Search investigations by filter

Cortex XSOAR 6 API

post /investigations/search

Searches investigations across all indices. You can filter by multiple options. The request body below uses placeholder values generated from the schema; in practice send only the filter keys you need, and always pass size, which defaults to 0 and then returns no results.

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/investigations/search" \
  -d '{
  "filter": {
    "reason": ["reason", "reason"],
    "notIDs": ["notIDs", "notIDs"],
    "ignoreWorkers": true,
    "idsOnly": true,
    "type": [null, null],
    "notCategory": ["notCategory", "notCategory"],
    "fromDateLicense": "2000-01-23T04:56:07.000+00:00",
    "andOp": true,
    "searchAfterElastic": ["searchAfterElastic", "searchAfterElastic"],
    "searchBefore": ["searchBefore", "searchBefore"],
    "fromCloseDate": "2000-01-23T04:56:07.000+00:00",
    "id": ["id", "id"],
    "includeChildInv": true,
    "period": {
      "fromValue": "fromValue",
      "toValue": "toValue",
      "byFrom": "byFrom",
      "field": "field",
      "by": "by",
      "byTo": "byTo"
    },
    "searchAfterMap": {"key": ["searchAfterMap", "searchAfterMap"]},
    "searchAfterMapOrder": {"key": 6},
    "searchBeforeElastic": ["searchBeforeElastic", "searchBeforeElastic"],
    "toDate": "2000-01-23T04:56:07.000+00:00",
    "toCloseDate": "2000-01-23T04:56:07.000+00:00",
    "sort": [
      {"asc": true, "field": "field", "fieldType": "fieldType"},
      {"asc": true, "field": "field", "fieldType": "fieldType"}
    ],
    "timeFrame": 5,
    "fromDate": "2000-01-23T04:56:07.000+00:00",
    "size": 1,
    "name": ["name", "name"],
    "searchAfter": ["searchAfter", "searchAfter"],
    "page": 0,
    "category": ["category", "category"],
    "user": ["user", "user"],
    "Cache": {"key": ["Cache", "Cache"]},
    "status": [null, null]
  }
}'
Authentication: api_key (API key passed in the "Authorization" header)
Request
Body
optional
filter
optional
Cache
optional
Map
Cache of join functions
andOp
optional
Boolean
category
optional
Array of strings
fromCloseDate
optional
Object
format: date-time
fromDate
optional
Object
format: date-time
fromDateLicense
optional
Object
format: date-time
id
optional
Array of strings
idsOnly
optional
Boolean
ignoreWorkers
optional
Boolean
Do not use the workers mechanism while searching bleve
includeChildInv
optional
Boolean
name
optional
Array of strings
notCategory
optional
Array of strings
notIDs
optional
Array of strings
page
optional
Number (Long)
0-based page format: int64
period
optional
by
optional
String
By is kept for legacy use; if present it overrides ByTo and ByFrom
byFrom
optional
String
byTo
optional
String
field
optional
String
fromValue
optional
String
format: duration
toValue
optional
String
format: duration
reason
optional
Array of strings
searchAfter
optional
Array of strings
Efficient next page, pass max sort value from previous page
searchAfterElastic
optional
Array of strings
Efficient next page, pass max ES sort value from previous page
searchAfterMap
optional
Map
Map of search-after values per account: stores the next page's sort values for each account. There is no need to store a searchBeforeMap, because the current page's searchBefore equals the previous page's searchAfter. Moreover, a correct searchBefore cannot be generated from the current page, since some tenants may not appear in it at all. The map is relevant in proxy mode and is used by tenants; each tenant extracts its own searchAfter keys from the map.
searchAfterMapOrder
optional
Map of numbers (Long)
format: int64
searchBefore
optional
Array of strings
Efficient prev page, pass min sort value from next page
searchBeforeElastic
optional
Array of strings
Efficient prev page, pass min ES sort value from next page
size
optional
Number (Long)
Size is limited to 1000. If not passed it defaults to 0, and no results are returned. format: int64
sort
optional
Array
The sort order
Order struct holds a sort field and the direction of sorting
asc
optional
Boolean
field
optional
String
fieldType
optional
String
status
optional
Array of numbers (Double)
format: double
timeFrame
optional
Number (Long)
A Duration represents the elapsed time between two instants as an int64 nanosecond count. The representation limits the largest representable duration to approximately 290 years. format: int64
toCloseDate
optional
Object
format: date-time
toDate
optional
Object
format: date-time
type
optional
Array of numbers (Double)
format: double
user
optional
Array of strings
Responses

investigationSearchResponse

Body
InvestigationSearchResponse returns the response from the investigation search
data
optional
Array
A special investigation called playground is created for each user-project combination and is a private space for the researcher to play in.
ShardID
optional
Number (Long)
format: int64
allRead
optional
Boolean
allReadWrite
optional
Boolean
cacheVersn
optional
Number (Long)
format: int64
category
optional
String
Category of the investigation
childInvestigations
optional
Array of strings
IDs of the child investigations
closed
optional
Object
When was this closed format: date-time
closingUserId
optional
String
The user ID that closed this investigation
created
optional
Object
format: date-time
creatingUserId
optional
String
The user ID that created this investigation
dbotCreatedBy
optional
String
Who has created this event - relevant only for manual incidents
details
optional
String
User defined free text details
entitlements
optional
Array of strings
One time entitlements
entryUsers
optional
Array of strings
EntryUsers
hasRole
optional
Boolean
Internal field to make queries on role faster
highPriority
optional
Boolean
HighPriority - tasks of this investigation should run in high priority
highlight
optional
Map
id
optional
String
indexName
optional
String
isChildInvestigation
optional
Boolean
IsChildInvestigation
isDebug
optional
Boolean
IsDebug ...
lastOpen
optional
Object
format: date-time
mirrorAutoClose
optional
Map of booleans
MirrorAutoClose will tell us to close the Chat Module channel if we close investigation
mirrorTypes
optional
Map of strings
MirrorTypes holds the mirror direction and the message type to be mirrored, if this investigation is mirrored. Message type can be either 'all' or 'chat'; direction can be either 'FromDemisto', 'ToDemisto' or 'Both'.
modified
optional
Object
format: date-time
name
optional
String
The name of the investigation, which is unique to the project
numericId
optional
Number (Long)
format: int64
openDuration
optional
Number (Long)
Duration from open to close time format: int64
parentInvestigation
optional
String
ParentInvestigation - parent id, in case this is a child investigation of another investigation
persistentEntitlements
optional
Map of strings
Persistent entitlement per tag. Empty tag will also return an entitlement
previousAllRead
optional
Boolean
previousAllReadWrite
optional
Boolean
previousRoles
optional
Array of strings
Do not change this field manually
primaryTerm
optional
Number (Long)
format: int64
rawCategory
optional
String
reason
optional
Map of strings
The reason for the status (resolve)
roles
optional
Array of strings
The role assigned to this investigation
runStatus
optional
String
RunStatus of a job
sequenceNumber
optional
Number (Long)
format: int64
sizeInBytes
optional
Number (Long)
format: int64
slackMirrorAutoClose
optional
Boolean
DEPRECATED - DeprecatedSlackMirrorAutoClose will tell us to close the Slack channel if we close investigation
slackMirrorType
optional
String
DEPRECATED - DeprecatedSlackMirrorType holds the mirror direction and the message type to be mirrored, if this investigation is mirrored to Slack. Message type can be either 'all' or 'chat'; direction can be either 'demisto2Slack', 'slack2Demisto' or 'both'.
sortValues
optional
Array of strings
status
optional
Number (Double)
InvestigationStatus is the status type format: double
syncHash
optional
String
systems
optional
Array
The systems involved
System - URL stands for an IP address or hostname
agent
optional
SystemAgent - represents agent status and holds server context
servercontext
optional
Array of integers
format: uint8
arch
optional
String
ciphers
optional
Array of strings
credentials
optional
String
engineId
optional
String
host
optional
String
integrationinstanceid
optional
String
issharedagent
optional
Boolean
name
optional
String
os
optional
String
password
optional
String
servicesID
optional
String
smb
optional
Number (Long)
format: int64
smbport
optional
Integer
format: uint16
sshkey
optional
String
sshport
optional
Integer
format: uint16
terminalOptions
optional
TerminalOptions - terminal options to use when a pty is requested
Echo
optional
Integer
format: uint32
Terminal
optional
Boolean
TerminalHeight
optional
Number (Long)
format: int64
TerminalType
optional
String
TerminalWidth
optional
Number (Long)
format: int64
TyISpeed
optional
Integer
format: uint32
TyOSpeed
optional
Integer
format: uint32
user
optional
String
workgroup
optional
String
tags
optional
Array of strings
Tags
type
optional
Number (Double)
format: double
users
optional
Array of strings
The users who share this investigation
version
optional
Number (Long)
format: int64
xsoarHasReadOnlyRole
optional
Boolean
xsoarPreviousReadOnlyRoles
optional
Array of strings
xsoarReadOnlyRoles
optional
Array of strings
total
optional
Number (Long)
format: int64
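Worked example, added here and not part of Palo Alto Networks' documentation or SDK: a small Python client that builds the request filter described above, walks result pages by passing the last item's sortValues back as searchAfter (the "efficient next page" mechanism), enforces the size rule (0 returns nothing, 1000 is the cap), and blanks the credential-bearing fields the response schema declares under systems[].agent (password, sshkey, credentials) before a record is logged or forwarded. The host "https://hostname:443" and the "[[apiKey]]" placeholder are taken from the page's curl example. Assumptions the page does not state: the endpoint answers 200 with the InvestigationSearchResponse JSON, the last item's sortValues is exactly what searchAfter expects, and "created" is an accepted sort field. The two-page response in demo() is constructed sample data, not captured server output.

```python
# Added example for this page, not Palo Alto Networks' code. Assumptions: the
# endpoint returns InvestigationSearchResponse JSON with HTTP 200, the last
# item's "sortValues" is what "searchAfter" expects, and "created" is a valid
# sort field. demo() runs entirely offline against constructed sample pages.
import copy
import json
import urllib.request
from datetime import datetime, timezone
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple

MAX_PAGE_SIZE = 1000  # "Size is limited to 1000"
SENSITIVE_AGENT_FIELDS = ("password", "sshkey", "credentials")  # from systems[].agent schema
Transport = Callable[[str, Dict[str, str], bytes], Dict[str, Any]]  # (url, headers, body) -> JSON


def urllib_transport(url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
    """Standard-library HTTPS transport for use against a real server."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def iso8601(dt: datetime) -> str:
    """Date-time filter fields are RFC 3339 strings; normalise to UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def build_filter(*, size: int, from_date: Optional[datetime] = None,
                 categories: Optional[List[str]] = None,
                 sort_field: str = "created", ascending: bool = False) -> Dict[str, Any]:
    """A missing or zero size returns nothing and the server caps size at 1000,
    so anything outside 1..1000 is rejected before a request is sent."""
    if not 1 <= size <= MAX_PAGE_SIZE:
        raise ValueError(f"size must be 1..{MAX_PAGE_SIZE}, got {size}")
    f: Dict[str, Any] = {"size": size, "page": 0, "sort": [{"field": sort_field, "asc": ascending}]}
    if from_date is not None:
        f["fromDate"] = iso8601(from_date)
    if categories:
        f["category"] = list(categories)
    return f


def redact_agent_secrets(inv: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of one investigation with the secret-bearing agent fields blanked,
    so the record can be logged or forwarded without leaking credentials."""
    inv = copy.deepcopy(inv)
    for system in inv.get("systems") or []:
        for key in SENSITIVE_AGENT_FIELDS:
            if (system.get("agent") or {}).get(key):
                system["agent"][key] = "<redacted>"
    return inv


def search_page(transport: Transport, base_url: str, api_key: str,
                filter_: Dict[str, Any]) -> Dict[str, Any]:
    """One POST /investigations/search with the headers the page's curl uses."""
    headers = {"Authorization": api_key, "Accept": "application/json",
               "Content-Type": "application/json"}
    body = json.dumps({"filter": filter_}).encode("utf-8")
    return transport(base_url.rstrip("/") + "/investigations/search", headers, body)


def iter_investigations(transport: Transport, base_url: str, api_key: str,
                        filter_: Dict[str, Any], redact: bool = True) -> Iterator[Dict[str, Any]]:
    """Yield every match, feeding the last item's sortValues back as searchAfter.
    Stops on an empty or short page, or if a page repeats an id already seen."""
    filter_ = dict(filter_)
    seen: set = set()
    while True:
        data = search_page(transport, base_url, api_key, filter_).get("data") or []
        if not data or data[0].get("id") in seen:
            return
        for inv in data:
            seen.add(inv.get("id"))
            yield redact_agent_secrets(inv) if redact else inv
        sort_values = data[-1].get("sortValues")
        if not sort_values or len(data) < filter_.get("size", 0):
            return
        filter_["searchAfter"] = sort_values


def demo() -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Offline run over a constructed two-page response (sample data, not captured
    from a real server). Returns (records yielded, filters sent per request)."""
    pages = [{"total": 3, "data": [
        {"id": "101", "name": "Phishing 101", "sortValues": ["1700000001"],
         "systems": [{"name": "mail-gw", "agent": {"host": "10.0.0.5", "user": "svc",
                      "password": "hunter2", "sshkey": "-----BEGIN OPENSSH PRIVATE KEY-----"}}]},
        {"id": "102", "name": "Phishing 102", "sortValues": ["1700000002"]}]},
        {"total": 3, "data": [{"id": "103", "name": "Phishing 103", "sortValues": ["1700000003"]}]}]
    sent: List[Dict[str, Any]] = []

    def fake_transport(url: str, headers: Dict[str, str], body: bytes) -> Dict[str, Any]:
        assert url.endswith("/investigations/search") and headers["Authorization"] == "[[apiKey]]"
        sent.append(json.loads(body)["filter"])
        return pages[len(sent) - 1] if len(sent) <= len(pages) else {"total": 3, "data": []}

    filt = build_filter(size=2, categories=["phishing"], from_date=datetime(2024, 1, 1, tzinfo=timezone.utc))
    records = list(iter_investigations(fake_transport, "https://hostname:443", "[[apiKey]]", filt))
    return records, sent
```

Against a live server, call iter_investigations with urllib_transport, the real base URL and your API key; the fake transport inside demo() exists only so the pagination and redaction logic can be exercised offline. Keep redact=True anywhere the records leave the SOC tooling: the response schema carries agent host credentials alongside the investigation metadata, and an export that forgets this turns a case list into a credential dump. The page-based alternative (page, 0-based, with a fixed size) works for small result sets, but searchAfter is the path the schema marks as efficient.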