Get alert histogram for grouped alerts
POST {{cb_url}}/api/alerts/v7/orgs/{{cb_org_key}}/grouped_alerts/_histogram
Returns histogram statistics for alerts grouped by Threat ID. This endpoint is designed for use by the widget in the Carbon Black Cloud console.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.alerts | READ |
Request Schema
{
"bucket_size": "<string>",
"group_by": {
"field": "THREAT_ID"
},
"query": "<string>",
"time_range": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"criteria": {
"org_key": [
"<string>",
"<string>"
],
"id": [
"<string>",
"<string>"
],
"type": [
"HOST_BASED_FIREWALL",
"DEVICE_CONTROL"
],
"backend_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"user_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"backend_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"detection_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"first_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"last_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"category": [
"MONITORED",
"MONITORED"
],
"minimum_severity": "<integer>",
"reason_code": [
"<string>",
"<string>"
],
"threat_id": [
"<string>",
"<string>"
],
"primary_event_id": [
"<string>",
"<string>"
],
"policy_applied": [
"NOT_APPLIED",
"NOT_APPLIED"
],
"run_state": [
"UNKNOWN",
"DID_NOT_RUN"
],
"sensor_action": [
"ALLOW",
"DENY"
],
"workflow_status": [
"IN_PROGRESS",
"OPEN"
],
"workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"workflow_changed_by_type": [
"USER",
"ML"
],
"workflow_changed_by_autoclose_rule_id": [
"<string>",
"<string>"
],
"workflow_closure_reason": [
"<string>",
"<string>"
],
"determination_value": [
"FALSE_POSITIVE",
"FALSE_POSITIVE"
],
"determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"determination_changed_by_type": [
"OPERATOR_UNKNOWN",
"USER"
],
"tags": [
"<string>",
"<string>"
],
"alert_notes_present": "<boolean>",
"threat_notes_present": "<boolean>",
"device_id": [
"<long>",
"<long>"
],
"device_name": [
"<string>",
"<string>"
],
"device_uem_id": [
"<string>",
"<string>"
],
"device_policy": [
"<string>",
"<string>"
],
"device_policy_id": [
"<long>",
"<long>"
],
"device_target_value": [
"LOW",
"MISSION_CRITICAL"
],
"device_os": [
"MAC",
"OTHER"
],
"device_os_version": [
"<string>",
"<string>"
],
"device_username": [
"<string>",
"<string>"
],
"device_location": [
"UNKNOWN",
"ONSITE"
],
"device_external_ip": [
"<string>",
"<string>"
],
"device_internal_ip": [
"<string>",
"<string>"
],
"rule_config_type": [
"<string>",
"<string>"
],
"rule_config_name": [
"<string>",
"<string>"
],
"rule_config_id": [
"<string>",
"<string>"
],
"rule_category_id": [
"<string>",
"<string>"
],
"rule_id": [
"<string>",
"<string>"
],
"process_guid": [
"<string>",
"<string>"
],
"process_pid": [
"<integer>",
"<integer>"
],
"process_name": [
"<string>",
"<string>"
],
"process_sha256": [
"<string>",
"<string>"
],
"process_md5": [
"<string>",
"<string>"
],
"process_effective_reputation": [
"NOT_SUPPORTED",
"TRUSTED_WHITE_LIST"
],
"process_reputation": [
"ADMIN_RESTRICT_OBSOLETE",
"NOT_LISTED"
],
"process_cmdline": [
"<string>",
"<string>"
],
"process_username": [
"<string>",
"<string>"
],
"process_signatures_certificate_authority": [
"<string>",
"<string>"
],
"process_signatures_publisher": [
"<string>",
"<string>"
],
"parent_guid": [
"<string>",
"<string>"
],
"parent_pid": [
"<integer>",
"<integer>"
],
"parent_name": [
"<string>",
"<string>"
],
"parent_sha256": [
"<string>",
"<string>"
],
"parent_md5": [
"<string>",
"<string>"
],
