Find Instances of Malicious Process Execution

Use the API to find examples of malicious communication.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.

In this topic:

Command line process execution
Renamed processes
Legitimate applications used for malicious purposes
Process opening a listening connection
Malicious script execution
Malicious services associated with a process

Command line process execution

Use this request to find examples of malicious process execution from a command line.

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath": [
                                                                    {
                                                                            "requestedType":"Process",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"commandLine",
                                                                                                            "values":["whoami"],
                                                                                                            "filterType":"ContainsIgnoreCase"
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                              ],
                                    "totalResultLimit":1000,
                                    "perGroupLimit":100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "elementDisplayName",
                                                                            "creationTime",
                                                                            "endTime",
                                                                            "commandLine",
                                                                            "isImageFileSignedAndVerified",
                                                                            "imageFile.maliciousClassificationType",
                                                                            "productType",
                                                                            "children",
                                                                            "parentProcess",
                                                                            "ownerMachine",
                                                                            "calculatedUser",
                                                                            "imageFile",
                                                                            "imageFile.sha1String",
                                                                            "imageFile.md5String",
                                                                            "imageFile.companyName",
                                                                            "imageFile.productName",
                                                                            "iconBase64",
                                                                            "ransomwareAutoRemediationSuspended",
                                                                            "executionPrevented",
                                                                            "isWhiteListClassification",
                                                                            "matchedWhiteListRuleIds"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "Process",
			            "filters": [
			                {
			                    "facetName": "commandLine",
			                    "values": [
			                        "whoami"
			                    ],
			                    "filterType": "ContainsIgnoreCase"
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "elementDisplayName",
			        "creationTime",
			        "endTime",
			        "commandLine",
			        "isImageFileSignedAndVerified",
			        "imageFile.maliciousClassificationType",
			        "productType",
			        "children",
			        "parentProcess",
			        "ownerMachine",
			        "calculatedUser",
			        "imageFile",
			        "imageFile.sha1String",
			        "imageFile.md5String",
			        "imageFile.companyName",
			        "imageFile.productName",
			        "iconBase64",
			        "ransomwareAutoRemediationSuspended",
			        "executionPrevented",
			        "isWhiteListClassification",
			        "matchedWhiteListRuleIds"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

endpoint_url = "/rest/visualsearch/query/simple"

# Request URL

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "Process"
query_element_1_filter = "commandLine"
query_element_1_filter_value = "whoami"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[query_element_1_filter_value],"filterType":"ContainsIgnoreCase"}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","creationTime","endTime","commandLine","isImageFileSignedAndVerified","imageFile.maliciousClassificationType","productType","children","parentProcess","ownerMachine","calculatedUser","imageFile","imageFile.sha1String","imageFile.md5String","imageFile.companyName","imageFile.productName","iconBase64","ransomwareAutoRemediationSuspended","executionPrevented","isWhiteListClassification","matchedWhiteListRuleIds"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Renamed processes

Use these queries to find examples of processes that have renamed files or binary files.

