⚠️ Find Events

GET {{cb_url}}/integrationServices/v3/event?searchWindow=3h

⚠️ This endpoint is being deprecated. Please use ThreatHunter > Process Search v2, as that will eventually become a Platform Search API covering both NGAV and EDR.


Retrieves all events matching the input search criteria. Response is a list of events in JSON format. Resulting events are sorted in descending order of time.

Query parameters can be used to filter the list of events:

  • hostName: filter on hostnames, case insensitive. For example hostName=win-IA9NQ1GN8OI will match the hostname WIN-IA9NQ1GN8OI
  • hostNameExact: filter on the exact hostname. For example hostNameExact=WIN-IA9NQ1GN8OI will only return devices with the exact hostname WIN-IA9NQ1GN8OI, but not a host named win-IA9NQ1GN8OI
  • ownerName: filter on owner name, case insensitive.
  • ownerNameExact: same as ownerName, but case sensitive
  • ipAddress: filter on events generated by a device with a given external or internal IP address
  • sha256Hash: filter on events generated by a process with the given SHA-256 hash. Note that this hash must be lowercase.
  • applicationName: filter on events generated by a process with the given application name (for example, googleupdate.exe). Note that this name must be lowercase.
  • eventType: filter on events with a given event type. Possible event types are:
    • NETWORK
    • FILECREATE
    • REGISTRYACCESS
    • SYSTEMAPICALL
    • CREATEPROCESS
    • DATAACCESS
    • INJECT_CODE
  • searchWindow: filter on events generated within a given relative time frame. The default is one day if no searchWindow is specified. Note that events may not be available past 30 days due to retention policies. Available options for searchWindow:
    • 3h for the past three hours
    • 1d for the past one day (default)
    • 1w for the past one week
    • 2w for the past two weeks
    • 1m for the past one month
    • all for all
  • startTime / endTime: Using a combination of startTime and endTime filters events for the given absolute timeframe.
    • startTime and endTime must be used together
    • The timestamps are in RFC3339 format. Example: https://api-url.conferdeploy.net/integrationServices/v3/event?startTime=2017-11-15&endTime=2017-11-20
    • endTime - startTime must be <= 2w

Note: There is an additional restriction for this API endpoint specifically – /event supports a maximum window of 2w, to limit the volume of data returned.

Note: Events may not be available past 30 days due to retention policies.

Each event has a unique ID associated with it in the response payload. The event ID is stored as the value of the eventId key.
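The following helper, added here as an example and not part of the original documentation, builds a request URL for this endpoint while enforcing the constraints listed above (startTime/endTime used together and at most 2w apart, lowercase sha256Hash and applicationName, known eventType and searchWindow values) and pulls the eventId out of each returned event. The base URL and the sample events are constructed placeholders.

```python
from datetime import date, timedelta
from urllib.parse import urlencode

# Values taken from the parameter list above.
EVENT_TYPES = {"NETWORK", "FILECREATE", "REGISTRYACCESS", "SYSTEMAPICALL",
               "CREATEPROCESS", "DATAACCESS", "INJECT_CODE"}
SEARCH_WINDOWS = {"3h", "1d", "1w", "2w", "1m", "all"}
LOWERCASE_PARAMS = ("sha256Hash", "applicationName")  # matched only in lowercase
MAX_ABSOLUTE_WINDOW = timedelta(weeks=2)              # endTime - startTime <= 2w


def build_event_query(cb_url, **params):
    """Return the /event request URL after validating the query parameters.

    Raises ValueError for combinations the endpoint documents as invalid,
    so a bad query is caught before it is sent instead of silently
    returning nothing or being rejected by the server.
    """
    if "eventType" in params and params["eventType"] not in EVENT_TYPES:
        raise ValueError(f"unknown eventType {params['eventType']!r}")
    if "searchWindow" in params and params["searchWindow"] not in SEARCH_WINDOWS:
        raise ValueError(f"unknown searchWindow {params['searchWindow']!r}")
    for key in LOWERCASE_PARAMS:
        if key in params:
            params[key] = params[key].lower()
    has_start, has_end = "startTime" in params, "endTime" in params
    if has_start != has_end:
        raise ValueError("startTime and endTime must be used together")
    if has_start:
        start = date.fromisoformat(params["startTime"])  # YYYY-MM-DD
        end = date.fromisoformat(params["endTime"])
        if end < start or end - start > MAX_ABSOLUTE_WINDOW:
            raise ValueError("endTime - startTime must be <= 2w")
    return f"{cb_url}/integrationServices/v3/event?{urlencode(params)}"


def event_ids(events):
    """Collect the eventId of each event, keeping the API's time-descending order."""
    return [event["eventId"] for event in events]


if __name__ == "__main__":
    # Constructed sample: a placeholder base URL and two fake events.
    url = build_event_query("https://api-url.conferdeploy.net",
                            applicationName="GoogleUpdate.exe",
                            eventType="NETWORK",
                            startTime="2017-11-15", endTime="2017-11-20")
    print(url)
    sample = [{"eventId": "evt-0002", "eventType": "NETWORK"},
              {"eventId": "evt-0001", "eventType": "NETWORK"}]
    print(event_ids(sample))
```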

Request Params

Key             | Datatype | Required | Description
----------------|----------|----------|---------------------------------------------------------------------------------
hostName        | null     |          | filter on hostnames case insensitive
hostNameExact   | null     |          | filter on the exact hostname
ownerName       | null     |          | filter on owner name case insensitive
ownerNameExact  | null     |          | same as ownerName but with case sensitivity
ipAddress       | null     |          | filter on events generated by a device with a given external or internal IP address
sha256Hash      | null     |          | filter on events generated by a process with the given SHA-256 hash
applicationName | null     |          | filter on events generated by a process with the given application name
eventType       | null     |          | filter on events with a given event type
searchWindow    | string   |          | filter on events generated within a given relative time frame
startTime       | null     |          | YYYY-MM-DD
endTime         | null     |          | YYYY-MM-DD
rows            | number   |          |
start           | number   |          |