Raw Records Search

Field Values

get

Values that can be used for the field parameter in subsequent search API calls

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Path parameters

contextstring · enumRequired

Data category or event type to query (e.g., alerts, audit logs, blocked traffic, network flows, DNS queries)

Possible values:

Responses

200

An object which contains response metadata information and a data array of Fields.

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

get

/api/v1/search/{context}/fields

GET /api/v1/search/{context}/fields HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": []
}

Search Records

post

Retrieves a list of individual events or records for the specified context over a given time range. This call takes advantage of the Netography Query Language via the search parameter.

Authorizations

AuthorizationstringRequired

Bearer authentication header of the form Bearer <token>.

Path parameters

contextstring · enumRequired

Data category or event type to query (e.g., alerts, audit logs, blocked traffic, network flows, DNS queries)

Possible values:

Body

Search configuration schema for querying data. This schema defines the parameters used to filter and retrieve records from a dataset.

startintegerRequired

When the search should begin. Timestamp or negative number of seconds to look back.

Example: -7200

endintegerRequired

When the search should end. Timestamp, 0 for now or negative number of seconds to look back.

Example: 0

sizeintegerOptional

Number of results to return. To avoid timeouts on large datasets, we recommend setting this value.

Example: 100

fromintegerOptional

Used in pagination. Combination of from + size

includestring[] · max: 100Optional

Array of fields you want returned as part of the records. Default is ALL fields.

searchstringOptional

A NQL search filter for constraining the dataset.

Example: bits > 1000

Responses

200

An object which contains response metadata information and a data array of records

application/json

400

Bad Request. Typically due to a malformatted JSON body, or parameter values are not validating.

application/json

401

Access token is missing or invalid

application/json

403

Access is forbidden

application/json

default

Unknown Error Occurred

application/json

post

/api/v1/search/{context}

POST /api/v1/search/{context} HTTP/1.1
Host: api.netography.com
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 85

{
  "start": -7200,
  "end": 0,
  "size": 100,
  "from": 1,
  "include": [
    "text"
  ],
  "search": "bits > 1000"
}

{
  "meta": {
    "code": 200,
    "count": 1
  },
  "data": [
    {
      "alerttype": "start",
      "algorithm": "knownphisher",
      "categories": [
        "security"
      ],
      "description": "Srcip reputation is a known phisher",
      "dstports": [
        80,
        443
      ],
      "duration": 0,
      "end": 0,
      "flowsrcnames": [
        "myrouter.mydomain"
      ],
      "id": "7da7af39-04f8-49f7-9b20-74d61b100250",
      "ipinfo": [
        {
          "as": {
            "number": 65001,
            "org": "WebHostOrg"
          },
          "bogon": false,
          "count": 1,
          "firstseen": 1618433146,
          "geo": null,
          "ip": "10.0.0.1",
          "iprep": {
            "categories": [
              "Phishing"
            ],
            "count": 1
          },
          "lastseen": 1618433146,
          "pdns": {
            "count": null,
            "records": null
          },
          "rdns": [
            "web01.smarthosten.nl"
          ]
        }
      ],
      "ipinfocount": 2,
      "metrics": {
        "bits": {
          "min": 624,
          "max": 624,
          "avg": 624,
          "sum": 624
        },
        "bitsxrate": {
          "min": 624,
          "max": 624,
          "avg": 624,
          "sum": 624
        },
        "packets": {
          "min": 1,
          "max": 1,
          "avg": 1,
          "sum": 1
        },
        "packetsxrate": {
          "min": 1,
          "max": 1,
          "avg": 1,
          "sum": 1
        }
      },
      "rollupperiod": 300,
      "rulecount": 0,
      "rules": [],
      "search": "((tcpflagsint == 0 && protocol == tcp && srcport != 0 && dstport != 0 && (flowversion == 3 or flowversion == 4)) && flowtype == aws) && (dstip == 10.0.18.65)",
      "severity": "medium",
      "sites": [
        "mysite1"
      ],
      "srcports": [
        36834,
        39954,
        46108
      ],
      "start": 1618246683,
      "summary": "Knownphisher alert has started to dstip 10.0.0.1",
      "tag": "text",
      "tags": [
        "aws",
        "vpc-id:vpc-04db1588169de0100",
        "instance-id:i-0048f0897ae2d8b89",
        "subnet-id:subnet-01a3ecfbad0f2bc59",
        "instance-id:i-0458e0d3d24637924",
        "subnet-id:subnet-00a17206163ae6f9a"
      ],
      "threshold": "count(track_by) >= 1",
      "timestamp": 1618246748,
      "track": "srcip 192.168.1.1",
      "track_by": [
        "srcip",
        "dstip"
      ],
      "updateinterval": 300
    }
  ]
}

PreviousAnalytics NextRaw Records Fetch

Last updated 1 month ago

Good morning

hashtagField Values

hashtagSearch Records

Field Values

Search Records