Find Alerts - Grouped
POST {{cb_url}}/api/alerts/v7/orgs/{{cb_org_key}}/grouped_alerts/_search
Search for alerts and group the results by threat ID.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.alerts | READ |
Request Schema
{
"group_by": {
"field": "<string>"
},
"query": "<string>",
"time_range": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"criteria": {
"org_key": [
"<string>"
],
"id": [
"<string>"
],
"type": [
"<string>"
],
"backend_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"user_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"backend_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"detection_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"first_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"last_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"category": [
"<string>"
],
"minimum_severity": <integer>,
"reason_code": [
"<string>"
],
"threat_id": [
"<string>"
],
"primary_event_id": [
"<string>"
],
"policy_applied": [
"<string>"
],
"run_state": [
"<string>"
],
"sensor_action": [
"<string>"
],
"workflow_status": [
"<string>"
],
"workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"workflow_changed_by_type": [
"<string>"
],
"workflow_changed_by_autoclose_rule_id": [
"<string>"
],
"workflow_closure_reason": [
"<string>"
],
"determination_value": [
"<string>"
],
"determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"determination_changed_by_type": [
"<string>"
],
"tags": [
"<string>"
],
"alert_notes_present": <boolean>,
"threat_notes_present": <boolean>,
"device_id": [
<long>
],
"device_name": [
"<string>"
],
"device_uem_id": [
"<string>"
],
"device_policy": [
"<string>"
],
"device_policy_id": [
<long>
],
"device_target_value": [
"<string>"
],
"device_os": [
"<string>"
],
"device_os_version": [
"<string>"
],
"device_username": [
"<string>"
],
"device_location": [
"<string>"
],
"device_external_ip": [
"<string>"
],
"device_internal_ip": [
"<string>"
],
"rule_config_type": [
"<string>"
],
"rule_config_name": [
"<string>"
],
"rule_config_id": [
"<string>"
],
"rule_category_id": [
"<string>"
],
"rule_id": [
"<string>"
],
"process_guid": [
"<string>"
],
"process_pid": [
<integer>
],
"process_name": [
"<string>"
],
"process_sha256": [
"<string>"
],
"process_md5": [
"<string>"
],
"process_effective_reputation": [
"<string>"
],
"process_reputation": [
"<string>"
],
"process_cmdline": [
"<string>"
],
"process_username": [
"<string>"
],
"process_signatures_certificate_authority": [
"<string>"
],
"process_signatures_publisher": [
"<string>"
],
"parent_guid": [
"<string>"
],
"parent_pid": [
<integer>
],
"parent_name": [
"<string>"
],
"parent_sha256": [
"<string>"
],
"parent_md5": [
"<string>"
],
"parent_effective_reputation": [
"<string>"
],
"parent_reputation": [
"ADWARE",
"NOT_SUPPORTED"
],
"parent_cmdline": [
"<string>"
],
"parent_username": [
"<string>"
],
"childproc_guid": [
"<string>"
],
"childproc_name": [
"<string>"
],
"childproc_sha256": [
"<string>"
],
"childproc_md5": [
"<string>"
],
"childproc_effective_reputation": [
"<string>"
],
"childproc_username": [
"<string>"
],
"childproc_cmdline": [
"<string>"
],
"netconn_remote_port": [
<integer>
],
"netconn_local_port": [
<integer>
],
"netconn_protocol": [
"<string>"
],
"netconn_remote_domain": [
"<string>"
],
"netconn_remote_ip": [
"<string>"
],
"netconn_local_ip": [
"<string>"
],
"netconn_remote_ipv4": [
"<string>"
],
"netconn_local_ipv4": [