Query 1:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath": [
                                                                    {
                                                                            "requestedType":"Process",
                                                                            "filters":[],
                                                                            "connectionFeature": {
                                                                                                                            "elementInstanceType":"Process",
                                                                                                                            "featureName":"loadedModules"
                                                                                                                     }
                                                                    },
                                                                    {
                                                                            "requestedType":"Module",
                                                                            "filters":[],
                                                                            "connectionFeature": {
                                                                                                                            "elementInstanceType":"Module",
                                                                                                                            "featureName":"file"
                                                                                                                     }
                                                                    },
                                                                    {
                                                                            "requestedType":"File",
                                                                            "filters":[],
                                                                            "connectionFeature": {
                                                                                                                            "elementInstanceType":"File",
                                                                                                                            "featureName":"fileAccessEvents"
                                                                                                                     }
                                                                    },
                                                                    {
                                                                            "requestedType":"FileAccessEvent",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"fileEventType",
                                                                                                            "values": ["FET_RENAME"],
                                                                                                            "filterType":"Equals"
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                             ],
                                    "totalResultLimit":1000,
                                    "perGroupLimit":100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "elementDisplayName",
                                                                            "ownerProcess",
                                                                            "firstAccessTime",
                                                                            "fileEventType",
                                                                            "path",
                                                                            "newPath"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "Process",
			            "filters": [],
			            "connectionFeature": {
			                "elementInstanceType": "Process",
			                "featureName": "loadedModules"
			            }
			        },
			        {
			            "requestedType": "Module",
			            "filters": [],
			            "connectionFeature": {
			                "elementInstanceType": "Module",
			                "featureName": "file"
			            }
			        },
			        {
			            "requestedType": "File",
			            "filters": [],
			            "connectionFeature": {
			                "elementInstanceType": "File",
			                "featureName": "fileAccessEvents"
			            }
			        },
			        {
			            "requestedType": "FileAccessEvent",
			            "filters": [
			                {
			                    "facetName": "fileEventType",
			                    "values": [
			                        "FET_RENAME"
			                    ],
			                    "filterType": "Equals"
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "elementDisplayName",
			        "ownerProcess",
			        "firstAccessTime",
			        "fileEventType",
			        "path",
			        "newPath"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "nKnAJmBSF0i9"
server = "workshop.cybereason.net"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "/rest/visualsearch/query/simple"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "Process"
linking_element = "Process"
linking_feature = "loadedModules"
query_element_2 = "Module"
linking_element_2 = "Module"
linking_feature_2 = "file"
query_element_3 = "File"
linking_element_3 = "File"
linking_feature_3 = "fileAccessEvents"
query_element_4 = "FileAccessEvent"
query_element_4_filter = "fileEventType"
query_element_4_filter_value = "GET_RENAME"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[],"connectionFeature":{"elementInstanceType":linking_element,"featureName":linking_feature}},{"requestedType":query_element_2,"filters":[],"connectionFeature":{"elementInstanceType":linking_element_2,"featureName":linking_feature_2}},{"requestedType":query_element_3,"filters":[],"connectionFeature":{"elementInstanceType":linking_element_3,"featureName":linking_feature_3}},{"requestedType":query_element_4,"filters":[{"facetName":query_element_4_filter,"values":[query_element_4_filter_value],"filterType":"Equals"}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","ownerProcess","firstAccessTime","fileEventType","path","newPath"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Query 2:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath": [
                                                                    {
                                                                            "requestedType":"Process",
                                                                            "filters":[],
                                                                            "connectionFeature": {
                                                                                                                            "elementInstanceType":"Process",
                                                                                                                            "featureName":"loadedModules"
                                                                                                                     }
                                                                    },
                                                                    {
                                                                            "requestedType":"Module",
                                                                            "filters":[],
                                                                            "connectionFeature": {
                                                                                                                            "elementInstanceType":"Module",
                                                                                                                            "featureName":"file"
                                                                                                                     }
                                                                    },
                                                                    {
                                                                            "requestedType":"File",
                                                                            "filters":[],
