Create Detail Job

POST {{cb_url}}/api/investigate/v2/orgs/{{cb_org_key}}/observations/detail_jobs

Creates an Observations details job. The details will include information about the given event that’s not normally accessible during a search. The results for the search job may be requested using the job ID returned.
Note: Either **observationids_ or _alertid** is required however only one can be specified.

Note: Four new search payloads have been introduced: "**processhash,deviceid**,**countuniquedevices**, and**maxrows**_." The various combinations of these payloads yield distinct search outcomes:

process_hash
- Finds the oldest event with this process hash.
process_hash + device_id
- Finds the oldest event with this process hash on the given device_id.
process_hash + countuniquedevices
- Returns how many unique devices have executed this process hash. It is recommended to set max_rows to 10,000 to ensure valid results from the endpoint.
max_rows
- An optional parameter that can only be combined with process_hash. It filters the number of results the endpoint returns, with a maximum value of 10,000. Therefore, the following cases are valid:
  - processhash + maxrows
  - processhash + countuniquedevices + maxrows (recommended to be 10,000)
  - processhash + deviceid + maxrows - Returns the top maxrows events, sorted from the oldest to the newest.

RBAC Permissions Required

Permission (.notation name)	Operation(s)
org.search.events	READ, CREATE

Request Schema

Note: Either observationids or alertid is required however only one can be specified.

{
  "alert_id": "<string>",
  "observation_ids": [
    "<string>"
  ],
  "process_hash": "<string>",
  "device_id": <integer>,
  "count_unique_devices": <boolean>,
  "max_rows": <integer>
}

API Documentation

Information on Fields

Request Body

{"process_hash"=>"038894832709076d63111e99466f73575fcf3ca", "count_unique_devices"=>true, "max_rows"=>3}

RESPONSES

status: OK

{&quot;job_id&quot;:&quot;c31126dd-74df-4233-aee8-8573664daa29-sqs&quot;}