Get InstaQuery results

Request the results of an Aurora Focus InstaQuery resource belonging to a tenant.

Service endpoint

/instaqueries/v2/{queryID}/results

Optional query string parameters

Example

https://protectapi.cylance.com/instaqueries/v2/AF593F38EDC1B743BDC0A6FCC53A03CE/results

Method

HTTP/1.1 GET

Request headers

  • Accept: application/json
  • Authorization: Bearer JWT Token returned by Auth API with the opticssurvey:read scope encoded

Request

None

Response

Please see the Response status codes for more information.

Response JSON schema

Field Name Description

Id

This is the unique ID of the InstaQuery.

Status

This is the status of the InstaQuery.

Result

This is the list of responses to the InstaQuery.

@timestamp

This is the timestamp that the result was reported in Unix epoch time.

HostName

This is the hostname of the device that returned the result.

DeviceID

This is the unique ID of the device that returned the result.

@version

This is the version format of the result.

CorrelationID

This is the unique correlation ID of the result object.

Result

This is the object containing response data.

FirstObservedTime

This is the timestamp that the result was first observed on the system (for example, when a file was first observed on the system as in a file being created).

LastObservedTime

This is the timestamp that the result was last observed on the system (for example, when a file was last observed as in the last time a file was interacted with).

This value will be the same as the FirstObservedTimestamp for NetworkConnection and process artifacts.

Uid

This is the unique ID of the result.

Type

This is the type of artifact that the result's "properties" contain.

Properties

This is the object containing the individual elements of the result. This will vary depending on the artifact and type that was queried. The following 4 cells outline the possible property values:

File

  • Path: This is the full path to the file.
  • CreationDateTime: This is the timestamp (in UTC) of when the file was created on the responding system.
  • Md5: This is the MD5 hash of the file result (where applicable).
  • Sha256: This is the SHA256 hash of the file result (where applicable).
  • Owner: This is the owner of the file.
  • SuspectedFileType: This is the suspected file type of the file object (where applicable).
  • FileSignature: This is a set of information derived about the file's signature status.
  • Size: This is the size of the file object (in bytes).
  • OwnerUid: This is the unique ID of the owner of the file.

Process

  • Name: This is the name of the process.
  • CommandLine: These are the command-line arguments that the process was executed with.
  • StartDateTime: This is the timestamp (in UTC) of when the process was executed on the responding system.
  • PrimaryImagePath: This is the image file path of the process.
  • PrimaryImageMd5: This is the MD5 hash of the image file of the process.
  • PrimaryImageSha256: This is the SHA256 hash of the image file of the process.
  • PrimaryImageUid: This is the unique ID of the image file of the process.
  • Owner: This is the user who owns the process.
  • OwnerUid: This is the unique ID of the user who owns the process.
  • SuspectedFileType: This is the suspected file type of the image file of the process.
  • FileSignature: This is a set of information derived about the image file's signature status.
  • IsBeingDebugged: This is a Boolean value to determine if the process has a debugger attached to it.

Network

  • DestinationAddress: This is the IP address that the connection was destined to.
  • DestinationPort: This is the port associated with the remote IP address.
  • ProcessName: This is the process name that was associated with the connection.
  • ProcessPrimaryImageUid: This is the unique ID of the process associated with the connection.
  • ProcessPrimaryImagePath: This is the image file path of the process associated with the connection.
  • ProcessImageMd5: This is the MD5 hash of the image file of the process associated with the connection.
  • ProcessImageSha256: This is the SHA256 hash of the image file of the process associated with the connection.
  • SuspectedFileType: This is the suspected file type of the image file of the process associated with the connection.

Registry

  • IsPersistencePoint: This is a binary value (1 or 0) to determine if the resulting Registry item is a common persistence location.
  • ValueName: This is the name of the Registry Value that was interacted with.
  • Path: This is the full path of the Registry Key.
  • FilePath: This is the full path of the file referenced in the Registry Value (where applicable).
  • FileMd5: This is the MD5 hash of the file referenced in the Registry Value (where applicable).
  • FileSha256: This is the SHA256 hash of the file referenced in the Registry Value (where applicable).
  • FileUid: This is the unique ID of the file referenced in the Registry Value (where applicable).
  • SuspectedFileType: This is the suspected file type of the file referenced in the Registry Value (where applicable).
  • FileSignature: This is a set of information derived about a file's signature status that is referenced in the Registry Value (where applicable).
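
The following Python is an added example, not part of the original reference or vendor code: it builds the request described above and flattens a response into triage rows, flagging Registry persistence points and processes with a debugger attached. Assumed, not stated on the page: the nesting of the per-device Result object (accepted here either as an object or as a JSON-encoded string), Type strings that match the artifact headings, @timestamp in epoch seconds, and all function names.

```python
import json
from datetime import datetime, timezone
from urllib.parse import quote

BASE = "https://protectapi.cylance.com"  # host from the page's example URL
# SHA256 property per artifact type; the Type strings themselves are assumed.
SHA256_FIELD = {"File": "Sha256", "Process": "PrimaryImageSha256",
                "Network": "ProcessImageSha256", "Registry": "FileSha256"}

def build_request(query_id, jwt):
    """Return (url, headers) for the GET call; nothing is sent."""
    url = f"{BASE}/instaqueries/v2/{quote(query_id, safe='')}/results"
    return url, {"Accept": "application/json", "Authorization": f"Bearer {jwt}"}

def triage_flags(kind, props):
    """Flag the two yes/no properties the schema defines for triage."""
    flags = []
    if kind == "Registry" and str(props.get("IsPersistencePoint")) == "1":
        flags.append("persistence-point")
    if kind == "Process" and props.get("IsBeingDebugged") is True:
        flags.append("debugger-attached")
    return flags

def flatten(response):
    """Return one flat row per device result in the response."""
    rows = []
    for entry in response.get("Result") or []:
        inner = entry.get("Result") or {}
        if isinstance(inner, str):  # assumption: tolerate a JSON-encoded object
            inner = json.loads(inner)
        kind, props = inner.get("Type"), inner.get("Properties") or {}
        rows.append({
            "host": entry.get("HostName"), "device_id": entry.get("DeviceID"),
            "reported_utc": datetime.fromtimestamp(  # assumes epoch seconds
                float(entry["@timestamp"]), tz=timezone.utc).isoformat(),
            "type": kind, "sha256": props.get(SHA256_FIELD.get(kind, "")),
            "flags": triage_flags(kind, props)})
    return rows

# Constructed sample response (not real data); "done" is a placeholder status.
SAMPLE = {"Id": "AF593F38EDC1B743BDC0A6FCC53A03CE", "Status": "done", "Result": [
    {"@timestamp": 1700000000, "HostName": "host-a", "DeviceID": "dev-1",
     "Result": {"Type": "Registry", "Properties": {
         "IsPersistencePoint": 1, "FileSha256": "ab" * 32}}},
    {"@timestamp": 1700000060, "HostName": "host-b", "DeviceID": "dev-2",
     "Result": json.dumps({"Type": "Process", "Properties": {
         "IsBeingDebugged": False, "PrimaryImageSha256": "cd" * 32}})},
]}
```

Calling flatten(SAMPLE) yields one row per responding device, so the rows can be grouped by sha256 or filtered on flags before any follow-up query.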