Build a Query Request

The query request for an investigation query requires you to specify the following objects and keys:

  • The Elements to use in the query

  • Features (filters) for these Elements

  • Related Features for the query Element about which to view details in the response

You add the relevant details in the various fields to customize your request.

Request body syntax

The following template example shows the full syntax for the query request body.

{
          "queryPath":
                      [
                        {
                          "requestedType": "<First Element>",
                          "filters": [
                                      {
                                        "facetName": "<First Feature>",
                                        "values": [
                                                    "<value>",
                                                    "<value>",
                                                    "<value>"
                                                  ],
                                        "filterType": "<operator>"
                                      },
                                      {
                                        "facetName": "<Second Feature>",
                                        "values": [
                                                    "<value>",
                                                    "<value>",
                                                    "<value>"
                                                  ],
                                        "filterType": "<operator>"
                                      }
                                     ],
                          "connectionFeature": {
                                                "elementInstanceType": "<Element for Connecting Feature>",
                                                "featureName": "<Connecting Feature>"
                                               },
                          "isResult": "<Boolean value>",
                          "isReversed": "<Boolean value>"
                        },
                        {
                          "requestedType": "<Second Element>",
                          "filters": [
                                      {
                                        "facetName": "<Feature>",
                                        "values": [
                                                    "<value>",
                                                    "<value>",
                                                    "<value>"
                                                  ],
                                        "filterType": "<value>"
                                      }
                                     ],
                          "isResult": "<Boolean value>",
                          "isReversed": "<Boolean value>"
                        }
                      ],
        "templateContext": "<value>",
        "totalResultLimit": "1000",
        "perGroupLimit": "100",
        "perFeatureLimit": "100",
        "queryTimeout": "12000",
        "customFields": [
                          "<field name>",
                          "<field name>",
                          "<field name>"
                        ]
      }

The request body contains the following:

queryPath object

This object is the container for the query (the Elements and Features).

requestedType key

This key is where you identify the Elements in the query.

The request body of your query can contain multiple requestedType keys.

filters object

This object contains the filters for an Element.

Inside each filters object, you add keys for:

  • facetName: The Feature by which to filter.

  • values: The values for the Feature to use.

  • filterType: The operator for the Feature.

You can view all the possible Features to use, the type of Feature, and the potential values in the Query Elements and Features topic.

connectionFeature object

If your query contains more than one Element, this object contains details on the Feature that connects the Elements. Many Elements in the Cybereason CMC engine have Features that are actually references to data in other Elements.

In the connectionFeature object, you provide the following keys:

  1. The elementInstanceType key indicates the Element for the connecting Feature.

  2. The featureName key identifies which Feature connects the Elements.

isResult key

This key indicates the target Element for the query. You can add the isResult key to any Element in the query. The request body can only contain one isResult key.

templateContext key

This field enables you to specify the overall level of detail in the response. For more information on how to use this field, see Customize Query Response Fields.

customFields object

This object enables you to add related Features for the target Element about which you would like to see additional details.

For more details on how to use this object, see Customize Query Response Fields.

Build the request body

To build the request body, follow these steps:

  1. In the request body, in the queryPath object, locate the requestedType key. This is the key for the first Element in your query.

  2. In the first requestedType key, add the first Element.

    To see the list of names for each Element, see Query Elements and Features.

  3. Below the requestedType key, locate the filters object. This object contains the details on the Features you use to filter the Element.

  4. In the filters object, in the facetName key, add the Feature by which you want to filter.

    For a list of Features you can use per Element, see Query Elements and Features.

  5. Below the facetName key, in the values array, enter the values you can use for the Feature you selected in the facetName key.

    For a list of values you need to provide for each Feature, see Query Elements and Features.

  6. Below the values array, in the filterType key, add the operator for the Feature added in the facetName key. The type of operator depends on the type for the selected Feature.

    For a list of types for each Feature, see Query Elements and Features.

  7. If your query contains more than one Element, in the connectionFeature object, for the elementInstanceType key, add the Element which contains the Feature to connect the first Element to another Element.

    For details on how to build the parts of the request body to connect Elements in a query, see Use Multiple Elements in a Query.

    If you only have a single Element in the query, this step is not necessary.

  8. Below the elementInstanceType key, in the featureName key, add the Feature that connects Elements.

    For a list of Features available to connect Elements, see Use Multiple Elements in a Query.

    If the query has only one Element, this step is not necessary.

  9. For the Element which is the target Element of your query, add the "isResult": true key/value pair.

    If the query has only one Element, you add the isResult key parallel to the filters object in the Element. If the query has multiple Elements, you must add this key parallel to the filters object in the part of the request body for the target Element.

  10. In the customFields object, add the Features related to the target Element (the Element with the "isResult": true key/value pair) about which you want to see data in the response. You can add any Feature for the target Element.

    For a list of available Features for each Element, see Query Elements and Features.
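
The procedure above, carried through as an added Python example (not Cybereason's own code): it builds a two-Element request body and checks it against the rules this page states before it is sent. The helper names and the Element, Feature, operator and templateContext values (Machine, Process, elementDisplayName, ContainsIgnoreCase, processes, SPECIFIC) are sample values assumed for illustration; take the real names from Query Elements and Features.

```python
import json

FILTER_KEYS = {"facetName", "values", "filterType"}
CONNECTION_KEYS = {"elementInstanceType", "featureName"}

def element(requested_type, filters=(), connection=None, is_result=False):
    """Build one queryPath entry (steps 1-9); helper name is hypothetical."""
    entry = {"requestedType": requested_type, "filters": list(filters)}
    if connection:  # (Element holding the connecting Feature, Feature name)
        entry["connectionFeature"] = {"elementInstanceType": connection[0],
                                      "featureName": connection[1]}
    if is_result:
        entry["isResult"] = True  # JSON boolean, not the string "true"
    return entry

def validate(body):
    """Return the problems found when checking body against this page's rules."""
    path = body.get("queryPath") or []
    problems = [] if path else ["queryPath is empty"]
    for i, el in enumerate(path):
        if not el.get("requestedType"):
            problems.append(f"element {i}: missing requestedType")
        for j, flt in enumerate(el.get("filters", [])):
            missing = FILTER_KEYS - flt.keys()
            if missing:
                problems.append(f"element {i} filter {j}: missing {sorted(missing)}")
            elif not isinstance(flt["values"], list):
                problems.append(f"element {i} filter {j}: values must be an array")
        # As in the template, each Element before the last names its connection.
        conn = el.get("connectionFeature") or {}
        if i < len(path) - 1 and CONNECTION_KEYS - conn.keys():
            problems.append(f"element {i}: incomplete connectionFeature")
    targets = sum(1 for el in path if el.get("isResult") is True)
    if targets != 1:
        problems.append(f"expected one isResult target, found {targets}")
    return problems

def build_sample_query():
    """Constructed sample: processes named like powershell on one machine."""
    by_name = lambda v: {"facetName": "elementDisplayName", "values": [v],
                         "filterType": "ContainsIgnoreCase"}
    return {"queryPath": [element("Machine", [by_name("ws-042")],
                                  connection=("Machine", "processes")),
                          element("Process", [by_name("powershell")], is_result=True)],
            "templateContext": "SPECIFIC", "totalResultLimit": 1000,
            "perGroupLimit": 100, "perFeatureLimit": 100, "queryTimeout": 12000,
            "customFields": ["elementDisplayName"]}

if __name__ == "__main__":
    body = build_sample_query()
    print(validate(body) or json.dumps(body, indent=2))
```

Running `validate` on a hand-edited body catches the mistakes the template invites, such as a quoted `"true"` for isResult or a first Element with no connectionFeature.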

Note

You can quickly create the request body by setting up the query in the Investigation screen, and then viewing the request body in the Chrome developer tools window (in the Network tab). Run the query in the Investigation screen and then copy the JSON request body shown there to use as your request body.