⚠️ Find Events
GET {{cb_url}}/integrationServices/v3/event?searchWindow=3h
⚠️ This endpoint is being deprecated. Please use ThreatHunter > Process Search v2, as that will eventually become a Platform Search API covering both NGAV and EDR.
Retrieves all events matching the input search criteria. Response is a list of events in JSON format. Resulting events are sorted in descending order of time.
Query parameters can be used to filter the list of events:
- hostName: filter on hostnames, case insensitive. For example hostName=win-IA9NQ1GN8OI will match the hostname WIN-IA9NQ1GN8OI
- hostNameExact: filter on the exact hostname. For example hostNameExact=WIN-IA9NQ1GN8OI will only return devices with the exact hostname WIN-IA9NQ1GN8OI but not a host named win-IA9NQ1GN8OI
- ownerName: filter on owner name, case insensitive.
- ownerNameExact: same as ownerName but case sensitive
- ipAddress: filter on events generated by a device with a given external or internal IP address
- sha256Hash: filter on events generated by a process with the given SHA-256 hash. Note that this hash must be lowercase.
- applicationName: filter on events generated by a process with the given application name (for example, googleupdate.exe). Note that this name must be lowercase.
- eventType: filter on events with a given event type. Possible event types are:
  - NETWORK
  - FILECREATE
  - REGISTRYACCESS
  - SYSTEMAPICALL
  - CREATEPROCESS
  - DATAACCESS
  - INJECT_CODE
- searchWindow: filter on events generated within a given relative time frame. Note that the default is one day if a searchWindow is not specified. Note that events may not be available past 30 days due to retention policies. Available options for searchWindow:
  - 3h for the past three hours
  - 1d for the past one day (default)
  - 1w for the past one week
  - 2w for the past two weeks
  - 1m for the past one month
  - all for all
- startTime / endTime: using a combination of startTime and endTime filters events for the given absolute time frame. startTime and endTime must be used together. The timestamps are in RFC3339 format. Example:
  https://api-url.conferdeploy.net/integrationServices/v3/event?startTime=2017-11-15&endTime=2017-11-20
  endTime - startTime must be <= 2w
Note: There is an additional restriction specific to this endpoint: /event supports a maximum window of 2w, to limit the volume of data returned.
Note: Events may not be available past 30 days due to retention policies.
Each event has a unique ID associated with it in the response payload. The event ID is stored as the value of the eventId key.
Request Params
Key | Datatype | Required | Description |
---|---|---|---|
hostName | null | | filter on hostnames, case insensitive |
hostNameExact | null | | filter on the exact hostname |
ownerName | null | | filter on owner name, case insensitive |
ownerNameExact | null | | same as ownerName but case sensitive |
ipAddress | null | | filter on events generated by a device with a given external or internal IP address |
sha256Hash | null | | filter on events generated by a process with the given SHA-256 hash |
applicationName | null | | filter on events generated by a process with the given application name |
eventType | null | | filter on events with a given event type |
searchWindow | string | | filter on events generated within a given relative time frame |
startTime | null | | YYYY-MM-DD |
endTime | null | | YYYY-MM-DD |
rows | number | | |
start | number | | |
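The query builder below enforces the constraints listed above (lowercase sha256Hash and applicationName, the allowed eventType and searchWindow values, startTime/endTime used together with endTime - startTime <= 2w) and pulls eventId values out of a response. It is an added example, not Carbon Black's own client code; the `results` key in the response and the sample payload are constructed assumptions.

```python
"""Build validated queries for /integrationServices/v3/event and read eventIds.
Added example; the response shape ("results" list) and sample data are assumed."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

EVENT_TYPES = {"NETWORK", "FILECREATE", "REGISTRYACCESS", "SYSTEMAPICALL",
               "CREATEPROCESS", "DATAACCESS", "INJECT_CODE"}
SEARCH_WINDOWS = {"3h", "1d", "1w", "2w", "1m", "all"}
MAX_ABSOLUTE_WINDOW = timedelta(weeks=2)   # /event caps endTime - startTime at 2w


def _parse_ts(value):
    """Parse an RFC3339 / YYYY-MM-DD timestamp; naive values are treated as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def build_event_query(cb_url, **filters):
    """Return the full request URL, rejecting parameters the endpoint would not accept."""
    params = {}
    for key, value in filters.items():
        if value is None:
            continue
        if key in ("sha256Hash", "applicationName"):
            value = value.lower()                      # documented: must be lowercase
        elif key == "eventType" and value not in EVENT_TYPES:
            raise ValueError(f"unknown eventType {value!r}")
        elif key == "searchWindow" and value not in SEARCH_WINDOWS:
            raise ValueError(f"unknown searchWindow {value!r}")
        params[key] = value
    start, end = params.get("startTime"), params.get("endTime")
    if (start is None) != (end is None):
        raise ValueError("startTime and endTime must be used together")
    if start is not None:
        span = _parse_ts(end) - _parse_ts(start)
        if span < timedelta(0) or span > MAX_ABSOLUTE_WINDOW:
            raise ValueError("endTime - startTime must be positive and <= 2w")
    return f"{cb_url}/integrationServices/v3/event?{urlencode(params)}"


def event_ids(response_json):
    """Collect the eventId of every event in a response payload (assumed 'results' list)."""
    return [event["eventId"] for event in json.loads(response_json).get("results", [])]


# Constructed sample response, not captured from a live tenant.
SAMPLE_RESPONSE = json.dumps({"success": True, "results": [
    {"eventId": "evt-001", "eventType": "CREATEPROCESS"},
    {"eventId": "evt-002", "eventType": "NETWORK"}]})
```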