
Event Search

The Event Search API allows the user to search and retrieve events from Fluency. This is the same API used for the Data Lake -> Events Search page.

POST - get_index_zoom_histogram_lv3

{url}/api/ds/get_index_zoom_histogram_lv3

Request

Headers:

Content-Type: application/json
Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8

Body:

{
"kargs":{ }
}

Default Search (cURL example)

curl -X POST "https://test.cloud.fluencysecurity.com/api/ds/get_index_zoom_histogram_lv3" -H "Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8" -H  "Content-Type: application/json" -d '{"kargs":{"partition":"default","dataType":"event","options":{"dateFacetField":"@timestamp","facets":{},"searchStr":"","sortField":"@timestamp","sortOrder":"desc","range_from":1629240085000,"range_to":1629250085000,"fetchOffset":0,"fetchLimit":10,"dataType":"event"}}}'

Sample Request kargs

{
"kargs":{
"partition":"default", // partition should be "default"
"dataType":"event", // or "flow" for a flow search
"options":{
"dateFacetField":"@timestamp", // required
"facets":{}, // see next section for full example
"searchStr":"",
"sortField":"@timestamp",
"sortOrder":"desc",
"range_from":1629240085000, // search start time in milliseconds
"range_to":1629250085000, // search end time in milliseconds
"fetchOffset":0,
"fetchLimit":10, // number of results "hits" to return
"dataType":"event"
}
}
}

Sample Response

{
"verdict":"OK",
"response":{
"took":0,
"hits":{
"total":5899504,
"sortFieldType":"",
"hits":[
{
"_index":"611b3489be6fea0956f011e2",
"_type":"event",
"_id":"38219002",
"docId":38219002,
"_source":{
"@message":"RAW EVENT MESSAGE HERE",
"@facility":"daemon",
"@sender":"192.168.1.25",
"@timestamp":1629250085000,
"@type":"event"
},
"_sort":1629250085000,
"token":false
},
{...},
{...}
]
},
"aggregations":{
...
},
"query":{
...
},
"terms":[
...
]
}
}

Facet Search (cURL example2)

The following example makes use of the facets parameter:

curl -X POST "https://test.cloud.fluencysecurity.com/api/ds/get_index_zoom_histogram_lv3" -H "Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8" -H  "Content-Type: application/json" -d '{"kargs":{"partition":"default","dataType":"event","options":{"dateFacetField":"@timestamp","facets":{"facets":[{"title":"Source","size":20,"order":"count","field":"@source"},{"title":"Sender","size":20,"order":"count","field":"@sender"},{"title":"Tags","size":20,"order":"count","field":"@tags"},{"title":"Behaviors","size":20,"order":"count","field":"@behaviors"}],"mustFilters":[],"mustNotFilters":[]},"searchStr":"","sortField":"@timestamp","sortOrder":"desc","range_from":1629290991030,"range_to":1629295200000,"fetchOffset":0,"fetchLimit":5,"dataType":"event"}}}'

Sample Request kargs

{
"kargs":{
"partition":"default",
"dataType":"event",
"options":{
"dateFacetField":"@timestamp",
"facets":{
"facets":[
{
"title":"Source",
"size":20,
"order":"count",
"field":"@source"
},
{
"title":"Sender",
"size":20,
"order":"count",
"field":"@sender"
},
{
"title":"Tags",
"size":20,
"order":"count",
"field":"@tags"
},
{
"title":"Behaviors",
"size":20,
"order":"count",
"field":"@behaviors"
}
],
"mustFilters":[

],
"mustNotFilters":[

]
},
"searchStr":"",
"sortField":"@timestamp",
"sortOrder":"desc",
"range_from":1629290991030,
"range_to":1629295200000,
"fetchOffset":0,
"fetchLimit":5,
"dataType":"event"
}
}
}