                                                                            "connectionFeature": {
                                                                                                                            "elementInstanceType":"File",
                                                                                                                            "featureName":"fileAccessEvents"
                                                                                                                     }
                                                                    },
                                                                    {
                                                                            "requestedType":"FileAccessEvent",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"fileEventType",
                                                                                                            "values": ["FET_RENAME"],
                                                                                                            "filterType":"Equals"
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                             ],
                                    "totalResultLimit":1000,
                                    "perGroupLimit":100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "elementDisplayName",
                                                                            "ownerProcess",
                                                                            "firstAccessTime",
                                                                            "fileEventType",
                                                                            "path",
                                                                            "newPath"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "Process",
			            "filters": [],
			            "connectionFeature": {
			                "elementInstanceType": "Process",
			                "featureName": "imageFile"
			            }
			        },
			        {
			            "requestedType": "File",
			            "filters": [],
			            "connectionFeature": {
			                "elementInstanceType": "File",
			                "featureName": "fileAccessEvents"
			            }
			        },
			        {
			            "requestedType": "FileAccessEvent",
			            "filters": [
			                {
			                    "facetName": "fileEventType",
			                    "values": [
			                        "FET_RENAME"
			                    ],
			                    "filterType": "Equals"
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "elementDisplayName",
			        "ownerProcess",
			        "firstAccessTime",
			        "fileEventType",
			        "path",
			        "newPath"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "/rest/visualsearch/query/simple"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "Process"
linking_element = "Process"
linking_feature = "imageFile"
query_element_2 = "File"
linking_element_2 = "File"
linking_feature_2 = "fileAccessEvents"
query_element_3 = "FileAccessEvent"
query_element_3_filter = "fileEventType"
query_element_3_filter_value = "GET_RENAME"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[],"connectionFeature":{"elementInstanceType":linking_element,"featureName":linking_feature}},{"requestedType":query_element_2,"filters":[],"connectionFeature":{"elementInstanceType":linking_element_2,"featureName":linking_feature_2}},{"requestedType":query_element_3,"filters":[{"facetName":query_element_3_filter,"values":[query_element_3_filter_value],"filterType":"Equals"}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","ownerProcess","firstAccessTime","fileEventType","path","newPath"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Query 3:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath": [
                                                                    {
                                                                            "requestedType":"File",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"elementDisplayName",
                                                                                                            "values":["cmd.exe"],
                                                                                                            "filterType":"ContainsIgnoreCase"
                                                                                                    },
                                                                                                    {
                                                                                                            "facetName":"internalName",
                                                                                                            "values":["cmd"],
                                                                                                            "filterType":"ContainsIgnoreCase"
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                             ],
                                    "totalResultLimit": 1000,
                                    "perGroupLimit": 100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "ownerMachine",
                                                                            "avRemediationStatus",
                                                                            "isSigned",
                                                                            "signatureVerified",
                                                                            "sha1String",
                                                                            "maliciousClassificationType",
                                                                            "createdTime",
                                                                            "modifiedTime",
                                                                            "size",
                                                                            "correctedPath",
                                                                            "productName",
                                                                            "productVersion",
                                                                            "companyName",
                                                                            "internalName",
                                                                            "elementDisplayName"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "File",
			            "filters": [
			                {
			                    "facetName": "elementDisplayName",
			                    "values": [
			                        "cmd.exe"
			                    ],
			                    "filterType": "ContainsIgnoreCase"
			                },
			                {
			                    "facetName": "internalName",
			                    "values": [
			                        "cmd"
			                    ],
			                    "filterType": "ContainsIgnoreCase"
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "ownerMachine",
			        "avRemediationStatus",
			        "isSigned",
			        "signatureVerified",
			        "sha1String",
			        "maliciousClassificationType",
			        "createdTime",
			        "modifiedTime",
			        "size",
			        "correctedPath",
			        "productName",
			        "productVersion",
			        "companyName",
			        "internalName",
			        "elementDisplayName"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "/rest/visualsearch/query/simple"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "File"
query_element_1_filter = "elementDisplayName"
query_element_1_filter_value = "cmd.exe"
query_element_1_filter_2 = "internalName"
query_element_1_filter_2_value = "cmd"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[query_element_1_filter_value],"filterType":"ContainsIgnoreCase"},{"facetName":query_element_1_filter_2,"values":[query_element_1_filter_2_value],"filterType":"ContainsIgnoreCase"}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["ownerMachine","avRemediationStatus","isSigned","signatureVerified","sha1String","maliciousClassificationType","createdTime","modifiedTime","size","correctedPath","productName","productVersion","companyName","internalName","elementDisplayName"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Legitimate applications used for malicious purposes

