Find Alerts - Grouped

POST {{cb_url}}/api/alerts/v7/orgs/{{cb_org_key}}/grouped_alerts/_search

Search for alerts and group the results by Threat ID. The grouping field is set with `group_by.field` (`THREAT_ID` in the example request below).

RBAC Permissions Required

| Permission (.notation name) | Operation(s) |
|---|---|
| org.alerts | READ |

Request Schema

{
  "group_by": {
    "field": "<string>"
  },
  "query": "<string>",
  "time_range": {
    "start": "<dateTime>",
    "end": "<dateTime>",
    "range": "<string>"
  },
  "criteria": {
    "org_key": [
      "<string>"
    ],
    "id": [
      "<string>"
    ],
    "type": [
      "<string>"
    ],
    "backend_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "user_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "backend_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "detection_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "first_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "last_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "category": [
      "<string>"
    ],
    "minimum_severity": <integer>,
    "reason_code": [
      "<string>"
    ],
    "threat_id": [
      "<string>"
    ],
    "primary_event_id": [
      "<string>"
    ],
    "policy_applied": [
      "<string>"
    ],
    "run_state": [
      "<string>"
    ],
    "sensor_action": [
      "<string>"
    ],
    "workflow_status": [
      "<string>"
    ],
    "workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "workflow_changed_by_type": [
      "<string>"
    ],
    "workflow_changed_by_autoclose_rule_id": [
      "<string>"
    ],
    "workflow_closure_reason": [
      "<string>"
    ],
    "determination_value": [
      "<string>"
    ],
    "determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "determination_changed_by_type": [
      "<string>"
    ],
    "tags": [
      "<string>"
    ],
    "alert_notes_present": <boolean>,
    "threat_notes_present": <boolean>,
    "device_id": [
      <long>
    ],
    "device_name": [
      "<string>"
    ],
    "device_uem_id": [
      "<string>"
    ],
    "device_policy": [
      "<string>"
    ],
    "device_policy_id": [
      <long>
    ],
    "device_target_value": [
      "<string>"
    ],
    "device_os": [
      "<string>"
    ],
    "device_os_version": [
      "<string>"
    ],
    "device_username": [
      "<string>"
    ],
    "device_location": [
      "<string>"
    ],
    "device_external_ip": [
      "<string>"
    ],
    "device_internal_ip": [
      "<string>"
    ],
    "rule_config_type": [
      "<string>"
    ],
    "rule_config_name": [
      "<string>"
    ],
    "rule_config_id": [
      "<string>"
    ],
    "rule_category_id": [
      "<string>"
    ],
    "rule_id": [
      "<string>"
    ],
    "process_guid": [
      "<string>"
    ],
    "process_pid": [
      <integer>
    ],
    "process_name": [
      "<string>"
    ],
    "process_sha256": [
      "<string>"
    ],
    "process_md5": [
      "<string>"
    ],
    "process_effective_reputation": [
      "<string>"
    ],
    "process_reputation": [
      "<string>"
    ],
    "process_cmdline": [
      "<string>"
    ],
    "process_username": [
      "<string>"
    ],
    "process_signatures_certificate_authority": [
      "<string>"
    ],
    "process_signatures_publisher": [
      "<string>"
    ],
    "parent_guid": [
      "<string>"
    ],
    "parent_pid": [
