⚠️ Find Processes
GET {{cb_url}}/integrationServices/v3/process
⚠️ This endpoint is being deprecated. Please use ThreatHunter > Process Search v2, as that will eventually become a Platform Search API covering both NGAV and EDR.
Queries all events using the input search criteria and returns a list of processes. The response is a list of processes in JSON format.
Query parameters can be used to filter the list of processes:
- hostName: filter on the hostname (case insensitive, partial match). For example, `hostName=WIN-IA9NQ1GN8OI` will return devices with a hostname such as `WIN-IA9NQ1GN8OI` or `win-IA9NQ1GN8OI`.
- hostNameExact: filter on the exact hostname. For example, `hostNameExact=WIN-IA9NQ1GN8OI` will only return devices with the exact hostname `WIN-IA9NQ1GN8OI`, but not a host named `win-IA9NQ1GN8OI`.
- ownerName: filter on the owner name (case insensitive, partial match).
- ownerNameExact: same as `ownerName` but case sensitive.
- ipAddress: filter on events generated by a device with a given external or internal IP address.
- sha256Hash: filter on the process's SHA-256 hash.
- applicationName: filter on the process's application name.
- rows: limits the result to a specified number of rows (default 100, max 5000).
- searchWindow: filter on events generated within a given relative time frame. The default is one day if `searchWindow` is not specified. Note that events may not be available past 30 days due to retention policies. The maximum search window is two weeks. Example values are `3h` (the past three hours) and `1d` (the past day); the same syntax expresses spans such as the past four days or the past two weeks.
- startTime / endTime: using `startTime` and `endTime` in combination filters events for the given absolute timeframe. `startTime` and `endTime` must be used together.
  - The timestamps are in RFC3339 format. For example, `startTime=2017-11-15`, `endTime=2017-11-16`.
  - `endTime` - `startTime` must be <= 1d.
  - Events may not be available past 30 days due to retention policies.
Note: at least one of the following filters is required: `ownerName`, `ownerNameExact`, `hostName`, `hostNameExact`, `ipAddress`, `sha256Hash`, or `applicationName`.
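The constraints above (at least one filter, `rows` at most 5000, `startTime`/`endTime` used together and at most one day apart, RFC3339 timestamps) are easy to violate when a query is assembled programmatically. The following is an added example, not vendor code: it validates a query locally and builds the request URL, so a malformed request is caught before it reaches the API. The base URL and sample values are constructed placeholders.

```python
"""Client-side validation for GET {{cb_url}}/integrationServices/v3/process.

Added example, not vendor code. It encodes the documented constraints
(at least one filter, rows <= 5000, startTime/endTime used together and
at most one day apart, RFC3339 timestamps). The base URL is a placeholder.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

FILTER_KEYS = ("ownerName", "ownerNameExact", "hostName", "hostNameExact",
               "ipAddress", "sha256Hash", "applicationName")
MAX_ROWS = 5000
MAX_ABSOLUTE_SPAN = timedelta(days=1)


def _parse_rfc3339(value):
    """Parse a bare date or an RFC3339 timestamp; naive values are assumed UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def validate_process_query(params):
    """Return a list of constraint violations (empty when the query is valid)."""
    errors = []
    if not any(key in params for key in FILTER_KEYS):
        errors.append("at least one of %s is required" % ", ".join(FILTER_KEYS))
    rows = params.get("rows")
    if rows is not None and not 1 <= int(rows) <= MAX_ROWS:  # lower bound of 1 is an assumption
        errors.append("rows must be between 1 and %d" % MAX_ROWS)
    start, end = params.get("startTime"), params.get("endTime")
    if (start is None) != (end is None):
        errors.append("startTime and endTime must be used together")
    elif start is not None:
        try:
            span = _parse_rfc3339(end) - _parse_rfc3339(start)
        except ValueError:
            errors.append("startTime and endTime must be RFC3339 timestamps")
        else:
            if not timedelta(0) <= span <= MAX_ABSOLUTE_SPAN:
                errors.append("endTime - startTime must be between 0 and 1d")
    return errors


def build_process_query(cb_url, **params):
    """Return the request URL, or raise ValueError listing every violation."""
    errors = validate_process_query(params)
    if errors:
        raise ValueError("; ".join(errors))
    return "%s/integrationServices/v3/process?%s" % (cb_url.rstrip("/"), urlencode(params))


if __name__ == "__main__":
    # Constructed sample: the hostname from the docs and a one-day absolute window.
    print(build_process_query("https://cb.example.invalid", hostName="WIN-IA9NQ1GN8OI",
                              startTime="2017-11-15", endTime="2017-11-16", rows=500))
```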
Request Params

Key | Datatype | Required | Description
---|---|---|---
hostName | null | | filter on the hostname
hostNameExact | null | | filter on the exact hostname
ownerName | null | | filter on owner name, case insensitive (partial match)
ownerNameExact | null | | same as ownerName but with case sensitivity
ipAddress | null | | filter on events generated by a device with a given external or internal IP address
sha256Hash | null | | filter on the process's sha256 hash
applicationName | null | | filter on the process's application name
rows | null | | limits the result to a specified number of rows
searchWindow | string | | filter on events generated within a given relative time frame
startTime | null | | filter events for the given absolute timeframe
endTime | null | | filter events for the given absolute timeframe