Facet Alerts - Grouped

POST {{cb_url}}/api/alerts/v7/orgs/{{cb_org_key}}/grouped_alerts/_facet

Find facets for alerts that are grouped by Threat ID.

RBAC Permissions Required

Permission (.notation name) | Operation(s)
org.alerts | READ

See complete Alerts API documentation here

Body Schema

{
  "group_by": {
    "field": "THREAT_ID"
  },
  "terms": {
    "fields": [
      "CHILDPROC_EFFECTIVE_REPUTATION",
      "SLO_TIME_RANGE"
    ],
    "rows": "<integer>"
  },
  "query": "<string>",
  "time_range": {
    "start": "<dateTime>",
    "end": "<dateTime>",
    "range": "<string>"
  },
  "criteria": {
    "org_key": [
      "<string>"
    ],
    "id": [
      "<string>"
    ],
    "type": [
      "HOST_BASED_FIREWALL",
      "DEVICE_CONTROL"
    ],
    "backend_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "user_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "backend_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "detection_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "first_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "last_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "category": [
      "MONITORED"
    ],
    "minimum_severity": "<integer>",
    "reason_code": [
      "<string>"
    ],
    "threat_id": [
      "<string>"
    ],
    "primary_event_id": [
      "<string>"
    ],
    "policy_applied": [
      "NOT_APPLIED"
    ],
    "run_state": [
      "UNKNOWN"
    ],
    "sensor_action": [
      "ALLOW",
      "TERMINATE"
    ],
    "workflow_status": [
      "CLOSED",
      "OPEN"
    ],
    "workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "workflow_changed_by_type": [
      "API"
    ],
    "workflow_changed_by_autoclose_rule_id": [
      "<string>"
    ],
    "workflow_closure_reason": [
      "<string>"
    ],
    "determination_value": [
      "FALSE_POSITIVE",
      "NONE"
    ],
    "determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "determination_changed_by_type": [
      "ML",
      "API"
    ],
    "tags": [
      "<string>"
    ],
    "alert_notes_present": "<boolean>",
    "threat_notes_present": "<boolean>",
    "device_id": [
      "<long>"
    ],
    "device_name": [
      "<string>"
    ],
    "device_uem_id": [
      "<string>"
    ],
    "device_policy": [
      "<string>"
    ],
    "device_policy_id": [
      "<long>"
    ],
    "device_target_value": [
      "MISSION_CRITICAL",
      "HIGH"
    ],
    "device_os": [
      "LINUX"
    ],
    "device_os_version": [
      "<string>"
    ],
    "device_username": [
      "<string>"
    ],
    "device_location": [
      "ONSITE",
      "OFFSITE"
    ],
    "device_external_ip": [
      "<string>"
    ],
    "device_internal_ip": [
      "<string>"
    ],
    "rule_config_type": [
      "<string>"
    ],
    "rule_config_name": [
      "<string>"
    ],
    "rule_config_id": [
      "<string>"
    ],
    "rule_category_id": [
      "<string>"
    ],
    "rule_id": [
      "<string>"
    ],
    "process_guid": [
      "<string>"
    ],
    "process_pid": [
      "<integer>"
    ],
    "process_name": [
      "<string>"
    ],
    "process_sha256": [
      "<string>"
    ],
    "process_md5": [
      "<string>"
    ],
    "process_effective_reputation": [
      "KNOWN_MALWARE",
      "RESOLVING"
    ],
    "process_reputation": [
      "NOT_LISTED",
      "PUP"
    ],
    "process_cmdline": [
      "<string>"
    ],
    "process_username": [
      "<string>"
    ],
    "process_signatures_certificate_authority": [
      "<string>"
    ],
    "process_signatures_publisher": [
      "<string>"
    ],
    "parent_guid": [
      "<string>"
    ],
    "parent_pid": [
      "<integer>"
    ],
    "parent_name": [
      "<string>"
    ],
    "parent_sha256": [
      "<string>"
    ],
    "parent_md5": [
      "<string>"
    ],
    "parent_effective_reputation": [
      "NOT_LISTED",
      "PUP"
    ],
    "parent_reputation": [
      "PUP",
      "GRAY_OBSOLETE"
    ],
    "parent_cmdline": [
      "<string>"
    ],
    "parent_username": [
      "<string>"
    ],
    "childproc_guid": [
      "<string>"
    ],
    "childproc_name": [
      "<string>"
    ],
    "childproc_sha256": [
      "<string>"
    ],
    "childproc_md5": [
      "<string>"
    ],
    "childproc_effective_reputation": [
      "DLP_OBSOLETE",
      "GRAY_OBSOLETE"
    ],
    "childproc_username": [
      "<string>"
    ],
    "childproc_cmdline": [
      "<string>"
    ],
    "netconn_remote_port": [
      "<integer>"
    ],
    "netconn_local_port": [
      "<integer>"
    ],
    "netconn_protocol": [
      "<string>"
    ],
    "netconn_remote_domain": [
      "<string>"
    ],
    "netconn_remote_ip": [
      "<string>"
    ],
    "netconn_local_ip": [
      "<string>"
    ],
    "netconn_remote_ipv4": [
      "<string>"
    ],
    "netconn_local_ipv4": [
      "<string>"
    ],
    "netconn_remote_ipv6": [
