View the Query Response

When you send a query request, the response returns the results that match the Feature filters in the request. Each result has its own results instance object in the response body.

Query response syntax

The query response contains these objects and key/value pairs:

{
  "data": {
    "resultIdToElementDataMap": {
      "<result instance GUID>": {
        "simpleValues": {
          "<Feature>": {
            "totalValues": "<value>",
            "values": [
              "<value>",
              "<value>"
            ]
          }
        },
        "elementValues": {
          "<Element>": {
            "totalValues": "<value>",
            "elementValue": {
              "elementType": "<Element type>",
              "name": "<name>",
              "guid": "<ID value>",
              "hasSuspicions": "<boolean>",
              "hasMalops": "<boolean>"
            },
            "totalSuspicious": "<value>",
            "totalMalicious": "<value>"
          }
        },
        "suspicions": {
          "<suspicion name>": "<timestamp>"
        },
        "filterData": {
          "sortInGroupValue": "<value>",
          "groupByValue": "<value>"
        },
        "suspicionCount": "<number>",
        "isMalicious": "<boolean>",
        "guidString": "<guid for result>",
        "labelIds": "<value>",
        "malopPriority": "<value>"
      }
    },
    "suspicionsMap": {
      "<suspicion name>": {
        "potentialEvidence": [
          "<evidence>",
          "<evidence>"
        ],
        "firstTimestamp": "<timestamp>",
        "totalSuspicions": "<number of suspicions>"
      }
    },
    "evidenceMap": "<evidence>",
    "totalPossibleResults": "<value>",
    "queryLimits": "<value>",
    "queryTerminated": "<boolean>",
    "pathResultCounts": [
      {
        "count": "<value>",
        "featureDescriptor": {
          "elementInstanceType": "<element type>",
          "featureName": "<feature name>"
        }
      }
    ]
  },
  "status": "<status>",
  "message": "<message>"
}

Focus on these parts of the query response:

<result instance GUID>

The unique GUID the Cybereason platform assigns the result instance. This GUID is typically a multi-digit number.

simpleValues object

An object containing details about each of the requested Features for the target Element of the query. The Features listed in the simpleValues object correspond to the fields added in the customFields object in the request.

For details on the specific fields in the object, see simpleValues Object.

elementValues object

An object containing details about Elements related to the requested Element in the request body.

For details on the specific fields in the object, see elementValues Object.

suspicions

A list of suspicion names and suspicion GUIDs for suspicions associated with the requested Element.

For details on the specific fields in the object, see suspicions Object.

suspicionCount key

The number of suspicions associated with the specified instance.

guidString key

The unique GUIDs assigned by the Cybereason platform for the results.

suspicionsMap object

An object containing summary information for each of the suspicions related to the target Element.

For details on the specific fields in the object, see suspicionsMap Object.

evidenceMap object

An object containing summary information for each piece of evidence related to the target Element. The information returned depends on the value you enter in the templateContext field of the request body.

Read the query response

To use the query response body, follow these steps:

  1. In the response body, immediately after the resultIdToElementDataMap object, find a results instance object whose label is the numerical GUID for the specific Element results instance. The GUID usually has more than 20 digits.


    Depending on your query, the response body might contain many GUIDs.

  2. In the results instance object that has the GUID that represents the element, find the simpleValues object. This object contains the information on related Features for the target Element of the query. You added this information in the customFields object in the query request.


    For example, if you add Features such as commandLine, creationTime, pid, and so forth (to a query for a Process Element), the response contains separate entries inside the simpleValues object for each Feature.

    The different Feature values in the simpleValues object.

  3. In the object for each unique Feature, view the totalValues key, which shows the total number of values for each requested Feature, and the values key, which shows the values that the response returned for the Feature.


  4. Below the simpleValues object, locate the elementValues object. This object contains details on related Elements (processes, machines, and users). View the elementType, guid, and name for each Element included in the elementValues object.


  5. Below the elementValues object, locate the suspicions object to view any suspicions associated with the specific Element result instance. Each suspicions object contains a unique suspicion ID and the suspicion name that the Cybereason platform uses.

  6. Toward the end of the response, find the suspicionsMap object. This object contains the suspicions and evidence tree associated with any suspicion found for the current Element. View the potential evidence for each suspicion and the number of instances of this evidence.
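The steps above describe reading the response by eye. The following added example, which is not part of the Cybereason documentation or SDK, walks the same structure programmatically: it parses a constructed sample response, summarizes each results instance (simpleValues, elementValues, suspicions, suspicionCount, isMalicious), joins suspicion names back to the potentialEvidence recorded in suspicionsMap, and surfaces totalPossibleResults and queryTerminated so a caller can tell whether the result set may be incomplete. The sample GUIDs, names, suspicion and evidence labels are placeholders, and the code assumes that suspicionsMap, totalPossibleResults and queryTerminated sit alongside resultIdToElementDataMap under data; it tolerates elementValue being either one object (as the syntax above shows) or a list.

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample query response (not captured from a real Cybereason server).
# All GUIDs, names, timestamps, suspicion and evidence labels are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "resultIdToElementDataMap": {
            "-1234567890123456789": {
                "simpleValues": {
                    "elementDisplayName": {"totalValues": 1, "values": ["example.exe"]},
                    "commandLine": {"totalValues": 1, "values": ["example.exe --flag"]},
                    "pid": {"totalValues": 1, "values": ["4242"]},
                },
                "elementValues": {
                    "ownerMachine": {
                        "totalValues": 1,
                        "elementValue": {"elementType": "Machine", "name": "WS-EXAMPLE-01",
                                         "guid": "-9876543210987654321",
                                         "hasSuspicions": True, "hasMalops": False},
                        "totalSuspicious": 1, "totalMalicious": 0,
                    }
                },
                "suspicions": {"exampleSuspicion": 1700000000000},
                "suspicionCount": 1,
                "isMalicious": False,
                "guidString": "-1234567890123456789",
            },
            "-2222222222222222222": {
                "simpleValues": {
                    "elementDisplayName": {"totalValues": 1, "values": ["benign.exe"]},
                    "pid": {"totalValues": 1, "values": ["812"]},
                },
                "elementValues": {},
                "suspicions": {},
                "suspicionCount": 0,
                "isMalicious": False,
                "guidString": "-2222222222222222222",
            },
        },
        "suspicionsMap": {
            "exampleSuspicion": {"potentialEvidence": ["exampleEvidence"],
                                 "firstTimestamp": 1700000000000, "totalSuspicions": 1}
        },
        "evidenceMap": {},
        "totalPossibleResults": 2,
        "queryLimits": {"totalResultLimit": 1000},   # placeholder limits object
        "queryTerminated": False,
    },
    "status": "SUCCESS",
    "message": "",
})


def summarize_result(guid: str, entry: dict) -> dict:
    """Flatten one results instance (step 2 to step 5 above) into a small dict."""
    features = {name: fv.get("values", []) for name, fv in entry.get("simpleValues", {}).items()}
    related = []
    for relation, rel in entry.get("elementValues", {}).items():
        ev = rel.get("elementValue")
        # Assumption: tolerate a list here even though the syntax shows a single object.
        items = ev if isinstance(ev, list) else ([ev] if ev else [])
        for item in items:
            related.append({"relation": relation, "elementType": item.get("elementType"),
                            "name": item.get("name"), "guid": item.get("guid"),
                            "hasSuspicions": bool(item.get("hasSuspicions"))})
    return {
        "guid": guid,
        "features": features,
        "related": related,
        "suspicions": sorted(entry.get("suspicions", {})),
        "suspicionCount": int(entry.get("suspicionCount", 0) or 0),
        "isMalicious": bool(entry.get("isMalicious", False)),
    }


def parse_response(raw: str) -> dict[str, Any]:
    """Parse a query response body; raises ValueError when status is not SUCCESS."""
    body = json.loads(raw)
    if body.get("status") != "SUCCESS":
        raise ValueError(f"query failed: {body.get('status')}: {body.get('message')}")
    data = body["data"]
    results = []
    for guid, entry in data["resultIdToElementDataMap"].items():
        # Only results instances carry a simpleValues object; skip anything else.
        if isinstance(entry, dict) and "simpleValues" in entry:
            results.append(summarize_result(guid, entry))
    return {
        "results": results,
        "suspicions_map": data.get("suspicionsMap", {}),
        "total_possible": data.get("totalPossibleResults", len(results)),
        "terminated": bool(data.get("queryTerminated", False)),
    }


def flagged_results(parsed: dict) -> list[dict]:
    """Results instances that carry suspicions or are marked malicious."""
    return [r for r in parsed["results"] if r["isMalicious"] or r["suspicionCount"] > 0]


def evidence_for(parsed: dict, suspicion: str) -> list[str]:
    """potentialEvidence names recorded in suspicionsMap for a suspicion (step 6)."""
    return list(parsed["suspicions_map"].get(suspicion, {}).get("potentialEvidence", []))


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print(f"{len(parsed['results'])} of {parsed['total_possible']} possible results; "
          f"terminated={parsed['terminated']}")
    for r in flagged_results(parsed):
        name = r["features"].get("elementDisplayName", ["?"])[0]
        print(f"  {name} (guid {r['guid']}): suspicions={r['suspicions']}")
        for s in r["suspicions"]:
            print(f"    {s}: evidence {evidence_for(parsed, s)}")
```

Comparing the number of returned results instances with totalPossibleResults, and checking queryTerminated, is the cheap way to notice that a query hit its limits and that the result set should not be treated as complete; the parser surfaces both rather than silently iterating whatever came back.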