Use these queries to find examples where legitimate applications (such as an operating system process) has been repurposed for malicious use.

Query 1:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath": [
                                                                    {
                                                                            "requestedType":"Process",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"maliciousUseOfWinOSProcessEvidence",
                                                                                                            "values":[true]
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                             ],
                                    "totalResultLimit":1000,
                                    "perGroupLimit":100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "elementDisplayName",
                                                                            "creationTime",
                                                                            "endTime",
                                                                            "commandLine",
                                                                            "isImageFileSignedAndVerified",
                                                                            "imageFile.maliciousClassificationType",
                                                                            "productType",
                                                                            "children",
                                                                            "parentProcess",
                                                                            "ownerMachine",
                                                                            "calculatedUser",
                                                                            "imageFile",
                                                                            "imageFile.sha1String",
                                                                            "imageFile.md5String",
                                                                            "imageFile.companyName",
                                                                            "imageFile.productName",
                                                                            "iconBase64",
                                                                            "ransomwareAutoRemediationSuspended",
                                                                            "executionPrevented",
                                                                            "isWhiteListClassification",
                                                                            "matchedWhiteListRuleIds"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "Process",
			            "filters": [
			                {
			                    "facetName": "maliciousUseOfWinOSProcessEvidence",
			                    "values": [
			                        true
			                    ]
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "elementDisplayName",
			        "creationTime",
			        "endTime",
			        "commandLine",
			        "isImageFileSignedAndVerified",
			        "imageFile.maliciousClassificationType",
			        "productType",
			        "children",
			        "parentProcess",
			        "ownerMachine",
			        "calculatedUser",
			        "imageFile",
			        "imageFile.sha1String",
			        "imageFile.md5String",
			        "imageFile.companyName",
			        "imageFile.productName",
			        "iconBase64",
			        "ransomwareAutoRemediationSuspended",
			        "executionPrevented",
			        "isWhiteListClassification",
			        "matchedWhiteListRuleIds"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "/rest/visualsearch/query/simple"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "Process"
query_element_1_filter = "maliciousUseOfWinOSProcessEvidence"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[True]}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","creationTime","endTime","commandLine","isImageFileSignedAndVerified","imageFile.maliciousClassificationType","productType","children","parentProcess","ownerMachine","calculatedUser","imageFile","imageFile.sha1String","imageFile.md5String","imageFile.companyName","imageFile.productName","iconBase64","ransomwareAutoRemediationSuspended","executionPrevented","isWhiteListClassification","matchedWhiteListRuleIds"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Query 2:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath": [
                                                                    {
                                                                            "requestedType":"Process",
                                                                            "filters":[],
                                                                            "connectionFeature": {
                                                                                                                            "elementInstanceType":"Process",
                                                                                                                            "featureName":"loadedModules"
                                                                                                                     }
                                                                    },
                                                                    {
                                                                            "requestedType":"Module",
                                                                            "filters":[],
                                                                            "connectionFeature": {
                                                                                                                            "elementInstanceType":"Module",
                                                                                                                            "featureName":"file"
                                                                                                                     }
                                                                    },
                                                                    {
                                                                            "requestedType":"File",
                                                                            "filters":[],
                                                                            "connectionFeature": {
                                                                                                                            "elementInstanceType":"File",
                                                                                                                            "featureName":"fileAccessEvents"
                                                                                                                     }
                                                                    },
                                                                    {
                                                                            "requestedType":"FileAccessEvent",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"fileEventType",
                                                                                                            "values": ["FET_RENAME"],
                                                                                                            "filterType":"Equals"
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                             ],
                                    "totalResultLimit":1000,
                                    "perGroupLimit":100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "elementDisplayName",
                                                                            "ownerProcess",
                                                                            "firstAccessTime",
                                                                            "fileEventType",
                                                                            "path",
                                                                            "newPath"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "Process",
			            "filters": [
			                {
			                    "facetName": "integrity",
			                    "values": [
			                        "PROTECTED",
			                        "SYSTEM"
			                    ],
			                    "filterType": "Equals"
			                },
			                {
			                    "facetName": "dualExtensionNameEvidence",
			                    "values": [
			                        true
			                    ]
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "elementDisplayName",
			        "creationTime",
			        "endTime",
			        "commandLine",
			        "isImageFileSignedAndVerified",
			        "imageFile.maliciousClassificationType",
			        "productType",
			        "children",
			        "parentProcess",
			        "ownerMachine",
			        "calculatedUser",
			        "imageFile",
			        "imageFile.sha1String",
			        "imageFile.md5String",
			        "imageFile.companyName",
			        "imageFile.productName",
			        "iconBase64",
			        "ransomwareAutoRemediationSuspended",
			        "executionPrevented",
			        "isWhiteListClassification",
			        "matchedWhiteListRuleIds"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "myserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "/rest/visualsearch/query/simple"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "Process"
query_element_1_filter = "integrity"
query_element_1_filter_value_1 = "PROTECTED"
query_element_1_filter_value_2 = "SYSTEM"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[query_element_1_filter_value_1,query_element_1_filter_value_2],"filterType":"Equals"},{"facetName":"dualExtensionNameEvidence","values":[True]}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","creationTime","endTime","commandLine","isImageFileSignedAndVerified","imageFile.maliciousClassificationType","productType","children","parentProcess","ownerMachine","calculatedUser","imageFile","imageFile.sha1String","imageFile.md5String","imageFile.companyName","imageFile.productName","iconBase64","ransomwareAutoRemediationSuspended","executionPrevented","isWhiteListClassification","matchedWhiteListRuleIds"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Process opening a listening connection

