Get Auth Events Search Group Results

POST {{cb_url}}/api/investigate/v2/orgs/{{cb_org_key}}/auth_events/search_jobs/{{cb_job_id}}/group_results

Retrieves the auth events search group results for a given job_id. Results will be grouped based on the fields provided and/or by timestamp field duration.

This call is asynchronous: results may be returned immediately, but they are only complete once the search job finishes. The job is complete when contacted == completed in the response; until then, treat whatever is returned as a partial snapshot.

Grouping with timestamp field
There are two different methods of grouping available when a timestamp field is specified:

Interval (default) - after sorting by timestamp, an event joins the current group when the difference between it and the previous event is less than the requested duration. Because each event is compared only with its neighbour, a group can chain together over a span much longer than the duration.
Example:
{ event1 = 10:00:00, event2 = 10:07:00, event3 = 10:21:00, event4 = 10:09:00, duration = 10m }
event1, event2, and event4 will be grouped into one group, since the time difference between consecutive sorted events (10:00, 10:07, 10:09) is less than the duration; event3 starts a new group because the gap from 10:09 to 10:21 exceeds it.

Bucket - groups the documents in buckets of duration length, meaning the time difference between the earliest and latest event within a group can be at most the duration.
Example:
{ event1 = 10:00:00, event2 = 10:07:00, event3 = 10:13:00, event4 = 10:21:00, duration = 10m }
event1 and event2 will be grouped into the first group since the time difference between them is less than the duration; event3 will not be added to the first group because it would push the group's span (10:00 to 10:13) past the bucket's 10m capacity.
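The two grouping methods, implemented over the page's own examples so the difference is visible on real input. This is an added example, not code from the page or from the Carbon Black Cloud API; the duration shorthand parser and the choice to anchor each bucket at its first event (rather than on fixed clock boundaries, which the page's example does not distinguish) are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample input: the two worked examples from this page, as name -> HH:MM:SS.
INTERVAL_EXAMPLE = {"event1": "10:00:00", "event2": "10:07:00",
                    "event3": "10:21:00", "event4": "10:09:00"}
BUCKET_EXAMPLE = {"event1": "10:00:00", "event2": "10:07:00",
                  "event3": "10:13:00", "event4": "10:21:00"}

_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def parse_duration(text: str) -> timedelta:
    """Parse the page's duration shorthand ("10m", "1h", "1w") into a timedelta.
    Assumption: a bare count followed by one of s/m/h/d/w."""
    unit = text[-1]
    if unit not in _UNITS or not text[:-1].isdigit():
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(**{_UNITS[unit]: int(text[:-1])})


def _sorted_events(events: dict[str, str]) -> list[tuple[str, datetime]]:
    parsed = [(name, datetime.strptime(ts, "%H:%M:%S")) for name, ts in events.items()]
    return sorted(parsed, key=lambda nt: nt[1])


def group_interval(events: dict[str, str], duration: str) -> list[list[str]]:
    """Interval method: after sorting, an event joins the current group when the
    gap to the previous event is less than the duration, otherwise it starts a
    new group. Groups can chain over a span much longer than the duration."""
    limit = parse_duration(duration)
    groups, prev = [], None
    for name, t in _sorted_events(events):
        if prev is None or t - prev >= limit:
            groups.append([])
        groups[-1].append(name)
        prev = t
    return groups


def group_bucket(events: dict[str, str], duration: str) -> list[list[str]]:
    """Bucket method: the first event opens a bucket and later events join while
    they fall within one duration of that opening event, so a group's span is
    capped. Assumption: buckets start at their first event, not on fixed clock
    boundaries."""
    limit = parse_duration(duration)
    groups, start = [], None
    for name, t in _sorted_events(events):
        if start is None or t - start >= limit:
            groups.append([])
            start = t
        groups[-1].append(name)
    return groups


def group_events(events: dict[str, str], duration: str = "10m",
                 method: str = "interval") -> list[list[str]]:
    """Dispatch mirroring range.method; 'interval' is the page's default."""
    if method == "interval":
        return group_interval(events, duration)
    if method == "bucket":
        return group_bucket(events, duration)
    raise ValueError(f"unknown grouping method: {method!r}")


if __name__ == "__main__":
    for label, data in (("interval example", INTERVAL_EXAMPLE),
                        ("bucket example", BUCKET_EXAMPLE)):
        print(label, "interval ->", group_events(data, "10m", "interval"))
        print(label, "bucket   ->", group_events(data, "10m", "bucket"))
```

Running the bucket example through both methods shows why the choice matters for triage: with interval grouping the four events (gaps of 7, 6 and 8 minutes) collapse into a single group spanning 21 minutes, while bucket grouping caps each group at the 10m duration and yields two groups.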

RBAC Permissions Required

Permission (.notation name)    Operation(s)
org.search.events              READ

Request Body Schema

{
  "fields": [
    "<string>"
  ],
  "max_events_per_group": <integer>,
  "range": {
    "duration": "<string>",
    "field": "<string>",
    "method": "<string>"
  },
  "rows": <integer>,
  "start": <integer>
}


Request Body

{
  "fields": ["auth_username"],
  "range": {"duration": "-1w"},
  "rows": 1
}

RESPONSES

status: OK

{
  "group_results": [
    {
      "group_key": "auth_username",
      "group_value": "SYSTEM",
      "group_start_timestamp": "2023-01-13T17:17:45.322Z",
      "group_end_timestamp": "2023-01-13T17:17:45.322Z",
      "results": [
        {
          "auth_cleartext_credentials_logon": false,
          "auth_daemon_logon": true,
          "auth_domain_name": "NT AUTHORITY",
          "auth_elevated_token_logon": true,
          "auth_event_action": "LOGON_SUCCESS",
          "auth_failed_logon_count": 0,
          "auth_impersonation_level": "IMPERSONATION_LOCAL_ONLY",
          "auth_interactive_logon": false,
          "auth_key_length": 0,
          "auth_logon_id": "00000000-000003E7",
          "auth_logon_type": 5,
          "auth_package": "Negotiate",
          "auth_remote_device": "-",
          "auth_remote_logon": false,
          "auth_remote_port": 0,
          "auth_restricted_admin_logon": false,
          "auth_user_id": "S-1-5-18",
          "auth_username": "SYSTEM",
          "auth_virtual_account_logon": false,
          "backend_timestamp": "2023-01-13T17:18:36.195Z",
          "childproc_count": 0,
          "crossproc_count": 48,
          "device_external_ip": "52.116.18.136",
          "device_group_id": 0,
          "device_id": 17686136,
          "device_installed_by": "CBAWTD\\Administrator",
          "device_internal_ip": "192.168.231.164",
          "device_location": "UNKNOWN",
          "device_name": "test_name",
          "device_os": "WINDOWS",
          "device_os_version": "Windows 10 x64",
          "device_policy": "test-monitor",
          "device_policy_id": 20622246,
          "device_sensor_version": "3.9.0.2352",
          "device_target_priority": "MEDIUM",
          "device_timestamp": "2023-01-13T17:17:45.322Z",
          "document_guid": "e0Huct8dQRyYfOEHImpfkA",
          "event_id": "DA9E269E-421D-469D-A212-9062888A02F4",
          "event_report_code": "SUB_RPT_NONE",
          "filemod_count": 3,
          "ingress_time": 1673630293265,
          "modload_count": 1,
          "netconn_count": 35,
          "org_id": "ABCD1234",
          "parent_cmdline": "wininit.exe",
          "parent_cmdline_length": 11,
          "parent_effective_reputation": "TRUSTED_WHITE_LIST",
          "parent_effective_reputation_source": "IGNORE",
          "parent_guid": "ABCD1234-010dde78-00000260-00000000-1d9275de5e5b262",
          "parent_hash": [
            "9ef51c8ad595c5e2a123c06ad39fccd7",
            "268ca325c8f12e68b6728ff24d6536030aab6e05603d0179033b1e51d8476d86"
          ],
          "parent_name": "c:\\windows\\system32\\wininit.exe",
          "parent_pid": 608,
          "parent_publisher": ["Microsoft Windows Publisher"],
          "parent_publisher_state": [
            "FILE_SIGNATURE_STATE_VERIFIED",
            "FILE_SIGNATURE_STATE_OS",
            "FILE_SIGNATURE_STATE_TRUSTED",
            "FILE_SIGNATURE_STATE_SIGNED"
          ],
          "parent_reputation": "TRUSTED_WHITE_LIST",
          "process_cmdline": ["C:\\Windows\\system32\\lsass.exe"],
          "process_cmdline_length": [29],
          "process_company_name": "Microsoft Corporation",
          "process_effective_reputation": "TRUSTED_WHITE_LIST",
          "process_effective_reputation_source": "IGNORE",
          "process_elevated": true,
          "process_file_description": "Local Security Authority Process",
          "process_guid": "ABCD1234-010dde78-00000308-00000000-1d9275de6169dd7",
          "process_hash": [
            "15a556def233f112d127025ab51ac2d3",
            "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427"
          ],
          "process_integrity_level": "SYSTEM",
          "process_internal_name": "lsass.exe",
          "process_issuer": ["Microsoft Windows Production PCA 2011"],
          "process_name": "c:\\windows\\system32\\lsass.exe",
          "process_original_filename": "lsass.exe",
          "process_pid": [776],
          "process_privileges": [
            "SeIncreaseBasePriorityPrivilege",
            "SeCreateGlobalPrivilege",
            "SeChangeNotifyPrivilege",
            "SeCreateSymbolicLinkPrivilege",
            "SeDelegateSessionUserImpersonatePrivilege",
            "SeSystemProfilePrivilege",
            "SeDebugPrivilege",
            "SeProfileSingleProcessPrivilege",
            "SeLockMemoryPrivilege",
            "SeCreatePagefilePrivilege",
            "SeTimeZonePrivilege",
            "SeTcbPrivilege",
            "SeIncreaseWorkingSetPrivilege",
            "SeImpersonatePrivilege",
            "SeCreatePermanentPrivilege",
            "SeAuditPrivilege"
          ],
          "process_product_name": "Microsoft® Windows® Operating System",
          "process_product_version": "10.0.19041.906",
          "process_publisher": ["Microsoft Windows Publisher"],
          "process_publisher_state": [
            "FILE_SIGNATURE_STATE_VERIFIED",
            "FILE_SIGNATURE_STATE_OS",
            "FILE_SIGNATURE_STATE_TRUSTED",
            "FILE_SIGNATURE_STATE_SIGNED"
          ],
          "process_reputation": "TRUSTED_WHITE_LIST",
          "process_sha256": "362ab9743ff5d0f95831306a780fc3e418990f535013c80212dd85cb88ef7427",
          "process_start_time": "2023-01-13T14:47:02.982Z",
          "process_username": ["NT AUTHORITY\\SYSTEM"],
          "regmod_count": 11,
          "scriptload_count": 0,
          "windows_event_id": 4624
        }
      ],
      "total_events": 1
    }
  ],
  "num_found": 1,
  "num_available": 1,
  "groups_num_available": 1,
  "approximate_unaggregated": 1,
  "num_aggregated": 1,
  "contacted": 11,
  "completed": 11
}
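A small client that applies the completeness rule from this page (re-POST the same body until contacted == completed, and only then trust the groups) and reduces each returned group to the fields an analyst triages first. This is an added example, not code from the page, the Carbon Black Cloud API or its SDK. The X-Auth-Token header, the cb_url value and the replay transport used for offline runs are assumptions; the sample responses are constructed by trimming the page's example response, with one extra partial snapshot to exercise the polling loop.

```python
import json
import time
import urllib.request
from typing import Callable

Poster = Callable[[str, dict, str], dict]


def group_results_url(cb_url: str, org_key: str, job_id: str) -> str:
    """Endpoint layout from this page; the arguments are the page's placeholders."""
    return (f"{cb_url}/api/investigate/v2/orgs/{org_key}"
            f"/auth_events/search_jobs/{job_id}/group_results")


def http_post_json(url: str, body: dict, api_token: str) -> dict:
    """Real transport. Assumption: the API key is sent as the X-Auth-Token header."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "X-Auth-Token": api_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def is_complete(resp: dict) -> bool:
    """The page's completeness rule: the job is done once contacted == completed."""
    return "contacted" in resp and resp["contacted"] == resp.get("completed")


def poll_group_results(post: Poster, url: str, body: dict, api_token: str,
                       attempts: int = 30, delay: float = 2.0) -> dict:
    """Re-POST the same body until the job reports complete. Every poll returns a
    snapshot, but acting on a partial one (e.g. 'no failed logons seen') is a
    false negative waiting to happen, so only the final response is returned."""
    last: dict = {}
    for _ in range(attempts):
        last = post(url, body, api_token)
        if is_complete(last):
            return last
        time.sleep(delay)
    raise TimeoutError(
        f"job not complete after {attempts} polls: "
        f"contacted={last.get('contacted')} completed={last.get('completed')}")


def summarize_groups(resp: dict) -> list[dict]:
    """One row per group: grouping key/value, event count, and the distinct logon
    types, event actions and Windows event IDs seen inside the group."""
    rows = []
    for g in resp.get("group_results", []):
        evs = g.get("results", [])
        rows.append({
            "group": f"{g['group_key']}={g['group_value']}",
            "total_events": g["total_events"],
            "logon_types": sorted({e["auth_logon_type"] for e in evs}),
            "actions": sorted({e["auth_event_action"] for e in evs}),
            "windows_event_ids": sorted({e["windows_event_id"] for e in evs}),
        })
    return rows


# Constructed sample responses, trimmed from the page's example. The first is a
# partial snapshot (contacted != completed); the second is the finished job.
_EVENT = {"auth_username": "SYSTEM", "auth_logon_type": 5,
          "auth_event_action": "LOGON_SUCCESS", "windows_event_id": 4624}
SAMPLE_PARTIAL = {"group_results": [], "num_found": 0, "contacted": 11, "completed": 4}
SAMPLE_COMPLETE = {
    "group_results": [{"group_key": "auth_username", "group_value": "SYSTEM",
                       "results": [_EVENT], "total_events": 1}],
    "num_found": 1, "contacted": 11, "completed": 11}


def replay_poster(responses: list[dict]) -> Poster:
    """Offline stand-in for http_post_json that hands back canned responses in order."""
    it = iter(responses)

    def post(url: str, body: dict, api_token: str) -> dict:
        return next(it)
    return post


def demo() -> list[dict]:
    # Hypothetical cb_url and credential; swap replay_poster for http_post_json to go live.
    url = group_results_url("https://defense.example", "ABCD1234", "job-id")
    body = {"fields": ["auth_username"], "range": {"duration": "-1w"}, "rows": 1}
    final = poll_group_results(replay_poster([SAMPLE_PARTIAL, SAMPLE_COMPLETE]),
                               url, body, "api-secret/api-id", delay=0)
    return summarize_groups(final)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The summary deliberately keeps auth_logon_type and windows_event_id next to the grouping value: in the page's sample the SYSTEM group is a logon type 5 (service) 4624 from lsass.exe, which is routine, whereas the same username paired with a remote or interactive logon type would be worth a closer look.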