Facet Alerts - Grouped
POST {{cb_url}}/api/alerts/v7/orgs/{{cb_org_key}}/grouped_alerts/_facet
Find facets for alerts that are grouped by Threat Id.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
| org.alerts | READ |
See complete Alerts API documentation here
Body Schema
{
"group_by": {
"field": "THREAT_ID"
},
"terms": {
"fields": [
"CHILDPROC_EFFECTIVE_REPUTATION",
"SLO_TIME_RANGE"
],
"rows": "<integer>"
},
"query": "<string>",
"time_range": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"criteria": {
"org_key": [
"<string>"
],
"id": [
"<string>"
],
"type": [
"HOST_BASED_FIREWALL",
"DEVICE_CONTROL"
],
"backend_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"user_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"backend_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"detection_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"first_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"last_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"category": [
"MONITORED"
],
"minimum_severity": "<integer>",
"reason_code": [
"<string>"
],
"threat_id": [
"<string>"
],
"primary_event_id": [
"<string>"
],
"policy_applied": [
"NOT_APPLIED"
],
"run_state": [
"UNKNOWN"
],
"sensor_action": [
"ALLOW",
"TERMINATE"
],
"workflow_status": [
"CLOSED",
"OPEN"
],
"workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"workflow_changed_by_type": [
"API"
],
"workflow_changed_by_autoclose_rule_id": [
"<string>"
],
"workflow_closure_reason": [
"<string>"
],
"determination_value": [
"FALSE_POSITIVE",
"NONE"
],
"determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"determination_changed_by_type": [
"ML",
"API"
],
"tags": [
"<string>"
],
"alert_notes_present": "<boolean>",
"threat_notes_present": "<boolean>",
"device_id": [
"<long>"
],
"device_name": [
"<string>"
],
"device_uem_id": [
"<string>"
],
"device_policy": [
"<string>"
],
"device_policy_id": [
"<long>"
],
"device_target_value": [
"MISSION_CRITICAL",
"HIGH"
],
"device_os": [
"LINUX"
],
"device_os_version": [
"<string>"
],
"device_username": [
"<string>"
],
"device_location": [
"ONSITE",
"OFFSITE"
],
"device_external_ip": [
"<string>"
],
"device_internal_ip": [
"<string>"
],
"rule_config_type": [
"<string>"
],
"rule_config_name": [
"<string>"
],
"rule_config_id": [
"<string>"
],
"rule_category_id": [
"<string>"
],
"rule_id": [
"<string>"
],
"process_guid": [
"<string>"
],
"process_pid": [
"<integer>"
],
"process_name": [
"<string>"
],
"process_sha256": [
"<string>"
],
"process_md5": [
"<string>"
],
"process_effective_reputation": [
"KNOWN_MALWARE",
"RESOLVING"
],
"process_reputation": [
"NOT_LISTED",
"PUP"
],
"process_cmdline": [
"<string>"
],
"process_username": [
"<string>"
],
"process_signatures_certificate_authority": [
"<string>"
],
"process_signatures_publisher": [
"<string>"
],
"parent_guid": [
"<string>"
],
"parent_pid": [
"<integer>"
],
"parent_name": [
"<string>"
],
"parent_sha256": [
"<string>"
],
"parent_md5": [
"<string>"
],
"parent_effective_reputation": [
"NOT_LISTED",
"PUP"
],
"parent_reputation": [
"PUP",
"GRAY_OBSOLETE"
],
"parent_cmdline": [
"<string>"
],
"parent_username": [
"<string>"
],
"childproc_guid": [
"<string>"
],
"childproc_name": [
"<string>"
],
"childproc_sha256": [
"<string>"
],
"childproc_md5": [
"<string>"
],
"childproc_effective_reputation": [
"DLP_OBSOLETE",
"GRAY_OBSOLETE"
],
"childproc_username": [
"<string>"
],
"childproc_cmdline": [
"<string>"
],
"netconn_remote_port": [
"<integer>"
],
"netconn_local_port": [
"<integer>"
],
"netconn_protocol": [
"<string>"
],
"netconn_remote_domain": [
"<string>"
],
"netconn_remote_ip": [
"<string>"
],
"netconn_local_ip": [
"<string>"
],
"netconn_remote_ipv4": [
"<string>"
],
"netconn_local_ipv4": [
"<string>"
],
"netconn_remote_ipv6": [
"<string>"
],
"netconn_local_ipv6": [
"<string>"
],
"threat_category": [
"NON_MALWARE",
"UNKNOWN"
],
"ttps": [
"<string>"
],
"attack_tactic": [
"<string>"
],
"attack_technique": [
"<string>"
],
"report_id": [
"<string>"
],
"report_name": [
