⚠️ Start an Enriched Events Search Job

POST {{cb_url}}/api/investigate/v2/orgs/{{cb_org_key}}/enriched_events/search_jobs

Creates an enriched events search job. The results for the search job may be requested using the job ID returned. This route will not request facets.

RBAC Permissions Required

Permission (.notation name)    Operation(s)
threathunter.events            CREATE

Note: See the Event Search Fields for details on how to populate the search query.

🔸 Qodex examples provided
🔹 The variable cb_job_id is automatically updated with the value of job_id in the response.

Request Body

{
  "query": "process_name:cmd.exe",
  "sort": [
    {"field": "device_timestamp", "order": "asc"}
  ],
  "fields": [
    "event_time", "event_id", "event_type", "org_id", "ttp",
    "device_id", "device_internal_ip", "device_name", "alert_id",
    "process_id", "process_name", "process_user", "process_hash", "process_guid",
    "netconn_protocol", "netconn_remote_ipv4", "netconn_remote_ipv6", "netconn_remote_port",
    "netconn_local_ipv4", "netconn_local_ipv6", "netconn_local_port",
    "netconn_domain", "netconn_inbound", "netconn_location", "netconn_action"
  ],
  "start": 0,
  "time_range": {
    "start": "2020-04-19T00:00:00Z",
    "end": "2020-04-21T00:00:00Z"
  }
}

RESPONSES

status: OK

{"job_id":"3dd488d2-6ae1-4ce5-bc69-f91cebaff0ee"}
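The following is an added example, not code from the Carbon Black Cloud documentation or the Qodex collection. It builds the request body shown above (with the time-range sanity check a hunting script should have), submits it to the route, and validates the job_id in the response before it is stored for later polling. The X-Auth-Token header format ("<api_secret>/<api_id>"), the urllib-based POST, and the placeholder URL, org key and credentials are assumptions; the endpoint that consumes the job_id is not described on this page and is deliberately not called here.

```python
"""Start a Carbon Black Cloud enriched-events search job and capture its job_id.

Added example; not the vendor's or Qodex's code. Network access happens only
in start_search_job(); the builder and parser below run offline.
"""
import json
import re
import urllib.request
from datetime import datetime
from typing import Any, Dict, List, Optional

# Assumption: CBC API keys are presented as "<api_secret>/<api_id>" in X-Auth-Token.
PLACEHOLDER_CB_URL = "https://defense.example.invalid"      # replace with your cb_url
PLACEHOLDER_ORG_KEY = "ORGKEY00"                            # replace with your cb_org_key
PLACEHOLDER_API_ID = "API_ID_PLACEHOLDER"
PLACEHOLDER_API_SECRET = "API_SECRET_PLACEHOLDER"

# Same field list as the request body on this page.
DEFAULT_FIELDS: List[str] = [
    "event_time", "event_id", "event_type", "org_id", "ttp",
    "device_id", "device_internal_ip", "device_name", "alert_id",
    "process_id", "process_name", "process_user", "process_hash", "process_guid",
    "netconn_protocol", "netconn_remote_ipv4", "netconn_remote_ipv6", "netconn_remote_port",
    "netconn_local_ipv4", "netconn_local_ipv6", "netconn_local_port",
    "netconn_domain", "netconn_inbound", "netconn_location", "netconn_action",
]

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")


def build_search_body(query: str, start: str, end: str,
                      fields: Optional[List[str]] = None,
                      sort_field: str = "device_timestamp",
                      order: str = "asc", offset: int = 0) -> Dict[str, Any]:
    """Assemble the JSON body for the search_jobs route.

    start/end must be UTC timestamps in the page's format; an inverted or
    empty window is rejected here rather than being sent to the API.
    """
    t_start = datetime.strptime(start, TIME_FMT)
    t_end = datetime.strptime(end, TIME_FMT)
    if t_start >= t_end:
        raise ValueError(f"time_range start {start} must precede end {end}")
    if order not in ("asc", "desc"):
        raise ValueError("sort order must be 'asc' or 'desc'")
    return {
        "query": query,
        "sort": [{"field": sort_field, "order": order}],
        "fields": list(fields) if fields is not None else list(DEFAULT_FIELDS),
        "start": offset,
        "time_range": {"start": start, "end": end},
    }


def parse_job_id(response_text: str) -> str:
    """Extract job_id from the route's response and check it looks like a UUID.

    Rejecting malformed values here avoids interpolating arbitrary response
    content into the results URL later on.
    """
    data = json.loads(response_text)
    job_id = data.get("job_id") if isinstance(data, dict) else None
    if not isinstance(job_id, str) or not UUID_RE.match(job_id):
        raise ValueError("response did not contain a well-formed job_id")
    return job_id


def start_search_job(cb_url: str, org_key: str, api_id: str, api_secret: str,
                     body: Dict[str, Any], timeout: int = 30) -> str:
    """POST the body to the search_jobs route and return the job_id (network call)."""
    url = f"{cb_url}/api/investigate/v2/orgs/{org_key}/enriched_events/search_jobs"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "X-Auth-Token": f"{api_secret}/{api_id}",   # assumed CBC token format
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_job_id(resp.read().decode("utf-8"))


if __name__ == "__main__":
    body = build_search_body("process_name:cmd.exe",
                             "2020-04-19T00:00:00Z", "2020-04-21T00:00:00Z")
    print(json.dumps(body, indent=2))
    # Constructed sample response, matching the one shown on the page.
    sample_response = '{"job_id":"3dd488d2-6ae1-4ce5-bc69-f91cebaff0ee"}'
    print("cb_job_id =", parse_job_id(sample_response))
    # To actually submit: start_search_job(PLACEHOLDER_CB_URL, PLACEHOLDER_ORG_KEY,
    #                                      PLACEHOLDER_API_ID, PLACEHOLDER_API_SECRET, body)
```

The job_id returned by start_search_job is what the collection stores in cb_job_id; keep the validated value and hand it to whatever results route your client uses, rather than trusting the raw response string.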