Get alert histogram for grouped alerts

POST {{cb_url}}/api/alerts/v7/orgs/{{cb_org_key}}/grouped_alerts/_histogram

Returns histogram statistics about alerts when they are grouped by Threat ID. This endpoint is designed for use by the widget in the Carbon Black Cloud console.

RBAC Permissions Required

Permission (.notation name) | Operation(s)
org.alerts | READ

See Documentation

Request Schema

{
  "bucket_size": "<string>",
  "group_by": {
    "field": "THREAT_ID"
  },
  "query": "<string>",
  "time_range": {
    "start": "<dateTime>",
    "end": "<dateTime>",
    "range": "<string>"
  },
  "criteria": {
    "org_key": [
      "<string>",
      "<string>"
    ],
    "id": [
      "<string>",
      "<string>"
    ],
    "type": [
      "HOST_BASED_FIREWALL",
      "DEVICE_CONTROL"
    ],
    "backend_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "user_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "backend_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "detection_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "first_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "last_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "category": [
      "MONITORED",
      "MONITORED"
    ],
    "minimum_severity": "<integer>",
    "reason_code": [
      "<string>",
      "<string>"
    ],
    "threat_id": [
      "<string>",
      "<string>"
    ],
    "primary_event_id": [
      "<string>",
      "<string>"
    ],
    "policy_applied": [
      "NOT_APPLIED",
      "NOT_APPLIED"
    ],
    "run_state": [
      "UNKNOWN",
      "DID_NOT_RUN"
    ],
    "sensor_action": [
      "ALLOW",
      "DENY"
    ],
    "workflow_status": [
      "IN_PROGRESS",
      "OPEN"
    ],
    "workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "workflow_changed_by_type": [
      "USER",
      "ML"
    ],
    "workflow_changed_by_autoclose_rule_id": [
      "<string>",
      "<string>"
    ],
    "workflow_closure_reason": [
      "<string>",
      "<string>"
    ],
    "determination_value": [
      "FALSE_POSITIVE",
      "FALSE_POSITIVE"
    ],
    "determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "determination_changed_by_type": [
      "OPERATOR_UNKNOWN",
      "USER"
    ],
    "tags": [
      "<string>",
      "<string>"
    ],
    "alert_notes_present": "<boolean>",
    "threat_notes_present": "<boolean>",
    "device_id": [
      "<long>",
      "<long>"
    ],
    "device_name": [
      "<string>",
      "<string>"
    ],
    "device_uem_id": [
      "<string>",
      "<string>"
    ],
    "device_policy": [
      "<string>",
      "<string>"
    ],
    "device_policy_id": [
      "<long>",
      "<long>"
    ],
    "device_target_value": [
      "LOW",
      "MISSION_CRITICAL"
    ],
    "device_os": [
      "MAC",
      "OTHER"
    ],
    "device_os_version": [
      "<string>",
      "<string>"
    ],
    "device_username": [
      "<string>",
      "<string>"
    ],
    "device_location": [
      "UNKNOWN",
      "ONSITE"
    ],
    "device_external_ip": [
      "<string>",
      "<string>"
    ],
    "device_internal_ip": [
      "<string>",
      "<string>"
    ],
    "rule_config_type": [
      "<string>",
      "<string>"
    ],
    "rule_config_name": [
      "<string>",
      "<string>"
    ],
    "rule_config_id": [
      "<string>",
      "<string>"
    ],
    "rule_category_id": [
      "<string>",
      "<string>"
    ],
    "rule_id": [
      "<string>",
      "<string>"
    ],
    "process_guid": [
      "<string>",
      "<string>"
    ],
    "process_pid": [
      "<integer>",
      "<integer>"
    ],
    "process_name": [
      "<string>",
      "<string>"
    ],
    "process_sha256": [
      "<string>",
      "<string>"
    ],