      "<string>"
    ],
    "netconn_local_ipv6": [
      "<string>"
    ],
    "threat_category": [
      "NON_MALWARE",
      "UNKNOWN"
    ],
    "ttps": [
      "<string>"
    ],
    "attack_tactic": [
      "<string>"
    ],
    "attack_technique": [
      "<string>"
    ],
    "report_id": [
      "<string>"
    ],
    "report_name": [
      "<string>"
    ],
    "report_link": [
      "<string>"
    ],
    "watchlists_id": [
      "<string>"
    ],
    "watchlists_name": [
      "<string>"
    ],
    "k8s_policy_id": [
      "<string>"
    ],
    "k8s_policy": [
      "<string>"
    ],
    "k8s_rule_id": [
      "<string>"
    ],
    "k8s_rule": [
      "<string>"
    ],
    "cluster_name": [
      "<string>"
    ],
    "namespace": [
      "<string>"
    ],
    "workload_kind": [
      "<string>"
    ],
    "workload_name": [
      "<string>"
    ],
    "replica_id": [
      "<string>"
    ],
    "connection_type": [
      "INTERNAL_INBOUND",
      "INGRESS"
    ],
    "egress_group_id": [
      "<string>"
    ],
    "egress_group_name": [
      "<string>"
    ],
    "ip_reputation": [
      "<integer>"
    ],
    "remote_is_private": "<boolean>",
    "remote_namespace": [
      "<string>"
    ],
    "remote_replica_id": [
      "<string>"
    ],
    "remote_workload_kind": [
      "<string>"
    ],
    "remote_workload_name": [
      "<string>"
    ],
    "tms_rule_id": [
      "<string>"
    ],
    "threat_name": [
      "<string>"
    ],
    "vendor_name": [
      "<string>"
    ],
    "vendor_id": [
      "<string>"
    ],
    "product_name": [
      "<string>"
    ],
    "product_id": [
      "<string>"
    ],
    "external_device_friendly_name": [
      "<string>"
    ],
    "serial_number": [
      "<string>"
    ],
    "blocked_name": [
      "<string>"
    ],
    "blocked_sha256": [
      "<string>"
    ],
    "blocked_md5": [
      "<string>"
    ],
    "blocked_effective_reputation": [
      "HEURISTIC",
      "NOT_LISTED"
    ],
    "ml_classification_final_verdict": [
      "NOT_CLASSIFIED"
    ],
    "ml_classification_global_prevalence": [
      "HIGH",
      "LOW"
    ],
    "ml_classification_org_prevalence": [
      "LOW",
      "LOW"
    ],
    "mdr_alert": "<boolean>",
    "mdr_workflow_status": [
      "RESPONSE_RECEIVED",
      "IN_PROGRESS"
    ],
    "mdr_workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_workflow_is_assigned": "<boolean>",
    "mdr_determination_value": [
      "NONE",
      "NOT_REVIEWED"
    ],
    "mdr_determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_alert_notes_present": "<boolean>",
    "mdr_threat_notes_present": "<boolean>"
  },
  "exclusions": {
    "org_key": [
      "<string>"
    ],
    "id": [
      "<string>"
    ],
    "type": [
      "HOST_BASED_FIREWALL",
      "CONTAINER_RUNTIME"
    ],
    "backend_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "user_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "backend_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "detection_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "first_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "last_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "category": [
      "THREAT"
    ],
    "minimum_severity": "<integer>",
    "reason_code": [
      "<string>"
    ],
    "threat_id": [
      "<string>"
    ],
    "primary_event_id": [
      "<string>"
    ],
    "policy_applied": [
      "APPLIED"
    ],
    "run_state": [
      "UNKNOWN",
      "DID_NOT_RUN"
    ],
    "sensor_action": [
      "TERMINATE",
      "DENY"
    ],
    "workflow_status": [
      "OPEN",
      "CLOSED"
    ],
    "workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "workflow_changed_by_type": [
      "SUPPRESSION",
      "MDR"
    ],
    "workflow_changed_by_autoclose_rule_id": [
      "<string>"
    ],
    "workflow_closure_reason": [
      "<string>"
    ],
    "determination_value": [
      "TRUE_POSITIVE",
      "FALSE_POSITIVE"
    ],
    "determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "determination_changed_by_type": [
      "OPERATOR_UNKNOWN"
    ],
    "tags": [
      "<string>"
    ],
    "alert_notes_present": "<boolean>",
    "threat_notes_present": "<boolean>",
    "device_id": [
      "<long>"
    ],
    "device_name": [
      "<string>"
    ],
    "device_uem_id": [
      "<string>"
    ],
    "device_policy": [
      "<string>"
    ],
    "device_policy_id": [
      "<long>",
      "<long>"
    ],
    "device_target_value": [
      "LOW",
      "MEDIUM"
    ],
    "device_os": [
      "LINUX",
      "MAC"
    ],
    "device_os_version": [
      "<string>"
    ],
    "device_username": [
      "<string>"
    ],
    "device_location": [
      "UNKNOWN",
      "ONSITE"
    ],
    "device_external_ip": [
      "<string>"
    ],
    "device_internal_ip": [
      "<string>"
    ],
    "rule_config_type": [
