Fetch Events Using Scroll

GET /ioc/events/scroll

Input Parameters

Input Parameters | Mandatory/Optional | Description

fromDate (String) | Optional

Show events logged after a certain date. Supports epoch time / unix timestamp.
See https://en.wikipedia.org/wiki/Unix_time 

For example - 1483228800

Note: This parameter is used in conjunction with the "toDate" parameter to fetch events for a specific date range. The time portion of the value is ignored; use the filter parameter to drill down further by time.

toDate (String) | Optional

Show events logged up to a certain date. Supports epoch time / unix timestamp.
See https://en.wikipedia.org/wiki/Unix_time 

For example - 1514764799

Note: This parameter is used in conjunction with the "fromDate" parameter to fetch events for a specific date range. The time portion of the value is ignored; use the filter parameter to drill down further by time.

filter (String) | Optional

Filter the events list by providing a query using Qualys syntax. Refer to the “How to Search” topic in the online help for assistance with creating your query.

For example - event.dateTime : ['2017-01-01T05:33:34' .. '2017-01-31T05:33:34'] AND action: 'Created'

You can filter events based on the time they were generated on the asset (event.dateTime) or based on the time they were processed at Qualys (event.eventProcessedTime).

Use the "event.dateTime" or "event.eventProcessedTime" field in the filter if you want to fetch events by date AND time, since fromDate and toDate ignore the time portion.

groupBy (String) | Optional

Group results based on certain parameters (provide a comma-separated list).

For example - agentId

sort (String) | Optional

Sort the results using a Qualys token.

For example - [{"action":"asc"}]

include_attributes (String) | Optional

Include certain attributes in the search (provide a comma-separated list). Only the included attributes are returned in the API response.

For example - include_attributes = _type, _id, processName

exclude_attributes (String) | Optional

Exclude certain attributes from the search (provide a comma-separated list).

For example - exclude_attributes = _type, _id, processName

Note: You do not need to exclude attributes if you have already selected specific attributes with the include_attributes parameter; attributes that are not included are excluded by default.

scrollId (String) | Optional

Identifier for the search; it retrieves the next batch of results for the same request.

For example - scrollId=<scroll_id>

Note: Use this parameter only on the next API request and onwards. The scroll_id is returned in the response header of the preceding request.

Authorization (String) | Mandatory

Authorization token to authenticate to the Qualys Cloud Platform. Prepend token with "Bearer" and one space.

For example - Bearer authToken.

Sample

API request

    curl --location --request GET "<qualys_base_url>/ioc/events/scroll?filter=type:MUTEX" --header "Authorization: Bearer <token>"

Response

    {
      "data": [
        {
          "dateTime": "2020-08-17T04:15:06.000+0000",
          "process": {
            "fullPath": "C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2022.30120.12007.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe",
            "parentProcessName": "svchost.exe",
            "processFile": {
              "fullPath": "C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2022.30120.12007.0_x64__8wekyb3d8bbwe\\Microsoft.Photos.exe",
              "path": "C:\\Program Files\\WindowsApps\\Microsoft.Windows.Photos_2022.30120.12007.0_x64__8wekyb3d8bbwe",
              "sha256": "xa9xxx5a9aaxxxxx36e721exxx7d00aa2438xxd800xxxxx172axxx2f8xxx88a",
              "size": 756736,
              "moduleName": "Microsoft.Photos.exe",
              "md5": "3d8bxxxea865fxxx6d755bxxxd67aaca"
            },
            "processEventId": "RTP_xxxx0e2f-4ea0-3xx2-xxx0-9cxxxx60e227_17-1-2023",
            "processName": "Microsoft.Photos.exe",
            "elevated": true,
            "parentPid": 912,
            "arguments": "-ServerName:App.AppXzst4xxxcqdxxxxxyznqwsxxx7f.mca",
            "pid": 6008,
            "parentEventId": "RTP_2xxxxxe0-xxx4-3xx7-8xxx-eaxxxxxfe0x4_11-1-2023",
            "userName": "xxxx-xxxxx\\Administrator",
            "integrityLevel": "ML_LOW"
          },
          "eventProcessedTime": "2023-01-17T02:41:25.383+0000",
          "eventSource": "EDR",
          "mutex": {
            "mutexName": "\\Sessions\\2\\AppContainerNamedObjects\\S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518\\SM0:6008:120:WilError_03"
          },
          "indicator2": [
            {
              "score": "0",
              "sha256": "xa9xxx5a9aaxxxxx36e721exxx7d00aa2438xxd800xxxxx172axxx2f8xxx88a",
              "verdict": "KNOWN",
              "rowId": "-744512xxxxxxx98913"
            }
          ],
          "type": "MUTEX",
          "score": "0",
          "scoreSource": "REVERSING_LAB",
          "action": "RUNNING",
          "id": "RTM_bxxx1397-4xxx-3xxc-xxx9-xx2f0xxx8axx_17-1-2023",
          "asset": {
            "fullOSName": "Microsoft Windows 10 Enterprise 10.0.19044 Build 19044",
            "hostName": "xxxx-xxxx",
            "agentId": "xxxa98xx-xxx5-4xx8-8xx3-xxxd76xx02x",
            "interfaces": [
              {
                "macAddress": "XX:XX:XX:XX:XX:XX",
                "ipAddress": "XX.XXX.XXX.X",
                "interfaceName": "Intel(R) 82574L Gigabit Network Connection",
                "gatewayAddress": "XX.XXX.XXX.X"
              }
            ],
            "netBiosName": "xxxx-xxxx",
            "isQuarantineHost": false,
            "customerId": "xxxcade1-6xx5-xxx1-8xxx-xx008f55xxx3",
            "platform": "Windows",
            "assetType": "HOST",
            "tags": [
              {
                "name": "Cloud Agent",
                "uuid": "xxx676fe-cxxx-4xxx-xx5f-xx48xxcxxx1b"
              }
            ]
          },
          "uniqueId": "-xxxx1xx6xxx27xxxx1x"
        }
      ]
    }

Next API request

    curl --location --request GET "<qualys_base_url>/ioc/events/scroll?scrollId=<scroll_id>" --header "Authorization: Bearer <token>"

Response

    {
      "data": [
        {
          "dateTime": "2020-08-17T04:15:06.000+0000",
          "process": {
            "fullPath": "C:\\Program Files\\Common Files\\Macrovision Shared\\FlexNet Publisher\\FNPLicensingService64.exe",
            "parentProcessName": "services.exe",
            "processFile": {
              "fullPath": "C:\\Program Files\\Common Files\\Macrovision Shared\\FlexNet Publisher\\FNPLicensingService64.exe",
              "path": "C:\\Program Files\\Common Files\\Macrovision Shared\\FlexNet Publisher",
              "sha256": "xxxc953e80xxxxxc37eb0xxxxxd97fa71bxxxx9d05f8xxxxd36xxxx29",
              "size": 1519440,
              "certificates": [
                {
                  "certificateSigned": true,
                  "certificateIssuer": "Symantec Class 3 SHA256 Code Signing CA",
                  "certificateValid": true,
                  "certificateIssuedTo": "Flexera Software LLC",
                  "certificateSignedDate": "2018-09-13T00:00:00.000+0000",
                  "certificateHash": "xxx0dxxb23f9a2xxx4d22b2f7xxx32e7c934xxx8"
                }
              ],
              "moduleName": "FNPLicensingService64.exe",
              "md5": "xxxc890f8539d4d3689xxx73cd52ac5"
            },
            "processEventId": "RTP_xxx26173-8axx-3xx6-8xxx-41xxxbe55xxx_22-12-2022",
            "processName": "FNPLicensingService64.exe",
            "elevated": true,
            "parentPid": 816,
            "pid": 3280,
            "parentEventId": "RTP_xxxd8a66-xxx0-3fxx-xxx5-xxxad8d62xxx_22-12-2022",
            "userName": "NT AUTHORITY\\SYSTEM",
            "integrityLevel": "ML_SYSTEM"
          },
          "eventProcessedTime": "2023-01-23T13:03:24.731+0000",
          "eventSource": "EDR",
          "mutex": {
            "mutexName": "\\BaseNamedObjects\\{xxxxxxxx-ef71-4xxf-axxx-91dcaxxxf13}-cxx-s_tpm_init"
          },
          "indicator2": [
            {
              "score": "0",
              "sha256": "xxxc953xxxx79b5dec37ebxxx8173d9xxxx1b1599529xxxf82cd74xxx6291xxx",
              "verdict": "KNOWN",
              "rowId": "-32xx86xxxxxxx76x5x"
            }
          ],
          "type": "MUTEX",
          "score": "0",
          "scoreSource": "REVERSING_LAB",
          "action": "TERMINATED",
          "id": "RTM_xxxx2ecd-xxxc-33f0-b2xx-0xxxx60adexx_23-1-2023",
          "asset": {
            "fullOSName": "Microsoft Windows 10 Pro 10.0.19045 Build 19045",
            "hostName": "xxx-xxx-xxxx",
            "agentId": "xxxx7a51-xxx7-xxx1-xxx1-xxx0e7b33xxx",
            "interfaces": [
              {
                "macAddress": "xx:xx:xx:xx:xx:xx",
                "ipAddress": "xxxx:0:0:0:xxxx:xxxx:xxxx:xxxx",
                "interfaceName": "VirtualBox Host-Only Ethernet Adapter"
              },
              {
                "macAddress": "xx:xx:xx:xx:xx:xx",
                "ipAddress": "xx.xx.xxx.xxx",
                "interfaceName": "Intel(R) 82574L Gigabit Network Connection",
                "gatewayAddress": "xx.xx.xxx.x"
              },
              {
                "macAddress": "xx:xx:xx:00:00:xx",
                "ipAddress": "xxx.xxx.xxx.xx",
                "interfaceName": "VirtualBox Host-Only Ethernet Adapter"
              },
              {
                "macAddress": "xx:xx:xx:xx:xx:xx",
                "ipAddress": "xxxx:0:0:0:xxxx:xxxx:xxxx:xxxx",
                "interfaceName": "Intel(R) 82574L Gigabit Network Connection",
                "gatewayAddress": "xx.xx.xxx.x"
              }
            ],
            "netBiosName": "xxx-xxxx-xxxxx",
            "isQuarantineHost": false,
            "customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bce3",
            "platform": "Windows",
            "assetType": "HOST",
            "tags": [
              {
                "name": "Cloud Agent",
                "uuid": "xxx676fe-xxx8-xxx2-xxxf-xxx80bc2411b"
              }
            ]
          },
          "uniqueId": "-xxxx38xxxxxxx61xxx"
        },
        {
          "dateTime": "2023-01-23T13:06:28.941+0000",
          "process": {
            "fullPath": "C:\\Program Files\\Common Files\\Macrovision Shared\\FlexNet Publisher\\FNPLicensingService64.exe",
            "parentProcessName": "services.exe",
            "processFile": {
              "fullPath": "C:\\Program Files\\Common Files\\Macrovision Shared\\FlexNet Publisher\\FNPLicensingService64.exe",
              "path": "C:\\Program Files\\Common Files\\Macrovision Shared\\FlexNet Publisher",
              "sha256": "xxxx953e803d9xxxxxb1599xxxxx46d3xxxx29",
              "size": 1519440,
              "certificates": [
                {
                  "certificateSigned": true,
                  "certificateIssuer": "Symantec Class 3 SHA256 Code Signing CA",
                  "certificateValid": true,
                  "certificateIssuedTo": "Flexera Software LLC",
                  "certificateSignedDate": "2018-09-13T00:00:00.000+0000",
                  "certificateHash": "xxxxd07b23xxx25e2xxx2f7bxxx7c9xx2f98"
                }
              ],
              "moduleName": "FNPLicensingService64.exe",
              "md5": "xxxx90f8539dxxxx68928327xxx52ac5"
            },
            "processEventId": "RTP_x26173-xxx2-xxx6-xxx3-xxx93abe5xxx_22-12-2022",
            "processName": "FNPLicensingService64.exe",
            "elevated": true,
            "parentPid": 816,
            "pid": 3280,
            "parentEventId": "RTP_xxxd8a66--xxxad8d62xxx_22-12-2022",
            "userName": "NT AUTHORITY\\SYSTEM",
            "integrityLevel": "ML_SYSTEM"
          },
          "eventProcessedTime": "2023-01-23T13:03:24.732+0000",
          "eventSource": "EDR",
          "mutex": {
            "mutexName": "\\BaseNamedObjects\\{xxxxxxxx-exxx-xxxf-xxxx-91xxxx37xxxx}-cxx-s_wxx_init"
          },
          "indicator2": [
            {
              "score": "0",
              "sha256": "xxxc953e37eb0xxxx73d97faxxxx99529d05f82cd74xxx6",
              "verdict": "KNOWN",
              "rowId": "-4893206851394137947"
            }
          ],
          "type": "MUTEX",
          "score": "0",
          "scoreSource": "REVERSING_LAB",
          "action": "TERMINATED",
          "id": "RTM_xxx0c057-xxx8-xxxf-xxxf-xxx921a7fxxx_23-1-2023",
          "asset": {
            "fullOSName": "Microsoft Windows 10 Pro 10.0.19045 Build 19045",
            "hostName": "xxx-xxxx-xxxx",
            "agentId": "xxxd7a51-xxx7-xxx1-xxx1-xxx0e7b33xxx",
            "interfaces": [
              {
                "macAddress": "xx:xx:xx:xx:00:xx",
                "ipAddress": "xxxx:0:0:0:xxxx:xxxx:xxxx:xxxx",
                "interfaceName": "VirtualBox Host-Only Ethernet Adapter"
              },
              {
                "macAddress": "xx:xx:xx:xx:00:xx",
                "ipAddress": "xx:xx:xx:xx",
                "interfaceName": "Intel(R) 82574L Gigabit Network Connection",
                "gatewayAddress": "xx:xx:xx:x"
              },
              {
                "macAddress": "xx:xx:xx:xx:00:xx",
                "ipAddress": "xxx:xx:xx:x",
                "interfaceName": "VirtualBox Host-Only Ethernet Adapter"
              },
              {
                "macAddress": "xx:xx:xx:xx:00:xx",
                "ipAddress": "xxxx:0:0:0:xxxx:xxxx:xxxx:xxxx",
                "interfaceName": "Intel(R) 82574L Gigabit Network Connection",
                "gatewayAddress": "xx:xx:xx:x"
              }
            ],
            "netBiosName": "xxx-xxxx-xxxx",
            "isQuarantineHost": false,
            "customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bce3",
            "platform": "Windows",
            "assetType": "HOST",
            "tags": [
              {
                "name": "Cloud Agent",
                "uuid": "xxxx67xx-xxx8-xxx2-xxxf-xxx80bc2411b"
              }
            ]
          },
          "uniqueId": "-4xx32xxxxx94137xxx"
        }
      ]
    }

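The two-step procedure above (first request with a filter, follow-up requests carrying only the scroll id taken from the previous response header) and the date-and-time caveat on fromDate/toDate, as an added example that is not Qualys code. It assumes the scroll id header is named `scrollId`, which the page does not state, and pages with an injectable transport so the logic runs offline against constructed sample pages.

```python
"""Scroll through Qualys EDR /ioc/events/scroll (added example, not Qualys code)."""
import json, urllib.parse, urllib.request
from typing import Callable, Iterator
# Assumption: the page says the scroll id comes from "the header" but does not name it.
SCROLL_ID_HEADER = "scrollId"

def datetime_filter(start: str, end: str, extra: str = "", field: str = "event.dateTime") -> str:
    """Filter that honours date AND time (fromDate/toDate ignore the time part)."""
    query = f"{field} : ['{start}' .. '{end}']"
    return f"{query} AND {extra}" if extra else query

def http_fetch(base_url: str, token: str) -> Callable[[dict], tuple]:
    """Real transport: GET <base_url>/ioc/events/scroll, returns (headers, body)."""
    def fetch(params: dict) -> tuple:
        url = f"{base_url}/ioc/events/scroll?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.headers, json.load(resp)  # headers has case-insensitive get()
    return fetch

def scroll_events(fetch: Callable[[dict], tuple], filter_query: str,
                  max_pages: int = 10_000) -> Iterator[dict]:
    """Yield every event: the first call carries the filter, later calls only scrollId."""
    params, seen = {"filter": filter_query}, set()
    for _ in range(max_pages):               # hard stop against a never-ending scroll
        headers, body = fetch(params)
        events = body.get("data") or []
        if not events:
            return                           # an empty page ends the scroll
        for event in events:
            key = event.get("id") or event.get("uniqueId")
            if key in seen:                  # drop events from a replayed page
                continue
            if key is not None:
                seen.add(key)
            yield event
        scroll_id = headers.get(SCROLL_ID_HEADER)
        if not scroll_id:
            return
        params = {"scrollId": scroll_id}     # follow-up requests carry only the scroll id

def fake_fetch(pages: list, calls: list) -> Callable[[dict], tuple]:
    """Constructed offline transport: serves canned (headers, body) pages, logs params."""
    def fetch(params: dict) -> tuple:
        calls.append(dict(params))
        return pages[len(calls) - 1]
    return fetch

# Constructed sample: page 2 replays RTM_a; page 3 is empty and ends the scroll.
SAMPLE_PAGES = [
    ({SCROLL_ID_HEADER: "s1"}, {"data": [{"id": "RTM_a", "type": "MUTEX"}]}),
    ({SCROLL_ID_HEADER: "s2"}, {"data": [{"id": "RTM_a"}, {"id": "RTM_b", "type": "MUTEX"}]}),
    ({}, {"data": []}),
]
```

For a live pull, pass `http_fetch("<qualys_base_url>", token)` in place of `fake_fetch` and keep the token in an environment variable rather than in the script.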