      <integer>
    ],
    "parent_name": [
      "<string>"
    ],
    "parent_sha256": [
      "<string>"
    ],
    "parent_md5": [
      "<string>"
    ],
    "parent_effective_reputation": [
      "<string>"
    ],
    "parent_reputation": [
      "ADWARE",
      "NOT_SUPPORTED"
    ],
    "parent_cmdline": [
      "<string>"
    ],
    "parent_username": [
      "<string>"
    ],
    "childproc_guid": [
      "<string>"
    ],
    "childproc_name": [
      "<string>"
    ],
    "childproc_sha256": [
      "<string>"
    ],
    "childproc_md5": [
      "<string>"
    ],
    "childproc_effective_reputation": [
      "<string>"
    ],
    "childproc_username": [
      "<string>"
    ],
    "childproc_cmdline": [
      "<string>"
    ],
    "netconn_remote_port": [
      <integer>
    ],
    "netconn_local_port": [
      <integer>
    ],
    "netconn_protocol": [
      "<string>"
    ],
    "netconn_remote_domain": [
      "<string>"
    ],
    "netconn_remote_ip": [
      "<string>"
    ],
    "netconn_local_ip": [
      "<string>"
    ],
    "netconn_remote_ipv4": [
      "<string>"
    ],
    "netconn_local_ipv4": [
      "<string>"
    ],
    "netconn_remote_ipv6": [
      "<string>"
    ],
    "netconn_local_ipv6": [
      "<string>"
    ],
    "threat_category": [
      "<string>"
    ],
    "ttps": [
      "<string>"
    ],
    "attack_tactic": [
      "<string>"
    ],
    "attack_technique": [
      "<string>"
    ],
    "report_id": [
      "<string>"
    ],
    "report_name": [
      "<string>"
    ],
    "report_link": [
      "<string>"
    ],
    "watchlists_id": [
      "<string>"
    ],
    "watchlists_name": [
      "<string>"
    ],
    "k8s_policy_id": [
      "<string>"
    ],
    "k8s_policy": [
      "<string>"
    ],
    "k8s_rule_id": [
      "<string>"
    ],
    "k8s_rule": [
      "<string>"
    ],
    "cluster_name": [
      "<string>"
    ],
    "namespace": [
      "<string>"
    ],
    "workload_kind": [
      "<string>"
    ],
    "workload_name": [
      "<string>"
    ],
    "replica_id": [
      "<string>"
    ],
    "connection_type": [
      "<string>"
    ],
    "egress_group_id": [
      "<string>"
    ],
    "egress_group_name": [
      "<string>"
    ],
    "ip_reputation": [
      <integer>
    ],
    "remote_is_private": <boolean>,
    "remote_namespace": [
      "<string>"
    ],
    "remote_replica_id": [
      "<string>"
    ],
    "remote_workload_kind": [
      "<string>"
    ],
    "remote_workload_name": [
      "<string>"
    ],
    "tms_rule_id": [
      "<string>"
    ],
    "threat_name": [
      "<string>"
    ],
    "vendor_name": [
      "<string>"
    ],
    "vendor_id": [
      "<string>"
    ],
    "product_name": [
      "<string>"
    ],
    "product_id": [
      "<string>"
    ],
    "external_device_friendly_name": [
      "<string>"
    ],
    "serial_number": [
      "<string>"
    ],
    "blocked_name": [
      "<string>"
    ],
    "blocked_sha256": [
      "<string>"
    ],
    "blocked_md5": [
      "<string>"
    ],
    "blocked_effective_reputation": [
      "<string>"
    ],
    "ml_classification_final_verdict": [
      "<string>"
    ],
    "ml_classification_global_prevalence": [
      "<string>"
    ],
    "ml_classification_org_prevalence": [
      "<string>"
    ],
    "mdr_alert": <boolean>,
    "mdr_workflow_status": [
      "<string>"
    ],
