Find Alerts - Grouped

POST {{cb_url}}/api/alerts/v7/orgs/{{cb_org_key}}/grouped_alerts/_search

Search for Alerts and group the results by Threat Id.

RBAC Permissions Required

Request Schema

{
  "group_by": {
    "field": "<string>"
  },
  "query": "<string>",
  "time_range": {
    "start": "<dateTime>",
    "end": "<dateTime>",
    "range": "<string>"
  },
  "criteria": {
    "org_key": [
      "<string>"
    ],
    "id": [
      "<string>"
    ],
    "type": [
      "<string>"
    ],
    "backend_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "user_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "backend_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "detection_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "first_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "last_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "category": [
      "<string>"
    ],
    "minimum_severity": <integer>,
    "reason_code": [
      "<string>"
    ],
    "threat_id": [
      "<string>"
    ],
    "primary_event_id": [
      "<string>"
    ],
    "policy_applied": [
      "<string>"
    ],
    "run_state": [
      "<string>"
    ],
    "sensor_action": [
      "<string>"
    ],
    "workflow_status": [
      "<string>"
    ],
    "workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "workflow_changed_by_type": [
      "<string>"
    ],
    "workflow_changed_by_autoclose_rule_id": [
      "<string>"
    ],
    "workflow_closure_reason": [
      "<string>"
    ],
    "determination_value": [
      "<string>"
    ],
    "determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "determination_changed_by_type": [
      "<string>"
    ],
    "tags": [
      "<string>"
    ],
    "alert_notes_present": <boolean>,
    "threat_notes_present": <boolean>,
    "device_id": [
      <long>
    ],
    "device_name": [
      "<string>"
    ],
    "device_uem_id": [
      "<string>"
    ],
    "device_policy": [
      "<string>"
    ],
    "device_policy_id": [
      <long>
    ],
    "device_target_value": [
      "<string>"
    ],
    "device_os": [
      "<string>"
    ],
    "device_os_version": [
      "<string>"
    ],
    "device_username": [
      "<string>"
    ],
    "device_location": [
      "<string>"
    ],
    "device_external_ip": [
      "<string>"
    ],
    "device_internal_ip": [
      "<string>"
    ],
    "rule_config_type": [
      "<string>"
    ],
    "rule_config_name": [
      "<string>"
    ],
    "rule_config_id": [
      "<string>"
    ],
    "rule_category_id": [
      "<string>"
    ],
    "rule_id": [
      "<string>"
    ],
    "process_guid": [
      "<string>"
    ],
    "process_pid": [
      <integer>
    ],
    "process_name": [
      "<string>"
    ],
    "process_sha256": [
      "<string>"
    ],
    "process_md5": [
      "<string>"
    ],
    "process_effective_reputation": [
      "<string>"
    ],
    "process_reputation": [
      "<string>"
    ],
    "process_cmdline": [
      "<string>"
    ],
    "process_username": [
      "<string>"
    ],
    "process_signatures_certificate_authority": [
      "<string>"
    ],
    "process_signatures_publisher": [
      "<string>"
    ],
    "parent_guid": [
      "<string>"
    ],
    "parent_pid": [
      <integer>
    ],
    "parent_name": [
      "<string>"
    ],
    "parent_sha256": [
      "<string>"
    ],
    "parent_md5": [
      "<string>"
    ],
    "parent_effective_reputation": [
      "<string>"
    ],
    "parent_reputation": [
      "ADWARE",
      "NOT_SUPPORTED"
    ],
    "parent_cmdline": [
      "<string>"
    ],
    "parent_username": [
      "<string>"
    ],
    "childproc_guid": [
      "<string>"
    ],
    "childproc_name": [
      "<string>"
    ],
    "childproc_sha256": [
      "<string>"
    ],
    "childproc_md5": [
      "<string>"
    ],
    "childproc_effective_reputation": [
      "<string>"
    ],
    "childproc_username": [
      "<string>"
    ],
    "childproc_cmdline": [
      "<string>"
    ],
    "netconn_remote_port": [
      <integer>
    ],
    "netconn_local_port": [
      <integer>
    ],
    "netconn_protocol": [
      "<string>"
    ],
    "netconn_remote_domain": [
      "<string>"
    ],
    "netconn_remote_ip": [
      "<string>"
    ],
    "netconn_local_ip": [
      "<string>"
    ],
    "netconn_remote_ipv4": [
      "<string>"
    ],
    "netconn_local_ipv4": [
      "<string>"
    ],
    "netconn_remote_ipv6": [
      "<string>"
    ],
    "netconn_local_ipv6": [
      "<string>"
    ],
    "threat_category": [
      "<string>"
    ],
    "ttps": [
      "<string>"
    ],
    "attack_tactic": [
      "<string>"
    ],
    "attack_technique": [
      "<string>"
    ],
    "report_id": [
      "<string>"
    ],
    "report_name": [
      "<string>"
    ],
    "report_link": [
      "<string>"
    ],
    "watchlists_id": [
      "<string>"
    ],
    "watchlists_name": [
      "<string>"
    ],
    "k8s_policy_id": [
      "<string>"
    ],
    "k8s_policy": [
      "<string>"
    ],
    "k8s_rule_id": [
      "<string>"
    ],
    "k8s_rule": [
      "<string>"
    ],
    "cluster_name": [
      "<string>"
    ],
    "namespace": [
      "<string>"
    ],
    "workload_kind": [
      "<string>"
    ],
    "workload_name": [
      "<string>"
    ],
    "replica_id": [
      "<string>"
    ],
    "connection_type": [
      "<string>"
    ],
    "egress_group_id": [
      "<string>"
    ],
    "egress_group_name": [
      "<string>"
    ],
    "ip_reputation": [
      <integer>
    ],
    "remote_is_private": <boolean>,
    "remote_namespace": [
      "<string>"
    ],
    "remote_replica_id": [
      "<string>"
    ],
    "remote_workload_kind": [
      "<string>"
    ],
    "remote_workload_name": [
      "<string>"
    ],
    "tms_rule_id": [
      "<string>"
    ],
    "threat_name": [
      "<string>"
    ],
    "vendor_name": [
      "<string>"
    ],
    "vendor_id": [
      "<string>"
    ],
    "product_name": [
      "<string>"
    ],
    "product_id": [
      "<string>"
    ],
    "external_device_friendly_name": [
      "<string>"
    ],
    "serial_number": [
      "<string>"
    ],
    "blocked_name": [
      "<string>"
    ],
    "blocked_sha256": [
      "<string>"
    ],
    "blocked_md5": [
      "<string>"
    ],
    "blocked_effective_reputation": [
      "<string>"
    ],
    "ml_classification_final_verdict": [
      "<string>"
    ],
    "ml_classification_global_prevalence": [
      "<string>"
    ],
    "ml_classification_org_prevalence": [
      "<string>"
    ],
    "mdr_alert": <boolean>,
    "mdr_workflow_status": [
      "<string>"
    ],
    "mdr_workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_workflow_is_assigned": <boolean>,
    "mdr_determination_value": [
      "<string>"
    ],
    "mdr_determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    }
  },
  "exclusions": {
    "org_key": [
      "<string>"
    ],
    "id": [
      "<string>"
    ],
    "type": [
      "<string>"
    ],
    "backend_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "user_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "backend_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "detection_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "first_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "last_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "category": [
      "<string>"
    ],
    "minimum_severity": <integer>,
    "reason_code": [
      "<string>"
    ],
    "threat_id": [
      "<string>"
    ],
    "primary_event_id": [
      "<string>"
    ],
    "policy_applied": [
      "<string>"
    ],
    "run_state": [
      "<string>"
    ],
    "sensor_action": [
      "<string>"
    ],
    "workflow_status": [
      "<string>"
    ],
    "workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "workflow_changed_by_type": [
      "<string>"
    ],
    "workflow_changed_by_autoclose_rule_id": [
      "<string>"
    ],
    "workflow_closure_reason": [
      "<string>"
    ],
    "determination_value": [
      "NONE"
    ],
    "determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "determination_changed_by_type": [
      "<string>"
    ],
    "tags": [
      "<string>"
    ],
    "alert_notes_present": <boolean>,
    "threat_notes_present": <boolean>,
    "device_id": [
      <long>
    ],
    "device_name": [
      "<string>"
    ],
    "device_uem_id": [
      "<string>"
    ],
    "device_policy": [
      "<string>"
    ],
    "device_policy_id": [
      <long>
    ],
    "device_target_value": [
      "<string>"
    ],
    "device_os": [
      "<string>"
    ],
    "device_os_version": [
      "<string>"
    ],
    "device_username": [
      "<string>"
    ],
    "device_location": [
      "<string>"
    ],
    "device_external_ip": [
      "<string>"
    ],
    "device_internal_ip": [
      "<string>"
    ],
    "rule_config_type": [
      "<string>"
    ],
    "rule_config_name": [
      "<string>"
    ],
    "rule_config_id": [
      "<string>"
    ],
