Skip to main content

Aggregated Event Search

POST 
/search/event/aggregate

Returns the results of an RQL aggregated audit events query. This RQL query is similar to an RQL event query, but the data returned includes location and service data.

Request

Body

required

Audit event search parameters model

    timeRange object

    Model for TimeRangeConfig

    value object

    Model for RelativeTimeDuration

    unit string

    Possible values: [minute, hour, day, week, month, year]

    Time unit

    amount int32

    Number of time units

    groupBy string[]

    Group By parameters

    filters object[]

    Filters

  • Array [
    • name string

    Name

    value string

    Value

    operator string

    Possible values: [=]

    Operator

  • ]
    • alertId string

    Alert ID

    sort object[]

    Sort Fields

  • Array [
    • field string

    Possible values: [ID, TIME, OPERATION, CLOUD_SERVICE, CRUD, USER, CLOUD_ACCOUNT, CLOUD_REGION, TIMESTAMP]

    direction string

    Possible values: [asc, desc]

    Direction

  • ]
    • limit int32

    Limit

    id string

    Search ID

    query string

    RQL query

Responses

success

Schema
    groupBy string[]

    Group By

    filters object[]

    View Order

  • Array [
    • name string

    Name

    value string

    Value

    operator string

    Possible values: [=]

    Operator

  • ]
    • timeGranularity string

    Time Granularity

    alertId string

    Alert ID

    cloudType string

    Possible values: [aws, azure, gcp, alibaba_cloud, oci]

    Cloud Type

    id string

    Search ID

    name string

    Search Name

    description string

    Search Description

    searchType string

    Possible values: [network, audit_event, config, asset]

    Search Type

    asyncResultUrl string

    Async Result Url

    saved boolean

    Search Exists

    timeRange objectrequired

    Model for TimeRangeConfig

    value object

    Model for RelativeTimeDuration

    unit string

    Possible values: [minute, hour, day, week, month, year]

    Time unit

    amount int32

    Number of time units

    query stringrequired

    RQL Query

    cursor int32

    Cursor

    data object[]
  • Array [
    • service string
    user string
    cityId int32
    cityName string
    stateId int32
    stateName string
    countryId int32
    countryName string
    timestamp int64
    latitude double
    longitude double
    events int32
    anomalies int32
    serviceAnomalies int32
    geoAnomalies int32
    serviceNGeoAnomalies int32
    bruteForceAnomalies int32
    timeTravelAnomalies int32
    deviceFingerprintLoginAnomalies int32
    serviceAnomaliesByUser int32
    geoAnomaliesByUser int32
    serviceNGeoAnomaliesByUser int32
    serviceAnomaliesByAccessKey int32
    geoAnomaliesByAccessKey int32
    serviceNGeoAnomaliesByAccessKey int32
    distinctUsers int32
    unusualLocations string
    description string
    serviceHighlighted boolean
  • ]
    • default boolean
    async boolean

    true = Is Async

Loading...