    "process_md5": [
      "<string>",
      "<string>"
    ],
    "process_effective_reputation": [
      "NOT_SUPPORTED",
      "TRUSTED_WHITE_LIST"
    ],
    "process_reputation": [
      "ADMIN_RESTRICT_OBSOLETE",
      "NOT_LISTED"
    ],
    "process_cmdline": [
      "<string>",
      "<string>"
    ],
    "process_username": [
      "<string>",
      "<string>"
    ],
    "process_signatures_certificate_authority": [
      "<string>",
      "<string>"
    ],
    "process_signatures_publisher": [
      "<string>",
      "<string>"
    ],
    "parent_guid": [
      "<string>",
      "<string>"
    ],
    "parent_pid": [
      "<integer>",
      "<integer>"
    ],
    "parent_name": [
      "<string>",
      "<string>"
    ],
    "parent_sha256": [
      "<string>",
      "<string>"
    ],
    "parent_md5": [
      "<string>",
      "<string>"
    ],
    "parent_effective_reputation": [
      "RESOLVING",
      "NOT_SUPPORTED"
    ],
    "parent_reputation": [
      "HEURISTIC",
      "HEURISTIC"
    ],
    "parent_cmdline": [
      "<string>",
      "<string>"
    ],
    "parent_username": [
      "<string>",
      "<string>"
    ],
    "childproc_guid": [
      "<string>",
      "<string>"
    ],
    "childproc_name": [
      "<string>",
      "<string>"
    ],
    "childproc_sha256": [
      "<string>",
      "<string>"
    ],
    "childproc_md5": [
      "<string>",
      "<string>"
    ],
    "childproc_effective_reputation": [
      "COMPANY_WHITE_LIST",
      "KNOWN_MALWARE"
    ],
    "childproc_username": [
      "<string>",
      "<string>"
    ],
    "childproc_cmdline": [
      "<string>",
      "<string>"
    ],
    "netconn_remote_port": [
      "<integer>",
      "<integer>"
    ],
    "netconn_local_port": [
      "<integer>",
      "<integer>"
    ],
    "netconn_protocol": [
      "<string>",
      "<string>"
    ],
    "netconn_remote_domain": [
      "<string>",
      "<string>"
    ],
    "netconn_remote_ip": [
      "<string>",
      "<string>"
    ],
    "netconn_local_ip": [
      "<string>",
      "<string>"
    ],
    "netconn_remote_ipv4": [
      "<string>",
      "<string>"
    ],
    "netconn_local_ipv4": [
      "<string>",
      "<string>"
    ],
    "netconn_remote_ipv6": [
      "<string>",
      "<string>"
    ],
    "netconn_local_ipv6": [
      "<string>",
      "<string>"
    ],
    "threat_category": [
      "UNKNOWN",
      "RISKY_PROGRAM"
    ],
    "ttps": [
      "<string>",
      "<string>"
    ],
    "attack_tactic": [
      "<string>",
      "<string>"
    ],
    "attack_technique": [
      "<string>",
      "<string>"
    ],
    "report_id": [
      "<string>",
      "<string>"
    ],
    "report_name": [
      "<string>",
      "<string>"
    ],
    "report_link": [
      "<string>",
      "<string>"
    ],
    "watchlists_id": [
      "<string>",
      "<string>"
    ],
    "watchlists_name": [
      "<string>",
      "<string>"
    ],
    "k8s_policy_id": [
      "<string>",
      "<string>"
    ],
    "k8s_policy": [
      "<string>",
      "<string>"
    ],
    "k8s_rule_id": [
      "<string>",
      "<string>"
    ],
    "k8s_rule": [
      "<string>",
      "<string>"
    ],
    "cluster_name": [
      "<string>",
      "<string>"
    ],
    "namespace": [
      "<string>",
      "<string>"
    ],
    "workload_kind": [
      "<string>",
      "<string>"
    ],
    "workload_name": [
      "<string>",
      "<string>"
    ],
    "replica_id": [
      "<string>",
      "<string>"
    ],
    "connection_type": [
      "INTERNAL_OUTBOUND",
      "INTERNAL_OUTBOUND"
    ],
    "egress_group_id": [
      "<string>",
      "<string>"
    ],
    "egress_group_name": [
      "<string>",
      "<string>"
    ],
    "ip_reputation": [
      "<integer>",
      "<integer>"
    ],
    "remote_is_private": "<boolean>",
    "remote_namespace": [
      "<string>",
      "<string>"
    ],
    "remote_replica_id": [
      "<string>",
      "<string>"
    ],
    "remote_workload_kind": [
      "<string>",
      "<string>"
    ],
    "remote_workload_name": [
      "<string>",
      "<string>"
    ],
    "tms_rule_id": [
      "<string>",
      "<string>"
    ],
    "threat_name": [
      "<string>",
      "<string>"
    ],
    "vendor_name": [
      "<string>",
      "<string>"
    ],
    "vendor_id": [
      "<string>",
      "<string>"
    ],
    "product_name": [
      "<string>",
      "<string>"
    ],
    "product_id": [
      "<string>",
      "<string>"
    ],
    "external_device_friendly_name": [
      "<string>",
      "<string>"
    ],
    "serial_number": [
      "<string>",
      "<string>"
    ],
    "blocked_name": [
      "<string>",
      "<string>"
    ],
    "blocked_sha256": [
      "<string>",
      "<string>"
    ],
    "blocked_md5": [
      "<string>",
      "<string>"
    ],
    "blocked_effective_reputation": [
      "GRAY_OBSOLETE",
      "COMPROMISED_OBSOLETE"
    ],
    "ml_classification_final_verdict": [
      "NOT_ANOMALOUS",
      "NOT_CLASSIFIED"
    ],
    "ml_classification_global_prevalence": [
      "MEDIUM",
      "MEDIUM"
    ],
    "ml_classification_org_prevalence": [
      "LOW",
      "MEDIUM"
    ],
    "mdr_alert": "<boolean>",
    "mdr_workflow_status": [
      "TRIAGE_COMPLETE",
      "TRIAGE_COMPLETE"
    ],
    "mdr_workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_workflow_is_assigned": "<boolean>",
    "mdr_determination_value": [
      "NOT_ENOUGH_INFO",
      "UNLIKELY_THREAT"
    ],
    "mdr_determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_alert_notes_present": "<boolean>",
    "mdr_threat_notes_present": "<boolean>"
  },
  "exclusions": {
    "org_key": [
      "<string>",
      "<string>"
    ],
    "id": [
      "<string>",
      "<string>"
    ],
    "type": [
      "WATCHLIST",
      "HOST_BASED_FIREWALL"
    ],
    "backend_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "user_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "backend_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "detection_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "first_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "last_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "category": [
      "MONITORED",
      "MONITORED"
    ],
    "minimum_severity": "<integer>",
    "reason_code": [
      "<string>",
      "<string>"
    ],
    "threat_id": [
      "<string>",
      "<string>"
    ],
    "primary_event_id": [
      "<string>",
      "<string>"
    ],
    "policy_applied": [
      "NOT_APPLIED",
      "APPLIED"
    ],
    "run_state": [
      "DID_NOT_RUN",
      "UNKNOWN"
    ],
    "sensor_action": [
      "ALLOW",
      "DENY"
    ],
    "workflow_status": [
      "OPEN",
      "OPEN"
    ],
    "workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "workflow_changed_by_type": [
      "MDR",
      "ML"
    ],
    "workflow_changed_by_autoclose_rule_id": [
      "<string>",
      "<string>"
    ],
    "workflow_closure_reason": [
      "<string>",
      "<string>"
    ],
    "determination_value": [
      "FALSE_POSITIVE",
      "TRUE_POSITIVE"
    ],
    "determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "determination_changed_by_type": [
      "SUPPRESSION",
      "SYSTEM"
    ],
    "tags": [
      "<string>",
      "<string>"
    ],
    "alert_notes_present": "<boolean>",
    "threat_notes_present": "<boolean>",
    "device_id": [
      "<long>",
      "<long>"
    ],
    "device_name": [
      "<string>",
      "<string>"
    ],
    "device_uem_id": [
      "<string>",
      "<string>"
    ],
    "device_policy": [
      "<string>",
      "<string>"
    ],
    "device_policy_id": [
      "<long>",
      "<long>"
    ],
    "device_target_value": [
      "HIGH",
      "HIGH"
    ],
    "device_os": [
      "MAC",
      "MAC"
    ],
    "device_os_version": [
      "<string>",
      "<string>"
    ],
    "device_username": [
      "<string>",
      "<string>"
    ],
    "device_location": [
      "ONSITE",
      "UNKNOWN"
    ],
    "device_external_ip": [
      "<string>",
      "<string>"
    ],
    "device_internal_ip": [
      "<string>",
      "<string>"
    ],
    "rule_config_type": [
      "<string>",
      "<string>"
    ],
    "rule_config_name": [
      "<string>",
      "<string>"
    ],
    "rule_config_id": [
      "<string>",
      "<string>"
    ],
    "rule_category_id": [
      "<string>",
      "<string>"
    ],
    "rule_id": [
      "<string>",
      "<string>"
    ],
    "process_guid": [
      "<string>",
      "<string>"
    ],
    "process_pid": [
      "<integer>",
      "<integer>"
    ],
    "process_name": [
      "<string>",
      "<string>"
    ],
    "process_sha256": [
      "<string>",
      "<string>"
    ],
    "process_md5": [
      "<string>",
      "<string>"
    ],
    "process_effective_reputation": [
      "COMPROMISED_OBSOLETE",
      "NOT_LISTED"
    ],
    "process_reputation": [
      "NOT_COMPANY_WHITE_OBSOLETE",
      "ADMIN_RESTRICT_OBSOLETE"
    ],
    "process_cmdline": [
      "<string>",
      "<string>"
    ],
    "process_username": [
      "<string>",
      "<string>"
    ],
    "process_signatures_certificate_authority": [
      "<string>",
      "<string>"
    ],
    "process_signatures_publisher": [
      "<string>",
      "<string>"
    ],
    "parent_guid": [
      "<string>",
      "<string>"
    ],
    "parent_pid": [
      "<integer>",
      "<integer>"
    ],
    "parent_name": [
      "<string>",
      "<string>"
    ],
    "parent_sha256": [
      "<string>",
      "<string>"
    ],
    "parent_md5": [
      "<string>",
      "<string>"
    ],
    "parent_effective_reputation": [
      "TRUSTED_WHITE_LIST",
      "ADWARE"
    ],
    "parent_reputation": [
      "COMMON_WHITE_LIST",
      "COMMON_WHITE_LIST"
    ],
    "parent_cmdline": [
      "<string>",
      "<string>"
    ],
    "parent_username": [
      "<string>",
      "<string>"
    ],
    "childproc_guid": [
      "<string>",
      "<string>"
    ],
    "childproc_name": [
      "<string>",
      "<string>"
    ],
    "childproc_sha256": [
      "<string>",
      "<string>"
    ],
    "childproc_md5": [
      "<string>",
      "<string>"
    ],
    "childproc_effective_reputation": [
      "ADWARE",
      "NOT_SUPPORTED"
    ],
    "childproc_username": [
      "<string>",
      "<string>"
    ],
    "childproc_cmdline": [
      "<string>",
      "<string>"
    ],
    "netconn_remote_port": [
      "<integer>",
      "<integer>"
    ],
    "netconn_local_port": [
      "<integer>",
      "<integer>"
    ],
    "netconn_protocol": [
      "<string>",
      "<string>"
    ],
    "netconn_remote_domain": [
      "<string>",
      "<string>"
    ],
    "netconn_remote_ip": [
      "<string>",
      "<string>"
    ],
    "netconn_local_ip": [
      "<string>",
      "<string>"
    ],
    "netconn_remote_ipv4": [
      "<string>",
      "<string>"
    ],
    "netconn_local_ipv4": [
      "<string>",
      "<string>"
    ],
    "netconn_remote_ipv6": [
      "<string>",
      "<string>"
    ],
    "netconn_local_ipv6": [
      "<string>",
      "<string>"
    ],
    "threat_category": [
      "NON_MALWARE",
      "UNKNOWN"
    ],
    "ttps": [