Use this request to find instances of a process opening a listening connection.

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath": [
                                                                    {
                                                                            "requestedType":"Process",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"hasListeningConnection",
                                                                                                            "values":[true]
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                             ],
                                    "totalResultLimit":1000,
                                    "perGroupLimit":100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "elementDisplayName",
                                                                            "creationTime",
                                                                            "endTime",
                                                                            "commandLine",
                                                                            "productType",
                                                                            "children",
                                                                            "parentProcess",
                                                                            "ownerMachine",
                                                                            "calculatedUser",
                                                                            "imageFile",
                                                                            "knownMalwareSuspicion",
                                                                            "hasListeningConnection",
                                                                            "scanningProcessSuspicion",
                                                                            "tid","iconBase64",
                                                                            "ransomwareAutoRemediationSuspended",
                                                                            "executionPrevented",
                                                                            "isWhiteListClassification",
                                                                            "matchedWhiteListRuleIds"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "Process",
			            "filters": [
			                {
			                    "facetName": "hasListeningConnection",
			                    "values": [
			                        true
			                    ]
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "elementDisplayName",
			        "creationTime",
			        "endTime",
			        "commandLine",
			        "productType",
			        "children",
			        "parentProcess",
			        "ownerMachine",
			        "calculatedUser",
			        "imageFile",
			        "knownMalwareSuspicion",
			        "hasListeningConnection",
			        "scanningProcessSuspicion",
			        "tid",
			        "iconBase64",
			        "ransomwareAutoRemediationSuspended",
			        "executionPrevented",
			        "isWhiteListClassification",
			        "matchedWhiteListRuleIds"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "/rest/visualsearch/query/simple"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "Process"
query_element_1_filter = "hasListeningConnection"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[True]}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","creationTime","endTime","commandLine","productType","children","parentProcess","ownerMachine","calculatedUser","imageFile","knownMalwareSuspicion","hasListeningConnection","scanningProcessSuspicion","tid","iconBase64","ransomwareAutoRemediationSuspended","executionPrevented","isWhiteListClassification","matchedWhiteListRuleIds"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Malicious script execution

Use these queries to find examples of a script running in an unexpected or malicious manner.

