Start Auth Events Facet Job
POST {{cb_url}}/api/investigate/v2/orgs/{{cb_org_key}}/auth_events/facet_jobs
Creates an Auth Events Facet job. The results for the facet job may be requested using the job_id returned. This route will not request processes.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.search.events | READ, CREATE |
Request Body Schema
{
"criteria": {
"": [ { "": "" } ]
},
"exclusions": {
"": [ { "": "" } ]
},
"query": "",
"ranges": [
{
"bucket_size": { "": "" },
"end": { "": "" },
"field": "",
"start": { "": "" }
}
],
"terms": {
"fields": [ "" ],
"rows":
},
"time_range": {
"end": "",
"start": "",
"window": ""
}
}
See Documentation about the APIs
Request Body
{
"criteria": {},
"exclusions": {},
"query": "(auth_username:Administrator) AND (device_name:test_name)",
"terms": {
"fields": ["windows_event_id", "auth_username", "auth_user_id", "auth_logon_type", "auth_logon_id", "auth_domain_name", "auth_remote_device", "auth_remote_ipv4", "auth_remote_port", "auth_privileges", "auth_interactive_logon", "auth_remote_logon", "parent_guid", "process_name", "device_name"],
"rows": 1
},
"time_range": {
"start": "2023-01-10T16:20:40.471Z",
"end": "2023-01-20T16:20:40.471Z"
}
}
RESPONSES
status: OK
{"job_id":"cdae1f8a-d5dc-4f2f-aec0-d924a973b026"}
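The request above, built and submitted from a script, as an added example that is not part of the original documentation. The function names, the shortened facet field list, the character allow-list for query values and the `X-Auth-Token` header (not shown on this page) are assumptions of the example.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Subset of the facet fields used in the request body on this page.
FACET_FIELDS = ["windows_event_id", "auth_username", "auth_logon_type",
                "auth_remote_ipv4", "device_name"]

def _iso(ts):
    # Millisecond-precision UTC timestamp, same shape as the page's sample values.
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def build_facet_job(username, device, start, end, fields=FACET_FIELDS, rows=1):
    """Build the facet job body; reject inputs that would change the query's meaning."""
    for value in (username, device):
        # Assumption: a conservative allow-list, so caller-supplied text cannot
        # add operators or extra clauses to the search query.
        if not value or not all(c.isalnum() or c in "._-" for c in value):
            raise ValueError(f"unsafe query value: {value!r}")
    if start.tzinfo is None or end.tzinfo is None or start >= end:
        raise ValueError("time_range needs timezone-aware start < end")
    if not fields or rows < 1:
        raise ValueError("terms needs at least one field and rows >= 1")
    return {
        "criteria": {}, "exclusions": {},
        "query": f"(auth_username:{username}) AND (device_name:{device})",
        "terms": {"fields": list(fields), "rows": rows},
        "time_range": {"start": _iso(start), "end": _iso(end)},
    }

def start_facet_job(cb_url, org_key, api_token, body, timeout=30):
    """POST the body to the facet_jobs route and return the job_id from the response."""
    req = urllib.request.Request(
        f"{cb_url.rstrip('/')}/api/investigate/v2/orgs/{org_key}/auth_events/facet_jobs",
        data=json.dumps(body).encode(), method="POST",
        # Assumption: API credentials are passed in the X-Auth-Token header.
        headers={"Content-Type": "application/json", "X-Auth-Token": api_token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["job_id"]

if __name__ == "__main__":
    # Constructed sample input matching the time range in the request body above.
    end = datetime(2023, 1, 20, 16, 20, 40, 471000, tzinfo=timezone.utc)
    print(json.dumps(build_facet_job("Administrator", "test_name",
                                     end - timedelta(days=10), end), indent=2))
```

Running the file prints the body without contacting the API; `start_facet_job` needs a key whose role has the `org.search.events` READ and CREATE permission listed above.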