"parent_effective_reputation": [
"RESOLVING",
"NOT_SUPPORTED"
],
"parent_reputation": [
"HEURISTIC",
"HEURISTIC"
],
"parent_cmdline": [
"<string>",
"<string>"
],
"parent_username": [
"<string>",
"<string>"
],
"childproc_guid": [
"<string>",
"<string>"
],
"childproc_name": [
"<string>",
"<string>"
],
"childproc_sha256": [
"<string>",
"<string>"
],
"childproc_md5": [
"<string>",
"<string>"
],
"childproc_effective_reputation": [
"COMPANY_WHITE_LIST",
"KNOWN_MALWARE"
],
"childproc_username": [
"<string>",
"<string>"
],
"childproc_cmdline": [
"<string>",
"<string>"
],
"netconn_remote_port": [
"<integer>",
"<integer>"
],
"netconn_local_port": [
"<integer>",
"<integer>"
],
"netconn_protocol": [
"<string>",
"<string>"
],
"netconn_remote_domain": [
"<string>",
"<string>"
],
"netconn_remote_ip": [
"<string>",
"<string>"
],
"netconn_local_ip": [
"<string>",
"<string>"
],
"netconn_remote_ipv4": [
"<string>",
"<string>"
],
"netconn_local_ipv4": [
"<string>",
"<string>"
],
"netconn_remote_ipv6": [
"<string>",
"<string>"
],
"netconn_local_ipv6": [
"<string>",
"<string>"
],
"threat_category": [
"UNKNOWN",
"RISKY_PROGRAM"
],
"ttps": [
"<string>",
"<string>"
],
"attack_tactic": [
"<string>",
"<string>"
],
"attack_technique": [
"<string>",
"<string>"
],
"report_id": [
"<string>",
"<string>"
],
"report_name": [
"<string>",
"<string>"
],
"report_link": [
"<string>",
"<string>"
],
"watchlists_id": [
"<string>",
"<string>"
],
"watchlists_name": [
"<string>",
"<string>"
],
"k8s_policy_id": [
"<string>",
"<string>"
],
"k8s_policy": [
"<string>",
"<string>"
],
"k8s_rule_id": [
"<string>",
"<string>"
],
"k8s_rule": [
"<string>",
"<string>"
],
"cluster_name": [
"<string>",
"<string>"
],
"namespace": [
"<string>",
"<string>"
],
"workload_kind": [
"<string>",
"<string>"
],
"workload_name": [
"<string>",
"<string>"
],
"replica_id": [
"<string>",
"<string>"
],
"connection_type": [
"INTERNAL_OUTBOUND",
"INTERNAL_OUTBOUND"
],
"egress_group_id": [
"<string>",
"<string>"
],
"egress_group_name": [
"<string>",
"<string>"
],
"ip_reputation": [
"<integer>",
"<integer>"
],
"remote_is_private": "<boolean>",
"remote_namespace": [
"<string>",
"<string>"
],
"remote_replica_id": [
"<string>",
"<string>"
],
"remote_workload_kind": [
"<string>",
"<string>"
],
"remote_workload_name": [
"<string>",
"<string>"
],
"tms_rule_id": [
"<string>",
"<string>"
],
"threat_name": [
"<string>",
"<string>"
],
"vendor_name": [
"<string>",
"<string>"
],
"vendor_id": [
"<string>",
"<string>"
],
"product_name": [
"<string>",
"<string>"
],
"product_id": [
"<string>",
"<string>"
],
"external_device_friendly_name": [
"<string>",
"<string>"
],
"serial_number": [
"<string>",
"<string>"
],
"blocked_name": [
"<string>",
"<string>"
],
"blocked_sha256": [
"<string>",
"<string>"
],
"blocked_md5": [
"<string>",
"<string>"
],
"blocked_effective_reputation": [
"GRAY_OBSOLETE",
"COMPROMISED_OBSOLETE"
],
"ml_classification_final_verdict": [
"NOT_ANOMALOUS",
"NOT_CLASSIFIED"
],
"ml_classification_global_prevalence": [
"MEDIUM",
"MEDIUM"
],
"ml_classification_org_prevalence": [
"LOW",
"MEDIUM"
],
"mdr_alert": "<boolean>",
"mdr_workflow_status": [
"TRIAGE_COMPLETE",
"TRIAGE_COMPLETE"
],
"mdr_workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_workflow_is_assigned": "<boolean>",
"mdr_determination_value": [
"NOT_ENOUGH_INFO",
"UNLIKELY_THREAT"
],
"mdr_determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_alert_notes_present": "<boolean>",
"mdr_threat_notes_present": "<boolean>"
},
"exclusions": {
"org_key": [