Query 1:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath":[
                                                                    {
                                                                            "requestedType":"Process",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"maliciousScriptDropperSuspicion",
                                                                                                            "values":[true]
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                            ],
                                    "totalResultLimit":1000,
                                    "perGroupLimit":100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "elementDisplayName",
                                                                            "creationTime",
                                                                            "endTime",
                                                                            "commandLine",
                                                                            "productType",
                                                                            "children",
                                                                            "parentProcess",
                                                                            "ownerMachine",
                                                                            "calculatedUser",
                                                                            "imageFile",
                                                                            "knownMalwareSuspicion",
                                                                            "hasListeningConnection",
                                                                            "scanningProcessSuspicion",
                                                                            "tid",
                                                                            "iconBase64",
                                                                            "ransomwareAutoRemediationSuspended",
                                                                            "executionPrevented",
                                                                            "isWhiteListClassification",
                                                                            "matchedWhiteListRuleIds"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "Process",
			            "filters": [
			                {
			                    "facetName": "maliciousScriptDropperSuspicion",
			                    "values": [
			                        true
			                    ]
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "elementDisplayName",
			        "creationTime",
			        "endTime",
			        "commandLine",
			        "productType",
			        "children",
			        "parentProcess",
			        "ownerMachine",
			        "calculatedUser",
			        "imageFile",
			        "knownMalwareSuspicion",
			        "hasListeningConnection",
			        "scanningProcessSuspicion",
			        "tid",
			        "iconBase64",
			        "ransomwareAutoRemediationSuspended",
			        "executionPrevented",
			        "isWhiteListClassification",
			        "matchedWhiteListRuleIds"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "/rest/visualsearch/query/simple"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "Process"
query_element_1_filter = "maliciousScriptDropperSuspicion"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[True]}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","creationTime","endTime","commandLine","productType","children","parentProcess","ownerMachine","calculatedUser","imageFile","knownMalwareSuspicion","hasListeningConnection","scanningProcessSuspicion","tid","iconBase64","ransomwareAutoRemediationSuspended","executionPrevented","isWhiteListClassification","matchedWhiteListRuleIds"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Query 2:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath":[
                                                                    {
                                                                            "requestedType":"Process",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"maliciousScriptExecutionEvidence",
                                                                                                            "values":[true]
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                            ],
                                    "totalResultLimit":1000,
                                    "perGroupLimit":100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "elementDisplayName",
                                                                            "creationTime","endTime",
                                                                            "commandLine",
                                                                            "productType",
                                                                            "children",
                                                                            "parentProcess",
                                                                            "ownerMachine",
                                                                            "calculatedUser",
                                                                            "imageFile",
                                                                            "knownMalwareSuspicion",
                                                                            "hasListeningConnection",
                                                                            "scanningProcessSuspicion",
                                                                            "tid",
                                                                            "iconBase64",
                                                                            "ransomwareAutoRemediationSuspended",
                                                                            "executionPrevented",
                                                                            "isWhiteListClassification",
                                                                            "matchedWhiteListRuleIds"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "Process",
			            "filters": [
			                {
			                    "facetName": "maliciousScriptExecutionEvidence",
			                    "values": [
			                        true
			                    ]
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "elementDisplayName",
			        "creationTime",
			        "endTime",
			        "commandLine",
			        "productType",
			        "children",
			        "parentProcess",
			        "ownerMachine",
			        "calculatedUser",
			        "imageFile",
			        "knownMalwareSuspicion",
			        "hasListeningConnection",
			        "scanningProcessSuspicion",
			        "tid",
			        "iconBase64",
			        "ransomwareAutoRemediationSuspended",
			        "executionPrevented",
			        "isWhiteListClassification",
			        "matchedWhiteListRuleIds"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "/rest/visualsearch/query/simple"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "Process"
query_element_1_filter = "maliciousScriptExecutionEvidence"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[True]}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["elementDisplayName","creationTime","endTime","commandLine","productType","children","parentProcess","ownerMachine","calculatedUser","imageFile","knownMalwareSuspicion","hasListeningConnection","scanningProcessSuspicion","tid","iconBase64","ransomwareAutoRemediationSuspended","executionPrevented","isWhiteListClassification","matchedWhiteListRuleIds"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Malicious services associated with a process

Use these queries to find evidence of malicious services associated with a process.

