Get Grouped Results

POST {{cb_url}}/api/investigate/v2/orgs/{{cb_org_key}}/observations/search_jobs/{{cb_job_id}}/group_results

Retrieves the observations search group results for a given query ID. Results are grouped by the fields provided and/or by the duration of the timestamp field.

Two grouping methods are available when a timestamp field is specified:

  • interval (default) groups documents when the timestamp difference between two consecutive sorted documents is less than the requested duration.
    e.g. for input {doc1 = 10:00:00, doc2 = 10:07:00, doc3 = 10:13:00, doc4 = 10:27:00, duration = 10m}, doc1, doc2 and doc3 are grouped together because the time difference between each pair of sorted consecutive documents is less than the duration.
  • bucket groups documents into buckets of the duration's length, meaning the time difference between the minimum and maximum timestamps within a group can be at most the duration.
    e.g. for input {doc1 = 10:00:00, doc2 = 10:07:00, doc3 = 10:13:00, doc4 = 10:21:00, duration = 10m}, doc1 and doc2 are grouped into the first group because the time difference between them is less than the duration; doc3 is not added to the first group because it would exceed the bucket's capacity.
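A Python model of the two range.method behaviours, added here as an illustration (it is not part of the Carbon Black Cloud API or its SDK), driven by the timestamps from the two examples above. It assumes duration strings are a single integer with a one-letter unit suffix (s, m, h, d) and that a gap exactly equal to the duration starts a new group.

```python
from datetime import datetime, timedelta

# Constructed timestamps taken from the worked examples above (not real observations).
INTERVAL_DOCS = ["10:00:00", "10:07:00", "10:13:00", "10:27:00"]
BUCKET_DOCS = ["10:00:00", "10:07:00", "10:13:00", "10:21:00"]


def parse_duration(spec: str) -> timedelta:
    """Parse a range.duration string such as '10m' or '10h'.

    Assumption: a single integer followed by one unit letter (s, m, h, d).
    """
    units = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
    return timedelta(**{units[spec[-1]]: int(spec[:-1])})


def group_by_time(times, duration, method="interval"):
    """Group timestamps the way range.method describes.

    interval: a document joins the current group when its gap from the
              previous sorted document is less than `duration`.
    bucket:   a document joins the current group when its gap from the
              group's first document is less than `duration`.
    Assumption: a gap exactly equal to `duration` starts a new group.
    """
    if method not in ("interval", "bucket"):
        raise ValueError(f"unknown grouping method: {method}")
    groups = []
    for t in sorted(times):
        if groups:
            # interval compares with the previous doc, bucket with the group's first doc
            anchor = groups[-1][-1] if method == "interval" else groups[-1][0]
            if t - anchor < duration:
                groups[-1].append(t)
                continue
        groups.append([t])
    return groups


def group_clock_strings(specs, duration_spec, method):
    """Convenience wrapper: HH:MM:SS strings in, grouped HH:MM:SS strings out."""
    times = [datetime.strptime(s, "%H:%M:%S") for s in specs]
    groups = group_by_time(times, parse_duration(duration_spec), method)
    return [[t.strftime("%H:%M:%S") for t in g] for g in groups]


if __name__ == "__main__":
    print("interval:", group_clock_strings(INTERVAL_DOCS, "10m", "interval"))
    print("bucket:  ", group_clock_strings(BUCKET_DOCS, "10m", "bucket"))
```

Running the same bucket input through the interval method shows why the two methods differ: every consecutive gap is under 10 minutes, so interval yields a single group while bucket yields two.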

RBAC Permissions Required

Permission (.notation name)   Operation(s)
org.search.events             READ, CREATE

Request Schema

{
  "fields": ["string"],
  "max_events_per_group": integer,
  "range": {
    "duration": "string",
    "field": "string",
    "method": "string"
  },
  "rows": integer,
  "start": integer
}

API Documentation

Information on Fields

Request Body

{
  "fields": ["device_name"],
  "rows": 50,
  "range": {
    "duration": "10h",
    "field": "device_timestamp",
    "method": "interval"
  }
}

RESPONSES

status: OK

{
  "approximate_unaggregated": 442,
  "completed": 7,
  "contacted": 7,
  "group_results": [
    {
      "group_end_timestamp": "2023-02-16T13:10:10.249Z",
      "group_key": "device_name,device_timestamp:10h",
      "group_start_timestamp": "2023-02-16T13:10:10.249Z",
      "group_value": "device-name-1",
      "results": [
        {
          "backend_timestamp": "2023-02-16T20:10:00.913Z",
          "childproc_count": 0,
          "crossproc_count": 1,
          "device_group_id": 0,
          "device_id": 123456,
          "device_name": "device-name-1",
          "device_policy_id": 123456,
          "device_timestamp": "2023-02-16T13:10:10.249Z",
          "filemod_count": 0,
          "ingress_time": 1676578177580,
          "modload_count": 37,
          "netconn_count": 58,
          "observation_description": "HTTP traffic from ",
          "observation_id": "9BC8401D-AE6F-11ED-A7AB-005056A5B601:9bc8401c-ae6f-11ed-a7ab-1234566",
          "observation_type": "INTRUSION_DETECTION_SYSTEM",
          "org_id": "VZMTP3M2P6",
          "parent_guid": "VZMTP3M2P6-0243c0e7-000002b8-00000000-1d93a21111111",
          "parent_pid": 111,
          "process_guid": "VZMTP3M2P6-0243c0e7-000015b0-00000000-1111111",
          "process_hash": [
            "f586835082f632dc8d9404d83bc16316",
            "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6511111"
          ],
          "process_name": "c:\\windows\\system32\\svchost.exe",
          "process_pid": [5552],
          "process_username": ["NT AUTHORITY\\SYSTEM"],
          "regmod_count": 1,
          "scriptload_count": 0
        }
      ],
      "total_events": 1
    }
  ],
  "groups_num_available": 0,
  "num_aggregated": 0,
  "num_available": 1,
  "num_found": 1
}