Get Grouped Results
POST {{cb_url}}/api/investigate/v2/orgs/{{cb_org_key}}/observations/search_jobs/{{cb_job_id}}/group_results
Retrieves the observations search group results for a given query ID. Results are grouped by the fields provided and/or by the duration applied to the timestamp field.
There are two grouping methods available when a timestamp field is specified:
- interval (default) groups documents while the timestamp difference between two consecutive sorted documents is less than the requested duration.
  e.g. with input {doc1 = 10:00:00, doc2 = 10:07:00, doc3 = 10:13:00, doc4 = 10:27:00, duration = 10m}, doc1, doc2 and doc3 are grouped together, since the time difference between each pair of sorted consecutive documents is less than the duration.
- bucket groups documents into buckets of the duration's length, meaning the time difference between the earliest and latest document within a group can be at most the duration.
  e.g. with input {doc1 = 10:00:00, doc2 = 10:07:00, doc3 = 10:13:00, doc4 = 10:21:00, duration = 10m}, doc1 and doc2 are grouped into the first group, since the time difference between them is less than the duration; doc3 is not added to the first group because it would exceed the bucket's maximum capacity.
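As an added illustration (not code from the vendor documentation or API), the following Python simulates both grouping methods over the timestamps from the two examples above, so the difference between interval and bucket grouping can be checked on any input. The duration syntax parser and the treatment of a gap exactly equal to the duration follow the wording above and are assumptions.

```python
from datetime import datetime, timedelta
import re

# Assumed duration syntax: integer plus unit s/m/h/d ("10m", "10h"), mirroring
# the strings this endpoint accepts in "range.duration".
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

def parse_duration(text):
    m = re.fullmatch(r"(\d+)([smhd])", text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})

def _sorted_times(timestamps):
    # Grouping walks documents in timestamp order, so sort unsorted input first.
    return sorted(datetime.strptime(t, "%H:%M:%S") for t in timestamps)

def group_interval(timestamps, duration):
    """interval: a document joins the current group while its gap from the
    previous sorted document is less than the duration; a gap of at least
    the duration starts a new group."""
    span, groups, prev = parse_duration(duration), [], None
    for ts in _sorted_times(timestamps):
        if prev is None or ts - prev >= span:
            groups.append([])
        groups[-1].append(ts.strftime("%H:%M:%S"))
        prev = ts
    return groups

def group_bucket(timestamps, duration):
    """bucket: a group is anchored at its earliest document and accepts later
    documents only while their distance from that anchor is at most the
    duration, so the min-to-max span of a group never exceeds it."""
    span, groups, anchor = parse_duration(duration), [], None
    for ts in _sorted_times(timestamps):
        if anchor is None or ts - anchor > span:
            groups.append([])
            anchor = ts
        groups[-1].append(ts.strftime("%H:%M:%S"))
    return groups

# Constructed inputs: the two four-document examples from the text above.
INTERVAL_DOCS = ["10:00:00", "10:07:00", "10:13:00", "10:27:00"]
BUCKET_DOCS = ["10:00:00", "10:07:00", "10:13:00", "10:21:00"]

if __name__ == "__main__":
    print("interval:", group_interval(INTERVAL_DOCS, "10m"))
    print("bucket:  ", group_bucket(BUCKET_DOCS, "10m"))
```

Running each method on the other example's input shows why the choice matters: interval keeps all four bucket-example documents in one group (every gap is under 10 minutes), while bucket splits the interval-example documents into three groups.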
RBAC Permissions Required
| Permission (.notation name) | Operation(s) |
|---|---|
| org.search.events | READ, CREATE |
Request Schema
{
"fields": ["string"],
"max_events_per_group": integer,
"range": {
"duration": "string",
"field": "string",
"method": "string"
},
"rows": integer,
"start": integer
}
Request Body
{"fields": ["device_name"], "rows": 50, "range": {"duration": "10h", "field": "device_timestamp", "method": "interval"}}
RESPONSES
status: OK
{
  "approximate_unaggregated": 442,
  "completed": 7,
  "contacted": 7,
  "group_results": [
    {
      "group_end_timestamp": "2023-02-16T13:10:10.249Z",
      "group_key": "device_name,device_timestamp:10h",
      "group_start_timestamp": "2023-02-16T13:10:10.249Z",
      "group_value": "device-name-1",
      "results": [
        {
          "backend_timestamp": "2023-02-16T20:10:00.913Z",
          "childproc_count": 0,
          "crossproc_count": 1,
          "device_group_id": 0,
          "device_id": 123456,
          "device_name": "device-name-1",
          "device_policy_id": 123456,
          "device_timestamp": "2023-02-16T13:10:10.249Z",
          "filemod_count": 0,
          "ingress_time": 1676578177580,
          "modload_count": 37,
          "netconn_count": 58,
          "observation_description": "HTTP traffic from ",
          "observation_id": "9BC8401D-AE6F-11ED-A7AB-005056A5B601:9bc8401c-ae6f-11ed-a7ab-1234566",
          "observation_type": "INTRUSION_DETECTION_SYSTEM",
          "org_id": "VZMTP3M2P6",
          "parent_guid": "VZMTP3M2P6-0243c0e7-000002b8-00000000-1d93a21111111",
          "parent_pid": 111,
          "process_guid": "VZMTP3M2P6-0243c0e7-000015b0-00000000-1111111",
          "process_hash": [
            "f586835082f632dc8d9404d83bc16316",
            "643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6511111"
          ],
          "process_name": "c:\\windows\\system32\\svchost.exe",
          "process_pid": [5552],
          "process_username": ["NT AUTHORITY\\SYSTEM"],
          "regmod_count": 1,
          "scriptload_count": 0
        }
      ],
      "total_events": 1
    }
  ],
  "groups_num_available": 0,
  "num_aggregated": 0,
  "num_available": 1,
  "num_found": 1
}