"<string>",
"<string>"
],
"id": [
"<string>",
"<string>"
],
"type": [
"WATCHLIST",
"HOST_BASED_FIREWALL"
],
"backend_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"user_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"backend_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"detection_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"first_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"last_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"category": [
"MONITORED",
"MONITORED"
],
"minimum_severity": "<integer>",
"reason_code": [
"<string>",
"<string>"
],
"threat_id": [
"<string>",
"<string>"
],
"primary_event_id": [
"<string>",
"<string>"
],
"policy_applied": [
"NOT_APPLIED",
"APPLIED"
],
"run_state": [
"DID_NOT_RUN",
"UNKNOWN"
],
"sensor_action": [
"ALLOW",
"DENY"
],
"workflow_status": [
"OPEN",
"OPEN"
],
"workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"workflow_changed_by_type": [
"MDR",
"ML"
],
"workflow_changed_by_autoclose_rule_id": [
"<string>",
"<string>"
],
"workflow_closure_reason": [
"<string>",
"<string>"
],
"determination_value": [
"FALSE_POSITIVE",
"TRUE_POSITIVE"
],
"determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"determination_changed_by_type": [
"SUPPRESSION",
"SYSTEM"
],
"tags": [
"<string>",
"<string>"
],
"alert_notes_present": "<boolean>",
"threat_notes_present": "<boolean>",
"device_id": [
"<long>",
"<long>"
],
"device_name": [
"<string>",
"<string>"
],
"device_uem_id": [
"<string>",
"<string>"
],
"device_policy": [
"<string>",
"<string>"
],
"device_policy_id": [
"<long>",
"<long>"
],
"device_target_value": [
"HIGH",
"HIGH"
],
"device_os": [
"MAC",
"MAC"
],
"device_os_version": [
"<string>",
"<string>"
],
"device_username": [
"<string>",
"<string>"
],
"device_location": [
"ONSITE",
"UNKNOWN"
],
"device_external_ip": [
"<string>",
"<string>"
],
"device_internal_ip": [
"<string>",
"<string>"
],
"rule_config_type": [
"<string>",
"<string>"
],
"rule_config_name": [
"<string>",
"<string>"
],
"rule_config_id": [
"<string>",
"<string>"
],
"rule_category_id": [
"<string>",
"<string>"
],
"rule_id": [
"<string>",
"<string>"
],
"process_guid": [
"<string>",
"<string>"
],
"process_pid": [
"<integer>",
"<integer>"
],
"process_name": [
"<string>",
"<string>"
],
"process_sha256": [
"<string>",
"<string>"
],
"process_md5": [
"<string>",
"<string>"
],
"process_effective_reputation": [
"COMPROMISED_OBSOLETE",
"NOT_LISTED"
],
"process_reputation": [
"NOT_COMPANY_WHITE_OBSOLETE",
"ADMIN_RESTRICT_OBSOLETE"
],
"process_cmdline": [
"<string>",
"<string>"
],
"process_username": [
"<string>",
"<string>"
],
"process_signatures_certificate_authority": [
"<string>",
"<string>"
],
"process_signatures_publisher": [
"<string>",
"<string>"
],
"parent_guid": [
"<string>",
"<string>"
],
"parent_pid": [
"<integer>",
"<integer>"
],
"parent_name": [
"<string>",
"<string>"
],
"parent_sha256": [
"<string>",
"<string>"
],
"parent_md5": [
"<string>",
"<string>"
],
"parent_effective_reputation": [
"TRUSTED_WHITE_LIST",
"ADWARE"
],
"parent_reputation": [
"COMMON_WHITE_LIST",
"COMMON_WHITE_LIST"
],
"parent_cmdline": [
"<string>",
"<string>"
],
"parent_username": [
"<string>",
"<string>"
],
"childproc_guid": [
"<string>",
"<string>"
],
"childproc_name": [
"<string>",
"<string>"
],
"childproc_sha256": [
"<string>",
"<string>"
],
"childproc_md5": [
"<string>",
"<string>"
],
"childproc_effective_reputation": [
"ADWARE",
"NOT_SUPPORTED"
],
"childproc_username": [
"<string>",
"<string>"
],
"childproc_cmdline": [