"<string>"
],
"report_link": [
"<string>"
],
"watchlists_id": [
"<string>"
],
"watchlists_name": [
"<string>"
],
"k8s_policy_id": [
"<string>"
],
"k8s_policy": [
"<string>"
],
"k8s_rule_id": [
"<string>"
],
"k8s_rule": [
"<string>"
],
"cluster_name": [
"<string>"
],
"namespace": [
"<string>"
],
"workload_kind": [
"<string>"
],
"workload_name": [
"<string>"
],
"replica_id": [
"<string>"
],
"connection_type": [
"INTERNAL_INBOUND",
"INGRESS"
],
"egress_group_id": [
"<string>"
],
"egress_group_name": [
"<string>"
],
"ip_reputation": [
"<integer>"
],
"remote_is_private": "<boolean>",
"remote_namespace": [
"<string>"
],
"remote_replica_id": [
"<string>"
],
"remote_workload_kind": [
"<string>"
],
"remote_workload_name": [
"<string>"
],
"tms_rule_id": [
"<string>"
],
"threat_name": [
"<string>"
],
"vendor_name": [
"<string>"
],
"vendor_id": [
"<string>"
],
"product_name": [
"<string>"
],
"product_id": [
"<string>"
],
"external_device_friendly_name": [
"<string>"
],
"serial_number": [
"<string>"
],
"blocked_name": [
"<string>"
],
"blocked_sha256": [
"<string>"
],
"blocked_md5": [
"<string>"
],
"blocked_effective_reputation": [
"HEURISTIC",
"NOT_LISTED"
],
"ml_classification_final_verdict": [
"NOT_CLASSIFIED"
],
"ml_classification_global_prevalence": [
"HIGH",
"LOW"
],
"ml_classification_org_prevalence": [
"LOW",
"LOW"
],
"mdr_alert": "<boolean>",
"mdr_workflow_status": [
"RESPONSE_RECEIVED",
"IN_PROGRESS"
],
"mdr_workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_workflow_is_assigned": "<boolean>",
"mdr_determination_value": [
"NONE",
"NOT_REVIEWED"
],
"mdr_determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_alert_notes_present": "<boolean>",
"mdr_threat_notes_present": "<boolean>"
},
"exclusions": {
"org_key": [
"<string>"
],
"id": [
"<string>"
],
"type": [
"HOST_BASED_FIREWALL",
"CONTAINER_RUNTIME"
],
"backend_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"user_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"backend_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"detection_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"first_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"last_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"category": [
"THREAT"
],
"minimum_severity": "<integer>",
"reason_code": [
"<string>"
],
"threat_id": [
"<string>"
],
"primary_event_id": [
"<string>"
],
"policy_applied": [
"APPLIED"
],
"run_state": [
"UNKNOWN",
"DID_NOT_RUN"
],
"sensor_action": [
"TERMINATE",
"DENY"
],
"workflow_status": [
"OPEN",
"CLOSED"
],
"workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"workflow_changed_by_type": [
"SUPPRESSION",
"MDR"
],
"workflow_changed_by_autoclose_rule_id": [
"<string>"
],
"workflow_closure_reason": [
"<string>"
],
"determination_value": [
"TRUE_POSITIVE",
"FALSE_POSITIVE"
],
"determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"determination_changed_by_type": [
"OPERATOR_UNKNOWN"
],
"tags": [
"<string>"
],
"alert_notes_present": "<boolean>",
"threat_notes_present": "<boolean>",
"device_id": [
"<long>"
],
"device_name": [
"<string>"
],
"device_uem_id": [
"<string>"
],
"device_policy": [
"<string>"
],
"device_policy_id": [
"<long>",
"<long>"
],
"device_target_value": [
"LOW",
"MEDIUM"
],
"device_os": [
"LINUX",
"MAC"
],
"device_os_version": [
"<string>"
],
"device_username": [
"<string>"
],
"device_location": [
"UNKNOWN",
"ONSITE"
],
"device_external_ip": [
"<string>"
],
"device_internal_ip": [
"<string>"
],
"rule_config_type": [
"<string>"
],
"rule_config_name": [
"<string>"
],
"rule_config_id": [
"<string>"
],
"rule_category_id": [
"<string>"
],
"rule_id": [
"<string>"
],
"process_guid": [
"<string>"
],
"process_pid": [
"<integer>"
],
"process_name": [
"<string>"
],
"process_sha256": [
"<string>"
],
"process_md5": [
"<string>"
],
"process_effective_reputation": [
"HEURISTIC",
"RESOLVING"
],
"process_reputation": [
"SUSPECT_MALWARE",
"COMPANY_WHITE_LIST"
],
"process_cmdline": [
"<string>"
],
"process_username": [
"<string>"
],
