Examples
Replace {SERVICE_ENDPOINT} in all examples with your region-specific endpoint from the Service endpoint section.
a) List all available queries
BASH
curl -X GET \
"{SERVICE_ENDPOINT}/api/v1beta/organizations/{organizationID}/data-sources/{dataSource}/predefined-queries" \
-H "Accept: application/json" \
-H 'Authorization: Bearer <token>'
b) Describe a query before executing it
BASH
curl -X GET \
"{SERVICE_ENDPOINT}/api/v1beta/organizations/{organizationID}/data-sources/{dataSource}/predefined-queries/observations-by-domain" \
-H "Accept: application/json" \
-H 'Authorization: Bearer <token>'
c) Search for a domain using CONTAINS
Find all observations where the domain contains example.com, returning only selected columns:
BASH
curl -X POST \
"{SERVICE_ENDPOINT}/api/v1beta/organizations/{organizationID}/data-sources/{dataSource}/predefined-queries/observations-by-domain/execute" \
-H "Content-Type: application/json" \
-H 'Authorization: Bearer <token>' \
-d '{
"parameters": [
{ "name": "start_time", "value": "2024-01-01T00:00:00Z" },
{ "name": "end_time", "value": "2024-01-31T23:59:59Z" },
{ "name": "domain", "comparisonOperator": "CONTAINS", "value": "example.com" }
],
"response_columns": ["at_timestamp", "related.domain", "client.ip", "server.ip"]
}'
d) Find failed logins for a specific user
BASH
curl -X POST \
"{SERVICE_ENDPOINT}/api/v1beta/organizations/{organizationID}/data-sources/{dataSource}/predefined-queries/observations-by-login-status/execute" \
-H "Content-Type: application/json" \
-H 'Authorization: Bearer <token>' \
-d '{
"parameters": [
{ "name": "start_time", "value": "2024-03-01T00:00:00Z" },
{ "name": "end_time", "value": "2024-03-31T23:59:59Z" },
{ "name": "login_status", "comparisonOperator": "EQ", "value": "failure" },
{ "name": "user", "comparisonOperator": "CONTAINS", "value": "jsmith" }
]
}'
e) Paginate through results — fetching page 2
BASH
curl -X POST \
"{SERVICE_ENDPOINT}/api/v1beta/organizations/{organizationID}/data-sources/{dataSource}/predefined-queries/observations-by-domain/execute" \
-H "Content-Type: application/json" \
-H 'Authorization: Bearer <token>' \
-d '{
"parameters": [
{ "name": "start_time", "value": "2024-01-01T00:00:00Z" },
{ "name": "end_time", "value": "2024-01-31T23:59:59Z" },
{ "name": "domain", "value": "example.com" },
{ "name": "limit", "value": "100" },
{ "name": "offset", "value": "100" }
]
}'
f) Search for multiple IP addresses using IN
Supply an array of values when the parameter supports canBeArray:
BASH
curl -X POST \
"{SERVICE_ENDPOINT}/api/v1beta/organizations/{organizationID}/data-sources/{dataSource}/predefined-queries/observations-by-ip-address/execute" \
-H "Content-Type: application/json" \
-H 'Authorization: Bearer <token>' \
-d '{
"parameters": [
{ "name": "start_time", "value": "2024-01-01T00:00:00Z" },
{ "name": "end_time", "value": "2024-01-31T23:59:59Z" },
{ "name": "ip_address", "comparisonOperator": "IN", "value": ["192.168.1.1", "10.0.0.5"] }
]
}'
g) Search for multiple event codes
BASH
curl -X POST \
"{SERVICE_ENDPOINT}/api/v1beta/organizations/{organizationID}/data-sources/{dataSource}/predefined-queries/observations-by-event-code/execute" \
-H "Content-Type: application/json" \
-H 'Authorization: Bearer <token>' \
-d '{
"parameters": [
{ "name": "start_time", "value": "2024-06-01T00:00:00Z" },
{ "name": "end_time", "value": "2024-06-30T23:59:59Z" },
{ "name": "event_code", "comparisonOperator": "IN", "value": ["4625", "4771"] }
]
}'
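The examples above all share one request shape: a fixed time window, optional filter parameters with a comparisonOperator, optional response_columns, and limit/offset for paging. The client below is an added example (not part of the original documentation) that builds that body and walks every page of a result set, refusing array values on operators other than IN. The endpoint, organization and data-source placeholders and the "results" key in the response are assumptions; the request fields come from the examples.

```python
import json
import urllib.request
from typing import Callable, Iterator

# Constructed placeholders: substitute the region endpoint and your own IDs.
SERVICE_ENDPOINT = "https://SERVICE_ENDPOINT"
ORG_ID, DATA_SOURCE = "ORGANIZATION_ID", "DATA_SOURCE"
ARRAY_OPERATORS = {"IN"}  # assumption: IN is the operator that takes a list value


def execute_url(query_name: str) -> str:
    return (f"{SERVICE_ENDPOINT}/api/v1beta/organizations/{ORG_ID}"
            f"/data-sources/{DATA_SOURCE}/predefined-queries/{query_name}/execute")


def build_body(start_time, end_time, filters, response_columns=None,
               limit=None, offset=None) -> dict:
    """filters: list of (name, comparisonOperator or None, value) tuples."""
    params = [{"name": "start_time", "value": start_time},
              {"name": "end_time", "value": end_time}]
    for name, op, value in filters:
        if isinstance(value, list) and op not in ARRAY_OPERATORS:
            raise ValueError(f"{name}: a list value needs an array operator such as IN")
        param = {"name": name}
        if op:
            param["comparisonOperator"] = op
        param["value"] = value
        params.append(param)
    if limit is not None:   # limit/offset travel as string-valued parameters
        params.append({"name": "limit", "value": str(limit)})
    if offset is not None:
        params.append({"name": "offset", "value": str(offset)})
    body = {"parameters": params}
    if response_columns:
        body["response_columns"] = response_columns
    return body


def http_fetch(url: str, body: dict, token: str) -> dict:
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def iter_pages(fetch: Callable[[dict], dict], start_time, end_time, filters,
               page_size=100, rows_key="results") -> Iterator[dict]:
    """Yield rows across pages, advancing offset until a short page arrives."""
    offset = 0
    while True:
        rows = fetch(build_body(start_time, end_time, filters,
                                limit=page_size, offset=offset)).get(rows_key, [])
        yield from rows
        if len(rows) < page_size:
            return
        offset += page_size
```

Pass `lambda body: http_fetch(execute_url("observations-by-domain"), body, token)` as `fetch` to run against the live API; the generator stops as soon as a page returns fewer rows than `page_size`.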