Start an Enriched Events Search Job
POST {{cb_url}}/api/investigate/v2/orgs/{{cb_org_key}}/enriched_events/search_jobs
Creates an enriched events search job. The results for the search job may be requested using the job ID returned. This route will not request facets.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
| threathunter.events | CREATE |
Note: See the Event Search Fields for details on how to populate the search query.
🔹 The variable cb_job_id is automatically updated with the value of job_id in the response.
Request Body
```json
{
  "query": "process_name:cmd.exe",
  "sort": [
    { "field": "device_timestamp", "order": "asc" }
  ],
  "fields": [
    "event_time", "event_id", "event_type", "org_id", "ttp",
    "device_id", "device_internal_ip", "device_name", "alert_id",
    "process_id", "process_name", "process_user", "process_hash", "process_guid",
    "netconn_protocol", "netconn_remote_ipv4", "netconn_remote_ipv6", "netconn_remote_port",
    "netconn_local_ipv4", "netconn_local_ipv6", "netconn_local_port",
    "netconn_domain", "netconn_inbound", "netconn_location", "netconn_action"
  ],
  "start": 0,
  "time_range": {
    "start": "2020-04-19T00:00:00Z",
    "end": "2020-04-21T00:00:00Z"
  }
}
```
RESPONSES
status: OK
```json
{ "job_id": "3dd488d2-6ae1-4ce5-bc69-f91cebaff0ee" }
```
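A small Python client for this route, added here as an example and not taken from the vendor's SDK or from this page: it builds the request body shown above, validates the `time_range` before sending, POSTs the job and returns the `job_id`. The host, org key and the `X-Auth-Token` header value are placeholders or assumptions (the page does not state how the request is authenticated); `cb_url` and `cb_org_key` correspond to the collection variables in the URL template.

```python
import json
import uuid
from datetime import datetime, timezone
from urllib import request

# Placeholders standing in for the {{cb_url}} / {{cb_org_key}} collection variables (not real values).
CB_URL = "https://cbc-host.example.invalid"
CB_ORG_KEY = "EXAMPLEORGKEY"

# A subset of the fields listed in the page's request body.
DEFAULT_FIELDS = ["event_time", "event_id", "event_type", "device_id", "device_name",
                  "process_name", "process_hash", "netconn_remote_ipv4", "netconn_remote_port"]

def _iso_utc(value: str) -> datetime:
    # The page's example uses "2020-04-19T00:00:00Z"; accept only that UTC ISO 8601 shape.
    if not value.endswith("Z"):
        raise ValueError(f"timestamp must be UTC with a trailing Z: {value}")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_search_job(query, start, end, fields=None, cb_url=CB_URL, org_key=CB_ORG_KEY):
    """Return (url, body) for POST .../enriched_events/search_jobs, rejecting an inverted time range."""
    if _iso_utc(start) >= _iso_utc(end):
        raise ValueError("time_range.start must be earlier than time_range.end")
    url = f"{cb_url}/api/investigate/v2/orgs/{org_key}/enriched_events/search_jobs"
    body = {
        "query": query,
        "sort": [{"field": "device_timestamp", "order": "asc"}],
        "fields": list(fields or DEFAULT_FIELDS),
        "start": 0,
        "time_range": {"start": start, "end": end},
    }
    return url, body

def parse_job_id(response_text: str) -> str:
    """Extract job_id from the search-job response and check it is a well-formed UUID."""
    job_id = json.loads(response_text)["job_id"]
    return str(uuid.UUID(job_id))  # raises ValueError on a malformed id

def start_search_job(query, start, end, api_token, **kw):
    """POST the job and return its id; api_token goes in X-Auth-Token (assumed header, not from the page)."""
    url, body = build_search_job(query, start, end, **kw)
    req = request.Request(url, data=json.dumps(body).encode(), method="POST",
                          headers={"X-Auth-Token": api_token, "Content-Type": "application/json"})
    with request.urlopen(req, timeout=30) as resp:
        return parse_job_id(resp.read().decode())
```

The returned id is what the collection stores in `cb_job_id` for the follow-up results request.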