"<string>"
],
"netconn_remote_ipv6": [
"<string>"
],
"netconn_local_ipv6": [
"<string>"
],
"threat_category": [
"<string>"
],
"ttps": [
"<string>"
],
"attack_tactic": [
"<string>"
],
"attack_technique": [
"<string>"
],
"report_id": [
"<string>"
],
"report_name": [
"<string>"
],
"report_link": [
"<string>"
],
"watchlists_id": [
"<string>"
],
"watchlists_name": [
"<string>"
],
"k8s_policy_id": [
"<string>"
],
"k8s_policy": [
"<string>"
],
"k8s_rule_id": [
"<string>"
],
"k8s_rule": [
"<string>"
],
"cluster_name": [
"<string>"
],
"namespace": [
"<string>"
],
"workload_kind": [
"<string>"
],
"workload_name": [
"<string>"
],
"replica_id": [
"<string>"
],
"connection_type": [
"<string>"
],
"egress_group_id": [
"<string>"
],
"egress_group_name": [
"<string>"
],
"ip_reputation": [
<integer>
],
"remote_is_private": <boolean>,
"remote_namespace": [
"<string>"
],
"remote_replica_id": [
"<string>"
],
"remote_workload_kind": [
"<string>"
],
"remote_workload_name": [
"<string>"
],
"tms_rule_id": [
"<string>"
],
"threat_name": [
"<string>"
],
"vendor_name": [
"<string>"
],
"vendor_id": [
"<string>"
],
"product_name": [
"<string>"
],
"product_id": [
"<string>"
],
"external_device_friendly_name": [
"<string>"
],
"serial_number": [
"<string>"
],
"blocked_name": [
"<string>"
],
"blocked_sha256": [
"<string>"
],
"blocked_md5": [
"<string>"
],
"blocked_effective_reputation": [
"<string>"
],
"ml_classification_final_verdict": [
"<string>"
],
"ml_classification_global_prevalence": [
"<string>"
],
"ml_classification_org_prevalence": [
"<string>"
],
"mdr_alert": <boolean>,
"mdr_workflow_status": [
"<string>"
],
"mdr_workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_workflow_is_assigned": <boolean>,
"mdr_determination_value": [
"<string>"
],
"mdr_determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
}
},
"exclusions": {
"org_key": [
"<string>"
],
"id": [
"<string>"
],
"type": [
"<string>"
],
"backend_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"user_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"backend_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"detection_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"first_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"last_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"category": [
"<string>"
],
"minimum_severity": <integer>,
"reason_code": [
"<string>"
],
"threat_id": [
"<string>"
],
"primary_event_id": [
"<string>"
],
"policy_applied": [
"<string>"
],
"run_state": [
"<string>"
],
"sensor_action": [
"<string>"
],
"workflow_status": [
"<string>"
],
"workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"workflow_changed_by_type": [
"<string>"
],
"workflow_changed_by_autoclose_rule_id": [
"<string>"
],
"workflow_closure_reason": [
"<string>"
],
"determination_value": [
"NONE"
],
"determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"determination_changed_by_type": [
"<string>"
],
"tags": [
"<string>"
],
"alert_notes_present": <boolean>,
"threat_notes_present": <boolean>,
"device_id": [
<long>
],
"device_name": [
"<string>"
],
"device_uem_id": [
"<string>"
],
"device_policy": [
"<string>"
],
"device_policy_id": [
<long>
],
"device_target_value": [
"<string>"
],
"device_os": [
"<string>"
],
"device_os_version": [
"<string>"
],
"device_username": [
"<string>"
],
"device_location": [
"<string>"
],
"device_external_ip": [
"<string>"
],
"device_internal_ip": [
"<string>"
],
