⚠️ Start an Enriched Events Search Job
POST {{cb_url}}/api/investigate/v2/orgs/{{cb_org_key}}/enriched_events/search_jobs
Creates an enriched events search job. The results for the search job may be requested using the job ID returned. This route will not request facets.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
| threathunter.events | CREATE |
Note: See the Event Search Fields for details on how to populate the search query.
🔸 Qodex examples provided
🔹 The variable cb_job_id is automatically updated with the value of job_id in the response.
Request Body
```json
{
  "query": "process_name:cmd.exe",
  "sort": [{ "field": "device_timestamp", "order": "asc" }],
  "fields": [
    "event_time", "event_id", "event_type", "org_id", "ttp", "device_id",
    "device_internal_ip", "device_name", "alert_id", "process_id", "process_name",
    "process_user", "process_hash", "process_guid", "netconn_protocol",
    "netconn_remote_ipv4", "netconn_remote_ipv6", "netconn_remote_port",
    "netconn_local_ipv4", "netconn_local_ipv6", "netconn_local_port",
    "netconn_domain", "netconn_inbound", "netconn_location", "netconn_action"
  ],
  "start": 0,
  "time_range": { "end": "2020-04-21T00:00:00Z", "start": "2020-04-19T00:00:00Z" }
}
```
RESPONSES
status: OK
```json
{ "job_id": "3dd488d2-6ae1-4ce5-bc69-f91cebaff0ee" }
```
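The request above as a small client, added here as an example; it is not Qodex's or Carbon Black's own code. It builds the same body the page shows (same query, sort, field list and time range), POSTs it to the search_jobs route, and pulls job_id out of the response so it can be handed to the follow-up results request the page refers to. Assumptions: the API key is sent in an X-Auth-Token header (the credential string and the cb_url / org_key values are placeholders), and only the Python standard library is used. The body is validated before sending because the API rejects an empty query and an unknown sort order, and an empty or missing job_id is treated as a failure rather than silently carried into the next call.

```python
import json
import urllib.request
from urllib.parse import quote

# Field list copied from the page's example request body.
DEFAULT_FIELDS = [
    "event_time", "event_id", "event_type", "org_id", "ttp", "device_id",
    "device_internal_ip", "device_name", "alert_id", "process_id", "process_name",
    "process_user", "process_hash", "process_guid", "netconn_protocol",
    "netconn_remote_ipv4", "netconn_remote_ipv6", "netconn_remote_port",
    "netconn_local_ipv4", "netconn_local_ipv6", "netconn_local_port",
    "netconn_domain", "netconn_inbound", "netconn_location", "netconn_action",
]


def build_search_body(query, start, end, fields=None,
                      sort_field="device_timestamp", order="asc", offset=0):
    """Return the JSON-serialisable body for the search-job POST.

    start/end are ISO 8601 UTC timestamps, as in the page's example
    ("2020-04-19T00:00:00Z"). offset maps to the body's "start" key.
    """
    if not query or not query.strip():
        raise ValueError("query must not be empty")
    if order not in ("asc", "desc"):
        raise ValueError("order must be 'asc' or 'desc'")
    return {
        "query": query,
        "sort": [{"field": sort_field, "order": order}],
        "fields": list(fields or DEFAULT_FIELDS),
        "start": offset,
        "time_range": {"start": start, "end": end},
    }


def search_jobs_url(cb_url, org_key):
    """Assemble the route from the page: /api/investigate/v2/orgs/{org_key}/enriched_events/search_jobs."""
    return (f"{cb_url.rstrip('/')}/api/investigate/v2/orgs/"
            f"{quote(org_key, safe='')}/enriched_events/search_jobs")


def build_request(cb_url, org_key, api_token, body):
    """Build (but do not send) the POST request.

    Assumption: authentication is an X-Auth-Token header carrying the API
    key credential; api_token is a placeholder supplied by the caller.
    """
    return urllib.request.Request(
        search_jobs_url(cb_url, org_key),
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json", "X-Auth-Token": api_token},
        method="POST",
    )


def extract_job_id(response_text):
    """Parse the {"job_id": "..."} response; fail loudly if the id is absent."""
    data = json.loads(response_text)
    job_id = data.get("job_id") if isinstance(data, dict) else None
    if not isinstance(job_id, str) or not job_id:
        raise ValueError(f"no job_id in response: {response_text!r}")
    return job_id


def start_search_job(cb_url, org_key, api_token, body, timeout=30):
    """Send the POST and return the job_id for the subsequent results request."""
    req = build_request(cb_url, org_key, api_token, body)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_job_id(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder values; replace with your instance URL, org key and API credential.
    body = build_search_body("process_name:cmd.exe",
                             "2020-04-19T00:00:00Z", "2020-04-21T00:00:00Z")
    print(start_search_job("https://CB_URL_PLACEHOLDER", "ORG_KEY_PLACEHOLDER",
                           "API_TOKEN_PLACEHOLDER", body))
```

The returned job_id is the value Qodex stores in cb_job_id; keep it alongside the query and time range you submitted, since the results call is only meaningful in that context.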