Start Auth Events Facet Job

POST {{cb_url}}/api/investigate/v2/orgs/{{cb_org_key}}/auth_events/facet_jobs

Creates an Auth Events Facet job. The results for the facet job may be requested using the job_id returned. This route will not request processes.

RBAC Permissions Required

Permission (.notation name) | Operation(s)
org.search.events | READ, CREATE

Request Body Schema

{
  "criteria": {
    "": [ { "": "" } ]
  },
  "exclusions": {
    "": [ { "": "" } ]
  },
  "query": "",
  "ranges": [
    {
      "bucket_size": { "": "" },
      "end": { "": "" },
      "field": "",
      "start": { "": "" }
    }
  ],
  "terms": {
    "fields": [ "" ],
    "rows": 
  },
  "time_range": {
    "end": "",
    "start": "",
    "window": ""
  }
}

See Documentation about the APIs

Information on Fields

Request Body

{
  "criteria": {},
  "exclusions": {},
  "query": "(auth_username:Administrator) AND (device_name:test_name)",
  "terms": {
    "fields": [
      "windows_event_id",
      "auth_username",
      "auth_user_id",
      "auth_logon_type",
      "auth_logon_id",
      "auth_domain_name",
      "auth_remote_device",
      "auth_remote_ipv4",
      "auth_remote_port",
      "auth_privileges",
      "auth_interactive_logon",
      "auth_remote_logon",
      "parent_guid",
      "process_name",
      "device_name"
    ],
    "rows": 1
  },
  "time_range": {
    "start": "2023-01-10T16:20:40.471Z",
    "end": "2023-01-20T16:20:40.471Z"
  }
}

RESPONSES

status: OK

{"job_id":"cdae1f8a-d5dc-4f2f-aec0-d924a973b026"}
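
The request and response above, as an added Python example that is not part of the original documentation: it builds the sample request body for one user on one device, prepares the POST, and checks the returned job_id. The function names, the `X-Auth-Token` header name and the allowlist on query values are assumptions; the page does not document authentication or query escaping.

```python
import json
import re
import urllib.request
import uuid
from datetime import datetime, timedelta, timezone

# Conservative allowlist (an assumption): the page does not document query
# escaping, so values that could alter the query syntax are rejected.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.-]+$")


def iso_ms(ts):
    """Format an aware datetime like the page's sample: 2023-01-10T16:20:40.471Z"""
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def build_facet_job(username, device, fields, end, days=10, rows=1):
    """Build the request body for one user's auth events on one device."""
    for value in (username, device):
        if not SAFE_VALUE.match(value):
            raise ValueError(f"unsafe query value: {value!r}")
    if not fields or rows < 1 or days < 1:
        raise ValueError("fields must be non-empty; rows and days must be positive")
    return {
        "criteria": {},
        "exclusions": {},
        "query": f"(auth_username:{username}) AND (device_name:{device})",
        "terms": {"fields": list(fields), "rows": rows},
        "time_range": {"start": iso_ms(end - timedelta(days=days)), "end": iso_ms(end)},
    }


def facet_job_request(cb_url, org_key, token, body):
    """Prepare (but do not send) the POST; pass the result to urllib.request.urlopen."""
    url = f"{cb_url.rstrip('/')}/api/investigate/v2/orgs/{org_key}/auth_events/facet_jobs"
    headers = {"Content-Type": "application/json", "X-Auth-Token": token}  # header name assumed
    return urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")


def parse_job_id(raw):
    """Extract job_id from the response body and confirm it is a UUID, as in the sample."""
    return str(uuid.UUID(json.loads(raw)["job_id"]))
```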