
Behavior Summary Search

The Behavior Search API allows the user to search and retrieve events from Fluency. This is the same API used for the Analytics -> Behavior Summary page.

POST - behavior_summary_search

{url}/api/ds/behavior_summary_search

Request:

Headers:

Content-Type: application/json
Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8

Body:

{
"kargs":{ }
}

cURL example:

curl -X POST "https://test.cloud.fluencysecurity.com/api/ds/behavior_summary_search" -H "Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8" -H  "Content-Type: application/json" -d  '{"kargs":{"options":{"fetchOffset":0,"fetchLimit":20,"searchStr":"","sortField":"to","sortOrder":"desc","facets":{"facets":[{"title":"Incident Status","size":10,"order":"count","field":"status"},{"title":"Analyst","size":20,"order":"count","field":"comments.username"},{"title":"Score Level","size":30,"order":"count","field":"scoreLevel"},{"title":"Key","size":30,"order":"count","field":"key"},{"title":"Key Type","size":30,"order":"count","field":"keyType"},{"title":"Behavior Rules","size":30,"order":"count","field":"behaviorRules"}],"mustFilters":[],"mustNotFilters":[{"field":"scoreLevel","terms":["0"]}]},"range_from":1633964452896,"range_to":1634569252896,"range_field":"from"}}}'

Sample Request kargs:

{
   "kargs": {
      "options": {
         "fetchOffset": 0,
         "fetchLimit": 20,
         "searchStr": "",
         "sortField": "to",
         "sortOrder": "desc",
         "facets": {
            "facets": [
               {
                  "title": "Incident Status",
                  "size": 10,
                  "order": "count",
                  "field": "status"
               },
               {
                  "title": "Analyst",
                  "size": 20,
                  "order": "count",
                  "field": "comments.username"
               },
               {
                  "title": "Score Level",
                  "size": 30,
                  "order": "count",
                  "field": "scoreLevel"
               },
               {
                  "title": "Key",
                  "size": 30,
                  "order": "count",
                  "field": "key"
               },
               {
                  "title": "Key Type",
                  "size": 30,
                  "order": "count",
                  "field": "keyType"
               },
               {
                  "title": "Behavior Rules",
                  "size": 30,
                  "order": "count",
                  "field": "behaviorRules"
               }
            ],
            "mustFilters": [],
            "mustNotFilters": [
               {
                  "field": "scoreLevel",
                  "terms": [
                     "0"
                  ]
               }
            ]
         },
         "range_from": 1633964452896,
         "range_to": 1634569252896,
         "range_field": "from"
      }
   }
}

Sample Response:

{
   "verdict": "OK",
   "response": {
      "took": 2,
      "_scroll_id": "",
      "hits": {
         "total": 1,
         "max_score": null,
         "hits": [
            {
               "_score": null,
               "_index": "behavior_summary",
               "_type": "behavior_summary",
               "_id": "username_centos_20211012",
               "_uid": "",
               "_timestamp": 0,
               "_ttl": 0,
               "_routing": "",
               "_parent": "",
               "_version": null,
               "sort": [
                  1634062440000
               ],
               "highlight": null,
               "_source": {
                  "id": "username_centos_20211012",
                  "from": 1634047560000,
                  "to": 1634062440000,
                  "count": 5,
                  "key": "centos",
                  "keyType": "username",
                  "dayIndex": "20211012",
                  "behaviorRules": [
                     "SSH_Login_Accepted"
                  ],
                  "behaviors": [
                     "account login"
                  ],
                  "riskScore": 1000,
                  "summaryList": [
                     {
                        "hits": [
                           {
                              "risks": [
                                 "ML_NEW_ASSET"
                              ],
                              "values": [
                                 "18.166.19.200"
                              ],
                              "scope": "local",
                              "name": "NewServer",
                              "fields": [
                                 "@sender"
                              ]
                           }
                        ],
                        "risks": [
                           "ML_NEW_ASSET"
                        ],
                        "count": 5,
                        "from": 1634047560000,
                        "to": 1634062440000,
                        "riskScore": 1000,
                        "behavior": "account login",
                        "attributeSummaries": [],
                        "behaviorRule": "SSH_Login_Accepted"
                     }
                  ],
                  "scoreLevel": "1000 - 2000",
                  "keyContext": {
                     "infoList": null
                  },
                  "comments": null,
                  "incident": false,
                  "scoreAdjust": 0,
                  "updatedOn": 1634062570000,
                  "risks": [
                     "ML_NEW_ASSET"
                  ]
               },
               "fields": null,
               "_explanation": null,
               "matched_queries": null,
               "inner_hits": null
            }
         ]
      },
      "suggest": null,
      "aggregations": {
         "behaviorRules": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
               {
                  "key": "SSH_Login_Accepted",
                  "doc_count": 1
               }
            ]
         },
         "comments.username": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": []
         },
         "key": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
               {
                  "key": "centos",
                  "doc_count": 1
               }
            ]
         },
         "keyType": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
               {
                  "key": "username",
                  "doc_count": 1
               }
            ]
         },
         "scoreLevel": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
               {
                  "key": "1000 - 2000",
                  "doc_count": 1
               }
            ]
         },
         "status": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": []
         }
      },
      "timed_out": false,
      "terminated_early": false,
      "_shards": {
         "total": 1,
         "successful": 1,
         "failed": 0
      }
   }
}

Notice the aggregations object in the Response. Each field in the aggregations object corresponds to one of the facets defined in the Request: the aggregation is keyed by the facet's "field" value (for example, the "status" facet produces the "status" aggregation, and "comments.username" produces "comments.username").

Identical call performed by the Fluency interface: