Behavior Timeline Search
The Behavior Event Search API allows the user to search and retrieve events from Fluency. This is the same API used for the EventWatch -> Behavior Timeline page.
POST - fsm_behavior_search
{url}/api/ds/fsm_behavior_search
Request
Headers:
Content-Type: application/json
Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8 (example value; substitute your own API token)
Body:
{
  "kargs": {}
}
cURL example
curl -X POST "https://test.cloud.fluencysecurity.com/api/ds/fsm_behavior_search" -H "Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8" -H "Content-Type: application/json" -d '{"kargs":{"options":{"fetchOffset":0,"fetchLimit":20,"searchStr":"","facets":{"facets":[],"mustFilters":[],"mustNotFilters":[{"field":"scoreLevel","terms":["0"]}]},"range_from":1701286297828,"range_to":1701891097828,"range_field":"timestamp"}}}'
Sample Request kargs
{
"kargs": {
"options": {
"fetchOffset": 0,
"fetchLimit": 20,
"searchStr": "",
"facets": {
"facets": [],
"mustFilters": [],
"mustNotFilters": [
{
"field": "scoreLevel",
"terms": [
"0"
]
}
]
},
"range_from": 1701286297828,
"range_to": 1701891097828,
"range_field": "timestamp"
}
}
}
Sample Response
{
"verdict": "OK",
"response": {
"took": 1,
"_scroll_id": "",
"hits": {
"total": 1,
"max_score": null,
"hits": [
{
"_score": null,
"_index": "behavior",
"_type": "behavior",
"_id": "AYwhhZTwJgzty4xThH5A",
"_uid": "",
"_timestamp": 0,
"_ttl": 0,
"_routing": "",
"_parent": "",
"_version": null,
"sort": [
1701351240000
],
"highlight": null,
"_source": {
"sequence": 1701369450453326600,
"timestamp": 1701351240000,
"key": "71.178.173.2",
"originalKey": "71.178.173.2",
"originalKeyType": "ip",
"keyType": "ip",
"description": "",
"behaviorRule": "SyslogEventReceived",
"behavior": "application activity",
"riskScore": 600,
"attributes": [
{
"key": "@message",
"aliase": "Message",
"value": "syslog-test {\"server\":\"demo.syslog.fluencysecurity.com\",\"mode\":\"tcp+tls\",\"port\":6514,\"certfile\":\"ca.crt\"} "
},
{
"key": "@sender",
"aliase": "Sender",
"value": "71.178.173.2"
},
{
"key": "@source",
"aliase": "Source",
"value": "remote.fluencysecurity.com"
}
],
"risks": [
"ALERT_SEVERITY_CRITICAL"
],
"ruleRisks": [
"ALERT_SEVERITY_CRITICAL"
],
"ruleHits": [
{
"name": "New Behavior",
"scope": "global",
"risks": [
"ML_NEW_ALERT"
]
},
{
"name": "New Key",
"scope": "global",
"risks": [
"ML_NEW_ASSET"
]
}
],
"scoreLevel": "<1000",
"customer": "default",
"history": {
"BehaviorFirstSeen": true,
"KeyFirstSeen": true,
"KeyBehaviorFirstSeen": true,
"ReOccurrence": false
},
"keyContext": {
"infoList": null
}
},
"fields": null,
"_explanation": null,
"matched_queries": null,
"inner_hits": null
},
{...}
]
},
"suggest": null,
"aggregations": {
...
},
"timed_out": false,
"terminated_early": false,
"_shards": {
"total": 1,
"successful": 1,
"failed": 0
}
}
}
Similar to the Event Search API, the searchStr can be used in conjunction with the facets object to parameterize the search. See the Apache Lucene page for a syntax guide.
Page last updated: 2023 Dec 06