Get Auth Events Detail Job Results
GET {{cb_url}}/api/investigate/v2/orgs/{{cb_org_key}}/auth_events/detail_jobs/{{cb_job_id}}/results
Retrieves the Auth Events Detail Job results for a given job ID.
This call is asynchronous: results may be available immediately, but they are complete only once the job finishes. The job is complete when contacted == completed in the response; until then, the returned results may be partial.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events | READ |
See Documentation about the APIs
RESPONSES
status: OK
{"results":[{"auth_cleartext_credentials_logon":false,"auth_daemon_logon":true,"auth_domain_name":"NT AUTHORITY","auth_elevated_token_logon":true,"auth_event_action":"LOGON_SUCCESS","auth_failed_logon_count":0,"auth_impersonation_level":"IMPERSONATION_LOCAL_ONLY","auth_interactive_logon":false,"auth_key_length":0,"auth_logon_id":"00000000-000003E7","auth_logon_type":5,"auth_package":"Negotiate","auth_remote_device":"-","auth_remote_logon":false,"auth_remote_port":0,"auth_restricted_admin_logon":false,"auth_user_id":"S-1-5-18","auth_username":"SYSTEM","auth_virtual_account_logon":false,"backend_timestamp":"2023-01-13T17:18:36.195Z","childproc_count":0,"crossproc_count":48,"device_external_ip":"52.116.18.136","device_group_id":0,"device_id":12345678,"device_installed_by":"CBAWTD\\Administrator","device_internal_ip":"192.168.231.164","device_location":"UNKNOWN","device_name":"test_name","device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_policy":"test-monitor","device_policy_id":20622246,"device_sensor_version":"3.9.0.2352","device_target_priority":"MEDIUM","device_timestamp":"2023-01-13T17:17:45.322Z","document_guid":"e0Huct8dQRyYfOEHImpfkA","event_id":"DA9E269E-421D-469D-A212-9062888A02F4","event_report_code":"SUB_RPT_NONE","filemod_count":3,"ingress_time":1673630293265,"modload_count":1,"netconn_count":35,"org_id":"ABCD1234","parent_cmdline":"wininit.exe","parent_cmdline_length":11,"parent_effective_reputation":"TRUSTED_WHITE_LIST","parent_effective_reputation_source":"IGNORE","parent_guid":"ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262","parent_hash":["9ef51c8ad595c5e2a123c06ad39fccd7","268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86"],"parent_name":"c:\\windows\\system32\\wininit.exe","parent_pid":608,"parent_publisher":["Microsoft Windows Publisher"],"parent_publisher_state":["FILE_SIGNATURE_STATE_VERIFIED","FILE_SIGNATURE_STATE_OS","FILE_SIGNATURE_STATE_TRUSTED","FILE_SIGNATURE_STATE_SIGNED"],"parent_reputation":"TRUSTED_WHITE_LIST","process_cmdline":["C:\\Windows\\system32\\lsass.exe"],"process_cmdline_length":[29],"process_company_name":"Microsoft Corporation","process_effective_reputation":"TRUSTED_WHITE_LIST","process_effective_reputation_source":"IGNORE","process_elevated":true,"process_file_description":"Local Security Authority Process","process_guid":"ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7","process_hash":["15a556def233f112d127025ab51ac2d3","362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"],"process_integrity_level":"SYSTEM","process_internal_name":"lsass.exe","process_name":"c:\\windows\\system32\\lsass.exe","process_original_filename":"lsass.exe","process_pid":[776],"process_privileges":["SeIncreaseBasePriorityPrivilege","SeCreateGlobalPrivilege","SeChangeNotifyPrivilege","SeCreateSymbolicLinkPrivilege","SeDelegateSessionUserImpersonatePrivilege","SeSystemProfilePrivilege","SeDebugPrivilege","SeProfileSingleProcessPrivilege","SeLockMemoryPrivilege","SeCreatePagefilePrivilege","SeTimeZonePrivilege","SeTcbPrivilege","SeIncreaseWorkingSetPrivilege","SeImpersonatePrivilege","SeCreatePermanentPrivilege","SeAuditPrivilege"],"process_product_name":"Microsoft® Windows® Operating System","process_product_version":"10.0.19041.906","process_publisher":["Microsoft Windows Publisher"],"process_publisher_state":["FILE_SIGNATURE_STATE_VERIFIED","FILE_SIGNATURE_STATE_OS","FILE_SIGNATURE_STATE_TRUSTED","FILE_SIGNATURE_STATE_SIGNED"],"process_reputation":"TRUSTED_WHITE_LIST","process_sha256":"362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427","process_start_time":"2023-01-13T14:47:02.982Z","process_username":["NT AUTHORITY\\SYSTEM"],"regmod_count":11,"scriptload_count":0,"windows_event_id":4624}],"num_found":1,"num_available":1,"approximate_unaggregated":1,"num_aggregated":1,"contacted":11,"completed":11}