    "mdr_workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_workflow_is_assigned": <boolean>,
    "mdr_determination_value": [
      "<string>"
    ],
    "mdr_determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    }
  },
  "exclusions": {
    "org_key": [
      "<string>"
    ],
    "id": [
      "<string>"
    ],
    "type": [
      "<string>"
    ],
    "backend_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "user_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "backend_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "detection_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "first_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "last_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "category": [
      "<string>"
    ],
    "minimum_severity": <integer>,
    "reason_code": [
      "<string>"
    ],
    "threat_id": [
      "<string>"
    ],
    "primary_event_id": [
      "<string>"
    ],
    "policy_applied": [
      "<string>"
    ],
    "run_state": [
      "<string>"
    ],
    "sensor_action": [
      "<string>"
    ],
    "workflow_status": [
      "<string>"
    ],
    "workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "workflow_changed_by_type": [
      "<string>"
    ],
    "workflow_changed_by_autoclose_rule_id": [
      "<string>"
    ],
    "workflow_closure_reason": [
      "<string>"
    ],
    "determination_value": [
      "NONE"
    ],
    "determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "determination_changed_by_type": [
      "<string>"
    ],
    "tags": [
      "<string>"
    ],
    "alert_notes_present": <boolean>,
    "threat_notes_present": <boolean>,
    "device_id": [
      <long>
    ],
    "device_name": [
      "<string>"
    ],
    "device_uem_id": [
      "<string>"
    ],
    "device_policy": [
      "<string>"
    ],
    "device_policy_id": [
      <long>
    ],
    "device_target_value": [
      "<string>"
    ],
    "device_os": [
      "<string>"
    ],
    "device_os_version": [
      "<string>"
    ],
    "device_username": [
      "<string>"
    ],
    "device_location": [
      "<string>"
    ],
    "device_external_ip": [
      "<string>"
    ],
    "device_internal_ip": [
      "<string>"
    ],
    "rule_config_type": [
      "<string>"
    ],
    "rule_config_name": [
      "<string>"
    ],
    "rule_config_id": [
      "<string>"
    ],
    "rule_category_id": [
      "<string>"
    ],
    "rule_id": [
      "<string>"
    ],
    "process_guid": [
      "<string>"
    ],
    "process_pid": [
      <integer>
    ],
    "process_name": [
      "<string>"
    ],
    "process_sha256": [
      "<string>"
    ],
    "process_md5": [
      "<string>"
    ],
    "process_effective_reputation": [
      "<string>"
    ],
    "process_reputation": [
      "<string>"
    ],
    "process_cmdline": [
      "<string>"
    ],
    "process_username": [
      "<string>"
    ],
    "process_signatures_certificate_authority": [
      "<string>"
    ],
    "process_signatures_publisher": [
      "<string>"
    ],
    "parent_guid": [
      "<string>"
    ],
    "parent_pid": [
      <integer>
    ],
    "parent_name": [
      "<string>"
    ],
    "parent_sha256": [
      "<string>"
    ],
    "parent_md5": [
      "<string>"
    ],
    "parent_effective_reputation": [
      "<string>"
    ],
    "parent_reputation": [
      "<string>"
    ],
    "parent_cmdline": [
      "<string>"
    ],
    "parent_username": [
      "<string>"
