
Event Search

The Event Search API allows the user to search and retrieve events from Fluency. This is the same API used for the Global -> Events search page.

POST - get_index_zoom_histogram_lv3

{url}/api/ds/get_index_zoom_histogram_lv3

Request:

Headers:

Content-Type: application/json
Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8

Body:

{
"kargs":{ }
}

cURL example:

curl -X POST "https://test.cloud.fluencysecurity.com/api/ds/get_index_zoom_histogram_lv3" -H "Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8" -H  "Content-Type: application/json" -d '{"kargs":{"partition":"default","dataType":"event","options":{"dateFacetField":"@timestamp","facets":{},"searchStr":"","sortField":"@timestamp","sortOrder":"desc","range_from":1629240085000,"range_to":1629250085000,"fetchOffset":0,"fetchLimit":10,"dataType":"event"}}}'

Sample Request kargs:

{
   "kargs":{
      "partition":"default", // partition should be "default"
      "dataType":"event",    // or "flow" for flowsearch
      "options":{
         "dateFacetField":"@timestamp", // required
         "facets":{}, // see next section for full example
         "searchStr":"",
         "sortField":"@timestamp",
         "sortOrder":"desc",
         "range_from":1629240085000, // search start time, Unix epoch milliseconds
         "range_to":1629250085000,   // search end time, Unix epoch milliseconds
         "fetchOffset":0,
         "fetchLimit":10, // number of results "hits" to return
         "dataType":"event"
      }
   }
}

Sample Response:

{
   "verdict":"OK",
   "response":{
      "took":0,
      "hits":{
         "total":5899504,
         "sortFieldType":"",
         "hits":[
            {
               "_index":"611b3489be6fea0956f011e2",
               "_type":"event",
               "_id":"38219002",
               "docId":38219002,
               "_source":{
                  "@message":"RAW EVENT MESSAGE HERE",
                  "@facility":"daemon",
                  "@sender":"192.168.1.25",
                  "@timestamp":1629250085000,
                  "@type":"event"
               },
               "_sort":1629250085000,
               "token":false
            },
            {...},
            {...}
         ]
      },
      "aggregations":{
         
      },
      "query":{
         "match_all":{
            
         }
      },
      "terms":[
         
      ]
   }
}

cURL example 2:

The following example makes use of the facets parameter:

curl -X POST "https://test.cloud.fluencysecurity.com/api/ds/get_index_zoom_histogram_lv3" -H "Fluencytoken: b23d7bd2-c388-4257-7d05-61704b76a3a8" -H  "Content-Type: application/json" -d '{"kargs":{"partition":"default","dataType":"event","options":{"dateFacetField":"@timestamp","facets":{"facets":[{"title":"Source","size":20,"order":"count","field":"@source"},{"title":"Sender","size":20,"order":"count","field":"@sender"},{"title":"Tags","size":20,"order":"count","field":"@tags"},{"title":"Behaviors","size":20,"order":"count","field":"@behaviors"}],"mustFilters":[],"mustNotFilters":[]},"searchStr":"","sortField":"@timestamp","sortOrder":"desc","range_from":1629290991030,"range_to":1629295200000,"fetchOffset":0,"fetchLimit":5,"dataType":"event"}}}'

Sample Request kargs:

{
   "kargs":{
      "partition":"default",
      "dataType":"event",
      "options":{
         "dateFacetField":"@timestamp",
         "facets":{
            "facets":[
               {
                  "title":"Source",
                  "size":20,
                  "order":"count",
                  "field":"@source"
               },
               {
                  "title":"Sender",
                  "size":20,
                  "order":"count",
                  "field":"@sender"
               },
               {
                  "title":"Tags",
                  "size":20,
                  "order":"count",
                  "field":"@tags"
               },
               {
                  "title":"Behaviors",
                  "size":20,
                  "order":"count",
                  "field":"@behaviors"
               }
            ],
            "mustFilters":[
               
            ],
            "mustNotFilters":[
               
            ]
         },
         "searchStr":"",
         "sortField":"@timestamp",
         "sortOrder":"desc",
         "range_from":1629290991030,
         "range_to":1629295200000,
         "fetchOffset":0,
         "fetchLimit":5,
         "dataType":"event"
      }
   }
}

