View the Query Response
When you send a query request, the response returns results that match Feature filters. Each result has its own separate results instance in the response details.
Query response syntax
The query response contains these objects and key/value pairs:
{
  "data": {
    "resultIdToElementDataMap": {
      "<value>": {
        "simpleValues": {
          "<Feature>": {
            "totalValues": "<value>",
            "values": [
              "<value>",
              "<value>"
            ]
          }
        },
        "elementValues": {
          "<Element>": {
            "totalValues": "<value>",
            "elementValue": {
              "elementType": "<element type>",
              "name": "<name>",
              "guid": "<ID value>",
              "hasSuspicions": "<boolean>",
              "hasMalops": "<boolean>"
            },
            "totalSuspicious": "<value>",
            "totalMalicious": "<value>"
          }
        },
        "suspicions": {
          "<suspicion name>": "<timestamp>"
        },
        "filterData": {
          "sortInGroupValue": "<value>",
          "groupByValue": "<value>"
        },
        "suspicionCount": "<number>",
        "isMalicious": "<boolean>",
        "guidString": "<guid for result>",
        "labelIds": "<value>",
        "malopPriority": "<value>"
      }
    },
    "suspicionsMap": {
      "<suspicion name>": {
        "potentialEvidence": [
          "<evidence>",
          "<evidence>"
        ],
        "firstTimestamp": "<timestamp>",
        "totalSuspicions": "<number of suspicions>"
      }
    },
    "evidenceMap": "<evidence>",
    "totalPossibleResults": "<value>",
    "queryLimits": "<value>",
    "queryTerminated": "<boolean>",
    "pathResultCounts": [
      {
        "count": "<value>",
        "featureDescriptor": {
          "elementInstanceType": "<element type>",
          "featureName": "<feature name>"
        }
      }
    ]
  },
  "status": "<status>",
  "message": "<message>"
}
Focus on these parts of the query response:
<result instance GUID> | The unique GUID the Cybereason platform assigns the result instance. This GUID is typically a multi-digit number.
simpleValues object | An object containing details about each of the requested Features for the target Element of the query. The Features listed in the simpleValues object correspond to the fields added in the customFields object in the request. For details on the specific fields in the object, see simpleValues Object.
elementValues object | An object containing details about Elements related to the requested Element in the request body. For details on the specific fields in the object, see elementValues Object.
suspicions object | A list of suspicion names and suspicion GUIDs for suspicions associated with the requested Element. For details on the specific fields in the object, see suspicions Object.
suspicionCount key | The number of suspicions associated with the specified instance.
guidString key | The unique GUIDs assigned by the Cybereason platform for the results.
suspicionsMap object | An object containing summary information for each of the suspicions related to the target Element. For details on the specific fields in the object, see suspicionsMap Object.
evidenceMap object | An object containing summary information for each piece of evidence related to the target Element. The information displayed depends on the value you enter in the templateContext field of the request body.
Read the query response
To use the query response body, follow these steps:
1. In the response body, immediately after the resultIdToElementDataMap object, find a results instance object whose label is the numerical GUID for the specific Element results instance. The GUID usually has more than 20 digits.
   Depending on your query, the response body might contain many GUIDs.
2. In the results instance object that has the GUID that represents the element, find the simpleValues object. This object contains the information on related Features for the target Element of the query. You added this information in the customFields object in the query request.
   For example, if you add Features such as commandLine, creationTime, pid, and so forth (to a query for a Process Element), the response contains separate entries inside the simpleValues object for each Feature.
3. In the object for each unique Feature, view the totalValues key, which shows the total number of values for each requested Feature, and the values key, which shows the values that the response returned for the Feature.
4. Below the simpleValues object, locate the elementValues object. This object contains details on related Elements (processes, machines, and users). View the elementType, guid, and name for each Element included in the elementValues object.
5. Below the elementValues object, locate the suspicions object to view any suspicions associated with the specific Element result instance. Each suspicions object contains a unique suspicion ID and the suspicion name that the Cybereason platform uses.
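The steps above, carried out in code: this added Python example (not part of the original documentation or the Cybereason SDK) walks resultIdToElementDataMap, pulls the simpleValues, elementValues and suspicions out of each result instance, skips instances below a suspicion threshold, and reports whether queryTerminated flagged a partial result set. The sample response, its GUID, feature value and suspicion name are constructed, the key is assumed to be spelled suspicionCount as in the table above, and queryTerminated is read as a sibling of resultIdToElementDataMap under data.

```python
import json

# Constructed sample response in the shape documented above; the GUID, feature
# value and suspicion name are placeholders, not data from a live server.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "resultIdToElementDataMap": {
            "1234567890123456789012": {
                "simpleValues": {
                    "commandLine": {"totalValues": 1, "values": ["example.exe --arg"]},
                },
                "elementValues": {
                    "ownerMachine": {
                        "totalValues": 1,
                        "elementValue": {"elementType": "Machine", "name": "host-01",
                                         "guid": "-987654321", "hasSuspicions": True},
                    },
                },
                "suspicions": {"exampleSuspicion": 1700000000000},
                "suspicionCount": 1,
                "isMalicious": False,
                "guidString": "1234567890123456789012",
            },
        },
        "queryTerminated": False,
    },
    "status": "SUCCESS",
})

def summarize_results(raw_response, min_suspicions=1):
    """Summarize each result instance carrying at least min_suspicions suspicions."""
    body = json.loads(raw_response)
    if body.get("status") != "SUCCESS":
        raise ValueError(f"query failed: {body.get('status')}: {body.get('message')}")
    data = body["data"]
    results = []
    for result_guid, result in data["resultIdToElementDataMap"].items():
        if result.get("suspicionCount", 0) < min_suspicions:
            continue
        results.append({
            "guid": result_guid,
            "isMalicious": bool(result.get("isMalicious", False)),
            "suspicions": sorted(result.get("suspicions", {})),  # names only
            "features": {k: v["values"] for k, v in result.get("simpleValues", {}).items()},
            "related": [(rel, e["elementValue"]["elementType"], e["elementValue"]["name"])
                        for rel, e in result.get("elementValues", {}).items()],
        })
    # A terminated query returned a partial result set; surface that to the caller.
    return {"truncated": bool(data.get("queryTerminated", False)), "results": results}
```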