Fetch Incident Events Using SearchAfter

For API version information, refer to the API Version History section.


Non-Versioned

This API retrieves a large set of incident events in smaller batches, using a cursor (searchAfterValues) to continue from where the previous batch ended.

The API involves a two-step process. An Initial Request, sent without searchAfterValues, returns the first batch of events together with a searchAfterValue response header. Each Follow-Up Request passes the searchAfterValue from the previous response as the searchAfterValues query parameter and returns the next batch. Repeat the follow-up request until the API responds with 204 No Content, which indicates that all data has been received.

GET /ioc/incidents/events/searchAfter

Input Parameters for Incident Events

Input Parameters | Mandatory/Optional | Format | Description
Authorization | Mandatory | String | Bearer token that authenticates the caller to the Qualys Enterprise TruRisk™ Platform. Prepend the token with "Bearer" and a space, for example: Bearer authToken.
filter | Optional | String | Filter the events list with a query in Qualys syntax. Refer to the How to Search topic in the online help for help with creating your query. You can filter events by the time the event was generated (event.datetime) or by the time it was processed at Qualys (event.eventprocesstime); to fetch events by date and time, use one of these two fields. For example: event.datetime:["2024-09-15T00:30:00.000Z".."2024-09-22T18:29:59.999Z"] AND action: 'Created'
pageNumber | Optional | String | Index of the page to return, starting from zero.
pageSize | Optional | String | Number of records per page in the response. The default value is 10.
include_attributes | Optional | String | Comma-separated list of attributes to return; the response contains only these attributes. For example: include_attributes=_type,_id,processName
exclude_attributes | Optional | String | Comma-separated list of attributes to omit from the response. For example: exclude_attributes=_type,_id,processName. Note: You need not exclude attributes if you have already listed specific attributes in include_attributes; attributes that are not included are excluded by default.
searchAfterValues | Optional | Array | Cursor from which to start fetching the next set of results. For example: 1722538573707,b2xxx2c4-xxx9-352f-8xx6-axxce3xx37ax. Note: Pass the value of the searchAfterValue header returned in the previous response. If not provided, the API returns the first page of results.

Sample - Initial Request

API request

curl -X GET "/ioc/incidents/events/searchAfter" --header "accept: */*" --header "Authorization: Bearer <token>"

Response

[
  {
    "dateTime": "2021-05-22T07:14:01.924+0000",
    "eventProcessedTime": "2021-05-22T08:22:17.210+0000",
    "workflow": 1,
    "eventSource": "EDR",
    "stateDocumentId": "RTF_2XXX2-XXX8-482e-aXX-e71c9dXX4_74XX87XX19XX4",
    "indicator2": [
      {
        "score": "1",
        "sha256": "2da4XXXXXa1c206db6eXXX4bXX654e47XXXX308dab0XX5ff0ebXXX5f9d22XX5",
        "familyName": "test-knowntomal",
        "verdict": "REMEDIATED",
        "threatName": "test-threat",
        "category": "test-type",
        "rowId": "7405876919274160783"
      }
    ],
    "type": "FILE",
    "actor": {
      "processEventId": "RTP_XXX66462-ff28-48X-eXX671cXXX94_612XXX07X",
      "processUniqueId": "6124620742717860794",
      "processId": 19400,
      "processName": "powershell.exe",
      "userName": "NT AUTHORITY\\SYSTEM",
      "imageFullPath": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe"
    },
    "score": "1",
    "file": {
      "extension": "exe",
      "fileName": "123dsad_MALICIOUS - Copy.exe",
      "sha256": "xxxc953e80xxxxxc37eb0xxxxxd97fa71bxxxx9d05f8xxx29",
      "size": 180736,
      "nonPEFile": false,
      "macroEmbedded": false,
      "fileType": "Regular File",
      "md5": "ee59d4xxxxxx578cf8fxxxxx436d"
    },
    "verdict": [
      "REMEDIATED"
    ],
    "familyName": [
      "test-knowntomal"
    ],
    "customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bce3",
    "action": "DELETED",
    "id": "RTF_c8xxxxxxb-d622-xx-b02b-xxxxxxxxx_22-5-2021",
    "category": [
      "test-type"
    ],
    "incidentId": "7af49e37-4b5a-3912-8715-1f8fe325ea29",
    "asset": {
      "fullOSName": "Microsoft Windows Server 2019 Standard 10.0.17763",
      "hostName": "<host_name>",
      "agentId": "X1aXX462-fXX8-482e-a0XX-e0eXXXX9dd9X",
      "interfaces": [
        {
          "macAddress": "00:xx:56:xx:98:xx",
          "ipAddress": "10.xx.98.162",
          "interfaceName": "Intel(R) 82574L Gigabit Network Connection",
          "gatewayAddress": "xx.xx.98.1"
        }
      ],
      "netBiosName": "<net_bios_name>",
      "customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bce3",
      "platform": "Windows",
      "tags": [
        {
          "name": "Cloud Agent",
          "uuid": "X4e67XXX-XX78-4f32-bfXX-Xe480bc24XXX"
        }
      ]
    },
    "uniqueId": "7405876919274160783"
  },
  ..
]

Sample - Follow-up Request

Next API request

curl -X GET "/ioc/incidents/events/searchAfter?searchAfterValues=1639811976662,RTF_fXX871e0-c2fc-3XXc-XXbf-4XXXXe63ef47_15-12-2021" --header "accept: */*" --header "Authorization: Bearer <token>"

Response

[
  {
    "dateTime": "2025-01-27T00:30:00.000+0000",
    "eppVerdict": {
      "score": 3,
      "verdictSource": "EPP",
      "familyName": "BD.TestSignature",
      "verdict": "MALICIOUS",
      "threatName": "BD.TestSignature",
      "category": "VIRUS",
      "rowId": "40XX1bXX-2XX5-3XXa-aXX7-22XX07XX77XX"
    },
    "workflow": 6,
    "activeMalware": false,
    "eventSource": "Anti-malware",
    "stateDocumentId": "RTF_dXX37e8XXa-1eXX-47XX-86XX-29XX17c9XX04_40XX1bXX-2XX5-3XXa-aXX7-22XX07XX77XX",
    "indicator2": [
      {
        "score": "7",
        "sha256": "b2XX5eXX9XX09XX40XX8eXXadXX3fXX7bbXX1dc8XXf313aXX6aeddXX062bXXXX",
        "familyName": "CR_OCI_PUA",
        "verdict": "MALICIOUS",
        "threatName": "worm",
        "category": "worm",
        "rowId": "40XX1bXX-2XX5-3XXa-aXX7-22XX07XX77XX"
      }
    ],
    "type": "FILE",
    "eventMetadata": {
      "isDetectedByEPP": true,
      "detectionType": "On-Demand",
      "threatType": "VIRUS",
      "fileState": "PRESENT",
      "malwareType": "FILE",
      "isDetectOnlyEvent": false,
      "threatName": "BD.TestSignature",
      "fileActionTaken": "ACTION_DENY"
    },
    "score": "7",
    "scoreSource": "REVERSING_LAB",
    "file": {
      "fullPath": "/root/dummy/dummyarch_test.txt",
      "path": "/root/dummy",
      "extension": "txt",
      "fileName": "dummyarch_test.txt",
      "sha256": "b2XX5e77XX20909XXc18e09XXaf3f1f7XXad1dcXXaf313a98XXedd6XX62b0XXX",
      "nonPEFile": false,
      "macroEmbedded": false
    },
    "verdict": [
      "MALICIOUS"
    ],
    "familyName": [
      "CR_OCI_PUA",
      "BD.TestSignature"
    ],
    "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
    "threatName": [
      "worm"
    ],
    "action": "ACCESS_DENIED",
    "id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
    "category": [
      "VIRUS",
      "worm"
    ],
    "incidentId": "0bXX08XX-2XXd-3XX5-8XX9-10XX8XX7aXX6",
    "asset": {
      "fullOSName": "Red Hat Enterprise Linux 9.4",
      "hostName": "localhost.localdomain",
      "agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
      "interfaces": [
        {
          "macAddress": "00:X0:XX:0X:00:00",
          "ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
          "interfaceName": "ens192",
          "gatewayAddress": "XX.XX.X0X.X"
        },
        {
          "macAddress": "00:X0:XX:0X:00:00",
          "ipAddress": "X0.1X.XX1.00",
          "interfaceName": "ens192",
          "gatewayAddress": "XX.XX.X0X.X"
        }
      ],
      "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
      "platform": "LINUX",
      "tags": [
        {
          "name": "Cloud Agent",
          "uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
        }
      ]
    }
  },
 
  ....
 
  {
    "dateTime": "2025-01-27T00:30:00.000+0000",
    "eppVerdict": {
      "score": 3,
      "verdictSource": "EPP",
      "familyName": "BD.TestSignature",
      "verdict": "MALICIOUS",
      "threatName": "BD.TestSignature",
      "category": "VIRUS",
      "rowId": "c6740b5f-eb18-3e46-9c96-c012a03dXXXX"
    },
    "workflow": 6,
    "activeMalware": false,
    "eventSource": "Anti-malware",
    "stateDocumentId": "RTF_d83XXe8a-1ea3-47cb-864a-2919XXXX4a04_c6740b5f-eb18-XXXX-9c96-c012a03dXXXX",
    "indicator2": [
      {
        "score": "7",
        "sha256": "b22XXXX7912090940c18e09aXXXXX1f7bbad1dc84af313a986XXXX6f062bXXXX",
        "familyName": "CR_OCI_PUA",
        "verdict": "MALICIOUS",
        "threatName": "worm",
        "category": "worm",
        "rowId": "c6XXXX5f-eb18-3e46-9cXX-c012a03dXXXX"
      }
    ],
    "type": "FILE",
    "eventMetadata": {
      "isDetectedByEPP": true,
      "detectionType": "On-Demand",
      "threatType": "VIRUS",
      "fileState": "PRESENT",
      "malwareType": "FILE",
      "isDetectOnlyEvent": false,
      "threatName": "BD.TestSignature",
      "fileActionTaken": "ACTION_DENY"
    },
    "score": "7",
    "scoreSource": "REVERSING_LAB",
    "file": {
      "fullPath": "/root/dummy/dummyarch_test_deep.txt",
      "path": "/root/dummy",
      "extension": "txt",
      "fileName": "dummyarch_test_deep.txt",
      "sha256": "b22XXXX7912090940c18e09aXXXXX1f7bbad1dc84af313a986XXXX6f062bXXXX",
      "nonPEFile": false,
      "macroEmbedded": false
    },
    "verdict": [
      "MALICIOUS"
    ],
    "familyName": [
      "CR_OCI_PUA",
      "BD.TestSignature"
    ],
    "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
    "threatName": [
      "worm"
    ],
    "action": "ACCESS_DENIED",
    "id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
    "category": [
      "VIRUS",
      "worm"
    ],
    "incidentId": "0bXX08XX-2XXd-3XX5-8XX9-10XX8XX7aXX6",
    "asset": {
      "fullOSName": "Red Hat Enterprise Linux 9.4",
      "hostName": "localhost.localdomain",
      "agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
      "interfaces": [
        {
          "macAddress": "00:X0:XX:0X:00:00",
          "ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
          "interfaceName": "ens192",
          "gatewayAddress": "XX.XX.X0X.X"
        },
        {
          "macAddress": "00:X0:XX:0X:00:00",
          "ipAddress": "X0.1X.XX1.00",
          "interfaceName": "ens192",
          "gatewayAddress": "XX.XX.X0X.X"
        }
      ],
      "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
      "platform": "LINUX",
      "tags": [
        {
          "name": "Cloud Agent",
          "uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
        }
      ]
    }
  }
]

Response Field Descriptions

Dataset Name | Field Name | Data Type | Description
Incidents-Events | dateTime | Timestamp | Timestamp of the event occurrence.
Incidents-Events | eppVerdict | Object | Details about the Endpoint Protection (EPP) verdict. See dataset eppVerdict.
Incidents-Events | activeMalware | Boolean | Indicates whether the malware is active.
Incidents-Events | eventSource | String | The source of the event (e.g. Anti-malware).
Incidents-Events | indicator2 | Array of Objects | The list of indicators related to the event. See dataset indicator2.
Incidents-Events | type | String | The type of event (e.g. FILE).
Incidents-Events | eventMetadata | Object | The metadata related to the event. See dataset eventMetadata.
Incidents-Events | score | String | The score assigned to the event.
Incidents-Events | scoreSource | String | The source of the score (e.g. Anti-malware, Behavioral Detection, Qualys Research, Sandbox, Threat Intelligence; the sample above shows REVERSING_LAB).
Incidents-Events | file | Object | Details about the affected file. See dataset file.
Incidents-Events | verdict | Array of Strings | The list of verdicts (e.g. MALICIOUS).
Incidents-Events | familyName | Array of Strings | A list of detected malware families.
Incidents-Events | customerId | String | A unique identifier (UUID) for the customer.
Incidents-Events | threatName | Array of Strings | A list of detected threat names.
Incidents-Events | action | String | The action taken on the event (e.g. ACCESS_DENIED).
Incidents-Events | id | String | A unique identifier for the event.
Incidents-Events | category | Array of Strings | A list of malware categories (e.g. VIRUS, worm).
Incidents-Events | incidentId | String | A unique identifier (UUID) for the related incident.
Incidents-Events | asset | Object | Details about the affected asset. See dataset asset.
eppVerdict | score | Integer | The score assigned to the detected event by EPP.
eppVerdict | verdictSource | String | The source of the verdict (e.g. EPP).
eppVerdict | familyName | String | The family name of the detected malware.
eppVerdict | verdict | String | The verdict of the detection (e.g. MALICIOUS).
eppVerdict | threatName | String | The name of the detected threat.
eppVerdict | category | String | The category of the detected threat.
eppVerdict | rowId | String | A unique identifier for the verdict record.
indicator2 | score | String | The score assigned to the indicator.
indicator2 | sha256 | String | The SHA-256 hash of the file associated with the indicator.
indicator2 | familyName | String | The family name of the detected malware.
indicator2 | verdict | String | The verdict assigned to the file (e.g. MALICIOUS).
indicator2 | threatName | String | The name of the detected threat.
indicator2 | category | String | The category of the detected threat.
indicator2 | rowId | String | A unique identifier for the indicator row.
eventMetadata | isDetectedByEPP | Boolean | Indicates whether EPP detected the threat.
eventMetadata | detectionType | String | The detection type (e.g. On-Demand).
eventMetadata | threatType | String | The threat type (e.g. VIRUS).
eventMetadata | fileState | String | The state of the detected file (e.g. PRESENT).
eventMetadata | malwareType | String | The type of detected malware (e.g. FILE).
eventMetadata | isDetectOnlyEvent | Boolean | Indicates whether this is a detection-only event.
eventMetadata | threatName | String | The name of the detected threat.
eventMetadata | fileActionTaken | String | Action taken on the file (e.g. ACTION_DENY).
file | fullPath | String | The full path of the file.
file | path | String | The directory where the file is located.
file | extension | String | The file extension (e.g. exe).
file | fileName | String | The name of the file.
file | sha256 | String | The SHA-256 hash of the file.
file | nonPEFile | Boolean | Indicates whether the file is a non-PE (Portable Executable) file.
file | macroEmbedded | Boolean | Indicates whether the file contains embedded macros (false if no macros are present).
asset | fullOSName | String | The full name of the operating system running on the host.
asset | hostName | String | The hostname of the system.
asset | agentId | String | The unique identifier of the agent on the asset.
asset | interfaces | Array of Objects | The list of network interfaces on the asset. See dataset asset.interfaces.
asset | customerId | String | The unique identifier for the customer.
asset | platform | String | The platform on which the host is running (e.g. LINUX).
asset | tags | Array of Objects | A list of tags assigned to the asset. See dataset asset.tags.
asset.interfaces | macAddress | String | The MAC address of the network interface.
asset.interfaces | ipAddress | String | The IP address of the network interface (IPv4 or IPv6).
asset.interfaces | interfaceName | String | The name of the network interface.
asset.interfaces | gatewayAddress | String | The gateway address of the network interface.
asset.tags | name | String | The name of the tag.
asset.tags | uuid | String | The unique identifier for the tag.

Events from other sources carry additional fields that are not listed above; the EDR event in the initial request sample, for example, includes eventProcessedTime, workflow, stateDocumentId, actor (the process that acted on the file), uniqueId, and file.md5, file.size and file.fileType.

Response Codes

The response codes for this API are as follows:

HTTP Status Code | Description
200 | OK: Get data. The request was successful and the data was returned.
204 | No Content: All data received. The request was successful but there is no further data to return; stop sending follow-up requests.
400 | Bad Request: Data not found. The request was invalid or malformed (e.g. missing parameters or invalid syntax).

V1.0

This API retrieves a large set of incident events in smaller batches, using a cursor (searchAfterValues) to continue from where the previous batch ended.

The API involves a two-step process. An Initial Request, sent without searchAfterValues, returns the first batch of events together with a searchAfterValue response header. Each Follow-Up Request passes the searchAfterValue from the previous response as the searchAfterValues query parameter and returns the next batch. Repeat the follow-up request until the API responds with 204 No Content, which indicates that all data has been received.
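The flow described above, as an added example that is not Qualys code: a small Python client that sends the initial request, reads the searchAfterValue response header, re-issues the request with searchAfterValues until the API answers 204 No Content, and stops rather than looping if a cursor repeats. It also shows how the filter, pageSize, include_attributes and Authorization values are assembled. The same loop serves the non-versioned path; only ENDPOINT differs. The gateway host placeholder (<qualys_base_url>), the transport abstraction, and the constructed pages served by make_fake_transport are assumptions so the example runs offline; urllib_transport is the path used against the real platform.

```python
"""Paginate GET /ioc/v1/incidents/events/searchAfter with the searchAfterValue cursor."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Assumption: your subscription's API gateway host; the documentation shows only the path.
BASE_URL = "https://<qualys_base_url>"
ENDPOINT = "/ioc/v1/incidents/events/searchAfter"  # non-versioned: "/ioc/incidents/events/searchAfter"

# A transport sends a prepared request and returns (status, response headers, body).
Transport = Callable[[urllib.request.Request], Tuple[int, Dict[str, str], bytes]]


def build_request(token: str, filter_expr: Optional[str] = None, page_size: Optional[int] = None,
                  include_attributes: Optional[List[str]] = None,
                  search_after: Optional[str] = None) -> urllib.request.Request:
    """Assemble the GET request; urlencode quotes the filter (quotes, colons, brackets) and the cursor."""
    params: Dict[str, str] = {}
    if filter_expr:
        params["filter"] = filter_expr
    if page_size is not None:
        params["pageSize"] = str(page_size)
    if include_attributes:
        params["include_attributes"] = ",".join(include_attributes)
    if search_after:
        params["searchAfterValues"] = search_after  # cursor copied verbatim from the previous response
    url = BASE_URL + ENDPOINT + ("?" + urllib.parse.urlencode(params) if params else "")
    # The Authorization value is the word Bearer, one space, then the token.
    headers = {"accept": "*/*", "Authorization": f"Bearer {token}"}
    return urllib.request.Request(url, headers=headers, method="GET")


def urllib_transport(req: urllib.request.Request) -> Tuple[int, Dict[str, str], bytes]:
    """Real transport: perform the request and surface HTTP errors as (status, headers, body)."""
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read()


def iter_events(token: str, transport: Transport, **query) -> Iterator[dict]:
    """Initial request, then follow-up requests with the returned cursor until 204 No Content."""
    search_after: Optional[str] = None
    seen_cursors = set()
    while True:
        status, headers, body = transport(build_request(token, search_after=search_after, **query))
        if status == 204:  # "All data received": stop
            return
        if status != 200:  # 400 covers a malformed filter or an unusable cursor
            raise RuntimeError(f"HTTP {status}: {body[:200]!r}")
        page = json.loads(body)
        if not page:
            return
        yield from page
        # Header names are case-insensitive; the API names this one searchAfterValue.
        cursor = next((v for k, v in headers.items() if k.lower() == "searchaftervalue"), None)
        if not cursor or cursor in seen_cursors:  # missing or repeated cursor: stop instead of looping forever
            return
        seen_cursors.add(cursor)
        search_after = cursor


def collect_events(token: str, transport: Transport, **query) -> List[dict]:
    return list(iter_events(token, transport, **query))


# Constructed stand-in for the service, used to exercise the loop offline.
SAMPLE_PAGES = [  # constructed events; "millis,id" mirrors the cursor shape shown in the documentation
    [{"id": "evt-1", "millis": 1737937800000, "action": "ACCESS_DENIED"},
     {"id": "evt-2", "millis": 1737937800001, "action": "ACCESS_DENIED"}],
    [{"id": "evt-3", "millis": 1737937800002, "action": "DELETED"},
     {"id": "evt-4", "millis": 1737937800003, "action": "DELETED"}],
    [{"id": "evt-5", "millis": 1737937800004, "action": "ACCESS_DENIED"}],
]


def make_fake_transport(pages: List[List[dict]], expected_token: str) -> Transport:
    """Serve `pages` one per request, keyed by cursor, and answer 204 once they are exhausted."""
    def cursor_of(page: List[dict]) -> str:
        return f"{page[-1]['millis']},{page[-1]['id']}"
    next_index = {cursor_of(p): i + 1 for i, p in enumerate(pages)}

    def transport(req: urllib.request.Request) -> Tuple[int, Dict[str, str], bytes]:
        if req.get_header("Authorization") != f"Bearer {expected_token}":
            return 401, {}, b"unauthorized"
        query = urllib.parse.parse_qs(urllib.parse.urlparse(req.full_url).query)
        cursor = query.get("searchAfterValues", [None])[0]
        index = 0 if cursor is None else next_index.get(cursor)
        if index is None:
            return 400, {}, b"Bad Request: unknown cursor"
        if index >= len(pages):
            return 204, {}, b""
        page = pages[index]
        return 200, {"searchAfterValue": cursor_of(page)}, json.dumps(page).encode()
    return transport


if __name__ == "__main__":
    # Swap make_fake_transport(...) for urllib_transport to query the real platform.
    for event in iter_events("demo-token", make_fake_transport(SAMPLE_PAGES, "demo-token"), page_size=2):
        print(event["id"], event["action"])
```

The transport is injected so the pagination logic can be tested without the platform; the cursor is treated as an opaque string and passed back exactly as received, which is all the API asks for.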

GET /ioc/v1/incidents/events/searchAfter

Input Parameters for Incident Events

Input Parameters | Mandatory/Optional | Format | Description
Authorization | Mandatory | String | Bearer token that authenticates the caller to the Qualys Enterprise TruRisk™ Platform. Prepend the token with "Bearer" and a space, for example: Bearer authToken.
filter | Optional | String | Filter the events list with a query in Qualys syntax. Refer to the How to Search topic in the online help for help with creating your query. You can filter events by the time the event was generated (event.datetime) or by the time it was processed at Qualys (event.eventprocesstime); to fetch events by date and time, use one of these two fields. For example: event.datetime:["2024-09-15T00:30:00.000Z".."2024-09-22T18:29:59.999Z"] AND action: 'Created'
pageNumber | Optional | String | Index of the page to return, starting from zero.
pageSize | Optional | String | Number of records per page in the response. The default value is 10.
include_attributes | Optional | String | Comma-separated list of attributes to return; the response contains only these attributes. For example: include_attributes=_type,_id,processName
exclude_attributes | Optional | String | Comma-separated list of attributes to omit from the response. For example: exclude_attributes=_type,_id,processName. Note: You need not exclude attributes if you have already listed specific attributes in include_attributes; attributes that are not included are excluded by default.
searchAfterValues | Optional | Array | Cursor from which to start fetching the next set of results. For example: 1722538573707,b2xxx2c4-xxx9-352f-8xx6-axxce3xx37ax. Note: Pass the value of the searchAfterValue header returned in the previous response. If not provided, the API returns the first page of results.

Sample - Initial Request

API request

curl -X GET "/ioc/v1/incidents/events/searchAfter" --header "accept: */*" --header "Authorization: Bearer <token>"

Response

[
  {
    "dateTime": "2021-05-22T07:14:01.924+0000",
    "eventProcessedTime": "2021-05-22T08:22:17.210+0000",
    "workflow": 1,
    "eventSource": "EDR",
    "stateDocumentId": "RTF_2XXX2-XXX8-482e-aXX-e71c9dXX4_74XX87XX19XX4",
    "indicator2": [
      {
        "score": "1",
        "sha256": "2da4XXXXXa1c206db6eXXX4bXX654e47XXXX308dab0XX5ff0ebXXX5f9d22XX5",
        "familyName": "test-knowntomal",
        "verdict": "REMEDIATED",
        "threatName": "test-threat",
        "category": "test-type",
        "rowId": "7405876919274160783"
      }
    ],
    "type": "FILE",
    "actor": {
      "processEventId": "RTP_XXX66462-ff28-48X-eXX671cXXX94_612XXX07X",
      "processUniqueId": "6124620742717860794",
      "processId": 19400,
      "processName": "powershell.exe",
      "userName": "NT AUTHORITY\\SYSTEM",
      "imageFullPath": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe"
    },
    "score": "1",
    "file": {
      "extension": "exe",
      "fileName": "123dsad_MALICIOUS - Copy.exe",
      "sha256": "xxxc953e80xxxxxc37eb0xxxxxd97fa71bxxxx9d05f8xxx29",
      "size": 180736,
      "nonPEFile": false,
      "macroEmbedded": false,
      "fileType": "Regular File",
      "md5": "ee59d4xxxxxx578cf8fxxxxx436d"
    },
    "verdict": [
      "REMEDIATED"
    ],
    "familyName": [
      "test-knowntomal"
    ],
    "customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bce3",
    "action": "DELETED",
    "id": "RTF_c8xxxxxxb-d622-xx-b02b-xxxxxxxxx_22-5-2021",
    "category": [
      "test-type"
    ],
    "incidentId": "7af49e37-4b5a-3912-8715-1f8fe325ea29",
    "asset": {
      "fullOSName": "Microsoft Windows Server 2019 Standard 10.0.17763",
      "hostName": "<host_name>",
      "agentId": "X1aXX462-fXX8-482e-a0XX-e0eXXXX9dd9X",
      "interfaces": [
        {
          "macAddress": "00:xx:56:xx:98:xx",
          "ipAddress": "10.xx.98.162",
          "interfaceName": "Intel(R) 82574L Gigabit Network Connection",
          "gatewayAddress": "xx.xx.98.1"
        }
      ],
      "netBiosName": "<net_bios_name>",
      "customerId": "xxxcade1-xxx5-xxx1-xxx3-xxx08f55bce3",
      "platform": "Windows",
      "tags": [
        {
          "name": "Cloud Agent",
          "uuid": "X4e67XXX-XX78-4f32-bfXX-Xe480bc24XXX"
        }
      ]
    },
    "uniqueId": "7405876919274160783"
  },
  ..
]

Sample - Follow-up Request

Next API request

curl -X GET "/ioc/v1/incidents/events/searchAfter?searchAfterValues=1639811976662,RTF_fXX871e0-c2fc-3XXc-XXbf-4XXXXe63ef47_15-12-2021" --header "accept: */*" --header "Authorization: Bearer <token>"

Response

[
  {
    "dateTime": "2025-01-27T00:30:00.000+0000",
    "eppVerdict": {
      "score": 3,
      "verdictSource": "EPP",
      "familyName": "BD.TestSignature",
      "verdict": "MALICIOUS",
      "threatName": "BD.TestSignature",
      "category": "VIRUS",
      "rowId": "40XX1bXX-2XX5-3XXa-aXX7-22XX07XX77XX"
    },
    "workflow": 6,
    "activeMalware": false,
    "eventSource": "Anti-malware",
    "stateDocumentId": "RTF_dXX37e8XXa-1eXX-47XX-86XX-29XX17c9XX04_40XX1bXX-2XX5-3XXa-aXX7-22XX07XX77XX",
    "indicator2": [
      {
        "score": "7",
        "sha256": "b2XX5eXX9XX09XX40XX8eXXadXX3fXX7bbXX1dc8XXf313aXX6aeddXX062bXXXX",
        "familyName": "CR_OCI_PUA",
        "verdict": "MALICIOUS",
        "threatName": "worm",
        "category": "worm",
        "rowId": "40XX1bXX-2XX5-3XXa-aXX7-22XX07XX77XX"
      }
    ],
    "type": "FILE",
    "eventMetadata": {
      "isDetectedByEPP": true,
      "detectionType": "On-Demand",
      "threatType": "VIRUS",
      "fileState": "PRESENT",
      "malwareType": "FILE",
      "isDetectOnlyEvent": false,
      "threatName": "BD.TestSignature",
      "fileActionTaken": "ACTION_DENY"
    },
    "score": "7",
    "scoreSource": "REVERSING_LAB",
    "file": {
      "fullPath": "/root/dummy/dummyarch_test.txt",
      "path": "/root/dummy",
      "extension": "txt",
      "fileName": "dummyarch_test.txt",
      "sha256": "b2XX5e77XX20909XXc18e09XXaf3f1f7XXad1dcXXaf313a98XXedd6XX62b0XXX",
      "nonPEFile": false,
      "macroEmbedded": false
    },
    "verdict": [
      "MALICIOUS"
    ],
    "familyName": [
      "CR_OCI_PUA",
      "BD.TestSignature"
    ],
    "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
    "threatName": [
      "worm"
    ],
    "action": "ACCESS_DENIED",
    "id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
    "category": [
      "VIRUS",
      "worm"
    ],
    "incidentId": "0bXX08XX-2XXd-3XX5-8XX9-10XX8XX7aXX6",
    "asset": {
      "fullOSName": "Red Hat Enterprise Linux 9.4",
      "hostName": "localhost.localdomain",
      "agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
      "interfaces": [
        {
          "macAddress": "00:X0:XX:0X:00:00",
          "ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
          "interfaceName": "ens192",
          "gatewayAddress": "XX.XX.X0X.X"
        },
        {
          "macAddress": "00:X0:XX:0X:00:00",
          "ipAddress": "X0.1X.XX1.00",
          "interfaceName": "ens192",
          "gatewayAddress": "XX.XX.X0X.X"
        }
      ],
      "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
      "platform": "LINUX",
      "tags": [
        {
          "name": "Cloud Agent",
          "uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
        }
      ]
    }
  },
 
  ....
 
  {
    "dateTime": "2025-01-27T00:30:00.000+0000",
    "eppVerdict": {
      "score": 3,
      "verdictSource": "EPP",
      "familyName": "BD.TestSignature",
      "verdict": "MALICIOUS",
      "threatName": "BD.TestSignature",
      "category": "VIRUS",
      "rowId": "c6740b5f-eb18-3e46-9c96-c012a03dXXXX"
    },
    "workflow": 6,
    "activeMalware": false,
    "eventSource": "Anti-malware",
    "stateDocumentId": "RTF_d83XXe8a-1ea3-47cb-864a-2919XXXX4a04_c6740b5f-eb18-XXXX-9c96-c012a03dXXXX",
    "indicator2": [
      {
        "score": "7",
        "sha256": "b22XXXX7912090940c18e09aXXXXX1f7bbad1dc84af313a986XXXX6f062bXXXX",
        "familyName": "CR_OCI_PUA",
        "verdict": "MALICIOUS",
        "threatName": "worm",
        "category": "worm",
        "rowId": "c6XXXX5f-eb18-3e46-9cXX-c012a03dXXXX"
      }
    ],
    "type": "FILE",
    "eventMetadata": {
      "isDetectedByEPP": true,
      "detectionType": "On-Demand",
      "threatType": "VIRUS",
      "fileState": "PRESENT",
      "malwareType": "FILE",
      "isDetectOnlyEvent": false,
      "threatName": "BD.TestSignature",
      "fileActionTaken": "ACTION_DENY"
    },
    "score": "7",
    "scoreSource": "REVERSING_LAB",
    "file": {
      "fullPath": "/root/dummy/dummyarch_test_deep.txt",
      "path": "/root/dummy",
      "extension": "txt",
      "fileName": "dummyarch_test_deep.txt",
      "sha256": "b22XXXX7912090940c18e09aXXXXX1f7bbad1dc84af313a986XXXX6f062bXXXX",
      "nonPEFile": false,
      "macroEmbedded": false
    },
    "verdict": [
      "MALICIOUS"
    ],
    "familyName": [
      "CR_OCI_PUA",
      "BD.TestSignature"
    ],
    "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
    "threatName": [
      "worm"
    ],
    "action": "ACCESS_DENIED",
    "id": "XXX8a87X-XXbb-4XX9-XX74-XXX08f6XX54X",
    "category": [
      "VIRUS",
      "worm"
    ],
    "incidentId": "0bXX08XX-2XXd-3XX5-8XX9-10XX8XX7aXX6",
    "asset": {
      "fullOSName": "Red Hat Enterprise Linux 9.4",
      "hostName": "localhost.localdomain",
      "agentId": "x82xx34x-5xxx-4110-9878-x91x5x476x47",
      "interfaces": [
        {
          "macAddress": "00:X0:XX:0X:00:00",
          "ipAddress": "fXX0:0:0:0:XXX9:1XX9:2XXb:XXed",
          "interfaceName": "ens192",
          "gatewayAddress": "XX.XX.X0X.X"
        },
        {
          "macAddress": "00:X0:XX:0X:00:00",
          "ipAddress": "X0.1X.XX1.00",
          "interfaceName": "ens192",
          "gatewayAddress": "XX.XX.X0X.X"
        }
      ],
      "customerId": "8380x005-x923-x37x-8032-42xx709x6xx7",
      "platform": "LINUX",
      "tags": [
        {
          "name": "Cloud Agent",
          "uuid": "XXX676fX-cXX8-XX32-bfXX-XXX8XbcXXX1b"
        }
      ]
    }
  }
]

Response Field Descriptions

Dataset Name | Field Name | Data Type | Description
Incidents-Events | dateTime | Timestamp | Timestamp of the event occurrence.
Incidents-Events | eppVerdict | Object | Details about the Endpoint Protection (EPP) verdict. See dataset eppVerdict.
Incidents-Events | activeMalware | Boolean | Indicates whether the malware is active.
Incidents-Events | eventSource | String | The source of the event (e.g. Anti-malware).
Incidents-Events | indicator2 | Array of Objects | The list of indicators related to the event. See dataset indicator2.
Incidents-Events | type | String | The type of event (e.g. FILE).
Incidents-Events | eventMetadata | Object | The metadata related to the event. See dataset eventMetadata.
Incidents-Events | score | String | The score assigned to the event.
Incidents-Events | scoreSource | String | The source of the score (e.g. Anti-malware, Behavioral Detection, Qualys Research, Sandbox, Threat Intelligence; the sample above shows REVERSING_LAB).
Incidents-Events | file | Object | Details about the affected file. See dataset file.
Incidents-Events | verdict | Array of Strings | The list of verdicts (e.g. MALICIOUS).
Incidents-Events | familyName | Array of Strings | A list of detected malware families.
Incidents-Events | customerId | String | A unique identifier (UUID) for the customer.
Incidents-Events | threatName | Array of Strings | A list of detected threat names.
Incidents-Events | action | String | The action taken on the event (e.g. ACCESS_DENIED).
Incidents-Events | id | String | A unique identifier for the event.
Incidents-Events | category | Array of Strings | A list of malware categories (e.g. VIRUS, worm).
Incidents-Events | incidentId | String | A unique identifier (UUID) for the related incident.
Incidents-Events | asset | Object | Details about the affected asset. See dataset asset.
eppVerdict | score | Integer | The score assigned to the detected event by EPP.
eppVerdict | verdictSource | String | The source of the verdict (e.g. EPP).
eppVerdict | familyName | String | The family name of the detected malware.
eppVerdict | verdict | String | The verdict of the detection (e.g. MALICIOUS).
eppVerdict | threatName | String | The name of the detected threat.
eppVerdict | category | String | The category of the detected threat.
eppVerdict | rowId | String | A unique identifier for the verdict record.
indicator2 | score | String | The score assigned to the indicator.
indicator2 | sha256 | String | The SHA-256 hash of the file associated with the indicator.
indicator2 | familyName | String | The family name of the detected malware.
indicator2 | verdict | String | The verdict assigned to the file (e.g. MALICIOUS).
indicator2 | threatName | String | The name of the detected threat.
indicator2 | category | String | The category of the detected threat.
indicator2 | rowId | String | A unique identifier for the indicator row.
eventMetadata | isDetectedByEPP | Boolean | Indicates whether EPP detected the threat.
eventMetadata | detectionType | String | The detection type (e.g. On-Demand).
eventMetadata | threatType | String | The threat type (e.g. VIRUS).
eventMetadata | fileState | String | The state of the detected file (e.g. PRESENT).
eventMetadata | malwareType | String | The type of detected malware (e.g. FILE).
eventMetadata | isDetectOnlyEvent | Boolean | Indicates whether this is a detection-only event.
eventMetadata | threatName | String | The name of the detected threat.
eventMetadata | fileActionTaken | String | Action taken on the file (e.g. ACTION_DENY).
file | fullPath | String | The full path of the file.
file | path | String | The directory where the file is located.
file | extension | String | The file extension (e.g. exe).
file | fileName | String | The name of the file.
file | sha256 | String | The SHA-256 hash of the file.
file | nonPEFile | Boolean | Indicates whether the file is a non-PE (Portable Executable) file.
file | macroEmbedded | Boolean | Indicates whether the file contains embedded macros (false if no macros are present).
asset | fullOSName | String | The full name of the operating system running on the host.
asset | hostName | String | The hostname of the system.
asset | agentId | String | The unique identifier of the agent on the asset.
asset | interfaces | Array of Objects | The list of network interfaces on the asset. See dataset asset.interfaces.
asset | customerId | String | The unique identifier for the customer.
asset | platform | String | The platform on which the host is running (e.g. LINUX).
asset | tags | Array of Objects | A list of tags assigned to the asset. See dataset asset.tags.
asset.interfaces | macAddress | String | The MAC address of the network interface.
asset.interfaces | ipAddress | String | The IP address of the network interface (IPv4 or IPv6).
asset.interfaces | interfaceName | String | The name of the network interface.
asset.interfaces | gatewayAddress | String | The gateway address of the network interface.
asset.tags | name | String | The name of the tag.
asset.tags | uuid | String | The unique identifier for the tag.

Events from other sources carry additional fields that are not listed above; the EDR event in the initial request sample, for example, includes eventProcessedTime, workflow, stateDocumentId, actor (the process that acted on the file), uniqueId, and file.md5, file.size and file.fileType.

Response Codes

The response codes for this API are as follows:

HTTP Status Code | Description
200 | OK: Get data. The request was successful and the data was returned.
204 | No Content: All data received. The request was successful but there is no further data to return; stop sending follow-up requests.
400 | Bad Request: Data not found. The request was invalid or malformed (e.g. missing parameters or invalid syntax).

API Version History

The following table lists the versions of this API along with their status:

API Version | API Status | Release Date
/ioc/incidents/events/searchAfter | Active |
/ioc/v1/incidents/events/searchAfter | Active | May 2025