Sample Response:

{
   "verdict":"OK",
   "response":{
      "took":0,
      "hits":{
         "total":78158,
         "sortFieldType":"",
         "hits":[
            {
               "_index":"6118918bf2ceb23428d0ca4e",
               "_type":"event",
               "_id":"2168634",
               "docId":2168634,
               "_source":{
                  "@message":"RAW EVENT MESSAGE HERE",
                  "@tags":[
                     "fortigate"
                  ],
                  "@source":"192.168.1.2",
                  "@sender":"192.168.1.2",
                  "@timestamp":1629295199000,
                  "@customer":"udp",
                  "@fields":{... parsed JSON fields ...},
                  "@type":"event"
               },
               "_sort":1629295199000,
               "token":false
            },
            {...},
            {...}
         ]
      },
      "aggregations":{
         "@behaviors":{
            "TokenEntity":"",
            "buckets":[
               {
                  "doc_count":59,
                  "key":"O365_Successful_Login"
               },
               {
                  "doc_count":44,
                  "key":"NewTimeZone"
               },
               {
                  "doc_count":44,
                  "key":"newZoom"
               },
               {
                  "doc_count":44,
                  "key":"TimeZoneField"
               },
               {
                  "doc_count":6,
                  "key":"ZoomLeftMeeting"
               },
               {
                  "doc_count":6,
                  "key":"ZoomJoinMeeting"
               },
               {
                  "doc_count":2,
                  "key":"AD_Kerberos_Srvc_Ticket_Requested"
               }
            ]
         },
         "@sender":{
            "TokenEntity":"",
            "buckets":[
               {
                  "doc_count":72674,
                  "key":"sentinelone"
               },
               {
                  "doc_count":4311,
                  "key":"192.168.1.234"
               },
               {
                  "doc_count":952,
                  "key":"192.168.1.2"
               },
               {
                  "doc_count":153,
                  "key":"office365"
               },
               {
                  "doc_count":44,
                  "key":"Zoom"
               },
               {
                  "doc_count":20,
                  "key":"192.168.1.238"
               },
               {
                  "doc_count":4,
                  "key":"192.168.1.25"
               }
            ]
         },
         "@source":{
            "TokenEntity":"",
            "buckets":[
               {
                  "doc_count":72674,
                  "key":"sentinelone"
               },
               {
                  "doc_count":2422,
                  "key":"192.168.1.1"
               },
               {
                  "doc_count":1624,
                  "key":"192.168.1.30"
               },
               {
                  "doc_count":952,
                  "key":"192.168.1.2"
               },
               {
                  "doc_count":263,
                  "key":"ssh-vm"
               },
               {
                  "doc_count":153,
                  "key":""
               },
               {
                  "doc_count":44,
                  "key":"Zoom"
               },
               {
                  "doc_count":24,
                  "key":"192.168.1.25"
               },
               {
                  "doc_count":2,
                  "key":"162.142.125.60"
               }
            ]
         },
         "@tags":{
            "TokenEntity":"",
            "buckets":[
               {
                  "doc_count":72674,
                  "key":"SentinelOneDV"
               },
               {
                  "doc_count":2028,
                  "key":"INFO"
               },
               {
                  "doc_count":1982,
                  "key":"AD_EVENTID"
               },
               {
                  "doc_count":1070,
                  "key":"AUDIT_SUCCESS"
               },
               {
                  "doc_count":952,
                  "key":"fortigate"
               },
               {
                  "doc_count":836,
                  "key":"ERROR"
               },
               {
                  "doc_count":257,
                  "key":"audispd"
               },
               {
                  "doc_count":112,
                  "key":"WARNING"
               },
               {
                  "doc_count":24,
                  "key":"AUDIT_FAILURE"
               },
               {
                  "doc_count":3,
                  "key":"systemd"
               }
            ]
         }
      },
      "query":{
         "match_all":{
            
         }
      },
      "terms":[
         
      ]
   }
}

Notice the aggregations object in the Response. The fields "@behaviors", "@source", "@sender", and "@tags" in the aggregations object of the Response correspond to the facets defined in the Request.