
Perform Event Search

POST /search/event

Returns the results of an RQL audit event query. You can use event queries to detect and investigate console and API access, monitor privileged activities, and detect account compromise and unusual user behavior in your cloud environment.

Request

Body (required)

Audit event search parameters model

    timeRange object

    Model for TimeRangeConfig

    value object

    Model for RelativeTimeDuration

    unit string

    Possible values: [minute, hour, day, week, month, year]

    Time unit

    amount int32

    Number of time units

    groupBy string[]

    Group By parameters

    filters object[]

    Filters

  • Array [
  • name string

    Name

    value string

    Value

    operator string

    Possible values: [=]

    Operator

  • ]
  • alertId string

    Alert ID

    sort object[]

    Sort Fields

  • Array [
  • field string

    Possible values: [ID, TIME, OPERATION, CLOUD_SERVICE, CRUD, USER, CLOUD_ACCOUNT, CLOUD_REGION, TIMESTAMP]

    direction string

    Possible values: [asc, desc]

    Direction

  • ]
  • limit int32

    Limit

    id string

    Search ID

    query string

    RQL query

Responses

success

Schema
    groupBy string[]

    Group By

    filters object[]

    View Order

  • Array [
  • name string

    Name

    value string

    Value

    operator string

    Possible values: [=]

    Operator

  • ]
  • timeGranularity string

    Time Granularity

    alertId string

    Alert ID

    cloudType string

    Possible values: [aws, azure, gcp, alibaba_cloud, oci]

    Cloud Type

    id string

    Search ID

    name string

    Search Name

    description string

    Search Description

    searchType string

    Possible values: [network, audit_event, config, asset]

    Search Type

    asyncResultUrl string

    Async Result Url

    saved boolean

    Search Exists

    timeRange object (required)

    Model for TimeRangeConfig

    value object

    Model for RelativeTimeDuration

    unit string

    Possible values: [minute, hour, day, week, month, year]

    Time unit

    amount int32

    Number of time units

    query string (required)

    RQL Query

    cursor int32

    Cursor

    data object
    totalRows int64
    items object[]
  • Array [
  • account string
    regionId int32
    regionApiIdentifier string
    eventTs int64
    ingestionTs int64
    subject string
    type string

    Possible values: [UNKNOWN, CREATE, READ, UPDATE, DELETE, LOGIN, TEST, AUDITD]

    source string
    name string
    id int64
    rawEvent object
    objects object[]
  • Array [
  • account string

    Account

    region string

    Region

    vpc string

    VPC

    resource string

    Resource

    type string

    Resource type

    insert_ts int64

    Insertion timestamp

    cloudType string

    Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, OTHER, IBM]

    Cloud type

    apiName string

    Resource API name

    resourceApiId int32

    Resource API ID

  • ]
  • ip string
    accessKey string
    anomalyId string
    accessKeyUsed boolean
    subjectType string

    Possible values: [AWS_OTHER, AZURE_OTHER, GCP_OTHER, AWS_IAM_USER, AWS_ROOT, AWS_ASSUMED_ROLE, AWS_ROLE, GCP_USER, GCP_SERVICE_ACCOUNT, AZURE_AD_USER, AZURE_APPLICATION, AWS_ACCOUNT, AWS_SERVICE, AWS_FEDERATED_USER, AWS_SAML_USER, AWS_WEB_IDENTITY_USER, AWS_DIRECTORY]

    role string
    reasonIds int32[]
    flaggedFeature string
    cityId int32
    cityName string
    stateId int32
    stateName string
    countryId int32
    countryName string
    cityLatitude double
    cityLongitude double
    timezone string
    success boolean
    internal boolean
    userAgentOs object
    id int32
    name string
    hash int32
    userAgentBrowser object
    id int32
    name string
    hash int32
    dynamicData object
    property name* object
    location string
    os string
    notPersisted boolean
    browser string
    accountName string
    regionName string
  • ]
  • dynamicColumns string[]
    nextPageToken string
    infoMsg string
    sortAllowedColumns string[]
    default boolean
    async boolean

    true = Is Async
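As an added example (not code from the original API reference or its vendor), the Python below assembles a request body from the request fields documented above and triages the documented response item fields (success, subjectType, anomalyId) over a constructed sample response. The timeRange "type": "relative" key, the triage rules, and the RQL text used in testing are assumptions, not taken from this page.

```python
TIME_UNITS = {"minute", "hour", "day", "week", "month", "year"}
SORT_FIELDS = {"ID", "TIME", "OPERATION", "CLOUD_SERVICE", "CRUD", "USER",
               "CLOUD_ACCOUNT", "CLOUD_REGION", "TIMESTAMP"}

def build_event_search(query, amount, unit="hour", limit=100, filters=None, sort=None):
    """Build the POST /search/event body from the documented request schema."""
    if unit not in TIME_UNITS:
        raise ValueError(f"unsupported time unit: {unit}")
    for s in sort or []:
        if s["field"] not in SORT_FIELDS or s["direction"] not in ("asc", "desc"):
            raise ValueError(f"bad sort entry: {s}")
    return {
        "query": query,
        # "type": "relative" is an assumption about the TimeRangeConfig model; the
        # page itself documents only value.unit and value.amount.
        "timeRange": {"type": "relative", "value": {"unit": unit, "amount": amount}},
        "limit": limit,
        # Filters are {name, value, operator}; "=" is the only documented operator.
        "filters": [{"name": n, "value": v, "operator": "="} for n, v in (filters or {}).items()],
        "sort": sort or [],
    }

def triage_events(response):
    """Flag items in a /search/event response that merit a closer look (assumed rules)."""
    findings = []
    for ev in response.get("data", {}).get("items", []):
        reasons = []
        if ev.get("success") is False:           # failed API call or login attempt
            reasons.append("failed")
        if ev.get("subjectType") == "AWS_ROOT":  # root credential was used
            reasons.append("root-subject")
        if ev.get("anomalyId"):                  # platform already attached an anomaly
            reasons.append("anomaly")
        if reasons:
            findings.append({"id": ev["id"], "subject": ev.get("subject"),
                             "type": ev.get("type"), "ip": ev.get("ip"), "reasons": reasons})
    return findings

# Constructed sample response using the documented field names (not real data).
SAMPLE_RESPONSE = {
    "searchType": "audit_event", "cloudType": "aws",
    "data": {"totalRows": 3, "items": [
        {"id": 1, "subject": "alice", "subjectType": "AWS_IAM_USER", "type": "LOGIN",
         "ip": "203.0.113.10", "success": True, "anomalyId": None},
        {"id": 2, "subject": "root", "subjectType": "AWS_ROOT", "type": "LOGIN",
         "ip": "198.51.100.7", "success": True, "anomalyId": None},
        {"id": 3, "subject": "bob", "subjectType": "AWS_IAM_USER", "type": "DELETE",
         "ip": "203.0.113.22", "success": False, "anomalyId": "ANOMALY-ID-PLACEHOLDER"},
    ], "nextPageToken": None},
}
```

Serialize the returned body with json.dumps before sending it; authentication and the base URL are outside what this page documents.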