      "<string>",
      "<string>"
    ],
    "attack_tactic": [
      "<string>",
      "<string>"
    ],
    "attack_technique": [
      "<string>",
      "<string>"
    ],
    "report_id": [
      "<string>",
      "<string>"
    ],
    "report_name": [
      "<string>",
      "<string>"
    ],
    "report_link": [
      "<string>",
      "<string>"
    ],
    "watchlists_id": [
      "<string>",
      "<string>"
    ],
    "watchlists_name": [
      "<string>",
      "<string>"
    ],
    "k8s_policy_id": [
      "<string>",
      "<string>"
    ],
    "k8s_policy": [
      "<string>",
      "<string>"
    ],
    "k8s_rule_id": [
      "<string>",
      "<string>"
    ],
    "k8s_rule": [
      "<string>",
      "<string>"
    ],
    "cluster_name": [
      "<string>",
      "<string>"
    ],
    "namespace": [
      "<string>",
      "<string>"
    ],
    "workload_kind": [
      "<string>",
      "<string>"
    ],
    "workload_name": [
      "<string>",
      "<string>"
    ],
    "replica_id": [
      "<string>",
      "<string>"
    ],
    "connection_type": [
      "INTERNAL_INBOUND",
      "INTERNAL_OUTBOUND"
    ],
    "egress_group_id": [
      "<string>",
      "<string>"
    ],
    "egress_group_name": [
      "<string>",
      "<string>"
    ],
    "ip_reputation": [
      "<integer>",
      "<integer>"
    ],
    "remote_is_private": "<boolean>",
    "remote_namespace": [
      "<string>",
      "<string>"
    ],
    "remote_replica_id": [
      "<string>",
      "<string>"
    ],
    "remote_workload_kind": [
      "<string>",
      "<string>"
    ],
    "remote_workload_name": [
      "<string>",
      "<string>"
    ],
    "tms_rule_id": [
      "<string>",
      "<string>"
    ],
    "threat_name": [
      "<string>",
      "<string>"
    ],
    "vendor_name": [
      "<string>",
      "<string>"
    ],
    "vendor_id": [
      "<string>",
      "<string>"
    ],
    "product_name": [
      "<string>",
      "<string>"
    ],
    "product_id": [
      "<string>",
      "<string>"
    ],
    "external_device_friendly_name": [
      "<string>",
      "<string>"
    ],
    "serial_number": [
      "<string>",
      "<string>"
    ],
    "blocked_name": [
      "<string>",
      "<string>"
    ],
    "blocked_sha256": [
      "<string>",
      "<string>"
    ],
    "blocked_md5": [
      "<string>",
      "<string>"
    ],
    "blocked_effective_reputation": [
      "IGNORE",
      "ADAPTIVE_WHITE_LIST"
    ],
    "ml_classification_final_verdict": [
      "NOT_ANOMALOUS",
      "NOT_CLASSIFIED"
    ],
    "ml_classification_global_prevalence": [
      "HIGH",
      "HIGH"
    ],
    "ml_classification_org_prevalence": [
      "HIGH",
      "MEDIUM"
    ],
    "mdr_alert": "<boolean>",
    "mdr_workflow_status": [
      "ACTION_REQUESTED",
      "PENDING_RESPONSE"
    ],
    "mdr_workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_workflow_is_assigned": "<boolean>",
    "mdr_determination_value": [
      "NONE",
      "NOT_REVIEWED"
    ],
    "mdr_determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_alert_notes_present": "<boolean>",
    "mdr_threat_notes_present": "<boolean>"
  },
  "field": "LAST_EVENT_TIMESTAMP",
  "min_count": 0
}

Request Body

{"group_by": {"field": "THREAT_ID"}, "bucket_size": "+5DAY", "field": "LAST_EVENT_TIMESTAMP", "min_count": 0}

HEADERS

KeyDatatypeRequiredDescription
Content-Typestring
Acceptstring

RESPONSES

status: OK

{"start":"2023-04-03T00:00:00.000Z","end":"2023-04-18T00:00:00.000Z","results":[{"step_start":"2023-04-03T00:00:00.000Z","total":6},{"step_start":"2023-04-08T00:00:00.000Z","total":10},{"step_start":"2023-04-13T00:00:00.000Z","total":16},{"step_start":"2023-04-18T00:00:00.000Z","total":1}]}