Parameters

  • process_guid: Required. Process GUID that should represent the main node of the tree
  • parent_guid: Parent process for the main node process

Response

{
    "incomplete_results": false,
    "process": {
        "_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169c0594afd:1e94d:1204",
        "backend_timestamp": "2019-03-27T18:11:11.228Z",
        "childproc_count": 91,
        "crossproc_count": 22,
        "device_external_ip": "98.122.36.116",
        "device_id": 18275,
        "device_internal_ip": "",
        "device_name": "jalapeno-win10-pepper",
        "device_os": "WINDOWS",
        "device_timestamp": "2019-03-27T18:10:01.822Z",
        "filemod_count": 2265,
        "kinesis_partition_id": "BOSTON7:0",
        "modload_count": 77,
        "netconn_count": 578,
        "org_id": "BOSTON7",
        "org_size_perc": 1,
        "parent_guid": "BOSTON7-00004763-00000e9c-00000000-1d4e426506df1de",
        "parent_hash": [
            "850b6af15c5a918bb9fa89cc30c24bdd72024332885114a86d8decaab0477fda",
            "93417f0672ebc2b0f3fb8539e7cd1938"
        ],
        "parent_name": "c:\\windows\\explorer.exe",
        "parent_pid": 3740,
        "partition_id": 0,
        "process_cmdline": [
            "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" "
        ],
        "process_effective_reputation": "TRUSTED_WHITE_LIST",
        "process_guid": "BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d",
        "process_hash": [
            "5fc079f87ed93c7680e531efc4801ea6",
            "fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad"
        ],
        "process_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
        "process_pid": [
            5840
        ],
        "process_reputation": "TRUSTED_WHITE_LIST",
        "process_terminated": false,
        "process_username": [
            "jalapeno-WIN10-\\bit9se"
        ],
        "regmod_count": 120,
        "scriptload_count": 0
    },
    "siblings": [
        {
            "_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169bc34d38e:12d68a:168ba",
            "backend_timestamp": "2019-03-26T22:52:52.493Z",
            "childproc_count": 1,
            "crossproc_count": 5,
            "device_external_ip": "98.122.36.116",
            "device_id": 18275,
            "device_internal_ip": "",
            "device_name": "jalapeno-win10-pepper",
            "device_os": "WINDOWS",
            "device_timestamp": "2019-03-26T22:50:42.381Z",
            "filemod_count": 43,
            "kinesis_partition_id": "BOSTON7:0",
            "modload_count": 46,
            "netconn_count": 0,
            "org_id": "BOSTON7",
            "org_size_perc": 1,
            "parent_guid": "BOSTON7-00004763-00000e9c-00000000-1d4e426506df1de",
            "parent_hash": [
                "850b6af15c5a918bb9fa89cc30c24bdd72024332885114a86d8decaab0477fda",
                "93417f0672ebc2b0f3fb8539e7cd1938"
            ],
            "parent_name": "c:\\windows\\explorer.exe",
            "parent_pid": 3740,
            "partition_id": 0,
            "process_cmdline": [
                "\"C:\\Windows\\System32\\ie4uinit.exe\" -UserConfig"
            ],
            "process_effective_reputation": "LOCAL_WHITE",
            "process_guid": "BOSTON7-00004763-00000eb0-00000000-1d4e42655dc64ef",
            "process_hash": [
                "cd5bb2bd300cc5bb9973c968b43fbefb",
                "4ee7bf27fa8fc8f8ef16a2555403eefca227d6f173f0e6566a91e433e72df4e4"
            ],
            "process_name": "c:\\windows\\system32\\ie4uinit.exe",
            "process_pid": [
                3760
            ],
            "process_reputation": "TRUSTED_WHITE_LIST",
            "process_terminated": true,
            "process_username": [
                "jalapeno-WIN10-\\bit9se"
            ],
            "regmod_count": 207,
            "scriptload_count": 0
        }
    ],
    "parent": {
        "_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169c0594afd:20638:1c0b",
        "backend_timestamp": "2019-03-27T18:11:11.228Z",
        "childproc_count": 16,
        "crossproc_count": 1238,
        "device_external_ip": "98.122.36.116",
        "device_id": 18275,
        "device_internal_ip": "",
        "device_name": "jalapeno-win10-pepper",
        "device_os": "WINDOWS",
        "device_timestamp": "2019-03-27T18:08:37.102Z",
        "filemod_count": 181,
        "kinesis_partition_id": "BOSTON7:0",
        "modload_count": 816,
        "netconn_count": 0,
        "org_id": "BOSTON7",
        "org_size_perc": 1,
        "parent_guid": "BOSTON7-00004763-00000ed4-00000000-1d4e426504f4e5c",
        "parent_hash": [
            "46b72e05d0b9f489ca60dbd7361039b0",
            "b5170d0e86b93d83c67636fe2c1207139cfcbc9114bbfd74d127cddcbd8fa114"
        ],
        "parent_name": "c:\\windows\\system32\\userinit.exe",
        "parent_pid": 3796,
        "partition_id": 0,
        "process_cmdline": [
            "C:\\Windows\\Explorer.EXE"
        ],
        "process_effective_reputation": "TRUSTED_WHITE_LIST",
        "process_guid": "BOSTON7-00004763-00000e9c-00000000-1d4e426506df1de",
        "process_hash": [
            "93417f0672ebc2b0f3fb8539e7cd1938",
            "850b6af15c5a918bb9fa89cc30c24bdd72024332885114a86d8decaab0477fda"
        ],
        "process_name": "c:\\windows\\explorer.exe",
        "process_pid": [
            3740
        ],
        "process_reputation": "TRUSTED_WHITE_LIST",
        "process_terminated": false,
        "process_username": [
            "jalapeno-WIN10-\\bit9se"
        ],
        "regmod_count": 2492,
        "scriptload_count": 0
    },
    "children": [
        {
            "_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169bc39878f:2252f5:6804",
            "backend_timestamp": "2019-03-26T22:58:00.719Z",
            "childproc_count": 0,
            "crossproc_count": 6,
            "device_external_ip": "98.122.36.116",
            "device_id": 18275,
            "device_internal_ip": "",
            "device_name": "jalapeno-win10-pepper",
            "device_os": "WINDOWS",
            "device_timestamp": "2019-03-26T22:52:02.328Z",
            "filemod_count": 0,
            "kinesis_partition_id": "BOSTON7:0",
            "modload_count": 42,
            "netconn_count": 0,
            "org_id": "BOSTON7",
            "org_size_perc": 1,
            "parent_guid": "BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d",
            "parent_hash": [
                "5fc079f87ed93c7680e531efc4801ea6",
                "fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad"
            ],
            "parent_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
            "parent_pid": 5840,
            "partition_id": 0,
            "process_cmdline": [
                "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=gpu-process --field-trial-handle=1540,7846969548857954607,7659868123879754097,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=1531183726095469925 --mojo-platform-channel-handle=4716 /prefetch:2"
            ],
            "process_effective_reputation": "TRUSTED_WHITE_LIST",
            "process_guid": "BOSTON7-00004763-000012ac-00000000-1d4e42686ba0a84",
            "process_hash": [
                "5fc079f87ed93c7680e531efc4801ea6",
                "fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad"
            ],
            "process_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
            "process_pid": [
                4780
            ],
            "process_reputation": "TRUSTED_WHITE_LIST",
            "process_terminated": true,
            "process_username": [
                "jalapeno-WIN10-\\bit9se"
            ],
            "regmod_count": 5,
            "scriptload_count": 0
        }
    ]
}

Process Tree

Retrieve a process tree for a given process_guid. In the sample response below the tree is rooted at the parent of the requested process (explorer.exe); the requested chrome.exe appears among the root’s children next to its sibling, with its own children nested beneath it. Check incomplete_results before treating the tree as a complete picture.

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events READ

Request

GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/tree?process_guid=BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d

Parameters

  • process_guid: Required. Process GUID that should represent the main node of the tree
  • parent_guid: Parent process for the main node process

Response

{
    "incomplete_results": false,
    "nodes": {
        "_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169c0594afd:20638:1c0b",
        "backend_timestamp": "2019-03-27T18:11:11.228Z",
        "childproc_count": 16,
        "children": [{
                "_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169bc34d38e:12d68a:168ba",
                "backend_timestamp": "2019-03-26T22:52:52.493Z",
                "childproc_count": 1,
                "crossproc_count": 5,
                "device_external_ip": "98.122.36.116",
                "device_id": 18275,
                "device_internal_ip": "",
                "device_name": "jalapeno-win10-pepper",
                "device_os": "WINDOWS",
                "device_timestamp": "2019-03-26T22:50:42.381Z",
                "filemod_count": 43,
                "kinesis_partition_id": "BOSTON7:0",
                "modload_count": 46,
                "netconn_count": 0,
                "org_id": "BOSTON7",
                "org_size_perc": 1,
                "parent_guid": "BOSTON7-00004763-00000e9c-00000000-1d4e426506df1de",
                "parent_hash": [
                    "850b6af15c5a918bb9fa89cc30c24bdd72024332885114a86d8decaab0477fda",
                    "93417f0672ebc2b0f3fb8539e7cd1938"
                ],
                "parent_name": "c:\\windows\\explorer.exe",
                "parent_pid": 3740,
                "partition_id": 0,
                "process_cmdline": [
                    "\"C:\\Windows\\System32\\ie4uinit.exe\" -UserConfig"
                ],
                "process_effective_reputation": "LOCAL_WHITE",
                "process_guid": "BOSTON7-00004763-00000eb0-00000000-1d4e42655dc64ef",
                "process_hash": [
                    "cd5bb2bd300cc5bb9973c968b43fbefb",
                    "4ee7bf27fa8fc8f8ef16a2555403eefca227d6f173f0e6566a91e433e72df4e4"
                ],
                "process_name": "c:\\windows\\system32\\ie4uinit.exe",
                "process_pid": [
                    3760
                ],
                "process_reputation": "TRUSTED_WHITE_LIST",
                "process_terminated": true,
                "process_username": [
                    "jalapeno-WIN10-\\bit9se"
                ],
                "regmod_count": 207,
                "scriptload_count": 0
            },
            {
                "_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169c0594afd:1e94d:1204",
                "backend_timestamp": "2019-03-27T18:11:11.228Z",
                "childproc_count": 91,
                "children": [{
                    "_s3_location": "j1uOUr64RtikdhgZ5ZMACw:169bc39878f:2252f5:6804",
                    "backend_timestamp": "2019-03-26T22:58:00.719Z",
                    "childproc_count": 0,
                    "crossproc_count": 6,
                    "device_external_ip": "98.122.36.116",
                    "device_id": 18275,
                    "device_internal_ip": "",
                    "device_name": "jalapeno-win10-pepper",
                    "device_os": "WINDOWS",
                    "device_timestamp": "2019-03-26T22:52:02.328Z",
                    "filemod_count": 0,
                    "kinesis_partition_id": "BOSTON7:0",
                    "modload_count": 42,
                    "netconn_count": 0,
                    "org_id": "BOSTON7",
                    "org_size_perc": 1,
                    "parent_guid": "BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d",
                    "parent_hash": [
                        "5fc079f87ed93c7680e531efc4801ea6",
                        "fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad"
                    ],
                    "parent_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
                    "parent_pid": 5840,
                    "partition_id": 0,
                    "process_cmdline": [
                        "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=gpu-process --field-trial-handle=1540,7846969548857954607,7659868123879754097,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=1531183726095469925 --mojo-platform-channel-handle=4716 /prefetch:2"
                    ],
                    "process_effective_reputation": "TRUSTED_WHITE_LIST",
                    "process_guid": "BOSTON7-00004763-000012ac-00000000-1d4e42686ba0a84",
                    "process_hash": [
                        "5fc079f87ed93c7680e531efc4801ea6",
                        "fbabdb68ba095638602aeabf903599db281452040e2bbd3a1ba6491e23dae2ad"
                    ],
                    "process_name": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
                    "process_pid": [
                        4780
                    ],
                    "process_reputation": "TRUSTED_WHITE_LIST",
                    "process_terminated": true,
                    "process_username": [
                        "jalapeno-WIN10-\\bit9se"
                    ],
                    "regmod_count": 5,
                    "scriptload_count": 0
                }],
                "crossproc_count": 1238,
                "device_external_ip": "98.122.36.116",
                "device_id": 18275,
                "device_internal_ip": "",
                "device_name": "jalapeno-win10-pepper",
                "device_os": "WINDOWS",
                "device_timestamp": "2019-03-27T18:08:37.102Z",
                "filemod_count": 181,
                "kinesis_partition_id": "BOSTON7:0",
                "modload_count": 816,
                "netconn_count": 0,
                "org_id": "BOSTON7",
                "org_size_perc": 1,
                "parent_guid": "BOSTON7-00004763-00000ed4-00000000-1d4e426504f4e5c",
                "parent_hash": [
                    "46b72e05d0b9f489ca60dbd7361039b0",
                    "b5170d0e86b93d83c67636fe2c1207139cfcbc9114bbfd74d127cddcbd8fa114"
                ],
                "parent_name": "c:\\windows\\system32\\userinit.exe",
                "parent_pid": 3796,
                "partition_id": 0,
                "process_cmdline": [
                    "C:\\Windows\\Explorer.EXE"
                ],
                "process_effective_reputation": "TRUSTED_WHITE_LIST",
                "process_guid": "BOSTON7-00004763-00000e9c-00000000-1d4e426506df1de",
                "process_hash": [
                    "93417f0672ebc2b0f3fb8539e7cd1938",
                    "850b6af15c5a918bb9fa89cc30c24bdd72024332885114a86d8decaab0477fda"
                ],
                "process_name": "c:\\windows\\explorer.exe",
                "process_pid": [
                    3740
                ],
                "process_reputation": "TRUSTED_WHITE_LIST",
                "process_terminated": false,
                "process_username": [
                    "jalapeno-WIN10-\\bit9se"
                ],
                "regmod_count": 2492,
                "scriptload_count": 0
            }
        ]
    }
}
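The nodes object above nests children recursively, and the root is not the process that was asked for, so code that reads the top node as "the process" gets its parent instead. The following is an added example, not code from the page or from the vendor, that walks the tree depth-first, recovers the process_name chain from the root down to a GUID, renders an indented listing, and lists nodes whose childproc_count exceeds the children actually returned. The tree is a constructed, trimmed copy of the page’s sample that keeps only the lineage fields.

```python
# Added example (not vendor code): walk the nested `nodes` tree from /processes/tree.
from typing import Iterator, List, Optional, Tuple

REQUESTED_GUID = "BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d"
CHROME = "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe"

# Trimmed from the page's sample response: explorer.exe is the root, the
# requested chrome.exe is one of its children.
SAMPLE_TREE = {
    "incomplete_results": False,
    "nodes": {
        "process_guid": "BOSTON7-00004763-00000e9c-00000000-1d4e426506df1de",
        "process_name": "c:\\windows\\explorer.exe",
        "process_pid": [3740],
        "parent_guid": "BOSTON7-00004763-00000ed4-00000000-1d4e426504f4e5c",
        "parent_name": "c:\\windows\\system32\\userinit.exe",
        "parent_pid": 3796,
        "childproc_count": 16,
        "children": [
            {"process_guid": "BOSTON7-00004763-00000eb0-00000000-1d4e42655dc64ef",
             "process_name": "c:\\windows\\system32\\ie4uinit.exe",
             "process_pid": [3760], "childproc_count": 1, "process_terminated": True},
            {"process_guid": REQUESTED_GUID, "process_name": CHROME,
             "process_pid": [5840], "childproc_count": 91, "process_terminated": False,
             "children": [
                 {"process_guid": "BOSTON7-00004763-000012ac-00000000-1d4e42686ba0a84",
                  "process_name": CHROME, "process_pid": [4780],
                  "childproc_count": 0, "process_terminated": True},
             ]},
        ],
    },
}


def walk(node: dict, depth: int = 0) -> Iterator[Tuple[int, dict]]:
    """Depth-first pre-order traversal; leaf nodes omit 'children' entirely."""
    yield depth, node
    for child in node.get("children", []):
        yield from walk(child, depth + 1)


def ancestry(tree: dict, guid: str) -> Optional[List[str]]:
    """process_name chain from the root down to `guid`, or None if it is absent."""
    def search(node: dict, path: List[str]) -> Optional[List[str]]:
        path = path + [node["process_name"]]
        if node["process_guid"] == guid:
            return path
        for child in node.get("children", []):
            found = search(child, path)
            if found:
                return found
        return None
    return search(tree["nodes"], [])


def render(tree: dict) -> List[str]:
    """Indented listing; the root's own parent (a field, not a node) is the first line."""
    root = tree["nodes"]
    lines = [f"{root.get('parent_name', '?')} (pid {root.get('parent_pid', '?')})"]
    for depth, node in walk(root):
        pid = node.get("process_pid", ["?"])[0]
        lines.append("  " * (depth + 1) + f"{node['process_name']} (pid {pid})")
    return lines


def unexpanded(tree: dict) -> List[str]:
    """GUIDs whose childproc_count exceeds the children returned: the tree is a partial view
    there, so fetch those nodes separately before concluding a process spawned nothing."""
    return [n["process_guid"] for _, n in walk(tree["nodes"])
            if n.get("childproc_count", 0) > len(n.get("children", []))]
```

ancestry() is the quick way to confirm a suspicious process's parentage (userinit to explorer to chrome here), while unexpanded() shows that even a tree with incomplete_results false can hide children the counts say exist.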

Evaluate Processes for a Watchlist

Evaluate and tag processes for the given watchlist, report, and IOC.

RBAC Permissions Required

Permission (.notation name) Operation(s)
threathunter.events UPDATE

Request

POST <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/processes/watchlist_evaluation

Body Parameters

  • watchlist_id: Watchlist ID
  • report_id: Report ID
  • ioc_id: ID of an IOC
  • cb.max_backend_timestamp: Optional - latest backend timestamp to include.
  • cb.min_backend_timestamp: Optional - earliest backend timestamp to include.

Body

{
  "watchlist_id": "b5LGY1CCTtyogVBUwTWLA",
  "report_id": "1"
}

Response


Get Report Hits

Get report hits associated with a process.

Request

GET <psc-hostname>/threathunter/search/v1/orgs/{{org_key}}/report_hits?process_guid=BOSTON7-00004763-000016d0-00000000-1d4e4267b947f6d

Parameters

  • process_guid: Required. Process GUID for which to get report hits.
  • rows: Number of report hits to get.

Response

{
    "report_hits": {}
}
Last modified on April 1, 2019