Create InstaQuery
Update Aurora Focus InstaQuery resources for a specific tenant.
| | |
|---|---|
| Service endpoint | /instaqueries/v2 |
| Optional query string parameters | — |
| Example | https://protectapi.cylance.com/instaqueries/v2 |
| Method | HTTP/1.1 POST |
| Request headers | |
Request
```json
{
  "name": "InstaQuery Name",
  "description": "Test InstaQuery",
  "artifact": "File",
  "match_value_type": "Path",
  "match_values": [
    "exe"
  ],
  "case_sensitive": true,
  "match_type": "Fuzzy",
  "zones": [
    "D27FF5C45C0D4F56A00DA1FB297E440F"
  ],
  "filters": [
    {
      "aspect": "OS",
      "value": "Windows"
    }
  ],
  "relations": [
    {
      "object": "/focus/focus_id",
      "relationship": "originated-from"
    }
  ]
}
```
Response
Please see the Response status codes for more information.
Request JSON schema
| Field Name | Description |
|---|---|
| name | This is the name of the InstaQuery. |
| description | This is the description of the InstaQuery. |
| artifact | This is the type of artifact to search. Possible values are "File", "Process", "NetworkConnection", and "RegistryKey". |
| match_value_type | This is the type of value (also known as a facet) to search. Possible values are dependent on the selected artifact type. Valid selections for each are as follows: |
| match_values | This is a list of strings to be matched against for the InstaQuery. |
| case_sensitive | This determines whether to consider case sensitivity when matching values. |
| match_type | This determines whether or not to use an exact or "fuzzy" match. The default behavior of InstaQuery is to use a "fuzzy" match. Possible values are: |
| zones | This is a list of zone IDs to perform the InstaQuery against. |
| filters | This is a list of filters when performing the InstaQuery. |
| aspect | This is the aspect (or type) of filters (for example, "OS"). |
| value | This is the value to filter for (for example, "Windows"). |
| relations | This is a list of objects (for example, Focus View URLs) that are related to the InstaQuery. This is similar to the "Pivot Query" functionality in the Console. |
| object | This is the URL of the focus view that the InstaQuery relates to. |
| relationship | This is how the InstaQuery relates to the URL. This should almost always be "originated-from". |
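
A pre-flight check for the request body described in the schema above, written for this page as an added example and not taken from the vendor's documentation or SDK. The field names and `artifact` values come from the page; treating every field in the sample as required and rejecting empty lists are assumptions, and `check_instaquery` is a hypothetical helper name.

```python
# Added example, not vendor code. Field names and artifact values are from
# the page; the "required" and "non-empty" rules are assumptions.
ARTIFACTS = {"File", "Process", "NetworkConnection", "RegistryKey"}
FIELD_TYPES = {  # field -> JSON type, as used in the page's sample request
    "name": str, "description": str, "artifact": str,
    "match_value_type": str, "match_values": list, "case_sensitive": bool,
    "match_type": str, "zones": list, "filters": list, "relations": list,
}
# Keys of the objects nested inside "filters" and "relations".
NESTED_KEYS = {"filters": ("aspect", "value"),
               "relations": ("object", "relationship")}


def check_instaquery(body):
    """Return a list of problems found in an InstaQuery request body."""
    problems = []
    for field, expected in FIELD_TYPES.items():
        if field not in body:
            problems.append(f"missing field: {field}")
        elif not isinstance(body[field], expected):
            problems.append(f"{field}: expected {expected.__name__}")
    artifact = body.get("artifact")
    if isinstance(artifact, str) and artifact not in ARTIFACTS:
        problems.append(f"artifact: unknown value {artifact!r}")
    for field in ("match_values", "zones"):
        items = body.get(field)
        if isinstance(items, list) and (
                not items or any(not isinstance(i, str) or not i for i in items)):
            problems.append(f"{field}: need a non-empty list of non-empty strings")
    for field, keys in NESTED_KEYS.items():
        entries = body.get(field)
        for n, entry in enumerate(entries if isinstance(entries, list) else []):
            for key in keys:
                if not isinstance(entry, dict) or not isinstance(entry.get(key), str):
                    problems.append(f"{field}[{n}].{key}: expected str")
    return problems


# The page's sample request body, reproduced here as input.
SAMPLE = {
    "name": "InstaQuery Name", "description": "Test InstaQuery",
    "artifact": "File", "match_value_type": "Path", "match_values": ["exe"],
    "case_sensitive": True, "match_type": "Fuzzy",
    "zones": ["D27FF5C45C0D4F56A00DA1FB297E440F"],
    "filters": [{"aspect": "OS", "value": "Windows"}],
    "relations": [{"object": "/focus/focus_id",
                   "relationship": "originated-from"}],
}
```

Running the check before the POST catches mistakes such as a quoted `"true"` for `case_sensitive` or a misspelled artifact type.
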
Response JSON schema
| Field Name | Description |
|---|---|
| name | This is the name of the InstaQuery. |
| description | This is the description of the InstaQuery. |
| artifact | This is the type of artifact to search. Possible values are "File", "Process", "NetworkConnection", and "RegistryKey". |
| match_value_type | This is the type of value (also known as a facet) to search. Possible values are dependent on the selected artifact type. Valid selections for each are as follows: |
| match_values | This is a list of strings to be matched against for the InstaQuery. |
| case_sensitive | This determines whether to consider case sensitivity when matching values. |
| match_type | This determines whether or not to use an exact or "fuzzy" match. The default behavior of InstaQuery is to use a "fuzzy" match. Possible values are: |
| zones | This is a list of zone IDs to perform the InstaQuery against. |
| filters | This is a list of filters when performing the InstaQuery. |
| aspect | This is the aspect (or type) of filters (for example, "OS"). |
| value | This is the value to filter for (for example, "Windows"). |
| relations | This is a list of objects (for example, Focus View URLs) that are related to the InstaQuery. This is similar to the "Pivot Query" functionality in the Console. |
| object | This is the URL of the focus view that the InstaQuery relates to. |
| relationship | This is how the InstaQuery relates to the URL. This should almost always be "originated-from". |
| id | This is the unique identifier of the created InstaQuery. |
| created_at | This is the date and time that the InstaQuery was created. |
| progress | This is the progress of the InstaQuery. |