      "<string>"
    ],
    "rule_config_name": [
      "<string>"
    ],
    "rule_config_id": [
      "<string>"
    ],
    "rule_category_id": [
      "<string>"
    ],
    "rule_id": [
      "<string>"
    ],
    "process_guid": [
      "<string>"
    ],
    "process_pid": [
      "<integer>"
    ],
    "process_name": [
      "<string>"
    ],
    "process_sha256": [
      "<string>"
    ],
    "process_md5": [
      "<string>"
    ],
    "process_effective_reputation": [
      "HEURISTIC",
      "RESOLVING"
    ],
    "process_reputation": [
      "SUSPECT_MALWARE",
      "COMPANY_WHITE_LIST"
    ],
    "process_cmdline": [
      "<string>"
    ],
    "process_username": [
      "<string>"
    ],
    "process_signatures_certificate_authority": [
      "<string>"
    ],
    "process_signatures_publisher": [
      "<string>"
    ],
    "parent_guid": [
      "<string>"
    ],
    "parent_pid": [
      "<integer>"
    ],
    "parent_name": [
      "<string>"
    ],
    "parent_sha256": [
      "<string>"
    ],
    "parent_md5": [
      "<string>"
    ],
    "parent_effective_reputation": [
      "IGNORE",
      "HEURISTIC"
    ],
    "parent_reputation": [
      "ADMIN_RESTRICT_OBSOLETE",
      "LOCAL_WHITE"
    ],
    "parent_cmdline": [
      "<string>"
    ],
    "parent_username": [
      "<string>"
    ],
    "childproc_guid": [
      "<string>"
    ],
    "childproc_name": [
      "<string>"
    ],
    "childproc_sha256": [
      "<string>"
    ],
    "childproc_md5": [
      "<string>"
    ],
    "childproc_effective_reputation": [
      "SUSPECT_MALWARE",
      "ADWARE"
    ],
    "childproc_username": [
      "<string>"
    ],
    "childproc_cmdline": [
      "<string>"
    ],
    "netconn_remote_port": [
      "<integer>"
    ],
    "netconn_local_port": [
      "<integer>"
    ],
    "netconn_protocol": [
      "<string>"
    ],
    "netconn_remote_domain": [
      "<string>"
    ],
    "netconn_remote_ip": [
      "<string>"
    ],
    "netconn_local_ip": [
      "<string>"
    ],
    "netconn_remote_ipv4": [
      "<string>"
    ],
    "netconn_local_ipv4": [
      "<string>"
    ],
    "netconn_remote_ipv6": [
      "<string>"
    ],
    "netconn_local_ipv6": [
      "<string>"
    ],
    "threat_category": [
      "RISKY_PROGRAM",
      "NON_MALWARE"
    ],
    "ttps": [
      "<string>"
    ],
    "attack_tactic": [
      "<string>"
    ],
    "attack_technique": [
      "<string>"
    ],
    "report_id": [
      "<string>"
    ],
    "report_name": [
      "<string>"
    ],
    "report_link": [
      "<string>"
    ],
    "watchlists_id": [
      "<string>"
    ],
    "watchlists_name": [
      "<string>"
    ],
    "k8s_policy_id": [
      "<string>"
    ],
    "k8s_policy": [
      "<string>"
    ],
    "k8s_rule_id": [
      "<string>"
    ],
    "k8s_rule": [
      "<string>"
    ],
    "cluster_name": [
      "<string>"
    ],
    "namespace": [
      "<string>"
    ],
    "workload_kind": [
      "<string>"
    ],
    "workload_name": [
      "<string>"
    ],
    "replica_id": [
      "<string>"
    ],
    "connection_type": [
      "INTERNAL_OUTBOUND",
      "INTERNAL_INBOUND"
    ],
    "egress_group_id": [
      "<string>"
    ],
    "egress_group_name": [
      "<string>"
    ],
    "ip_reputation": [
      "<integer>"
    ],
    "remote_is_private": "<boolean>",
    "remote_namespace": [
      "<string>"
    ],
    "remote_replica_id": [
      "<string>"
    ],
    "remote_workload_kind": [
      "<string>"
    ],
    "remote_workload_name": [
      "<string>"
    ],
    "tms_rule_id": [
      "<string>"
    ],
    "threat_name": [
      "<string>"
    ],
    "vendor_name": [
      "<string>"
    ],
    "vendor_id": [
      "<string>"
    ],
    "product_name": [
      "<string>"
    ],
    "product_id": [
      "<string>"
    ],
    "external_device_friendly_name": [
      "<string>"
    ],
    "serial_number": [
      "<string>"
    ],
    "blocked_name": [
      "<string>"
    ],
    "blocked_sha256": [
      "<string>"
    ],
    "blocked_md5": [
      "<string>"
    ],
    "blocked_effective_reputation": [
      "COMPANY_WHITE_LIST",
      "ADWARE"
    ],
    "ml_classification_final_verdict": [
      "NOT_CLASSIFIED",
      "ANOMALOUS"
    ],
    "ml_classification_global_prevalence": [
      "LOW",
      "MEDIUM"
    ],
    "ml_classification_org_prevalence": [
      "LOW",
      "HIGH"
    ],
    "mdr_alert": "<boolean>",
    "mdr_workflow_status": [
      "IN_PROGRESS",
      "RESPONSE_RECEIVED"
    ],
    "mdr_workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_workflow_is_assigned": "<boolean>",
    "mdr_determination_value": [
      "NONE",
      "NOT_REVIEWED"
    ],
    "mdr_determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_alert_notes_present": "<boolean>",
    "mdr_threat_notes_present": "<boolean>"
  },
  "filter_values": "<boolean>"
}