"process_signatures_certificate_authority": [
"<string>"
],
"process_signatures_publisher": [
"<string>"
],
"parent_guid": [
"<string>"
],
"parent_pid": [
"<integer>"
],
"parent_name": [
"<string>"
],
"parent_sha256": [
"<string>"
],
"parent_md5": [
"<string>"
],
"parent_effective_reputation": [
"IGNORE",
"HEURISTIC"
],
"parent_reputation": [
"ADMIN_RESTRICT_OBSOLETE",
"LOCAL_WHITE"
],
"parent_cmdline": [
"<string>"
],
"parent_username": [
"<string>"
],
"childproc_guid": [
"<string>"
],
"childproc_name": [
"<string>"
],
"childproc_sha256": [
"<string>"
],
"childproc_md5": [
"<string>"
],
"childproc_effective_reputation": [
"SUSPECT_MALWARE",
"ADWARE"
],
"childproc_username": [
"<string>"
],
"childproc_cmdline": [
"<string>"
],
"netconn_remote_port": [
"<integer>"
],
"netconn_local_port": [
"<integer>"
],
"netconn_protocol": [
"<string>"
],
"netconn_remote_domain": [
"<string>"
],
"netconn_remote_ip": [
"<string>"
],
"netconn_local_ip": [
"<string>"
],
"netconn_remote_ipv4": [
"<string>"
],
"netconn_local_ipv4": [
"<string>"
],
"netconn_remote_ipv6": [
"<string>"
],
"netconn_local_ipv6": [
"<string>"
],
"threat_category": [
"RISKY_PROGRAM",
"NON_MALWARE"
],
"ttps": [
"<string>"
],
"attack_tactic": [
"<string>"
],
"attack_technique": [
"<string>"
],
"report_id": [
"<string>"
],
"report_name": [
"<string>"
],
"report_link": [
"<string>"
],
"watchlists_id": [
"<string>"
],
"watchlists_name": [
"<string>"
],
"k8s_policy_id": [
"<string>"
],
"k8s_policy": [
"<string>"
],
"k8s_rule_id": [
"<string>"
],
"k8s_rule": [
"<string>"
],
"cluster_name": [
"<string>"
],
"namespace": [
"<string>"
],
"workload_kind": [
"<string>"
],
"workload_name": [
"<string>"
],
"replica_id": [
"<string>"
],
"connection_type": [
"INTERNAL_OUTBOUND",
"INTERNAL_INBOUND"
],
"egress_group_id": [
"<string>"
],
"egress_group_name": [
"<string>"
],
"ip_reputation": [
"<integer>"
],
"remote_is_private": "<boolean>",
"remote_namespace": [
"<string>"
],
"remote_replica_id": [
"<string>"
],
"remote_workload_kind": [
"<string>"
],
"remote_workload_name": [
"<string>"
],
"tms_rule_id": [
"<string>"
],
"threat_name": [
"<string>"
],
"vendor_name": [
"<string>"
],
"vendor_id": [
"<string>"
],
"product_name": [
"<string>"
],
"product_id": [
"<string>"
],
"external_device_friendly_name": [
"<string>"
],
"serial_number": [
"<string>"
],
"blocked_name": [
"<string>"
],
"blocked_sha256": [
"<string>"
],
"blocked_md5": [
"<string>"
],
"blocked_effective_reputation": [
"COMPANY_WHITE_LIST",
"ADWARE"
],
"ml_classification_final_verdict": [
"NOT_CLASSIFIED",
"ANOMALOUS"
],
"ml_classification_global_prevalence": [
"LOW",
"MEDIUM"
],
"ml_classification_org_prevalence": [
"LOW",
"HIGH"
],
"mdr_alert": "<boolean>",
"mdr_workflow_status": [
"IN_PROGRESS",
"RESPONSE_RECEIVED"
],
"mdr_workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_workflow_is_assigned": "<boolean>",
"mdr_determination_value": [
"NONE",
"NOT_REVIEWED"
],
"mdr_determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_alert_notes_present": "<boolean>",
"mdr_threat_notes_present": "<boolean>"
},
"filter_values": "<boolean>"
}
Request Body
{"group_by"=>{"field"=>"THREAT_ID"}, "terms"=>{"fields"=>["type", "THREAT_ID"], "rows"=>3}, "criteria"=>{"minimum_severity"=>"3"}, "exclusions"=>{"type"=>["HOST_BASED_FIREWALL", "CONTAINER_RUNTIME"]}, "filter_values"=>true}
HEADERS
| Key | Datatype | Required | Description |
|---|---|---|---|
Content-Type | string | ||
Accept | string |
RESPONSES
status: OK
{"results":[{"field":"threat_id","values":[{"total":1,"id":"0569620088E6669121E38D9A64DBC24E","name":"0569620088E6669121E38D9A64DBC24E"},{"total":1,"id":"09c6f8b90b423b31ec17b29f6b714af5","name":"09c6f8b90b423b31ec17b29f6b714af5"},{"total":1,"id":"0cf248835fc0f330c8e8176ec69aa3d9","name":"0cf248835fc0f330c8e8176ec69aa3d9"}]},{"field":"type","values":[{"total":7,"id":"NETWORK_TRAFFIC_ANALYSIS","name":"NETWORK_TRAFFIC_ANALYSIS"},{"total":5,"id":"WATCHLIST","name":"WATCHLIST"},{"total":5,"id":"CB_ANALYTICS","name":"CB_ANALYTICS"}]}]}