Get Threat Hunt Information
GET {{cb_url}}/mdr/threathuntingview/v1/orgs/{{cb_org_key}}/threathunts/{{cb_threat_hunt_id}}
Use this API to get descriptive information about a threat hunt (a targeted investigation) conducted by the MDR team.
RBAC Permissions Required
Permission (dot-notation name) | Operation(s) |
---|---|
org.mdr.threathunts | READ |
See Documentation about the APIs
RESPONSES
status: OK
{"num_found":1,"num_available":1,"results":[{"org_key":"ABCD1234","alert_url":"defense-dev01.cbdtest.io/alerts?s[c][query_string]=id:afd82593-1388-42dd-aeec-368a3573e91a\u0026orgKey=ABCD1234","id":"afd82593-1388-42dd-aeec-368a3573e91a","type":"WATCHLIST","backend_timestamp":"2023-09-20T03:06:07.545Z","user_update_timestamp":"2023-09-22T21:02:38.233Z","backend_update_timestamp":"2023-09-20T03:06:07.545Z","detection_timestamp":"2023-09-20T03:03:22.069Z","first_event_timestamp":"2023-09-11T17:10:39.569Z","last_event_timestamp":"2023-09-11T17:10:39.569Z","severity":5,"reason":"Process powershell.exe was detected by the report \"Execution - Powershell Executing with Invoke-Expression\" in watchlist \"Managed Detection and Response Intelligence\"","reason_code":"025d2c1e-2335-3511-87b8-d6d33d4e387c:5d9af405-d0c6-3f66-9361-c2aa0f9b70f8","threat_id":"025D2C1E23358511C7B8D6D33D4E387C","primary_event_id":"rQkv9WCbSQO8uTLcWFabnw-0","policy_applied":"NOT_APPLIED","run_state":"RAN","sensor_action":"ALLOW","workflow":{"change_timestamp":"2023-09-20T03:06:07.545Z","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION","closure_reason":"NO_REASON","status":"OPEN"},"determination":{"change_timestamp":"2023-09-20T03:06:07.545Z","value":"NONE","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION"},"tags":null,"alert_notes_present":true,"threat_notes_present":false,"asset_id":null,"is_updated":false,"device_id":12345678,"device_name":"demodevice","device_uem_id":"","device_target_value":"MEDIUM","device_policy":"demopolicy","device_policy_id":123123,"device_os":"WINDOWS","device_os_version":"Windows 10 
x64","device_location":"UNKNOWN","device_external_ip":"1.2.3.4","device_internal_ip":"5.6.7.8","mdr_alert":true,"mdr_workflow":{"change_timestamp":"2023-09-22T21:02:38.233Z","status":"TRIAGE_COMPLETE","is_assigned":true},"mdr_determination":{"change_timestamp":"2023-09-22T21:02:38.233Z","value":"LIKELY_THREAT"},"mdr_alert_notes_present":true,"mdr_threat_notes_present":false,"report_id":"Hf02hPgRSODd1tiEbUnw-FF392B02-C879-4BF5-B21E-7D6F2889BAE6","report_name":"Execution - Powershell Executing with Invoke-Expression","report_description":"Powershell can be given commands to download arbitrary content from the Internet and execute it. This could be used for persistence or for large-scale attacks.","report_tags":["powershell","script","t1059","iex","attackframework","attack","windows"],"report_link":"https://attack.mitre.org/techniques/T1059/001/","ioc_id":"FF392B02-C879-4BF5-B21E-7D6F2889BAE6","ioc_hit":"(((process_name:powershell.exe AND process_cmdline:iex) NOT process_cmdline:*choco* NOT fileless_scriptload_cmdline:*choco* NOT scriptload_content:*choco*)) -enriched:true","watchlists":[{"id":"5A93z6EISzSY8M8AUhzBjg","name":"Managed Detection and Response Intelligence"}],"threat_hunt_id":"0ff0725d-22c0-4b8f-95ea-a798e544e408","threat_hunt_name":"GroutLoader Test","process_guid":"ABCD1234-0120b1e3-00000df0-00000000-1d9e4d2e2e021e8","process_pid":3568,"process_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","process_sha256":"b4e7bc24bf3f5c3da2eb6e9ec5ec10f90099defa91b820f2f3fc70dd9e4785c4","process_md5":"bcf01e61144d6d6325650134823198b8","process_effective_reputation":"LOCAL_WHITE","process_reputation":"NOT_LISTED","process_cmdline":"powershell.exe -c \"iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/demouser/HelloWorld/master/HelloWorld.ps1'))\"","process_username":"DO-NOT-UPGRADE-\\DEMO","process_issuer":["Microsoft Windows Production PCA 2011"],"process_publisher":["Microsoft 
Windows"],"parent_guid":"ABCD1234-0120b1e3-0000147c-00000000-1d9caea30fd5ae7","parent_pid":5244,"parent_name":"c:\\windows\\system32\\cmd.exe","parent_sha256":"b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450","parent_md5":"8a2122e8162dbef04694b9c3e0b6cdee","parent_effective_reputation":"TRUSTED_WHITE_LIST","parent_reputation":"TRUSTED_WHITE_LIST","parent_cmdline":"\"C:\\WINDOWS\\system32\\cmd.exe\" ","parent_username":"DO-NOT-UPGRADE-\\DEMO","childproc_guid":"","childproc_username":"","childproc_cmdline":""}]}