This API retrieves details for an event.
| Operator | API Affected |
|---|---|
| GET | /ioc/events/{agentid}/{eventid} |
Input Parameters
| Input Parameters | Mandatory/Optional | Description |
|---|---|---|
| agentId (String) | Mandatory | ID of the agent whose event details you want to fetch. |
| eventId (String) | Mandatory | ID of the event whose details you want to fetch. |
| Authorization (String) | Mandatory | Authorization token used to authenticate to the Qualys Enterprise TruRisk™ Platform. Prefix the token with "Bearer" and one space, for example: Bearer authToken. |
| filter (String) | Optional | Filter the events list by providing a query in Qualys syntax. Refer to the How to Search topic in the online help for assistance with creating your query. For example: event.datetime:["2024-09-15T00:30:00.000Z".."2024-09-22T18:29:59.999Z"] AND action: 'Created'. You can filter events by the time they are generated (event.datetime) or by the time they are processed at Qualys (event.eventprocesstime). If you want to fetch events by date AND time, it is recommended to use the "event.datetime" or "event.eventprocesstime" parameter. |
Sample - Fetch Event Details
API request
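# Fetch the details of one event for one agent.
# <qualys_base_url> and <token> are placeholders; the agent and event IDs below are sample values.
# The line continuations are required: without them the URL and the Authorization
# header would be parsed as separate commands instead of arguments to curl.
curl -G --data-urlencode "filter=type:file" \
  "<qualys_base_url>/ioc/events/fxxxx2-222a-xxxx-abcd-28exxxxx11/F_fexxxxx-222a-1111-abcd-2xxxx11-1xxxx505xxxxxx8xxx56" \
  -H "Authorization: Bearer <token>"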
Response
{
"data": {
"score": 0,
"customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
"verdict": [
"KNOWN"
],
"category": [
""
],
"familyName": [
""
],
"eventId": "RTF_x82xx34x-5xxx-4110-9878-x91x5x476x47_-3836563445362934026",
"dateTime": "2020-08-17T04:15:06.000+0000",
"type": "FILE",
"action": "CREATED",
"asset": {
"agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
"customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
"netBiosName": "132017-T490",
"platform": "WINDOWS",
"fullOSName": "Microsoft Windows 10 Enterprise 10.0.18363 Build 18363",
"hostName": "132017-X490.corp.qualys.com"
},
"file": {
"path": "C:\\Windows\\System32",
"fullPath": "C:\\Windows\\System32//energyprov.dll",
"md5": "684475093x4x806350x80xxxx3x11332",
"sha256": "91511x1x0349xxxx43x1067xx627798x5038752364x60x3x81x24217x433x10x",
"extension": "dll",
"size": 178688,
"accessDate": "2020-02-13T07:07:44.325+0000",
"writeDate": "2019-03-19T04:43:45.586+0000",
"deviceLetter": "C",
"company": "Microsoft Corporation",
"copyright": "© Microsoft Corporation. All rights reserved.",
"version": "10.0.18362.1",
"product": "Microsoft® Windows® Operating System",
"securityAttributes": "O:S-1-5-80-956xxxxx85-341xxxx49-1xxxxx8044-1xxxxxx631-22xxxxxx4G:S-1-5-80-956xxxxx85-3418522649-1xxxxxx044-1853292631-xxxxxx464D:PAI(A;;FA;;;S-1-5-80-956008885-34xxxxx649-183xxxxxx044-18xxxx631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2)S:AI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)",
"fileName": "energyprov.dll",
"createdDate": "2019-03-19T04:43:45.586+0000",
"certificates": [
{
"certificateHash": "3xxxxxxx01xxxxx0",
"certificateIssuer": "DigiCert High Assurance Code Signing CA-1",
"certificateIssuedTo": "Avira Operations GmbH & Co. KG",
"certificateValid": true,
"certificateSigned": true,
"certificateSignedDate": "2019-12-16T00:00:00.000+0000",
"subject": "Avira Operations GmbH & Co. KG",
"expiryDate": "2021-11-16T12:00:00.000+0000"
},
{
"certificateHash": "35xxxxxx70195553",
"certificateIssuer": "Microsoft Code Signing PCA 2010",
"certificateIssuedTo": "Microsoft Corporation",
"certificateValid": false,
"certificateSigned": true,
"certificateSignedDate": "2019-05-02T21:25:42.000+0000",
"subject": "Microsoft Corporation",
"expiryDate": "2020-05-02T21:25:42.000+0000"
},
{
"certificateHash": "3538xxxxxxx6645516",
"certificateIssuer": "Microsoft Windows Production PCA 2011",
"certificateIssuedTo": "Microsoft Windows",
"certificateValid": false,
"certificateSigned": true,
"certificateSignedDate": "2019-03-27T19:21:43.000+0000",
"subject": "Microsoft Windows",
"expiryDate": "2020-03-27T19:21:43.000+0000"
},
{
"certificateHash": "3549xxxxxx9643443",
"certificateIssuer": "Microsoft Code Signing PCA",
"certificateIssuedTo": "Microsoft Corporation",
"certificateValid": false,
"certificateSigned": true,
"certificateSignedDate": "2008-10-22T21:24:55.000+0000",
"subject": "Microsoft Corporation",
"expiryDate": "2010-01-22T21:34:55.000+0000"
},
{
"certificateHash": "356xxxxxxxxxx181563",
"certificateIssuer": "Microsoft Code Signing PCA 2011",
"certificateIssuedTo": "Microsoft Corporation",
"certificateValid": true,
"certificateSigned": true,
"certificateSignedDate": "2020-03-04T18:39:48.000+0000",
"subject": "Microsoft Corporation",
"expiryDate": "2021-03-03T18:39:48.000+0000"
}
]
},
"indicator2": [
{
"score": "0",
"sha256": "91511x1x0349xxxx43x1067xx627798x5038752364x60x3x81x24217x433x10x",
"familyName": " ",
"verdict": "KNOWN",
"category": " ",
"rowId": "-3836563445362934026"
}
],
"actor": {
"state": "RUNNING",
"eventId": "RTP_x82xx34x-5xxx-4110-9878-x91x5x476x47_-7916036775084163258_1612",
"arguments": "-k LocalServiceNetworkRestricted -p -s TimeBrokerSvc",
"elevated": "false",
"userName": "NT AUTHORITY\\LOCAL SERVICE",
"processId": 1612,
"parentProcessId": 0,
"processName": "svchost.exe",
"imageFullPath": "C:\\Windows\\System32\\svchost.exe"
}
}
}