"<string>",
"<string>"
],
"netconn_remote_port": [
"<integer>",
"<integer>"
],
"netconn_local_port": [
"<integer>",
"<integer>"
],
"netconn_protocol": [
"<string>",
"<string>"
],
"netconn_remote_domain": [
"<string>",
"<string>"
],
"netconn_remote_ip": [
"<string>",
"<string>"
],
"netconn_local_ip": [
"<string>",
"<string>"
],
"netconn_remote_ipv4": [
"<string>",
"<string>"
],
"netconn_local_ipv4": [
"<string>",
"<string>"
],
"netconn_remote_ipv6": [
"<string>",
"<string>"
],
"netconn_local_ipv6": [
"<string>",
"<string>"
],
"threat_category": [
"NON_MALWARE",
"UNKNOWN"
],
"ttps": [
"<string>",
"<string>"
],
"attack_tactic": [
"<string>",
"<string>"
],
"attack_technique": [
"<string>",
"<string>"
],
"report_id": [
"<string>",
"<string>"
],
"report_name": [
"<string>",
"<string>"
],
"report_link": [
"<string>",
"<string>"
],
"watchlists_id": [
"<string>",
"<string>"
],
"watchlists_name": [
"<string>",
"<string>"
],
"k8s_policy_id": [
"<string>",
"<string>"
],
"k8s_policy": [
"<string>",
"<string>"
],
"k8s_rule_id": [
"<string>",
"<string>"
],
"k8s_rule": [
"<string>",
"<string>"
],
"cluster_name": [
"<string>",
"<string>"
],
"namespace": [
"<string>",
"<string>"
],
"workload_kind": [
"<string>",
"<string>"
],
"workload_name": [
"<string>",
"<string>"
],
"replica_id": [
"<string>",
"<string>"
],
"connection_type": [
"INTERNAL_INBOUND",
"INTERNAL_OUTBOUND"
],
"egress_group_id": [
"<string>",
"<string>"
],
"egress_group_name": [
"<string>",
"<string>"
],
"ip_reputation": [
"<integer>",
"<integer>"
],
"remote_is_private": "<boolean>",
"remote_namespace": [
"<string>",
"<string>"
],
"remote_replica_id": [
"<string>",
"<string>"
],
"remote_workload_kind": [
"<string>",
"<string>"
],
"remote_workload_name": [
"<string>",
"<string>"
],
"tms_rule_id": [
"<string>",
"<string>"
],
"threat_name": [
"<string>",
"<string>"
],
"vendor_name": [
"<string>",
"<string>"
],
"vendor_id": [
"<string>",
"<string>"
],
"product_name": [
"<string>",
"<string>"
],
"product_id": [
"<string>",
"<string>"
],
"external_device_friendly_name": [
"<string>",
"<string>"
],
"serial_number": [
"<string>",
"<string>"
],
"blocked_name": [
"<string>",
"<string>"
],
"blocked_sha256": [
"<string>",
"<string>"
],
"blocked_md5": [
"<string>",
"<string>"
],
"blocked_effective_reputation": [
"IGNORE",
"ADAPTIVE_WHITE_LIST"
],
"ml_classification_final_verdict": [
"NOT_ANOMALOUS",
"NOT_CLASSIFIED"
],
"ml_classification_global_prevalence": [
"HIGH",
"HIGH"
],
"ml_classification_org_prevalence": [
"HIGH",
"MEDIUM"
],
"mdr_alert": "<boolean>",
"mdr_workflow_status": [
"ACTION_REQUESTED",
"PENDING_RESPONSE"
],
"mdr_workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_workflow_is_assigned": "<boolean>",
"mdr_determination_value": [
"NONE",
"NOT_REVIEWED"
],
"mdr_determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_alert_notes_present": "<boolean>",
"mdr_threat_notes_present": "<boolean>"
},
"field": "LAST_EVENT_TIMESTAMP",
"min_count": 0
}
Request Body
{"group_by":{"field":"THREAT_ID"},"bucket_size":"+5DAY","field":"LAST_EVENT_TIMESTAMP","min_count":0}
HEADERS
Key | Datatype | Required | Description |
---|---|---|---|
Content-Type | string | | |
Accept | string | | |
RESPONSES
status: OK
{"start":"2023-04-03T00:00:00.000Z","end":"2023-04-18T00:00:00.000Z","results":[{"step_start":"2023-04-03T00:00:00.000Z","total":6},{"step_start":"2023-04-08T00:00:00.000Z","total":10},{"step_start":"2023-04-13T00:00:00.000Z","total":16},{"step_start":"2023-04-18T00:00:00.000Z","total":1}]}