    "rule_category_id": [
      "<string>"
    ],
    "rule_id": [
      "<string>"
    ],
    "process_guid": [
      "<string>"
    ],
    "process_pid": [
      <integer>
    ],
    "process_name": [
      "<string>"
    ],
    "process_sha256": [
      "<string>"
    ],
    "process_md5": [
      "<string>"
    ],
    "process_effective_reputation": [
      "<string>"
    ],
    "process_reputation": [
      "<string>"
    ],
    "process_cmdline": [
      "<string>"
    ],
    "process_username": [
      "<string>"
    ],
    "process_signatures_certificate_authority": [
      "<string>"
    ],
    "process_signatures_publisher": [
      "<string>"
    ],
    "parent_guid": [
      "<string>"
    ],
    "parent_pid": [
      <integer>
    ],
    "parent_name": [
      "<string>"
    ],
    "parent_sha256": [
      "<string>"
    ],
    "parent_md5": [
      "<string>"
    ],
    "parent_effective_reputation": [
      "<string>"
    ],
    "parent_reputation": [
      "<string>"
    ],
    "parent_cmdline": [
      "<string>"
    ],
    "parent_username": [
      "<string>"
    ],
    "childproc_guid": [
      "<string>"
    ],
    "childproc_name": [
      "<string>"
    ],
    "childproc_sha256": [
      "<string>"
    ],
    "childproc_md5": [
      "<string>"
    ],
    "childproc_effective_reputation": [
      "<string>"
    ],
    "childproc_username": [
      "<string>"
    ],
    "childproc_cmdline": [
      "<string>"
    ],
    "netconn_remote_port": [
      <integer>
    ],
    "netconn_local_port": [
      <integer>
    ],
    "netconn_protocol": [
      "<string>"
    ],
    "netconn_remote_domain": [
      "<string>"
    ],
    "netconn_remote_ip": [
      "<string>"
    ],
    "netconn_local_ip": [
      "<string>"
    ],
    "netconn_remote_ipv4": [
      "<string>"
    ],
    "netconn_local_ipv4": [
      "<string>"
    ],
    "netconn_remote_ipv6": [
      "<string>"
    ],
    "netconn_local_ipv6": [
      "<string>"
    ],
    "threat_category": [
      "<string>"
    ],
    "ttps": [
      "<string>"
    ],
    "attack_tactic": [
      "<string>"
    ],
    "attack_technique": [
      "<string>"
    ],
    "report_id": [
      "<string>"
    ],
    "report_name": [
      "<string>"
    ],
    "report_link": [
      "<string>"
    ],
    "watchlists_id": [
      "<string>"
    ],
    "watchlists_name": [
      "<string>"
    ],
    "k8s_policy_id": [
      "<string>"
    ],
    "k8s_policy": [
      "<string>"
    ],
    "k8s_rule_id": [
      "<string>"
    ],
    "k8s_rule": [
      "<string>"
    ],
    "cluster_name": [
      "<string>"
    ],
    "namespace": [
      "<string>"
    ],
    "workload_kind": [
      "<string>"
    ],
    "workload_name": [
      "<string>"
    ],
    "replica_id": [
      "<string>"
    ],
    "connection_type": [
      "<string>"
    ],
    "egress_group_id": [
      "<string>"
    ],
    "egress_group_name": [
      "<string>"
    ],
    "ip_reputation": [
      <integer>
    ],
    "remote_is_private": <boolean>,
    "remote_namespace": [
      "<string>"
    ],
    "remote_replica_id": [
      "<string>"
    ],
    "remote_workload_kind": [
      "<string>"
    ],
    "remote_workload_name": [
      "<string>"
    ],
    "tms_rule_id": [
      "<string>"
    ],
    "threat_name": [
      "<string>"
    ],
    "vendor_name": [
      "<string>"
    ],
    "vendor_id": [
      "<string>"
    ],
    "product_name": [
      "<string>"
    ],
    "product_id": [
      "<string>"
    ],
    "external_device_friendly_name": [
      "<string>"
    ],
    "serial_number": [
      "<string>"
    ],
    "blocked_name": [
      "<string>"
    ],
    "blocked_sha256": [
      "<string>"
    ],
    "blocked_md5": [
      "<string>"
    ],
    "blocked_effective_reputation": [
      "<string>"
    ],
    "ml_classification_final_verdict": [
      "<string>"
    ],
    "ml_classification_global_prevalence": [
      "<string>"
    ],
    "ml_classification_org_prevalence": [
      "<string>"
    ],
    "mdr_alert": <boolean>,
    "mdr_workflow_status": [
      "<string>"
    ],
    "mdr_workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_workflow_is_assigned": <boolean>,
    "mdr_determination_value": [
      "<string>"
    ],
    "mdr_determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    }
  },
  "start": <long>,
  "rows": <long>,
  "sort": [
    {
      "field": "<string>",
      "order": "DESC"
    },
    {
      "field": "<string>",
      "order": "DESC"
    }
  ]
}