    ],
    "childproc_guid": [
      "<string>"
    ],
    "childproc_name": [
      "<string>"
    ],
    "childproc_sha256": [
      "<string>"
    ],
    "childproc_md5": [
      "<string>"
    ],
    "childproc_effective_reputation": [
      "<string>"
    ],
    "childproc_username": [
      "<string>"
    ],
    "childproc_cmdline": [
      "<string>"
    ],
    "netconn_remote_port": [
      <integer>
    ],
    "netconn_local_port": [
      <integer>
    ],
    "netconn_protocol": [
      "<string>"
    ],
    "netconn_remote_domain": [
      "<string>"
    ],
    "netconn_remote_ip": [
      "<string>"
    ],
    "netconn_local_ip": [
      "<string>"
    ],
    "netconn_remote_ipv4": [
      "<string>"
    ],
    "netconn_local_ipv4": [
      "<string>"
    ],
    "netconn_remote_ipv6": [
      "<string>"
    ],
    "netconn_local_ipv6": [
      "<string>"
    ],
    "threat_category": [
      "<string>"
    ],
    "ttps": [
      "<string>"
    ],
    "attack_tactic": [
      "<string>"
    ],
    "attack_technique": [
      "<string>"
    ],
    "report_id": [
      "<string>"
    ],
    "report_name": [
      "<string>"
    ],
    "report_link": [
      "<string>"
    ],
    "watchlists_id": [
      "<string>"
    ],
    "watchlists_name": [
      "<string>"
    ],
    "k8s_policy_id": [
      "<string>"
    ],
    "k8s_policy": [
      "<string>"
    ],
    "k8s_rule_id": [
      "<string>"
    ],
    "k8s_rule": [
      "<string>"
    ],
    "cluster_name": [
      "<string>"
    ],
    "namespace": [
      "<string>"
    ],
    "workload_kind": [
      "<string>"
    ],
    "workload_name": [
      "<string>"
    ],
    "replica_id": [
      "<string>"
    ],
    "connection_type": [
      "<string>"
    ],
    "egress_group_id": [
      "<string>"
    ],
    "egress_group_name": [
      "<string>"
    ],
    "ip_reputation": [
      <integer>
    ],
    "remote_is_private": <boolean>,
    "remote_namespace": [
      "<string>"
    ],
    "remote_replica_id": [
      "<string>"
    ],
    "remote_workload_kind": [
      "<string>"
    ],
    "remote_workload_name": [
      "<string>"
    ],
    "tms_rule_id": [
      "<string>"
    ],
    "threat_name": [
      "<string>"
    ],
    "vendor_name": [
      "<string>"
    ],
    "vendor_id": [
      "<string>"
    ],
    "product_name": [
      "<string>"
    ],
    "product_id": [
      "<string>"
    ],
    "external_device_friendly_name": [
      "<string>"
    ],
    "serial_number": [
      "<string>"
    ],
    "blocked_name": [
      "<string>"
    ],
    "blocked_sha256": [
      "<string>"
    ],
    "blocked_md5": [
      "<string>"
    ],
    "blocked_effective_reputation": [
      "<string>"
    ],
    "ml_classification_final_verdict": [
      "<string>"
    ],
    "ml_classification_global_prevalence": [
      "<string>"
    ],
    "ml_classification_org_prevalence": [
      "<string>"
    ],
    "mdr_alert": <boolean>,
    "mdr_workflow_status": [
      "<string>"
    ],
    "mdr_workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_workflow_is_assigned": <boolean>,
    "mdr_determination_value": [
      "<string>"
    ],
    "mdr_determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    }
  },
  "start": <long>,
  "rows": <long>,
  "sort": [
    {
      "field": "<string>",
      "order": "DESC"
    },
    {
      "field": "<string>",
      "order": "DESC"
    }
  ]
}