Query 1:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath": [
                                                                    {
                                                                            "requestedType":"Service",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"rareServiceEvidence",
                                                                                                            "values":[true]
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                              ],
                                    "totalResultLimit":1000,
                                    "perGroupLimit":100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "displayName",
                                                                            "description",
                                                                            "commandLineArguments",
                                                                            "binaryFile",
                                                                            "isActive",
                                                                            "startType",
                                                                            "ownerMachine",
                                                                            "process",
                                                                            "parentProcess",
                                                                            "elementDisplayName"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "Service",
			            "filters": [
			                {
			                    "facetName": "rareServiceEvidence",
			                    "values": [
			                        true
			                    ]
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "displayName",
			        "description",
			        "commandLineArguments",
			        "binaryFile",
			        "isActive",
			        "startType",
			        "ownerMachine",
			        "process",
			        "parentProcess",
			        "elementDisplayName"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "/rest/visualsearch/query/simple"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "Service"
query_element_1_filter = "rareServiceEvidence"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[True]}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["displayName","description","commandLineArguments","binaryFile","isActive","startType","ownerMachine","process","parentProcess","elementDisplayName"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Query 2:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath": [
                                                                    {
                                                                            "requestedType":"Service",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"rareActiveServiceEvidence",
                                                                                                            "values":[true]
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                              ],
                                    "totalResultLimit":1000,
                                    "perGroupLimit":100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "displayName",
                                                                            "description",
                                                                            "commandLineArguments",
                                                                            "binaryFile",
                                                                            "isActive",
                                                                            "startType",
                                                                            "ownerMachine",
                                                                            "process",
                                                                            "parentProcess",
                                                                            "elementDisplayName"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "Service",
			            "filters": [
			                {
			                    "facetName": "rareActiveServiceEvidence",
			                    "values": [
			                        true
			                    ]
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "displayName",
			        "description",
			        "commandLineArguments",
			        "binaryFile",
			        "isActive",
			        "startType",
			        "ownerMachine",
			        "process",
			        "parentProcess",
			        "elementDisplayName"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "/rest/visualsearch/query/simple"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "Service"
query_element_1_filter = "rareActiveServiceEvidence"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[True]}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["displayName","description","commandLineArguments","binaryFile","isActive","startType","ownerMachine","process","parentProcess","elementDisplayName"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Query 3:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath": [
                                                                    {
                                                                            "requestedType":"Service",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"rareStartTypeEvidence",
                                                                                                            "values":[true]
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                              ],
                                    "totalResultLimit":1000,
                                    "perGroupLimit":100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "displayName",
                                                                            "description",
                                                                            "commandLineArguments",
                                                                            "binaryFile",
                                                                            "isActive",
                                                                            "startType",
                                                                            "ownerMachine",
                                                                            "process",
                                                                            "parentProcess",
                                                                            "elementDisplayName"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "Service",
			            "filters": [
			                {
			                    "facetName": "rareStartTypeEvidence",
			                    "values": [
			                        true
			                    ]
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "displayName",
			        "description",
			        "commandLineArguments",
			        "binaryFile",
			        "isActive",
			        "startType",
			        "ownerMachine",
			        "process",
			        "parentProcess",
			        "elementDisplayName"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "/rest/visualsearch/query/simple"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "Service"
query_element_1_filter = "rareStartTypeEvidence"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[True]}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["displayName","description","commandLineArguments","binaryFile","isActive","startType","ownerMachine","process","parentProcess","elementDisplayName"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Query 4:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath": [
                                                                    {
                                                                            "requestedType":"Service",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"binaryFileChangedEvidence",
                                                                                                            "values":[true]
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                              ],
                                    "totalResultLimit":1000,
                                    "perGroupLimit":100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "displayName",
                                                                            "description",
                                                                            "commandLineArguments",
                                                                            "binaryFile",
                                                                            "isActive",
                                                                            "startType",
                                                                            "ownerMachine",
                                                                            "process",
                                                                            "parentProcess",
                                                                            "elementDisplayName"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "Service",
			            "filters": [
			                {
			                    "facetName": "binaryFileChangedEvidence",
			                    "values": [
			                        true
			                    ]
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "displayName",
			        "description",
			        "commandLineArguments",
			        "binaryFile",
			        "isActive",
			        "startType",
			        "ownerMachine",
			        "process",
			        "parentProcess",
			        "elementDisplayName"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "/rest/visualsearch/query/simple"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "Service"
query_element_1_filter = "binaryFileChangedEvidence"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[True]}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["displayName","description","commandLineArguments","binaryFile","isActive","startType","ownerMachine","process","parentProcess","elementDisplayName"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))