Request Body

{"group_by"=>{"field"=>"THREAT_ID"}, "time_range"=>{"range"=>"-10d"}, "criteria"=>{"type"=>["WATCHLIST"], "minimum_severity"=>"1"}, "sort"=>[{"field"=>"count", "order"=>"DESC"}]}

HEADERS

RESPONSES

status: OK

{"num_found":8,"num_available":8,"results":[{"count":1158,"workflow_states":{"IN_PROGRESS":673,"OPEN":484,"CLOSED":1},"determination_values":{"NONE":674},"ml_classification_final_verdicts":{"NOT_ANOMALOUS":1026,"NOT_CLASSIFIED":132},"first_alert_timestamp":"2023-04-07T19:21:23.978Z","last_alert_timestamp":"2023-04-17T17:22:31.613Z","highest_severity":8,"policy_applied":true,"threat_notes_present":false,"tags":["demo_tag"],"device_count":9,"workload_count":0,"most_recent_alert":{"org_key":"ABCD1234","alert_url":"https://defense.conferdeploy.net/alerts?s[c][query_string]=id:df2b1916-4a62-4796-86af-88667c043d06\u0026orgKey=ABCD1234","id":"df2b1916-4a62-4796-86af-88667c043d06","type":"WATCHLIST","backend_timestamp":"2023-04-17T17:28:42.376Z","user_update_timestamp":null,"backend_update_timestamp":"2023-04-17T17:28:42.376Z","detection_timestamp":"2023-04-17T17:25:48.667Z","first_event_timestamp":"2023-04-17T17:22:31.613Z","last_event_timestamp":"2023-04-17T17:22:31.613Z","category":"THREAT","severity":8,"reason":"Process infdefaultinstall.exe was detected by the report \"Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall\" in 6 watchlists","reason_code":"05696200-88e6-3691-a1e3-8d9a64dbc24e:7828aec8-8502-3a43-ae68-41b5050dab5b","threat_id":"0569620088E6669121E38D9A64DBC24E","primary_event_id":"0uYYJLu3TpuhPPaL7qehKA-0","policy_applied":"NOT_APPLIED","run_state":"RAN","sensor_action":"ALLOW","workflow":{"change_timestamp":"2023-04-17T17:28:42.376Z","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION","closure_reason":"NO_REASON","status":"OPEN"},"determination":null,"tags":["demo_tag"],"alert_notes_present":false,"threat_notes_present":false,"is_updated":false,"device_id":12345678,"device_name":"DEMO_MACHINE","device_uem_id":"","device_target_value":"MEDIUM","device_policy":"Demo Policy","device_policy_id":98765432,"device_os":"WINDOWS","device_os_version":"Windows 10 x64 SP: 1","device_username":"demouser@demoorg.com","device_location":"UNKNOWN","device_external_ip":"1.2.3.4","mdr_alert":false,"report_id":"oJFtoawGS92fVMXlELC1Ow-b4ee93fc-ec58-436a-a940-b4d33a613513","report_name":"Defense Evasion - Signed Binary Proxy Execution - InfDefaultInstall","report_description":"\n\nThreat:\nThis behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems.\n\nFalse Positives:\nSome environments may legitimate use this, but should be rare.\n\nScore:\n85","report_tags":["attack","attackframework","threathunting"],"report_link":"https://attack.mitre.org/wiki/Technique/T1218","ioc_id":"b4ee93fc-ec58-436a-a940-b4d33a613513-0","ioc_hit":"((process_name:InfDefaultInstall.exe)) -enriched:true","watchlists":[{"id":"9x0timurQkqP7FBKX4XrUw","name":"Carbon Black Advanced Threats"}],"process_guid":"ABCD1234-01147626-00011e57-00000000-19db1ded53e8000","process_pid":73303,"process_name":"infdefaultinstall.exe","process_sha256":"1a23456b7890c458f804e5d0fe925a9f55cf016733458c58c1980addc44cd774","process_md5":"12ab34567c49f13193513b0138f72a9","process_effective_reputation":"LOCAL_WHITE","process_reputation":"NOT_LISTED","process_cmdline":"InfDefaultInstall.exe