Request Body

{
  "group_by": { "field": "THREAT_ID" },
  "time_range": { "range": "-10d" },
  "criteria": { "type": ["WATCHLIST"], "minimum_severity": "1" },
  "sort": [{ "field": "count", "order": "DESC" }]
}

HEADERS

| Key | Datatype | Required | Description |
|---|---|---|---|
| Content-Type | string | | |
| Accept | string | | |

RESPONSES

status: OK

{
  "num_found": 8,
  "num_available": 8,
  "results": [
    {
      "count": 1158,
      "workflow_states": {"IN_PROGRESS": 673, "OPEN": 484, "CLOSED": 1},
      "determination_values": {"NONE": 674},
      "ml_classification_final_verdicts": {"NOT_ANOMALOUS": 1026, "NOT_CLASSIFIED": 132},
      "first_alert_timestamp": "2023-04-07T19:21:23.978Z",
      "last_alert_timestamp": "2023-04-17T17:22:31.613Z",
      "highest_severity": 8,
      "policy_applied": true,
      "threat_notes_present": false,
      "tags": ["demo_tag"],
      "device_count": 9,
      "workload_count": 0,
      "most_recent_alert": {
        "org_key": "ABCD1234",
        "alert_url": "https://defense.conferdeploy.net/alerts?s[c][query_string]=id:df2b1916-4a62-4796-86af-88667c043d06\u0026orgKey=ABCD1234",
        "id": "df2b1916-4a62-4796-86af-88667c043d06",
        "type": "WATCHLIST",
        "backend_timestamp": "2023-04-17T17:28:42.376Z",
        "user_update_timestamp": null,
        "backend_update_timestamp": "2023-04-17T17:28:42.376Z",
        "detection_timestamp": "2023-04-17T17:25:48.667Z",
        "first_event_timestamp": "2023-04-17T17:22:31.613Z",
        "last_event_timestamp": "2023-04-17T17:22:31.613Z",
        "category": "THREAT",
        "severity": 8,
        "reason": "Process infdefaultinstall.exe was detected by the report \"Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall\" in 6 watchlists",
        "reason_code": "05696200-88e6-3691-a1e3-8d9a64dbc24e:7828aec8-8502-3a43-ae68-41b5050dab5b",
        "threat_id": "0569620088E6669121E38D9A64DBC24E",
        "primary_event_id": "0uYYJLu3TpuhPPaL7qehKA-0",
        "policy_applied": "NOT_APPLIED",
        "run_state": "RAN",
        "sensor_action": "ALLOW",
        "workflow": {
          "change_timestamp": "2023-04-17T17:28:42.376Z",
          "changed_by_type": "SYSTEM",
          "changed_by": "ALERT_CREATION",
          "closure_reason": "NO_REASON",
          "status": "OPEN"
        },
        "determination": null,
        "tags": ["demo_tag"],
        "alert_notes_present": false,
        "threat_notes_present": false,
        "is_updated": false,
        "device_id": 12345678,
        "device_name": "DEMO_MACHINE",
        "device_uem_id": "",
        "device_target_value": "MEDIUM",
        "device_policy": "Demo Policy",
        "device_policy_id": 98765432,
        "device_os": "WINDOWS",
        "device_os_version": "Windows 10 x64 SP: 1",
        "device_username": "demouser@demoorg.com",
        "device_location": "UNKNOWN",
        "device_external_ip": "1.2.3.4",
        "mdr_alert": false,
        "report_id": "oJFtoawGS92fVMXlELC1Ow-b4ee93fc-ec58-436a-a940-b4d33a613513",
        "report_name": "Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall",
        "report_description": "\n\nThreat:\nThis behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems.\n\nFalse Positives:\nSome environments may legitimate use this, but should be rare.\n\nScore:\n85",
        "report_tags": ["attack", "attackframework", "threathunting"],
        "report_link": "https://attack.mitre.org/wiki/Technique/T1218",
        "ioc_id": "b4ee93fc-ec58-436a-a940-b4d33a613513-0",
        "ioc_hit": "((process_name:InfDefaultInstall.exe)) -enriched:true",
        "watchlists": [{"id": "9x0timurQkqP7FBKX4XrUw", "name": "Carbon Black Advanced Threats"}],
        "process_guid": "ABCD1234-01147626-00011e57-00000000-19db1ded53e8000",
        "process_pid": 73303,
        "process_name": "infdefaultinstall.exe",
        "process_sha256": "1a23456b7890c458f804e5d0fe925a9f55cf016733458c58c1980addc44cd774",
        "process_md5": "12ab34567c49f13193513b0138f72a9",
        "process_effective_reputation": "LOCAL_WHITE",
        "process_reputation": "NOT_LISTED",
        "process_cmdline": "InfDefaultInstall.exe C:\\Users\\userdir\\Infdefaultinstall.inf",
        "process_username": "DEMO\\DEMOUSER",