"rule_config_type": [
"<string>"
],
"rule_config_name": [
"<string>"
],
"rule_config_id": [
"<string>"
],
"rule_category_id": [
"<string>"
],
"rule_id": [
"<string>"
],
"process_guid": [
"<string>"
],
"process_pid": [
<integer>
],
"process_name": [
"<string>"
],
"process_sha256": [
"<string>"
],
"process_md5": [
"<string>"
],
"process_effective_reputation": [
"<string>"
],
"process_reputation": [
"<string>"
],
"process_cmdline": [
"<string>"
],
"process_username": [
"<string>"
],
"process_signatures_certificate_authority": [
"<string>"
],
"process_signatures_publisher": [
"<string>"
],
"parent_guid": [
"<string>"
],
"parent_pid": [
<integer>
],
"parent_name": [
"<string>"
],
"parent_sha256": [
"<string>"
],
"parent_md5": [
"<string>"
],
"parent_effective_reputation": [
"<string>"
],
"parent_reputation": [
"<string>"
],
"parent_cmdline": [
"<string>"
],
"parent_username": [
"<string>"
],
"childproc_guid": [
"<string>"
],
"childproc_name": [
"<string>"
],
"childproc_sha256": [
"<string>"
],
"childproc_md5": [
"<string>"
],
"childproc_effective_reputation": [
"<string>"
],
"childproc_username": [
"<string>"
],
"childproc_cmdline": [
"<string>"
],
"netconn_remote_port": [
<integer>
],
"netconn_local_port": [
<integer>
],
"netconn_protocol": [
"<string>"
],
"netconn_remote_domain": [
"<string>"
],
"netconn_remote_ip": [
"<string>"
],
"netconn_local_ip": [
"<string>"
],
"netconn_remote_ipv4": [
"<string>"
],
"netconn_local_ipv4": [
"<string>"
],
"netconn_remote_ipv6": [
"<string>"
],
"netconn_local_ipv6": [
"<string>"
],
"threat_category": [
"<string>"
],
"ttps": [
"<string>"
],
"attack_tactic": [
"<string>"
],
"attack_technique": [
"<string>"
],
"report_id": [
"<string>"
],
"report_name": [
"<string>"
],
"report_link": [
"<string>"
],
"watchlists_id": [
"<string>"
],
"watchlists_name": [
"<string>"
],
"k8s_policy_id": [
"<string>"
],
"k8s_policy": [
"<string>"
],
"k8s_rule_id": [
"<string>"
],
"k8s_rule": [
"<string>"
],
"cluster_name": [
"<string>"
],
"namespace": [
"<string>"
],
"workload_kind": [
"<string>"
],
"workload_name": [
"<string>"
],
"replica_id": [
"<string>"
],
"connection_type": [
"<string>"
],
"egress_group_id": [
"<string>"
],
"egress_group_name": [
"<string>"
],
"ip_reputation": [
<integer>
],
"remote_is_private": <boolean>,
"remote_namespace": [
"<string>"
],
"remote_replica_id": [
"<string>"
],
"remote_workload_kind": [
"<string>"
],
"remote_workload_name": [
"<string>"
],
"tms_rule_id": [
"<string>"
],
"threat_name": [
"<string>"
],
"vendor_name": [
"<string>"
],
"vendor_id": [
"<string>"
],
"product_name": [
"<string>"
],
"product_id": [
"<string>"
],
"external_device_friendly_name": [
"<string>"
],
"serial_number": [
"<string>"
],
"blocked_name": [
"<string>"
],
"blocked_sha256": [
"<string>"
],
"blocked_md5": [
"<string>"
],
"blocked_effective_reputation": [
"<string>"
],
"ml_classification_final_verdict": [
"<string>"
],
"ml_classification_global_prevalence": [
"<string>"
],
"ml_classification_org_prevalence": [
"<string>"
],
"mdr_alert": <boolean>,
"mdr_workflow_status": [
"<string>"
],
"mdr_workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_workflow_is_assigned": <boolean>,
"mdr_determination_value": [
"<string>"
],
"mdr_determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
}
},
"start": <long>,
"rows": <long>,
"sort": [
{
"field": "<string>",
"order": "DESC"
},
{
"field": "<string>",
"order": "DESC"
}
]
}
Request Body