Query 5:

Request

curl --request POST \
     --url https://12.34.56.78/rest/visualsearch/query/simple \
     --header 'Content-Type: application/json' \
     --data '{
                                    "queryPath": [
                                                                    {
                                                                            "requestedType":"Service",
                                                                            "filters": [
                                                                                                    {
                                                                                                            "facetName":"serviceStartNameChangedEvidence",
                                                                                                            "values":[true]
                                                                                                    }
                                                                                               ],
                                                                            "isResult":true
                                                                    }
                                                              ],
                                    "totalResultLimit":1000,
                                    "perGroupLimit":100,
                                    "perFeatureLimit":100,
                                    "templateContext":"SPECIFIC",
                                    "queryTimeout":120000,
                                    "customFields": [
                                                                            "displayName",
                                                                            "description",
                                                                            "commandLineArguments",
                                                                            "binaryFile",
                                                                            "isActive",
                                                                            "startType",
                                                                            "ownerMachine",
                                                                            "process",
                                                                            "parentProcess",
                                                                            "elementDisplayName"
                                                                    ]
                            }'

Request

Use this request body:

{
			    "queryPath": [
			        {
			            "requestedType": "Service",
			            "filters": [
			                {
			                    "facetName": "serviceStartNameChangedEvidence",
			                    "values": [
			                        true
			                    ]
			                }
			            ],
			            "isResult": true
			        }
			    ],
			    "totalResultLimit": 1000,
			    "perGroupLimit": 100,
			    "perFeatureLimit": 100,
			    "templateContext": "SPECIFIC",
			    "queryTimeout": 120000,
			    "customFields": [
			        "displayName",
			        "description",
			        "commandLineArguments",
			        "binaryFile",
			        "isActive",
			        "startType",
			        "ownerMachine",
			        "process",
			        "parentProcess",
			        "elementDisplayName"
			    ]
			}

Request

Download Python script

Depending on your browser settings, this linked file may open in a separate tab instead of downloading directly to your machine. If this happens, use the Save As option in your browser to save the file locally.

import requests
import json

# Login information

username = "[email protected]"
password = "mypassword"
server = "yourserver.com"
port = "443"

data = {
    "username": username,
    "password": password
}

headers = {"Content-Type": "application/json"}

base_url = "https://" + server + ":" + port

login_url = base_url + "/login.html"

session = requests.session()

login_response = session.post(login_url, data=data, verify=True)

print (login_response.status_code)
print (session.cookies.items())

# Request URL

endpoint_url = "/rest/visualsearch/query/simple"

api_url = base_url + endpoint_url

# These are the variables that represent different fields in the request.

query_element_1 = "Service"
query_element_1_filter = "serviceStartNameChangedEvidence"

query = json.dumps({"queryPath":[{"requestedType":query_element_1,"filters":[{"facetName":query_element_1_filter,"values":[True]}],"isResult":True}],"totalResultLimit":1000,"perGroupLimit":100,"perFeatureLimit":100,"templateContext":"SPECIFIC","queryTimeout":120000,"customFields":["displayName","description","commandLineArguments","binaryFile","isActive","startType","ownerMachine","process","parentProcess","elementDisplayName"]})

api_headers = {'Content-Type':'application/json'}

api_response = session.request("POST", api_url, data=query, headers=api_headers)

your_response = json.loads(api_response.content)

print(json.dumps(your_response, indent=4, sort_keys=True))