⚠️ Find Processes

GET {{cb_url}}/integrationServices/v3/process

⚠️ This endpoint is being deprecated. Please use ThreatHunter > Process Search v2, as that will eventually become a Platform Search API covering both NGAV and EDR.


Queries all events using the supplied search criteria and returns the matching processes. The response is a list of processes in JSON format.

Query parameters can be used to filter the list of processes:

  • hostName: filter on the hostname, case insensitive (partial match). For example, hostName=WIN-IA9NQ1GN8OI will return devices whose hostname matches such as WIN-IA9NQ1GN8OI or win-IA9NQ1GN8OI
  • hostNameExact: filter on the exact hostname. For example, hostNameExact=WIN-IA9NQ1GN8OI will only return devices with the exact hostname WIN-IA9NQ1GN8OI, but not a host named win-IA9NQ1GN8OI
  • ownerName: filter on owner name case insensitive (partial match).
  • ownerNameExact: same as ownerName but with case sensitivity
  • ipAddress: filter on events generated by a device with a given external or internal IP address
  • sha256Hash: filter on process's sha256 hash
  • applicationName: filter on process's application name
  • rows: limits the result to a specified number of rows (default=100 max=5000)
  • searchWindow: filter on events generated within a given relative time frame. The default is one day if no searchWindow is specified. Events may not be available past 30 days due to retention policies. The maximum search window is two weeks. Example values are:
    • 3h for the past three hours
    • 1d for the past day
  • startTime / endTime: Using a combination of startTime and endTime filters events for the given absolute timeframe.
    • startTime and endTime must be used together
    • The timestamps are in RFC3339 format. For example, startTime=2017-11-15, endTime=2017-11-16
    • endTime - startTime must be <= 1d
    • Events may not be available past 30 days due to retention policies.

Note: at least one of the following filters is required: ownerName, ownerNameExact, hostName, hostNameExact, ipAddress, sha256Hash, or applicationName
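The parameter rules above (one required identity filter, the rows cap, the two-week searchWindow limit, and startTime/endTime used together and at most one day apart) are easy to get wrong in a script, and a rejected request costs a round trip and shows up as noise in the API audit log. The following Python client is an added example, not code from the original reference or from the product vendor: it validates a parameter set against those rules before building the GET request. The X-Auth-Token header format (API secret key and connector ID joined by a slash) is an assumption, as is the tenant base URL, which stands in for {{cb_url}}.

```python
"""Client-side validation and request building for GET /integrationServices/v3/process.

Added example (not part of the original reference). The parameter rules come
from the page; the X-Auth-Token header format and the query-string encoding
are assumptions.
"""
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

ENDPOINT_PATH = "/integrationServices/v3/process"
# At least one of these must be present (page rule).
REQUIRED_ANY = ("ownerName", "ownerNameExact", "hostName", "hostNameExact",
                "ipAddress", "sha256Hash", "applicationName")
ALLOWED = set(REQUIRED_ANY) | {"rows", "searchWindow", "startTime", "endTime"}
DEFAULT_ROWS, MAX_ROWS = 100, 5000
MAX_WINDOW = timedelta(weeks=2)
_WINDOW_RE = re.compile(r"^(\d+)([hdw])$")
_UNIT = {"h": timedelta(hours=1), "d": timedelta(days=1), "w": timedelta(weeks=1)}


def parse_search_window(value: str) -> timedelta:
    """Turn a relative window such as '3h', '1d' or '2w' into a timedelta."""
    m = _WINDOW_RE.match(value)
    if not m:
        raise ValueError(f"unsupported searchWindow {value!r}")
    window = int(m.group(1)) * _UNIT[m.group(2)]
    if window > MAX_WINDOW:
        raise ValueError("searchWindow exceeds the two-week maximum")
    return window


def _parse_ts(value: str) -> datetime:
    """Parse an RFC3339 date or date-time; a bare date is taken as midnight UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def build_query(**params) -> dict:
    """Validate parameters against the documented rules and return the query dict."""
    unknown = set(params) - ALLOWED
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    if not any(k in params for k in REQUIRED_ANY):
        raise ValueError("at least one of " + ", ".join(REQUIRED_ANY) + " is required")
    rows = int(params.get("rows", DEFAULT_ROWS))
    if not 1 <= rows <= MAX_ROWS:
        raise ValueError(f"rows must be between 1 and {MAX_ROWS}")
    if "searchWindow" in params:
        parse_search_window(params["searchWindow"])
    has_start, has_end = "startTime" in params, "endTime" in params
    if has_start != has_end:
        raise ValueError("startTime and endTime must be used together")
    if has_start:
        start, end = _parse_ts(params["startTime"]), _parse_ts(params["endTime"])
        if end <= start:
            raise ValueError("endTime must be after startTime")
        if end - start > timedelta(days=1):
            raise ValueError("endTime - startTime must be <= 1d")
    return {k: str(v) for k, v in params.items()}


def validation_error(**params):
    """Return the validation message for a bad parameter set, or None when valid."""
    try:
        build_query(**params)
    except ValueError as exc:
        return str(exc)
    return None


def build_url(cb_url: str, **params) -> str:
    """Full request URL; cb_url is the tenant base URL written as {{cb_url}} on the page."""
    return cb_url.rstrip("/") + ENDPOINT_PATH + "?" + urllib.parse.urlencode(build_query(**params))


def find_processes(cb_url: str, api_key: str, connector_id: str, **params) -> dict:
    """Issue the GET request. The X-Auth-Token 'key/connector_id' format is an assumption."""
    req = urllib.request.Request(build_url(cb_url, **params), headers={
        "X-Auth-Token": f"{api_key}/{connector_id}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration: only the URL is built, no request is sent.
    print(build_url("https://tenant.example.invalid", hostNameExact="WIN-IA9NQ1GN8OI",
                    startTime="2017-11-15", endTime="2017-11-16", rows=500))
```

The validation deliberately mirrors the server-side rules rather than loosening them: a request that would be rejected by the service is rejected locally with the same reason, so a misconfigured hunting job fails fast and leaves nothing in the tenant's API log.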

See the Documentation

Request Params

Key              Datatype  Required  Description
hostName         null                filter on the hostname
hostNameExact    null                filter on the exact hostname
ownerName        null                filter on owner name, case insensitive (partial match)
ownerNameExact   null                same as ownerName but with case sensitivity
ipAddress        null                filter on events generated by a device with a given external or internal IP address
sha256Hash       null                filter on process's sha256 hash
applicationName  null                filter on process's application name
rows             null                limits the result to a specified number of rows
searchWindow     string              filter on events generated within a given relative time frame
startTime        null                filter events for the given absolute timeframe
endTime          null                filter events for the given absolute timeframe