        "process_signatures": [{"certificate_authority": "Demo Code Signing CA", "publisher": "Demo Test Authority"}],
        "childproc_guid": "",
        "childproc_username": "",
        "childproc_cmdline": "",
        "ml_classification_final_verdict": "NOT_ANOMALOUS",
        "ml_classification_global_prevalence": "LOW",
        "ml_classification_org_prevalence": "LOW"
      }
    },
    {
      "count": 36,
      "workflow_states": {"IN_PROGRESS": 36},
      "determination_values": {"NONE": 36},
      "ml_classification_final_verdicts": {},
      "first_alert_timestamp": "2023-04-07T19:12:45.170Z",
      "last_alert_timestamp": "2023-04-12T15:36:39.983Z",
      "highest_severity": 6,
      "policy_applied": true,
      "threat_notes_present": false,
      "tags": [],
      "device_count": 3,
      "workload_count": 0,
      "most_recent_alert": {
        "org_key": "EWRTY2PK",
        "alert_url": "https:///defense.conferdeploy.net/alerts?s[c][query_string]=id:90c0a086-0164-49aa-82a6-725aa3f04b930\u0026orgKey=ABCD1234",
        "id": "90c0a086-0164-49aa-82a6-725aa304b930",
        "type": "WATCHLIST",
        "backend_timestamp": "2023-04-12T15:41:22.556Z",
        "user_update_timestamp": "2023-04-13T11:55:24.624Z",
        "backend_update_timestamp": "2023-04-12T15:41:22.556Z",
        "detection_timestamp": "2023-04-12T15:39:50.963Z",
        "first_event_timestamp": "2023-04-12T15:36:39.983Z",
        "last_event_timestamp": "2023-04-12T15:36:39.983Z",
        "category": "THREAT",
        "severity": 6,
        "reason": "Process SYSTEM was detected by the report \"Abnormally Large DNS Exchanges (exfil or zone transfer)\" in watchlist \"zzz_XDR Sample IOCs\"",
        "reason_code": "19261158-dbbf-3077-9959-f8aa7f7551a1:0cc402b0-ea96-35c6-8418-a2f07acf616d",
        "threat_id": "19261158DBBF00775959F8AA7F7551A1",
        "primary_event_id": "nPnYST6MS6ON4IvF5FkWSQ-0",
        "policy_applied": "NOT_APPLIED",
        "run_state": "RAN",
        "sensor_action": "ALLOW",
        "workflow": {
          "change_timestamp": "2023-04-13T11:55:24.624Z",
          "changed_by_type": "USER",
          "changed_by": "demouser@demoorg.com",
          "closure_reason": "NO_REASON",
          "status": "IN_PROGRESS"
        },
        "determination": {
          "change_timestamp": "1970-01-01T00:00:00.000Z",
          "value": "NONE",
          "changed_by_type": "OPERATOR_UNKNOWN",
          "changed_by": null
        },
        "tags": null,
        "alert_notes_present": false,
        "threat_notes_present": false,
        "is_updated": false,
        "device_id": 18078555,
        "device_name": "DEMO\\DEMO_MACHINE",
        "device_uem_id": "",
        "device_target_value": "MEDIUM",
        "device_policy": "Other Demo Policy",
        "device_policy_id": 2468013,
        "device_os": "WINDOWS",
        "device_os_version": "Windows 10 x64",
        "device_username": "DEMO\\DEMO_USER",
        "device_location": "UNKNOWN",
        "device_external_ip": "1.2.3.4",
        "device_internal_ip": "5.6.7.8",
        "mdr_alert": false,
        "report_id": "Fm0YsPDyQ1Kp1Pdd6Lnd8w-dns_exfil_1",
        "report_name": "Abnormally Large DNS Exchanges (exfil or zone transfer)",
        "report_description": "IOC leveraging XDR fields to identify abnormally large DNS exchanges. The typical client DNS query to your DNS server is between 50-550 bytes. Large exchanges could be indicative of attack exfiltration or zone transfer attempts.",
        "report_tags": [],
        "ioc_id": "dns_exfil_1",
        "ioc_hit": "netconn_application_protocol:DNS AND netconn_bytes_sent:[551 TO *]",
        "watchlists": [{"id": "lgaClyOmQ86ZwZttq3ZDxg", "name": "Demo Watchlist"}],
        "process_guid": "ABCD1234-0113db5b-00000004-00000000-1d94225edd70bfd",
        "process_pid": 4,
        "process_name": "SYSTEM",
        "process_sha256": "",
        "process_md5": "",
        "process_effective_reputation": "RESOLVING",
        "process_reputation": "RESOLVING",
        "process_cmdline": "",
        "process_username": "DEMO\\DEMOUSER",
        "process_signatures": [],
        "childproc_guid": "",
        "childproc_username": "",
        "childproc_cmdline": ""
      }
    }
  ],
  "group_by_total_count": 1224
}