Fetch Incident Events Using SearchAfter
For API version information, refer to the API Version History section.
Non-Versioned
This API retrieves a large number of search results in smaller sections or batches.
This API involves a two-step process: an Initial Request to start the process and a Follow-Up Request to complete it. Both steps are necessary to ensure the full execution of the API operation.
Input Parameters for Incident Events
Input Parameters | Mandatory/Optional | Format | Description |
---|---|---|---|
Authorization | Mandatory | String | The Authorization parameter authenticates the request to the Qualys Enterprise TruRisk™ Platform. Prepend the token with "Bearer" and a space. For example: Bearer authToken. |
filter | Optional | String | Filter the events list by providing a query in Qualys syntax. Refer to the How to Search topic in the online help for help creating your query. For example: event.datetime:["2024-09-15T00:30:00.000Z".."2024-09-22T18:29:59.999Z"] AND action: 'Created'. You can filter events by the time they were generated (event.datetime) or the time they were processed at Qualys (event.eventprocesstime). If you want to fetch events by date AND time, use the "event.datetime" or "event.eventprocesstime" parameter. |
pageNumber | Optional | String | The pageNumber parameter specifies which page to return. Page numbering starts at zero. |
pageSize | Optional | String | The pageSize parameter specifies the number of records per page to include in the response. The default value is 10. |
include_attributes | Optional | String | The include_attributes parameter restricts the search results to the listed attributes. Provide the attributes as a comma-separated list; the API response returns only the included attributes. For example: include_attributes = _type, _id, processName |
exclude_attributes | Optional | String | The exclude_attributes parameter removes the listed attributes from the search results. Provide the attributes as a comma-separated list. For example: exclude_attributes = _type, _id, processName. Note: You need not exclude attributes if you have already included specific attributes using the include_attributes parameter; attributes that are not included are excluded by default. |
searchAfterValues | Optional | Array | Enter a value for pagination to start fetching the next set of results. For example: 1722538573707,b2xxx2c4-xxx9-352f-8xx6-axxce3xx37ax. Note: This is the value from the searchAfterValue header returned in the previous response. If not provided, the API returns the first page of results. |
Sample - Initial Request
API request
curl -X GET "/ioc/incidents/events/searchAfter" --header "accept: */*" --header "Authorization: Bearer <token>"
Response
[
  {
    "dateTime": "2021-05-22T07:14:01.924+0000",
    "eventProcessedTime": "2021-05-22T08:22:17.210+0000",
    "workflow": 1,
    "eventSource": "EDR",
    "stateDocumentId": "RTF_2XXX2-XXX8-482e-aXX-e71c9dXX4_74XX87XX19XX4",
    "indicator2": [
      {
        "score": "1",
        "sha256": "2da4XXXXXa1c206db6eXXX4bXX654e47XXXX308dab0XX5ff0ebXXX5f9d22XX5",
        "familyName": "test-knowntomal",
        "verdict": "REMEDIATED",
        "threatName": "test-threat",
        "category": "test-type",
        "rowId": "7405876919274160783"
      }
    ],
    "type": "FILE",
    "actor": {
      "processEventId": "RTP_XXX66462-ff28-48X-eXX671cXXX94_612XXX07X",
      "processUniqueId": "6124620742717860794",
      "processId": 19400,
      "processName": "powershell.exe",
      "userName": "NT AUTHORITY\\SYSTEM",
      "imageFullPath": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe"
    },
    "score": "1",
    "file": {
      "extension": "exe",
      "fileName": "123dsad_MALICIOUS - Copy.exe",
      "sha256": "xxxc953e80xxxxxc37eb0xxxxxd97fa71bxxxx9d05f8xxx29",
      "size": 180736,
      "nonPEFile": false,
      "macroEmbedded": false,
      "fileType": "Regular File",
      "md5": "ee59d4xxxxxx578cf8fxxxxx436d"
    },
    "verdict": [
      "REMEDIATED"
    ],
    "familyName": [
      "test-knowntomal"
    ],
    "customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bce3",
    "action": "DELETED",
    "id": "RTF_c8xxxxxxb-d622-xx-b02b-xxxxxxxxx_22-5-2021",
    "category": [
      "test-type"
    ],
    "incidentId": "7af49e37-4b5a-3912-8715-1f8fe325ea29",
    "asset": {
      "fullOSName": "Microsoft Windows Server 2019 Standard 10.0.17763",
      "hostName": "<host_name>",
      "agentId": "X1aXX462-fXX8-482e-a0XX-e0eXXXX9dd9X",
      "interfaces": [
        {
          "macAddress": "00:xx:56:xx:98:xx",
          "ipAddress": "10.xx.98.162",
          "interfaceName": "Intel(R) 82574L Gigabit Network Connection",
          "gatewayAddress": "xx.xx.98.1"
        }
      ],
      "netBiosName": "<net_bios_name>",
      "customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bce3",
      "platform": "Windows",
      "tags": [
        {
          "name": "Cloud Agent",
          "uuid": "X4e67XXX-XX78-4f32-bfXX-Xe480bc24XXX"
        }
      ]
    },
    "uniqueId": "7405876919274160783"
  },
  ..
]
Sample - Follow-up Request
Next API request
curl -X GET "/ioc/incidents/events/searchAfter?searchAfterValues=1639811976662,RTF_fXX871e0-c2fc-3XXc-XXbf-4XXXXe63ef47_15-12-2021" --header "accept: */*" --header "Authorization: Bearer <token>"
Response
[
  {
    "dateTime": "2025-01-27T00:30:00.000+0000",
    "eppVerdict": {
      "score": 3,
      "verdictSource": "EPP",
      "familyName": "BD.TestSignature",
      "verdict": "MALICIOUS",
      "threatName": "BD.TestSignature",
      "category": "VIRUS",
      "rowId": "40XX1bXX-2XX5-3XXa-aXX7-22XX07XX77XX"
    },
    "workflow": 6,
    "activeMalware": false,
    "eventSource": "Anti-malware",
    "stateDocumentId": "RTF_dXX37e8XXa-1eXX-47XX-86XX-29XX17c9XX04_40XX1bXX-2XX5-3XXa-aXX7-22XX07XX77XX",
    "indicator2": [
      {
        "score": "7",
        "sha256": "b2XX5eXX9XX09XX40XX8eXXadXX3fXX7bbXX1dc8XXf313aXX6aeddXX062bXXXX",
        "familyName": "CR_OCI_PUA",
        "verdict": "MALICIOUS",
        "threatName": "worm",
        "category": "worm",
        "rowId": "40XX1bXX-2XX5-3XXa-aXX7-22XX07XX77XX"
      }
    ],
    "type": "FILE",
    "eventMetadata": {
      "isDetectedByEPP": true,
      "detectionType": "On-Demand",
      "threatType": "VIRUS",
      "fileState": "PRESENT",
      "malwareType": "FILE",
      "isDetectOnlyEvent": false,
      "threatName": "BD.TestSignature",
      "fileActionTaken": "ACTION_DENY"
    },
    "score": "7",
    "scoreSource": "REVERSING_LAB",
    "file": {
      "fullPath": "/root/dummy/dummyarch_test.txt",
      "path": "/root/dummy",
      "extension": "txt",
      "fileName": "dummyarch_test.txt",
      "sha256": "b2XX5e77XX20909XXc18e09XXaf3f1f7XXad1dcXXaf313a98XXedd6XX62b0XXX",
      "nonPEFile": false,
      "macroEmbedded": false
    },
    "verdict": ["MALICIOUS"],
    "familyName": ["CR_OCI_PUA", "BD.TestSignature"],
    "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
    "threatName": ["worm"],
    "action": "ACCESS_DENIED",
    "id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
    "category": ["VIRUS", "worm"],
    "incidentId": "0bXX08XX-2XXd-3XX5-8XX9-10XX8XX7aXX6",
    "asset": {
      "fullOSName": "Red Hat Enterprise Linux 9.4",
      "hostName": "localhost.localdomain",
      "agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
      "interfaces": [
        {
          "macAddress": "00:X0:XX:0X:00:00",
          "ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
          "interfaceName": "ens192",
          "gatewayAddress": "XX.XX.X0X.X"
        },
        {
          "macAddress": "00:X0:XX:0X:00:00",
          "ipAddress": "X0.1X.XX1.00",
          "interfaceName": "ens192",
          "gatewayAddress": "XX.XX.X0X.X"
        }
      ],
      "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
      "platform": "LINUX",
      "tags": [
        {
          "name": "Cloud Agent",
          "uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
        }
      ]
    }
  },
  ....
  {
    "dateTime": "2025-01-27T00:30:00.000+0000",
    "eppVerdict": {
      "score": 3,
      "verdictSource": "EPP",
      "familyName": "BD.TestSignature",
      "verdict": "MALICIOUS",
      "threatName": "BD.TestSignature",
      "category": "VIRUS",
      "rowId": "c6740b5f-eb18-3e46-9c96-c012a03dXXXX"
    },
    "workflow": 6,
    "activeMalware": false,
    "eventSource": "Anti-malware",
    "stateDocumentId": "RTF_d83XXe8a-1ea3-47cb-864a-2919XXXX4a04_c6740b5f-eb18-XXXX-9c96-c012a03dXXXX",
    "indicator2": [
      {
        "score": "7",
        "sha256": "b22XXXX7912090940c18e09aXXXXX1f7bbad1dc84af313a986XXXX6f062bXXXX",
        "familyName": "CR_OCI_PUA",
        "verdict": "MALICIOUS",
        "threatName": "worm",
        "category": "worm",
        "rowId": "c6XXXX5f-eb18-3e46-9cXX-c012a03dXXXX"
      }
    ],
    "type": "FILE",
    "eventMetadata": {
      "isDetectedByEPP": true,
      "detectionType": "On-Demand",
      "threatType": "VIRUS",
      "fileState": "PRESENT",
      "malwareType": "FILE",
      "isDetectOnlyEvent": false,
      "threatName": "BD.TestSignature",
      "fileActionTaken": "ACTION_DENY"
    },
    "score": "7",
    "scoreSource": "REVERSING_LAB",
    "file": {
      "fullPath": "/root/dummy/dummyarch_test_deep.txt",
      "path": "/root/dummy",
      "extension": "txt",
      "fileName": "dummyarch_test_deep.txt",
      "sha256": "b22XXXX7912090940c18e09aXXXXX1f7bbad1dc84af313a986XXXX6f062bXXXX",
      "nonPEFile": false,
      "macroEmbedded": false
    },
    "verdict": ["MALICIOUS"],
    "familyName": ["CR_OCI_PUA", "BD.TestSignature"],
    "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
    "threatName": ["worm"],
    "action": "ACCESS_DENIED",
    "id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
    "category": ["VIRUS", "worm"],
    "incidentId": "0bXX08XX-2XXd-3XX5-8XX9-10XX8XX7aXX6",
    "asset": {
      "fullOSName": "Red Hat Enterprise Linux 9.4",
      "hostName": "localhost.localdomain",
      "agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
      "interfaces": [
        {
          "macAddress": "00:X0:XX:0X:00:00",
          "ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
          "interfaceName": "ens192",
          "gatewayAddress": "XX.XX.X0X.X"
        },
        {
          "macAddress": "00:X0:XX:0X:00:00",
          "ipAddress": "X0.1X.XX1.00",
          "interfaceName": "ens192",
          "gatewayAddress": "XX.XX.X0X.X"
        }
      ],
      "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
      "platform": "LINUX",
      "tags": [
        {
          "name": "Cloud Agent",
          "uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
        }
      ]
    }
  }
]
Response Field Descriptions
Dataset Name | Field Name | Data Type | Description |
---|---|---|---|
Incidents-Events | dateTime | Timestamp | Timestamp of the event occurrence. |
Incidents-Events | eppVerdict | Object | Details about the Endpoint Protection (EPP) verdict. Dataset: eppVerdict |
Incidents-Events | activeMalware | Boolean | Indicates whether the malware is active. |
Incidents-Events | eventSource | String | The source of the event (e.g. Anti-malware). |
Incidents-Events | indicator2 | Array of Objects | The list of indicators related to the event. Dataset: indicator2 |
Incidents-Events | type | String | The type of event (e.g. FILE). |
Incidents-Events | eventMetadata | Object | The metadata related to the event. Dataset: eventMetadata |
Incidents-Events | score | String | The score assigned to the event. |
Incidents-Events | scoreSource | String | The source of the score (e.g. Anti-malware, Behavioral Detection, Qualys Research, Sandbox, Threat Intelligence). |
Incidents-Events | file | Object | Details about the affected file. Dataset: file |
Incidents-Events | verdict | Array of Strings | The list of verdicts (e.g. MALICIOUS). |
Incidents-Events | familyName | Array of Strings | A list of detected malware families. |
Incidents-Events | customerId | String | A unique identifier (UUID) for the customer. |
Incidents-Events | threatName | Array of Strings | A list of detected threat names. |
Incidents-Events | action | String | The action taken on the event (e.g. ACCESS_DENIED). |
Incidents-Events | id | String | A unique identifier for the event. |
Incidents-Events | category | Array of Strings | A list of malware categories (e.g. VIRUS, worm). |
Incidents-Events | incidentId | String | A unique identifier (UUID) for the related incident. |
Incidents-Events | asset | Object | Details about the affected asset. Dataset: asset |
eppVerdict | score | Integer | The score assigned to the detected event by EPP. |
eppVerdict | verdictSource | String | The source of the verdict (e.g. EPP). |
eppVerdict | familyName | String | The family name of the detected malware. |
eppVerdict | verdict | String | The verdict of the detection (e.g. MALICIOUS). |
eppVerdict | threatName | String | The name of the detected threat. |
eppVerdict | category | String | The category of the detected threat. |
eppVerdict | rowId | String | A unique identifier for the verdict record. |
indicator2 | score | String | The score assigned to the indicator. |
indicator2 | sha256 | String | The SHA-256 hash value of the file associated with the indicator. |
indicator2 | familyName | String | The family name of the detected malware. |
indicator2 | verdict | String | The verdict assigned to the file (e.g., "MALICIOUS"). |
indicator2 | threatName | String | The name of the detected threat. |
indicator2 | category | String | The category of the detected threat. |
indicator2 | rowId | String | A unique identifier for the indicator row. |
eventMetadata | isDetectedByEPP | Boolean | Indicates whether EPP detected the threat. |
eventMetadata | detectionType | String | The detection type (e.g., On-Demand). |
eventMetadata | threatType | String | The threat type (e.g., VIRUS). |
eventMetadata | fileState | String | The state of the detected file. |
eventMetadata | malwareType | String | The type of detected malware. |
eventMetadata | isDetectOnlyEvent | Boolean | Indicates whether it is a detection-only event. |
eventMetadata | threatName | String | The name of the detected threat. |
eventMetadata | fileActionTaken | String | Action taken on the file (e.g., ACTION_DENY). |
file | fullPath | String | The full path of the file. |
file | path | String | The directory where the file is located. |
file | extension | String | The file extension of the involved file (e.g., "exe"). |
file | fileName | String | The name of the file. |
file | sha256 | String | The SHA-256 hash of the file. |
file | nonPEFile | Boolean | Indicates whether the file is a non-PE (Portable Executable) file. |
file | macroEmbedded | Boolean | Indicates whether the file contains embedded macros (e.g., 'false' if no macros are present). |
asset | fullOSName | String | The full name of the operating system running on the host. |
asset | hostName | String | The hostname of the system. |
asset | agentId | String | The unique identifier for the agent on the asset. |
asset | interfaces | Array of Objects | The list of network interfaces on the asset. Dataset: asset.interfaces |
asset | customerId | String | The unique identifier for the customer. |
asset | platform | String | The platform on which the host is running (e.g., LINUX). |
asset | tags | Array of Objects | A list of tags assigned to the asset. Dataset: asset.tags |
asset.interfaces | macAddress | String | The MAC address of the network interface. |
asset.interfaces | ipAddress | String | The IP address of the network interface. |
asset.interfaces | interfaceName | String | The name of the network interface. |
asset.interfaces | gatewayAddress | String | The gateway address of the network interface. |
asset.tags | name | String | The name of the tag. |
asset.tags | uuid | String | The unique identifier for the tag. |
Response Codes
The response codes for this API are as follows:
HTTP Status Code | Status | Description |
---|---|---|
200 | OK: Get data | The request was successful, and the data was returned. |
204 | No Content: All data received | The request was successful, but there is no data to return. |
400 | Bad Request: Data not found | The request was invalid or malformed (e.g., missing parameters, invalid syntax). |
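A Python client for the two-step flow documented above, added here as an example rather than Qualys' own code or SDK: the base URL, the transport functions and the constructed sample pages are assumptions, while the path, the query parameters, the searchAfterValue header and the 200/204/400 semantics are taken from this page. The loop sends the initial request without a cursor, passes each response's searchAfterValue header back as searchAfterValues, stops on HTTP 204, and refuses to spin if the server ever repeats a cursor.

```python
import json
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Path as documented on this page; the base URL and the transports below are assumptions.
SEARCH_AFTER_PATH = "/ioc/incidents/events/searchAfter"
# A transport performs one GET and returns (http_status, response_headers, body_text).
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], str]]


def build_request(base_url: str, token: str, filter_query: Optional[str] = None,
                  page_size: Optional[int] = None,
                  search_after: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """URL and headers for one call. searchAfterValues carries the cursor taken from the
    previous response's searchAfterValue header; the initial request sends none."""
    params = {}
    if filter_query:
        params["filter"] = filter_query
    if page_size is not None:
        params["pageSize"] = str(page_size)
    if search_after:
        params["searchAfterValues"] = search_after
    url = base_url.rstrip("/") + SEARCH_AFTER_PATH
    if params:
        url += "?" + urlencode(params)
    # "Bearer", a space, then the token, as the Authorization parameter requires.
    return url, {"accept": "*/*", "Authorization": "Bearer " + token}


def iter_events(fetch: Fetch, base_url: str, token: str, filter_query: Optional[str] = None,
                page_size: Optional[int] = None, max_pages: int = 10_000) -> Iterator[dict]:
    """Initial request without a cursor, follow-ups with the previous cursor, stop on 204."""
    cursor: Optional[str] = None
    seen_cursors = set()
    for _ in range(max_pages):
        url, headers = build_request(base_url, token, filter_query, page_size, cursor)
        status, resp_headers, body = fetch(url, headers)
        if status == 204:  # No Content: all data received
            return
        if status != 200:  # e.g. 400 Bad Request; keep the Authorization header out of the error
            raise RuntimeError(f"GET {url.split('?')[0]} failed with HTTP {status}")
        events = json.loads(body)
        if not isinstance(events, list):
            raise ValueError("expected a JSON array of events")
        yield from events
        # Header names are case-insensitive; normalise before reading the cursor.
        lowered = {k.lower(): v for k, v in resp_headers.items()}
        next_cursor = lowered.get("searchaftervalue")
        if not next_cursor or next_cursor in seen_cursors:
            return  # no cursor, or a repeated one: stop rather than loop forever
        seen_cursors.add(next_cursor)
        cursor = next_cursor
    raise RuntimeError(f"stopped after {max_pages} pages without a 204")


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    # Real transport (assumed): a plain GET over urllib against the platform gateway.
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=60) as r:
        return r.status, dict(r.headers.items()), r.read().decode("utf-8")


def summarize(events: List[dict]) -> List[Tuple[str, str, str, str]]:
    """Reduce each event to (id, action, first verdict, file sha256) for triage."""
    rows = []
    for e in events:
        verdicts = e.get("verdict") or []
        sha = ((e.get("file") or {}).get("sha256") or "").strip()  # tolerate padded hashes
        rows.append((e.get("id", ""), e.get("action", ""), verdicts[0] if verdicts else "", sha))
    return rows


# Constructed offline transport: two pages shaped like the samples above, then a 204.
_PAGES = {
    None: (200, {"searchAfterValue": "1639811976662,RTF_CONSTRUCTED_1"}, json.dumps(
        [{"id": "EV-1", "action": "DELETED", "verdict": ["REMEDIATED"], "file": {"sha256": "aaa111"}}])),
    "1639811976662,RTF_CONSTRUCTED_1": (200, {"SearchAfterValue": "1639811976663,RTF_CONSTRUCTED_2"},
        json.dumps([{"id": "EV-2", "action": "ACCESS_DENIED", "verdict": ["MALICIOUS"],
                     "file": {"sha256": " bbb222 "}}])),
    "1639811976663,RTF_CONSTRUCTED_2": (204, {}, ""),
}


def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    assert headers["Authorization"].startswith("Bearer ")
    cursor = parse_qs(urlparse(url).query).get("searchAfterValues", [None])[0]
    return _PAGES[cursor]


def collect_all(fetch: Fetch = fake_fetch) -> List[Tuple[str, str, str, str]]:
    return summarize(list(iter_events(fetch, "https://gateway.example.invalid", "TOKEN",
                                      filter_query="action: 'Created'", page_size=1)))
```

Pass `urllib_fetch`, your gateway URL and a real token to `collect_all` to run the same loop against the platform; the cursor guard and the 204 stop condition are what keep an unattended export from looping.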
V1.0
The V1.0 endpoint takes the same input parameters, returns the same response fields and uses the same response codes as the non-versioned endpoint described above; only the path differs, with /ioc/v1/ in place of /ioc/.
Sample - Initial Request
API request
curl -X GET "/ioc/v1/incidents/events/searchAfter" --header "accept: */*" --header "Authorization: Bearer <token>"
Sample - Follow-up Request
Next API request
curl -X GET "/ioc/v1/incidents/events/searchAfter?searchAfterValues=1639811976662,RTF_fXX871e0-c2fc-3XXc-XXbf-4XXXXe63ef47_15-12-2021" --header "accept: */*" --header "Authorization: Bearer <token>"
API Version History
The following table lists the versions of this API along with their status:
API Version | API Status | Release Date |
---|---|---|
/ioc/incidents/events/searchAfter | Active | |
/ioc/v1/incidents/events/searchAfter | Active | May 2025 |