{"group_by": {"field": "THREAT_ID"}, "time_range": {"range": "-10d"}, "criteria": {"type": ["WATCHLIST"], "minimum_severity": "1"}, "sort": [{"field": "count", "order": "DESC"}]}
HEADERS
Key | Datatype | Required | Description |
---|---|---|---|
Content-Type | string | | |
Accept | string | | |
RESPONSES
status: OK
{"num_found":8,"num_available":8,"results":[{"count":1158,"workflow_states":{"IN_PROGRESS":673,"OPEN":484,"CLOSED":1},"determination_values":{"NONE":674},"ml_classification_final_verdicts":{"NOT_ANOMALOUS":1026,"NOT_CLASSIFIED":132},"first_alert_timestamp":"2023-04-07T19:21:23.978Z","last_alert_timestamp":"2023-04-17T17:22:31.613Z","highest_severity":8,"policy_applied":true,"threat_notes_present":false,"tags":["demo_tag"],"device_count":9,"workload_count":0,"most_recent_alert":{"org_key":"ABCD1234","alert_url":"https://defense.conferdeploy.net/alerts?s[c][query_string]=id:df2b1916-4a62-4796-86af-88667c043d06\u0026orgKey=ABCD1234","id":"df2b1916-4a62-4796-86af-88667c043d06","type":"WATCHLIST","backend_timestamp":"2023-04-17T17:28:42.376Z","user_update_timestamp":null,"backend_update_timestamp":"2023-04-17T17:28:42.376Z","detection_timestamp":"2023-04-17T17:25:48.667Z","first_event_timestamp":"2023-04-17T17:22:31.613Z","last_event_timestamp":"2023-04-17T17:22:31.613Z","category":"THREAT","severity":8,"reason":"Process infdefaultinstall.exe was detected by the report \"Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall\" in 6 watchlists","reason_code":"05696200-88e6-3691-a1e3-8d9a64dbc24e:7828aec8-8502-3a43-ae68-41b5050dab5b","threat_id":"0569620088E6669121E38D9A64DBC24E","primary_event_id":"0uYYJLu3TpuhPPaL7qehKA-0","policy_applied":"NOT_APPLIED","run_state":"RAN","sensor_action":"ALLOW","workflow":{"change_timestamp":"2023-04-17T17:28:42.376Z","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION","closure_reason":"NO_REASON","status":"OPEN"},"determination":null,"tags":["demo_tag"],"alert_notes_present":false,"threat_notes_present":false,"is_updated":false,"device_id":12345678,"device_name":"DEMO_MACHINE","device_uem_id":"","device_target_value":"MEDIUM","device_policy":"Demo Policy","device_policy_id":98765432,"device_os":"WINDOWS","device_os_version":"Windows 10 x64 SP: 
1","device_username":"demouser@demoorg.com","device_location":"UNKNOWN","device_external_ip":"1.2.3.4","mdr_alert":false,"report_id":"oJFtoawGS92fVMXlELC1Ow-b4ee93fc-ec58-436a-a940-b4d33a613513","report_name":"Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall","report_description":"\n\nThreat:\nThis behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems.\n\nFalse Positives:\nSome environments may legitimate use this, but should be rare.\n\nScore:\n85","report_tags":["attack","attackframework","threathunting"],"report_link":"https://attack.mitre.org/wiki/Technique/T1218","ioc_id":"b4ee93fc-ec58-436a-a940-b4d33a613513-0","ioc_hit":"((process_name:InfDefaultInstall.exe)) -enriched:true","watchlists":[{"id":"9x0timurQkqP7FBKX4XrUw","name":"Carbon Black Advanced Threats"}],"process_guid":"ABCD1234-01147626-00011e57-00000000-19db1ded53e8000","process_pid":73303,"process_name":"infdefaultinstall.exe","process_sha256":"1a23456b7890c458f804e5d0fe925a9f55cf016733458c58c1980addc44cd774","process_md5":"12ab34567c49f13193513b0138f72a9","process_effective_reputation":"LOCAL_WHITE","process_reputation":"NOT_LISTED","process_cmdline":"InfDefaultInstall.exe C:\\Users\\userdir\\Infdefaultinstall.inf","process_username":"DEMO\\DEMOUSER","process_signatures":[{"certificate_authority":"Demo Code Signing CA","publisher":"Demo Test 
