Event Search
The Event Search API allows the user to search and retrieve events from Fluency. This is the same API used for the Global -> Events search page.
POST - get_index_zoom_histogram_lv3
{url}/api/ds/get_index_zoom_histogram_lv3
Request:
Headers:
Content-Type: application/json
Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8 (example value; substitute the Fluency API token for your own account)
Body:
{
"kargs":{ }
}
cURL example:
curl -X POST "https://test.cloud.fluencysecurity.com/api/ds/get_index_zoom_histogram_lv3" -H "Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8" -H "Content-Type: application/json" -d '{"kargs":{"partition":"default","dataType":"event","options":{"dateFacetField":"@timestamp","facets":{},"searchStr":"","sortField":"@timestamp","sortOrder":"desc","range_from":1629240085000,"range_to":1629250085000,"fetchOffset":0,"fetchLimit":10,"dataType":"event"}}}'
Sample Request kargs:
{
"kargs":{
"partition":"default", // partition should be "default"
"dataType":"event", // or "flow" for flowsearch
"options":{
"dateFacetField":"@timestamp", // required
"facets":{}, // see cURL example 2 below for a full facets example
"searchStr":"",
"sortField":"@timestamp",
"sortOrder":"desc",
"range_from":1629240085000, // search start time, in milliseconds (Unix epoch)
"range_to":1629250085000, // search end time, in milliseconds (Unix epoch)
"fetchOffset":0,
"fetchLimit":10, // maximum number of result "hits" to return
"dataType":"event"
}
}
}
Sample Response:
{
"verdict":"OK",
"response":{
"took":0,
"hits":{
"total":5899504,
"sortFieldType":"",
"hits":[
{
"_index":"611b3489be6fea0956f011e2",
"_type":"event",
"_id":"38219002",
"docId":38219002,
"_source":{
"@message":"RAW EVENT MESSAGE HERE",
"@facility":"daemon",
"@sender":"192.168.1.25",
"@timestamp":1629250085000,
"@type":"event"
},
"_sort":1629250085000,
"token":false
},
{...},
{...}
]
},
"aggregations":{
},
"query":{
"match_all":{
}
},
"terms":[
]
}
}
cURL example 2:
The following example makes use of the facets parameter:
curl -X POST "https://test.cloud.fluencysecurity.com/api/ds/get_index_zoom_histogram_lv3" -H "Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8" -H "Content-Type: application/json" -d '{"kargs":{"partition":"default","dataType":"event","options":{"dateFacetField":"@timestamp","facets":{"facets":[{"title":"Source","size":20,"order":"count","field":"@source"},{"title":"Sender","size":20,"order":"count","field":"@sender"},{"title":"Tags","size":20,"order":"count","field":"@tags"},{"title":"Behaviors","size":20,"order":"count","field":"@behaviors"}],"mustFilters":[],"mustNotFilters":[]},"searchStr":"","sortField":"@timestamp","sortOrder":"desc","range_from":1629290991030,"range_to":1629295200000,"fetchOffset":0,"fetchLimit":5,"dataType":"event"}}}'
Sample Request kargs:
{
"kargs":{
"partition":"default",
"dataType":"event",
"options":{
"dateFacetField":"@timestamp",
"facets":{
"facets":[
{
"title":"Source",
"size":20,
"order":"count",
"field":"@source"
},
{
"title":"Sender",
"size":20,
"order":"count",
"field":"@sender"
},
{
"title":"Tags",
"size":20,
"order":"count",
"field":"@tags"
},
{
"title":"Behaviors",
"size":20,
"order":"count",
"field":"@behaviors"
}
],
"mustFilters":[
],
"mustNotFilters":[
]
},
"searchStr":"",
"sortField":"@timestamp",
"sortOrder":"desc",
"range_from":1629290991030,
"range_to":1629295200000,
"fetchOffset":0,
"fetchLimit":5,
"dataType":"event"
}
}
}
Sample Response:
{
"verdict":"OK",
"response":{
"took":0,
"hits":{
"total":78158,
"sortFieldType":"",
"hits":[
{
"_index":"6118918bf2ceb23428d0ca4e",
"_type":"event",
"_id":"2168634",
"docId":2168634,
"_source":{
"@message":"RAW EVENT MESSAGE HERE",
"@tags":[
"fortigate"
],
"@source":"192.168.1.2",
"@sender":"192.168.1.2",
"@timestamp":1629295199000,
"@customer":"udp",
"@fields":{... parsed JSON fields ...},
"@type":"event"
},
"_sort":1629295199000,
"token":false
},
{...},
{...}
]
},
"aggregations":{
"@behaviors":{
"TokenEntity":"",
"buckets":[
{
"doc_count":59,
"key":"O365_Successful_Login"
},
{
"doc_count":44,
"key":"NewTimeZone"
},
{
"doc_count":44,
"key":"newZoom"
},
{
"doc_count":44,
"key":"TimeZoneField"
},
{
"doc_count":6,
"key":"ZoomLeftMeeting"
},
{
"doc_count":6,
"key":"ZoomJoinMeeting"
},
{
"doc_count":2,
"key":"AD_Kerberos_Srvc_Ticket_Requested"
}
]
},
"@sender":{
"TokenEntity":"",
"buckets":[
{
"doc_count":72674,
"key":"sentinelone"
},
{
"doc_count":4311,
"key":"192.168.1.234"
},
{
"doc_count":952,
"key":"192.168.1.2"
},
{
"doc_count":153,
"key":"office365"
},
{
"doc_count":44,
"key":"Zoom"
},
{
"doc_count":20,
"key":"192.168.1.238"
},
{
"doc_count":4,
"key":"192.168.1.25"
}
]
},
"@source":{
"TokenEntity":"",
"buckets":[
{
"doc_count":72674,
"key":"sentinelone"
},
{
"doc_count":2422,
"key":"192.168.1.1"
},
{
"doc_count":1624,
"key":"192.168.1.30"
},
{
"doc_count":952,
"key":"192.168.1.2"
},
{
"doc_count":263,
"key":"ssh-vm"
},
{
"doc_count":153,
"key":""
},
{
"doc_count":44,
"key":"Zoom"
},
{
"doc_count":24,
"key":"192.168.1.25"
},
{
"doc_count":2,
"key":"162.142.125.60"
}
]
},
"@tags":{
"TokenEntity":"",
"buckets":[
{
"doc_count":72674,
"key":"SentinelOneDV"
},
{
"doc_count":2028,
"key":"INFO"
},
{
"doc_count":1982,
"key":"AD_EVENTID"
},
{
"doc_count":1070,
"key":"AUDIT_SUCCESS"
},
{
"doc_count":952,
"key":"fortigate"
},
{
"doc_count":836,
"key":"ERROR"
},
{
"doc_count":257,
"key":"audispd"
},
{
"doc_count":112,
"key":"WARNING"
},
{
"doc_count":24,
"key":"AUDIT_FAILURE"
},
{
"doc_count":3,
"key":"systemd"
}
]
}
},
"query":{
"match_all":{
}
},
"terms":[
]
}
}
Notice the aggregations object in the Response. The fields "@behaviors", "@source", "@sender", and "@tags" in the aggregations Response correspond to the facets defined in the Request.