Available queries
All queries share the following common parameters:
| Parameter | Type | Mandatory | Default | Description |
|---|---|---|---|---|
| start_time | timestamp | Yes | — | Start of the query period (inclusive). ISO 8601 UTC format, for example, 2024-01-01T00:00:00Z. |
| end_time | timestamp | Yes | — | End of the query period (exclusive). Must be after start_time. |
| limit | integer | No | 100 | Maximum rows to return. Must be between 1 and 500. |
| offset | integer | No | 0 | Rows to skip for pagination. Must be zero or positive. |
start_time must be strictly before end_time. Supplying equal or reversed timestamps returns a 400 Bad Request error.
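The following is an added example (not the API's own client code) showing how a caller can enforce the common-parameter rules above before sending a request, and how to walk a full result window with limit/offset pagination. The wire format of the request and response is not specified on this page, so `send_query` is a hypothetical callable that takes a parameter dict and returns a list of row dicts; `fake_send_query` and `SAMPLE_ROWS` are constructed stand-ins so the code runs offline.

```python
"""Client-side validation and pagination for the common query parameters.

Added example; not the API's own client. `send_query` is a hypothetical
callable (dict of parameters -> list of rows) because the request/response
wire format is not documented on this page.
"""
from datetime import datetime, timezone
from typing import Callable, Iterator

LIMIT_MIN, LIMIT_MAX, LIMIT_DEFAULT = 1, 500, 100  # values from the parameter table


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp such as 2024-01-01T00:00:00Z."""
    if not value.endswith("Z"):
        raise ValueError(f"timestamp must be UTC with a trailing Z: {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def validate_common_params(params: dict) -> dict:
    """Apply the documented rules locally so invalid input never reaches the API.

    Returns a normalised copy with limit and offset defaults filled in.
    """
    for key in ("start_time", "end_time"):
        if key not in params:
            raise ValueError(f"{key} is mandatory")
    start = parse_timestamp(params["start_time"])
    end = parse_timestamp(params["end_time"])
    if not start < end:  # equal or reversed timestamps -> the API answers 400 Bad Request
        raise ValueError("start_time must be strictly before end_time")
    limit = int(params.get("limit", LIMIT_DEFAULT))
    if not LIMIT_MIN <= limit <= LIMIT_MAX:
        raise ValueError(f"limit must be between {LIMIT_MIN} and {LIMIT_MAX}")
    offset = int(params.get("offset", 0))
    if offset < 0:
        raise ValueError("offset must be zero or positive")
    return {**params, "limit": limit, "offset": offset}


def is_valid(params: dict) -> bool:
    """Boolean convenience wrapper around validate_common_params."""
    try:
        validate_common_params(params)
        return True
    except ValueError:
        return False


def paginate(send_query: Callable[[dict], list], params: dict) -> Iterator[dict]:
    """Yield every row in the window by advancing offset in steps of limit.

    Stops when a page comes back shorter than `limit`, which marks the last page.
    """
    params = validate_common_params(params)
    while True:
        page = send_query(params)
        yield from page
        if len(page) < params["limit"]:
            return
        params = {**params, "offset": params["offset"] + params["limit"]}


# Constructed sample: a fake backend of 7 rows to exercise pagination offline.
SAMPLE_ROWS = [
    {"at_timestamp": f"2024-01-01T00:0{i}:00Z", "client.ip": f"10.0.0.{i}"} for i in range(7)
]


def fake_send_query(params: dict) -> list:
    """Stand-in for the real API call: honours offset and limit over SAMPLE_ROWS."""
    return SAMPLE_ROWS[params["offset"]: params["offset"] + params["limit"]]


if __name__ == "__main__":
    window = {"start_time": "2024-01-01T00:00:00Z", "end_time": "2024-01-02T00:00:00Z", "limit": 3}
    for row in paginate(fake_send_query, window):
        print(row)
```

Validating locally does not replace the server's own 400 response; it just keeps obviously malformed windows (reversed timestamps, out-of-range limit) from ever being sent. The pagination loop stops on the first short page, so a caller never requests an offset past the end of the result set.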
observations-by-domain
Find observations associated with a specific domain name.
Query-specific parameters
| Parameter | Type | Mandatory | Can be array | Operators | Description |
|---|---|---|---|---|---|
| domain | string | Yes | Yes | EQ, IN, CONTAINS | The domain name to search for |
Default return columns
at_timestamp, related.domain, client.ip, client.port, server.ip, server.port, host.hostname, event.code, ad.event.origin.username, ad.event.title, event.outcome
observations-by-ip-address
Find observations associated with a specific IP address. Both client and server IPs are searched.
Query-specific parameters
| Parameter | Type | Mandatory | Can be array | Operators | Description |
|---|---|---|---|---|---|
| ip_address | string | Yes | Yes | EQ, IN, CONTAINS | The IP address to search for (IPv4 or IPv6) |
Default return columns
at_timestamp, client.ip, client.port, server.ip, server.port, host.hostname, event.code, ad.event.origin.username, ad.event.title, event.outcome
observations-by-user
Find observations associated with a specific user identifier.
Query-specific parameters
| Parameter | Type | Mandatory | Can be array | Operators | Description |
|---|---|---|---|---|---|
| user | string | Yes | No | EQ, IN, CONTAINS | The user identifier to search for |
| country | string | No | No | EQ, IN, CONTAINS | Filter by the country associated with the observation |
Default return columns
at_timestamp, related.user, related.country, client.ip, client.port, server.ip, server.port, host.hostname, event.code, ad.event.origin.username, ad.event.title, event.outcome
observations-by-login-status
Find observations filtered by login outcome. Use this query to investigate authentication events such as brute-force attempts or account lockouts.
Query-specific parameters
| Parameter | Type | Mandatory | Can be array | Operators | Description |
|---|---|---|---|---|---|
| login_status | string | Yes | Yes | EQ, IN, CONTAINS | The login outcome to filter on. Typical values: success, failure |
| user | string | No | Yes | EQ, IN, CONTAINS | Narrow results to a specific user identity |
| country | string | No | Yes | EQ, IN, CONTAINS | Narrow results to a specific country |
Default return columns
at_timestamp, related.login_status, related.user, related.country, client.ip, client.port, server.ip, server.port, host.hostname, event.code, ad.event.origin.username, ad.event.title, event.outcome
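As an added example (not part of this documentation), the script below triages rows returned by observations-by-login-status for the two cases the query description names: brute-force attempts (many failures from one source) and account lockouts (many failures against one user). The rows are constructed sample data shaped like a subset of the query's default return columns; the thresholds are assumptions to be tuned per environment.

```python
"""Triage rows returned by observations-by-login-status.

Added example, not part of the API documentation. SAMPLE_ROWS are constructed
and use a subset of the query's default return columns; FAILURE_THRESHOLD and
MIN_FAILURES_BEFORE_SUCCESS are assumed values, not documented limits.
"""
from collections import Counter

FAILURE_THRESHOLD = 5            # assumed: failures per source IP before flagging
MIN_FAILURES_BEFORE_SUCCESS = 3  # assumed: failures on a (user, ip) pair before a success is suspicious


def _row(ts, status, user, ip, country="DE"):
    """Build one constructed row using the query's default return column names."""
    return {
        "at_timestamp": ts,
        "related.login_status": status,
        "related.user": user,
        "related.country": country,
        "client.ip": ip,
        "server.ip": "10.0.0.5",
        "host.hostname": "vpn-gw01",
        "event.outcome": status,
    }


# Constructed sample: six failures then a success for alice from one IP,
# a single failure for bob from another IP, and a clean success for carol.
SAMPLE_ROWS = [
    _row("2024-01-01T10:00:00Z", "failure", "alice", "203.0.113.7"),
    _row("2024-01-01T10:00:05Z", "failure", "alice", "203.0.113.7"),
    _row("2024-01-01T10:00:10Z", "failure", "alice", "203.0.113.7"),
    _row("2024-01-01T10:00:15Z", "failure", "alice", "203.0.113.7"),
    _row("2024-01-01T10:00:20Z", "failure", "alice", "203.0.113.7"),
    _row("2024-01-01T10:00:25Z", "failure", "alice", "203.0.113.7"),
    _row("2024-01-01T10:00:30Z", "success", "alice", "203.0.113.7"),
    _row("2024-01-01T10:01:00Z", "failure", "bob", "198.51.100.4", country="US"),
    _row("2024-01-01T10:02:00Z", "success", "carol", "192.0.2.9"),
]


def failures_by_source(rows):
    """Count login failures per client.ip (brute-force signal)."""
    counts = Counter()
    for row in rows:
        if row["related.login_status"] == "failure":
            counts[row["client.ip"]] += 1
    return counts


def failures_by_user(rows):
    """Count login failures per related.user (lockout candidates)."""
    counts = Counter()
    for row in rows:
        if row["related.login_status"] == "failure":
            counts[row["related.user"]] += 1
    return counts


def flag_sources(rows, threshold=FAILURE_THRESHOLD):
    """Source IPs with at least `threshold` failures inside the query window."""
    return sorted(ip for ip, n in failures_by_source(rows).items() if n >= threshold)


def success_after_failures(rows, min_failures=MIN_FAILURES_BEFORE_SUCCESS):
    """(user, ip) pairs where a success followed at least `min_failures` failures.

    Rows are sorted by at_timestamp; ISO 8601 UTC strings sort correctly as text.
    """
    ordered = sorted(rows, key=lambda r: r["at_timestamp"])
    failures = Counter()
    hits = []
    for row in ordered:
        key = (row["related.user"], row["client.ip"])
        if row["related.login_status"] == "failure":
            failures[key] += 1
        elif row["related.login_status"] == "success":
            if failures[key] >= min_failures:
                hits.append(key)
            failures[key] = 0  # a success resets the streak for that pair
    return hits


if __name__ == "__main__":
    print("sources over threshold:", flag_sources(SAMPLE_ROWS))
    print("lockout candidates:", failures_by_user(SAMPLE_ROWS).most_common(3))
    print("success after failures:", success_after_failures(SAMPLE_ROWS))
```

Because end_time is exclusive and limit is capped at 500, a real investigation should feed this logic from a paginated pull over the full window; a count taken from a single truncated page will undercount.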
observations-by-hostname
Find observations associated with a specific host.
Query-specific parameters
| Parameter | Type | Mandatory | Can be array | Operators | Description |
|---|---|---|---|---|---|
| host_name | string | Yes | Yes | EQ, IN, CONTAINS | The hostname to search for |
Default return columns
at_timestamp, client.ip, client.port, server.ip, server.port, host.hostname, event.code, ad.event.origin.username, ad.event.title, event.outcome
observations-by-event-code
Find observations by their event code. Event codes identify the type of activity recorded in an observation.
Query-specific parameters
| Parameter | Type | Mandatory | Can be array | Operators | Description |
|---|---|---|---|---|---|
| event_code | string | Yes | Yes | EQ, IN, CONTAINS | The event code to search for |
Default return columns
at_timestamp, related.event_code, client.ip, client.port, server.ip, server.port, host.hostname, ad.event.origin.username, ad.event.title, event.outcome