Search evidence

Cortex XSOAR 6 API

post /evidence/search

Search for an evidence entity by filter.

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/evidence/search" \
  -d '{
    "filter" : {
      "period" : { "fromValue" : "fromValue", "toValue" : "toValue", "byFrom" : "byFrom", "field" : "field", "by" : "by", "byTo" : "byTo" },
      "searchAfterMap" : { "key" : [ "searchAfterMap", "searchAfterMap" ] },
      "searchAfterMapOrder" : { "key" : 6 },
      "ignoreWorkers" : true,
      "query" : "query",
      "searchBeforeElastic" : [ "searchBeforeElastic", "searchBeforeElastic" ],
      "toDate" : "2000-01-23T04:56:07.000+00:00",
      "trim_events" : 5,
      "sort" : [ { "asc" : true, "field" : "field", "fieldType" : "fieldType" }, { "asc" : true, "field" : "field", "fieldType" : "fieldType" } ],
      "filterobjectquery" : "filterobjectquery",
      "timeFrame" : 5,
      "fromDate" : "2000-01-23T04:56:07.000+00:00",
      "fromDateLicense" : "2000-01-23T04:56:07.000+00:00",
      "size" : 1,
      "searchAfterElastic" : [ "searchAfterElastic", "searchAfterElastic" ],
      "searchBefore" : [ "searchBefore", "searchBefore" ],
      "searchAfter" : [ "searchAfter", "searchAfter" ],
      "accounts" : { "key" : "{}" },
      "page" : 0,
      "fields" : [ "fields", "fields" ],
      "Cache" : { "key" : [ "Cache", "Cache" ] }
    },
    "incidentID" : "incidentID"
  }'
Authentication: api_key (API key sent in the "Authorization" header)
Request
Body
optional
filter
optional
GenericStringDateFilter is a general filter that fetches entities using the query value and a date filter.
Cache
optional
Map
Cache of join functions
accounts
optional
Map of objects
fields
optional
Array of strings
filterobjectquery
optional
String
fromDate
optional
Object
format: date-time
fromDateLicense
optional
Object
format: date-time
ignoreWorkers
optional
Boolean
Do not use the workers mechanism while searching Bleve.
page
optional
Number (Long)
0-based page
format: int64
period
optional
by
optional
String
By is kept for legacy use; if present, it overrides ByTo and ByFrom.
byFrom
optional
String
byTo
optional
String
field
optional
String
fromValue
optional
String
format: duration
toValue
optional
String
format: duration
query
optional
String
searchAfter
optional
Array of strings
Efficient next page: pass the max sort value from the previous page.
searchAfterElastic
optional
Array of strings
Efficient next page: pass the max ES sort value from the previous page.
searchAfterMap
optional
Map
Map of per-account searchAfter values: stores the next-page sort values for each account. There is no need to store a searchBeforeMap, because the current page's searchBefore equals the previous page's searchAfter; moreover, a correct searchBefore cannot be generated from the current page, since some tenants may not appear in it at all. The map is relevant in proxy mode and is used by tenants: each tenant extracts its own searchAfter keys from the map.
searchAfterMapOrder
optional
Map of numbers (Long)
format: int64
searchBefore
optional
Array of strings
Efficient previous page: pass the min sort value from the next page.
searchBeforeElastic
optional
Array of strings
Efficient previous page: pass the min ES sort value from the next page.
size
optional
Number (Long)
Size is limited to 1000. If not passed it defaults to 0, and no results are returned.
format: int64
sort
optional
Array
The sort order
Order struct holds a sort field and the direction of sorting
asc
optional
Boolean
field
optional
String
fieldType
optional
String
timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64 nanosecond count. The representation limits the largest representable duration to approximately 290 years.
format: int64
toDate
optional
Object
format: date-time
trim_events
optional
Number (Long)
format: int64
incidentID
optional
String
Responses

EvidencesSearchResponse

Body
EvidencesSearchResponse returns the response from the evidences search
evidences
optional
Array
Evidences is a list of evidence entities
ShardID
optional
Number (Long)
format: int64
allRead
optional
Boolean
allReadWrite
optional
Boolean
cacheVersn
optional
Number (Long)
format: int64
created
optional
Object
format: date-time
dbotCreatedBy
optional
String
Who created this event; relevant only for manual incidents
description
optional
String
The description for the resolve
entryId
optional
String
The entry ID
fetched
optional
Object
When the evidence entry was fetched
format: date-time
hasRole
optional
Boolean
Internal field to make queries on role faster
highlight
optional
Map
id
optional
String
incidentId
optional
String
The incident ID
indexName
optional
String
markedBy
optional
String
The user that marked this evidence
markedDate
optional
Object
When this evidence was marked
format: date-time
modified
optional
Object
format: date-time
numericId
optional
Number (Long)
format: int64
occurred
optional
Object
When this evidence occurred
format: date-time
previousAllRead
optional
Boolean
previousAllReadWrite
optional
Boolean
previousRoles
optional
Array of strings
Do not change this field manually
primaryTerm
optional
Number (Long)
format: int64
roles
optional
Array of strings
The role assigned to this investigation
sequenceNumber
optional
Number (Long)
format: int64
sizeInBytes
optional
Number (Long)
format: int64
sortValues
optional
Array of strings
syncHash
optional
String
tags
optional
Array of strings
Tags
tagsRaw
optional
Array of strings
TagsRaw
taskId
optional
String
when the evidence entry was fetched
version
optional
Number (Long)
format: int64
xsoarHasReadOnlyRole
optional
Boolean
xsoarPreviousReadOnlyRoles
optional
Array of strings
xsoarReadOnlyRoles
optional
Array of strings
total
optional
Number (Long)
format: int64
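As an added example (not code from the Cortex XSOAR documentation or product), the following Python builds the request body described above, enforces the size rule (1..1000; 0 or omitted returns nothing) and pages through results with searchAfter fed from the last evidence's sortValues. The sort field "created", the five-entry store and the fake_post stand-in for the endpoint are constructed assumptions so the code runs offline.

```python
import json
from typing import Callable, Iterator, Optional

SIZE_LIMIT = 1000  # the reference: size is limited to 1000; 0 or omitted returns no results


def build_search_body(incident_id: str, query: str, size: int,
                      search_after: Optional[list] = None) -> dict:
    """Build the JSON body for POST /evidence/search.
    Sorting on "created" ascending is an assumption made for this example."""
    if not 1 <= size <= SIZE_LIMIT:
        raise ValueError(f"size must be 1..{SIZE_LIMIT}; 0 or omitted yields no results")
    flt = {"query": query, "size": size, "sort": [{"field": "created", "asc": True}]}
    if search_after:
        # Efficient next page: pass the sort value(s) of the last item of the previous page
        flt["searchAfter"] = list(search_after)
    return {"incidentID": incident_id, "filter": flt}


def next_page_body(body: dict, response: dict) -> Optional[dict]:
    """Derive the next request from the previous one; None once a page comes back short."""
    evidences = response.get("evidences") or []
    if len(evidences) < body["filter"]["size"]:
        return None
    last_sort = evidences[-1].get("sortValues")
    if not last_sort:
        raise ValueError("last evidence lacks sortValues; cannot page with searchAfter")
    nxt = json.loads(json.dumps(body))  # deep copy so the caller's body is not mutated
    nxt["filter"]["searchAfter"] = list(last_sort)
    return nxt


def iter_evidences(body: dict, post: Callable[[dict], dict]) -> Iterator[dict]:
    """Walk every page; `post` is injected so the example runs without a server."""
    while body is not None:
        resp = post(body)
        yield from resp.get("evidences") or []
        body = next_page_body(body, resp)


# Constructed stand-in for the server: five evidence entries, already sorted by "created".
FAKE_STORE = [{"id": f"ev{i}", "incidentId": "12", "sortValues": [f"{1700000000 + i}"]}
              for i in range(5)]


def fake_post(body: dict) -> dict:
    """Constructed server: honours incidentID, searchAfter and size like the real endpoint."""
    flt, after = body["filter"], body["filter"].get("searchAfter")
    rows = [e for e in FAKE_STORE if e["incidentId"] == body["incidentID"]
            and (after is None or e["sortValues"] > after)]
    return {"evidences": rows[:flt["size"]], "total": len(rows)}


def collect_ids(incident_id: str, size: int) -> list:
    return [e["id"] for e in iter_evidences(build_search_body(incident_id, "", size), fake_post)]
```

Against a real server, replace fake_post with a function that POSTs the body to /evidence/search with the Authorization header and returns the parsed EvidencesSearchResponse.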