Get Events
Get events with timestamps within the last 24 hours.
Basic Parameters
Parameter | Description |
---|---|
Exclude Types | A string containing the list of event types to be excluded. |
From Date | The starting date from which alerts will be retrieved, defined as a Unix timestamp in UTC. Ignored if Cursor is set. Must be within the last 24 hours. |
Advanced Parameters
Parameter | Description |
---|---|
Cursor | Identifier for the next item in the list; this value is available in the response as next_cursor. The response will default to the last 24 hours if the cursor is not within the last 24 hours. |
Limit | The maximum number of items to return; the default is 200 and the maximum is 1000. |
Example Output
{
"has_more": false,
"items": [
{
"amsi_threat_data": {
"parentProcessId": "string",
"parentProcessPath": "string",
"processId": "string",
"processName": "string",
"processPath": "string"
},
"appCerts": [
{
"signer": "string",
"thumbprint": "string"
}
],
"appSha256": "SHA-256 hash of the application associated with the threat, if available.",
"core_remedy_items": {
"items": [
{
"descriptor": "string",
"result": "string",
"type": "string"
}
],
"totalItems": 0
},
"created_at": "The date at which the event was created.",
"customer_id": "The identifier of the customer for which record is created.",
"details": [
{
"property": "string",
"type": "string"
}
],
"endpoint_id": "The corresponding endpoint id associated with the record.",
"endpoint_type": "The corresponding endpoint type associated with the record.",
"group": "The group associated with the record.",
"id": "The Identifier for the event.",
"ips_threat_data": {
"detectionType": 0,
"executableName": "string",
"executablePath": "string",
"executablePid": "string",
"executableVersion": "string",
"localPort": "string",
"rawData": "string",
"remoteIp": "string",
"remotePort": "string",
"techSupportId": "string"
},
"location": "The location captured for this record.",
"name": "The name of the record created.",
"origin": "The originating component of a detection.",
"severity": "The severity for this alert.",
"source": "The source for this record.",
"source_info": {},
"threat": "The threat associated with the record.",
"type": "The type of this record.",
"user_id": "The identifier of the user for which record is created.",
"when": "The date at which the event was created.",
"whitelist_properties": [
{
"property": "string",
"type": "string"
}
]
}
],
"next_cursor": "Value of the next cursor. Pass this value as the Cursor parameter to make the next call to the API."
}
Workflow Library Example
Get Events with Sophos and Send Results Via Email