Sample Response

{
"verdict":"OK",
"response":{
"took":0,
"hits":{
"total":78158,
"sortFieldType":"",
"hits":[
{
"_index":"6118918bf2ceb23428d0ca4e",
"_type":"event",
"_id":"2168634",
"docId":2168634,
"_source":{
"@message":"RAW EVENT MESSAGE HERE",
"@tags":[
"fortigate"
],
"@source":"192.168.1.2",
"@sender":"192.168.1.2",
"@timestamp":1629295199000,
"@customer":"udp",
"@fields":{... parsed JSON fields ...},
"@type":"event"
},
"_sort":1629295199000,
"token":false
},
{...},
{...}
]
},
"aggregations":{
"@behaviors":{
"TokenEntity":"",
"buckets":[
{
"doc_count":59,
"key":"O365_Successful_Login"
},
{
"doc_count":44,
"key":"NewTimeZone"
},
{
"doc_count":44,
"key":"newZoom"
},
{
"doc_count":44,
"key":"TimeZoneField"
},
{
"doc_count":6,
"key":"ZoomLeftMeeting"
},
{
"doc_count":6,
"key":"ZoomJoinMeeting"
},
{
"doc_count":2,
"key":"AD_Kerberos_Srvc_Ticket_Requested"
}
]
},
"@sender":{
"TokenEntity":"",
"buckets":[
{
"doc_count":72674,
"key":"sentinelone"
},
{
"doc_count":4311,
"key":"192.168.1.234"
},
{
"doc_count":952,
"key":"192.168.1.2"
},
{
"doc_count":153,
"key":"office365"
},
{
"doc_count":44,
"key":"Zoom"
},
{
"doc_count":20,
"key":"192.168.1.238"
},
{
"doc_count":4,
"key":"192.168.1.25"
}
]
},
"@source":{
"TokenEntity":"",
"buckets":[
{
"doc_count":72674,
"key":"sentinelone"
},
{
"doc_count":2422,
"key":"192.168.1.1"
},
{
"doc_count":1624,
"key":"192.168.1.30"
},
{
"doc_count":952,
"key":"192.168.1.2"
},
{
"doc_count":263,
"key":"ssh-vm"
},
{
"doc_count":153,
"key":""
},
{
"doc_count":44,
"key":"Zoom"
},
{
"doc_count":24,
"key":"192.168.1.25"
},
{
"doc_count":2,
"key":"162.142.125.60"
}
]
},
"@tags":{
"TokenEntity":"",
"buckets":[
{
"doc_count":72674,
"key":"SentinelOneDV"
},
{
"doc_count":2028,
"key":"INFO"
},
{
"doc_count":1982,
"key":"AD_EVENTID"
},
{
"doc_count":1070,
"key":"AUDIT_SUCCESS"
},
{
"doc_count":952,
"key":"fortigate"
},
{
"doc_count":836,
"key":"ERROR"
},
{
"doc_count":257,
"key":"audispd"
},
{
"doc_count":112,
"key":"WARNING"
},
{
"doc_count":24,
"key":"AUDIT_FAILURE"
},
{
"doc_count":3,
"key":"systemd"
}
]
}
},
"query":{
...
},
"terms":[
...
]
}
}

Notice the aggregations object in the Response. The keys "@behaviors", "@source", "@sender", and "@tags" in the aggregations object correspond to the "field" values of the facets defined in the Request.

Search with Lucene String (cURL example3)

curl -X POST "https://test.cloud.fluencysecurity.com/api/ds/get_index_zoom_histogram_lv3" -H "Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8" -H  "Content-Type: application/json" -d '{"kargs":{"partition":"default","dataType":"event","options":{"dateFacetField":"@timestamp","facets":{},"searchStr":"@tags:sshd AND root","sortField":"@timestamp","sortOrder":"desc","range_from":1701870527967,"range_to":1701884927967,"fetchOffset":0,"fetchLimit":50,"dataType":"event"}}}'

Sample Request kargs

{
"kargs": {
"partition": "default",
"dataType": "event",
"options": {
"dateFacetField": "@timestamp",
"facets": {},
"searchStr": "@tags:sshd AND root",
"sortField": "@timestamp",
"sortOrder": "desc",
"range_from": 1701870527967,
"range_to": 1701884927967,
"fetchOffset": 0,
"fetchLimit": 50,
"dataType": "event"
}
}
}

Notice the searchStr field in the Request. The search string (@tags:sshd AND root) follows the Apache Lucene query syntax.

The searchStr can always be used in conjunction with the facets object, described in Example 2.

Sample Response

{
"verdict": "OK",
"response": {
"took": 0,
"hits": {
"total": 172,
"sortFieldType": "",
"hits": [
{
"_index":"6118918bf2ceb23428d0ca4e",
"_type":"event",
"_id":"2168634",
"docId":2168634,
"_source":{
"@message":"RAW EVENT MESSAGE HERE",
"@tags":[
"sshd"
],
"@source":"192.168.1.2",
"@sender":"192.168.1.2",
"@timestamp":1629295199000,
"@customer":"udp",
"@fields":{... parsed JSON fields ...},
"@type":"event"
},
"_sort":1629295199000,
"token":false
},
{...},
{...}
]
},
"query": {
...
},
"terms": [
...
]
}
}

Page last updated: 2023 Dec 06