C:\\Users\\userdir\\Infdefaultinstall.inf","process_username":"DEMO\\DEMOUSER","process_signatures":[{"certificate_authority":"Demo Code Signing CA","publisher":"Demo Test Authority"}],"childproc_guid":"","childproc_username":"","childproc_cmdline":"","ml_classification_final_verdict":"NOT_ANOMALOUS","ml_classification_global_prevalence":"LOW","ml_classification_org_prevalence":"LOW"}},{"count":36,"workflow_states":{"IN_PROGRESS":36},"determination_values":{"NONE":36},"ml_classification_final_verdicts":{},"first_alert_timestamp":"2023-04-07T19:12:45.170Z","last_alert_timestamp":"2023-04-12T15:36:39.983Z","highest_severity":6,"policy_applied":true,"threat_notes_present":false,"tags":[],"device_count":3,"workload_count":0,"most_recent_alert":{"org_key":"EWRTY2PK","alert_url":"https:///defense.conferdeploy.net/alerts?s[c][query_string]=id:90c0a086-0164-49aa-82a6-725aa3f04b930\u0026orgKey=ABCD1234","id":"90c0a086-0164-49aa-82a6-725aa304b930","type":"WATCHLIST","backend_timestamp":"2023-04-12T15:41:22.556Z","user_update_timestamp":"2023-04-13T11:55:24.624Z","backend_update_timestamp":"2023-04-12T15:41:22.556Z","detection_timestamp":"2023-04-12T15:39:50.963Z","first_event_timestamp":"2023-04-12T15:36:39.983Z","last_event_timestamp":"2023-04-12T15:36:39.983Z","category":"THREAT","severity":6,"reason":"Process SYSTEM was detected by the report \"Abnormally Large DNS Exchanges (exfil or zone transfer)\" in watchlist \"zzz_XDR Sample IOCs\"","reason_code":"19261158-dbbf-3077-9959-f8aa7f7551a1:0cc402b0-ea96-35c6-8418-a2f07acf616d","threat_id":"19261158DBBF00775959F8AA7F7551A1","primary_event_id":"nPnYST6MS6ON4IvF5FkWSQ-0","policy_applied":"NOT_APPLIED","run_state":"RAN","sensor_action":"ALLOW","workflow":{"change_timestamp":"2023-04-13T11:55:24.624Z","changed_by_type":"USER","changed_by":"demouser@demoorg.com","closure_reason":"NO_REASON","status":"IN_PROGRESS"},"determination":{"change_timestamp":"1970-01-01T00:00:00.000Z","value":"NONE","changed_by_type":"OPERATOR_UNKNOWN","changed_by":null},"tags":null,"alert_notes_present":false,"threat_notes_present":false,"is_updated":false,"device_id":18078555,"device_name":"DEMO\\DEMO_MACHINE","device_uem_id":"","device_target_value":"MEDIUM","device_policy":"Other Demo Policy","device_policy_id":2468013,"device_os":"WINDOWS","device_os_version":"Windows 10 x64","device_username":"DEMO\\DEMO_USER","device_location":"UNKNOWN","device_external_ip":"1.2.3.4","device_internal_ip":"5.6.7.8","mdr_alert":false,"report_id":"Fm0YsPDyQ1Kp1Pdd6Lnd8w-dns_exfil_1","report_name":"Abnormally Large DNS Exchanges (exfil or zone transfer)","report_description":"IOC leveraging XDR fields to identify abnormally large DNS exchanges. The typical client DNS query to your DNS server is between 50-550 bytes. Large exchanges could be indicative of attack exfiltration or zone transfer attempts.","report_tags":[],"ioc_id":"dns_exfil_1","ioc_hit":"netconn_application_protocol:DNS AND netconn_bytes_sent:[551 TO *]","watchlists":[{"id":"lgaClyOmQ86ZwZttq3ZDxg","name":"Demo Watchlist"}],"process_guid":"ABCD1234-0113db5b-00000004-00000000-1d94225edd70bfd","process_pid":4,"process_name":"SYSTEM","process_sha256":"","process_md5":"","process_effective_reputation":"RESOLVING","process_reputation":"RESOLVING","process_cmdline":"","process_username":"DEMO\\DEMOUSER","process_signatures":[],"childproc_guid":"","childproc_username":"","childproc_cmdline":""}}],"group_by_total_count":1224}