Request Body

{"group_by"=>{"field"=>"THREAT_ID"}, "terms"=>{"fields"=>["type", "THREAT_ID"], "rows"=>3}, "criteria"=>{"minimum_severity"=>"3"}, "exclusions"=>{"type"=>["HOST_BASED_FIREWALL", "CONTAINER_RUNTIME"]}, "filter_values"=>true}

HEADERS

Key | Datatype | Required | Description
Content-Type | string
Accept | string

RESPONSES

status: OK

{"results":[{"field":"threat_id","values":[{"total":1,"id":"0569620088E6669121E38D9A64DBC24E","name":"0569620088E6669121E38D9A64DBC24E"},{"total":1,"id":"09c6f8b90b423b31ec17b29f6b714af5","name":"09c6f8b90b423b31ec17b29f6b714af5"},{"total":1,"id":"0cf248835fc0f330c8e8176ec69aa3d9","name":"0cf248835fc0f330c8e8176ec69aa3d9"}]},{"field":"type","values":[{"total":7,"id":"NETWORK_TRAFFIC_ANALYSIS","name":"NETWORK_TRAFFIC_ANALYSIS"},{"total":5,"id":"WATCHLIST","name":"WATCHLIST"},{"total":5,"id":"CB_ANALYTICS","name":"CB_ANALYTICS"}]}]}