Authority"}],"childproc_guid":"","childproc_username":"","childproc_cmdline":"","ml_classification_final_verdict":"NOT_ANOMALOUS","ml_classification_global_prevalence":"LOW","ml_classification_org_prevalence":"LOW"}},{"count":36,"workflow_states":{"IN_PROGRESS":36},"determination_values":{"NONE":36},"ml_classification_final_verdicts":{},"first_alert_timestamp":"2023-04-07T19:12:45.170Z","last_alert_timestamp":"2023-04-12T15:36:39.983Z","highest_severity":6,"policy_applied":true,"threat_notes_present":false,"tags":[],"device_count":3,"workload_count":0,"most_recent_alert":{"org_key":"EWRTY2PK","alert_url":"https:///defense.conferdeploy.net/alerts?s[c][query_string]=id:90c0a086-0164-49aa-82a6-725aa3f04b930\u0026orgKey=ABCD1234","id":"90c0a086-0164-49aa-82a6-725aa304b930","type":"WATCHLIST","backend_timestamp":"2023-04-12T15:41:22.556Z","user_update_timestamp":"2023-04-13T11:55:24.624Z","backend_update_timestamp":"2023-04-12T15:41:22.556Z","detection_timestamp":"2023-04-12T15:39:50.963Z","first_event_timestamp":"2023-04-12T15:36:39.983Z","last_event_timestamp":"2023-04-12T15:36:39.983Z","category":"THREAT","severity":6,"reason":"Process SYSTEM was detected by the report \"Abnormally Large DNS Exchanges (exfil or zone transfer)\" in watchlist \"zzz_XDR Sample 
IOCs\"","reason_code":"19261158-dbbf-3077-9959-f8aa7f7551a1:0cc402b0-ea96-35c6-8418-a2f07acf616d","threat_id":"19261158DBBF00775959F8AA7F7551A1","primary_event_id":"nPnYST6MS6ON4IvF5FkWSQ-0","policy_applied":"NOT_APPLIED","run_state":"RAN","sensor_action":"ALLOW","workflow":{"change_timestamp":"2023-04-13T11:55:24.624Z","changed_by_type":"USER","changed_by":"demouser@demoorg.com","closure_reason":"NO_REASON","status":"IN_PROGRESS"},"determination":{"change_timestamp":"1970-01-01T00:00:00.000Z","value":"NONE","changed_by_type":"OPERATOR_UNKNOWN","changed_by":null},"tags":null,"alert_notes_present":false,"threat_notes_present":false,"is_updated":false,"device_id":18078555,"device_name":"DEMO\\DEMO_MACHINE","device_uem_id":"","device_target_value":"MEDIUM","device_policy":"Other Demo Policy","device_policy_id":2468013,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_username":"DEMO\\DEMO_USER","device_location":"UNKNOWN","device_external_ip":"1.2.3.4","device_internal_ip":"5.6.7.8","mdr_alert":false,"report_id":"Fm0YsPDyQ1Kp1Pdd6Lnd8w-dns_exfil_1","report_name":"Abnormally Large DNS Exchanges (exfil or zone transfer)","report_description":"IOC leveraging XDR fields to identify abnormally large DNS exchanges. The typical client DNS query to your DNS server is between 50-550 bytes. Large exchanges could be indicative of attack exfiltration or zone transfer attempts.","report_tags":[],"ioc_id":"dns_exfil_1","ioc_hit":"netconn_application_protocol:DNS AND netconn_bytes_sent:[551 TO *]","watchlists":[{"id":"lgaClyOmQ86ZwZttq3ZDxg","name":"Demo Watchlist"}],"process_guid":"ABCD1234-0113db5b-00000004-00000000-1d94225edd70bfd","process_pid":4,"process_name":"SYSTEM","process_sha256":"","process_md5":"","process_effective_reputation":"RESOLVING","process_reputation":"RESOLVING","process_cmdline":"","process_username":"DEMO\\DEMOUSER","process_signatures":[],"childproc_guid":"","childproc_username":"","childproc_cmdline":""}}],"group_by_total_count":1224}