Fetch Events API

Use this API to get FIM events from the user account.

POST /fim/v2/events/search

Input Parameters

Parameter

Mandatory/Optional

Data Type

Description

filter 

 Optional  String

Filter the events list by providing a query using Qualys syntax. Refer to the “How to Search” topic in the online help for assistance with creating your query.

For example - dateTime:['2019-02-25T18:30:00.000Z'..'2019-02-26T18:29:59.999Z'] AND action: 'Create'

  • For the dateTime filter, the start date must not be earlier than 2017-01-01.
  • To comply with the data retention policy, the API fetches data only from the last 15 months. For more information, refer to Data Retention Policy.

pageNumber 

 Optional  String

The page to be returned. Starts from zero.

pageSize

 Optional  String

The number of records per page to be included in the response. Default is 10.

sort 

 Optional  String

Sort the results using a Qualys token. For example - [{\"action\":\"asc\"}]

incidentContext 

 Optional  Boolean

Search within incidents. Default is false.

incidentIds 

 Optional  String

List of incident IDs to be included while searching for events in incidents.

file.attribute.hidden

 Optional  String

Displays attribute events for files or directories for which the hidden attribute is checked or unchecked.

file.attribute.readonly

 Optional  String

Displays attribute events for files or directories for which the readonly attribute is checked or unchecked.

Authorization 

 Mandatory  String

Authorization token to authenticate to the Qualys Cloud Platform.

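Prepend the token with "Bearer" and one space. For example - Bearer authToken. The token authorizes access to the account's FIM event data, so store it as a secret rather than hard-coding it in scripts.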

Sample 1

API Request

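# Search FIM events; the JSON search criteria are read from request.json.
# Replace the <qualys_base_url> and <token> placeholders with your own values.
# The URL is quoted so the shell does not treat "<" and ">" as redirections,
# and each line ends in a backslash so the command runs as a single curl call.
curl -X POST \
  "<qualys_base_url>/fim/v2/events/search" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json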

Contents of request.json

{
"pageSize":100,
"filter":"profiles.name: Windows Profile - PCI(NJJ)"
}

Response

[
  {
    "sortValues": [],
    "data": {
      "dateTime": "2018-04-25T17:33:29.806+0000",
      "fullPath": "\\Device\\HarddiskVolume2\\Windows\\System32\\config\\systemprofile\\ntuser.dat",
      "severity": 4,
      "profiles": [
        {
          "name": "Windows Profile - PCI(NJJ)",
          "rules": [
            {
              "severity": 4,
              "description": null,
              "id": "d6eb7f77-3726-47b3-90d8-3ecc8d8978e0",
              "type": "directory"
            }
          ],
          "id": "1c3b44f4-fd76-4c4d-8a4e-bebdad5fa124",
          "type": "WINDOWS",
          "category": null
        }
      ],
      "type": "File",
      "changedAttributes": [
        2,
        4,
        8,
        16
      ],
      "platform": "WINDOWS",
      "oldContent": null,
      "actor": {
        "process": "QualysAgent.exe",
        "processID": 11280,
        "imagePath": "\\Device\\HarddiskVolume2\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe",
        "userName": "NT AUTHORITY\\SYSTEM",
        "userID": "S-1-5-18"
      },
      "newContent": null,
      "customerId": "58b888be-a90f-e3be-838d-88877aee572b",
      "name": "ntuser.dat",
      "action": "Attributes",
      "id": "af8b4ba2-d773-307a-834b-415e6b28d31f",
      "asset": {
        "agentId": "04b3dd30-e731-4d0d-a921-20b6b2d2997c",
        "interfaces": [
          {
            "hostname": "CAAUTOMATION-PC",
            "macAddress": "00:50:56:9F:FF:54",
            "address": "10.113.197.104",
            "interfaceName": "Intel(R) PRO/1000 MT Network Connection"
          }
        ],
        "lastCheckedIn": "2018-04-26T05:52:19.000Z",
        "created": 1523941162000,
        "hostId": null,
        "operatingSystem": "Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601",
        "tags": [
          "7650412",
          "7655820",
          "7895614"
        ],
        "assetType": "HOST",
        "system": {
          "lastBoot": "2018-01-15T12:37:35.000Z"
        },
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "CAAUTOMATION-PC",
        "name": "CAAUTOMATION-PC",
        "agentVersion": "2.0.6.1",
        "updated": 1524721941789
      },
      "class": "Disk"
    }
  }
]

Sample 2

API Request

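# Search FIM events; the filter in request.json selects events whose
# reputationStatus is MALICIOUS.
# Replace the <qualys_base_url> and <token> placeholders with your own values;
# the Authorization header must carry a token after "Bearer ".
curl -X POST \
  "<qualys_base_url>/fim/v2/events/search" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json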

Contents of request.json

{
"pageSize":100,
"filter":"reputationStatus: MALICIOUS"
}

Response

[
  {
    "sortValues": [],
    "data": {
      "dateTime": "2021-01-25T17:33:29.806+0000",
      "fullPath": "\\Device\\HarddiskVolume2\\Windows\\System32\\config\\systemprofile\\Terminator.exe",
      "severity": 4,
      "profiles": [
        {
          "name": "Terminator.exe",
          "rules": [
            {
              "severity": 4,
              "description": null,
              "id": "d6eb7f77-3726-47b3-90d8-3ecc8d8978e9",
              "type": "directory"
            }
          ],
          "id": "1c3b44f4-fd76-4c4d-8a4e-bebdad5fa124",
          "type": "WINDOWS",
          "category": null
        }
      ],
      "type": "File",
      "changedAttributes": [
        2,
        4,
        8,
        16
      ],
      "platform": "WINDOWS",
      "oldContent": null,
      "actor": {
        "process": "update.exe",
        "processID": 11280,
        "imagePath": "C:\\Windows\\system32\\update.exe",
        "userName": "NT AUTHORITY\\SYSTEM",
        "userID": "S-1-5-18"
      },
      "newContent": null,
      "customerId": "58b888be-a90f-e3be-838d-88877aee572b",
      "name": "ntuser.dat",
      "action": "Create",
      "id": "af8b4ba2-d773-307a-834b-415e6b28d31f",
      "asset": {
        "agentId": "04b3dd30-e731-4d0d-a921-20b6b2d2997c",
        "interfaces": [
          {
            "hostname": "CAAUTOMATION-PC",
            "macAddress": "00:50:56:9F:FF:54",
            "address": "10.113.197.104",
            "interfaceName": "Intel PRO/1000 MT Network Connection"
          }
        ],
        "lastCheckedIn": "2018-04-26T05:52:19.000Z",
        "created": 1523941162000,
        "hostId": null,
        "operatingSystem": "Microsoft Windows 10 Pro 10.0.10586 N/A Build 10586",
        "tags": [
          "7650412",
          "7655820",
          "7895614"
        ],
        "assetType": "HOST",
        "system": {
          "lastBoot": "2018-01-15T12:37:35.000Z"
        },
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "CAAUTOMATION-PC",
        "name": "CAAUTOMATION-PC",
        "agentVersion": "2.0.6.1",
        "updated": 1524721941789
      },
      "class": "Disk",
      "fileContentHash": "50dc26047f5572a38aa7adb4e9b140dc301ea41d1f4bed5095a1ed7fc1d03fbc",
      "reputationStatus": "MALICIOUS",
      "fileCertificateHash": [
        "d12bed1761e1b2c244db23cebe4185c2b0839eee",
        "7ade32c9b68b944bf291d1fcc59faef061a6d2f2"
      ],
      "trustStatus": "UNTRUSTED"
    }
  }
]

Sample 3

API Request

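# Search FIM events; the filter in request.json selects events for the
# registry key named "Data".
# Replace the <qualys_base_url> and <token> placeholders with your own values.
curl -X POST \
  "<qualys_base_url>/fim/v2/events/search" \
  -H 'authorization: Bearer <token>' \
  -H 'content-type: application/json' \
  -d @request.json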

Contents of request.json

{
"pageSize":100,
"filter":"registryKey.name: Data"
}

Response

[
  {
    "sortValues": [],
    "data": {
      "dateTime": "2021-03-05T11:28:36.455+0000",
      "fullPath": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Data",
      "type": "Value",
      "platform": "WINDOWS",
      "oldContent": null,
      "newContent": null,
      "customerId": "00XXXX-643f-f4af-8336-b253066XXXX",
      "action": "Content",
      "id": "e115XXXX-af72-37b5-8f92-9e878bbbba53",
      "severity": 3,
      "fileCertificateHash": null,
      "profiles": [
        {
          "name": "Profile Name",
          "rules": [
            {
              "severity": 3,
              "number": 1,
              "name": "Rule 1",
              "description": "Rule 1",
              "section": null,
              "id": "4282XXXX-cc33-49d8-82df-53a00e27XXXX",
              "type": "key"
            }
          ],
          "id": "f99941de-2296-4044-bfca-05aeb4575ef5",
          "type": "WINDOWS",
          "category": {
            "name": "PCI",
            "id": "2dabXXXX-2fdd-11e7-93ae-92361f00XXXX"
          }
        }
      ],
      "changedAttributes": null,
      "processedTime": "2021-03-05T05:37:30.311+0000",
      "actor": {
        "process": "reg.exe",
        "processID": 2811,
        "imagePath": "C:\\Windows\\System32\\reg.exe",
        "userName": "MSEDGEWIN10\\IEUser",
        "userID": "S-1-5-21-3461203602-4096304019-2269080069-1000"
      },
      "name": null,
      "asset": {
        "agentId": "7c99XXXX-92fa-4943-91ab-249e341dd10d",
        "interfaces": [
          {
            "hostname": "WIN10-122.WORKGROUP",
            "macAddress": "00:50:56:AA:5C:85",
            "address": "10.xxx.98.122",
            "interfaceName": "Intel(R) 82574L Gigabit Network Connection"
          }
        ],
        "lastCheckedIn": "2019-07-23T11:01:00.000Z",
        "created": "2021-01-11T06:40:09.930+0000",
        "hostId": null,
        "operatingSystem": "Microsoft Windows 10 Pro 10.0.10586 N/A Build 10586",
        "tags": [
          "7508831",
          "7526815",
          "7593230"
        ],
        "assetType": "HOST",
        "system": {
          "lastBoot": "2019-07-23T11:01:00.000Z"
        },
        "ec2": null,
        "lastLoggedOnUser": ".\\Administrator",
        "netbiosName": "WIN10-122",
        "name": "WIN10-122",
        "agentVersion": "3.0.0.101",
        "updated": "2021-01-11T06:40:09.930+0000"
      },
      "fileContentHash": null,
      "reputationStatus": null,
      "registryPath": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
      "registryName": "Data",
      "oldRegistryValueType": "REG_MULTI_SZ",
      "oldRegistryValueContent": [
        "Multvalue string",
        "Multvalue string"
      ],
      "newRegistryValueType": "REG_MULTI_SZ",
      "newRegistryValueContent": [
        "Multvalue string1",
        "Multvalue string2"
      ],
      "class": "Registry"
    }
  }
]