Limit Results in the Response

To help optimize query performance, the API provides the ability to set limits on the data returned in a response. You can add a limit on two different levels:

  • total number of results

  • group limit

The total results limit restricts the total number of results.

Group limits include three settings:

  • Limit per group

  • Limit of maximum groups

  • Grouping feature

The group limit, by contrast, ensures diversity of results. For example, consider a situation where a setup has 1 million processes. Of these 1 million, 200,000 are chrome.exe, and 800,000 are other processes. A search on all the processes with a total limit of 10,000 might produce results that contain only chrome.exe. This would hide results from the other processes. By setting the group limit (such as 100 processes per process name), you ensure that you see a sample of all results. In the example, if you set the group limit to 100 processes per process name, no more than 100 of the 10,000 results are chrome.exe. This enables Cybereason to display results from other processes.
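The effect described above can be reproduced with a small local model. This is an added example, not Cybereason code: it assumes rows arrive with the chrome.exe rows first, and the function names, the 400 placeholder process names, and the filtering logic are constructed for illustration and do not describe how the server applies limits.

```python
from collections import Counter
from itertools import chain

MAX_PER_GROUP_LIMIT = 1000  # maximum the page states for perGroupLimit


def constructed_processes():
    """Constructed sample: 200,000 chrome.exe rows, then 800,000 other rows."""
    chrome = ("chrome.exe" for _ in range(200_000))
    # 400 placeholder process names, invented for this example.
    others = (f"proc_{i % 400}.exe" for i in range(800_000))
    return chain(chrome, others)


def apply_limits(names, total_result_limit, per_group_limit=None):
    """Local model of totalResultLimit and perGroupLimit, grouped by name.

    Assumption: rows are taken in arrival order until the total is reached.
    Returns a Counter of how many rows were kept per process name.
    """
    if per_group_limit is not None and per_group_limit > MAX_PER_GROUP_LIMIT:
        raise ValueError("perGroupLimit cannot exceed 1000")
    kept, total = Counter(), 0
    for name in names:
        if total >= total_result_limit:
            break
        if per_group_limit is not None and kept[name] >= per_group_limit:
            continue  # this group is full; leave room for other groups
        kept[name] += 1
        total += 1
    return kept


if __name__ == "__main__":
    total_only = apply_limits(constructed_processes(), 10_000)
    grouped = apply_limits(constructed_processes(), 10_000, per_group_limit=100)
    print("total limit only:", len(total_only), "process name(s)")
    print("with group limit:", len(grouped), "process names,",
          grouped["chrome.exe"], "of them chrome.exe rows")
```

With only the total limit, every kept row in this model is chrome.exe; with the group limit, chrome.exe is capped at 100 rows and the remaining rows come from the other process names.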

To add limits, do the following:

  1. Parallel to the queryPath object, add a totalResultLimit parameter. Provide an integer value for the total number of results to include in the response.

  2. Parallel to the totalResultLimit parameter, if you want to limit a specific number of results for a group, add a perGroupLimit parameter. Provide an integer value for the total number of results for the group.

    In versions 20.1.381 and later, the default value for this field is 100. The maximum value for this field is 1000.

  3. If you want to group the results by a specific Feature of an Element, parallel to the other parameters, add a groupingFeature object.

  4. In the groupingFeature object, provide:

    • An elementInstanceType parameter. Provide the Element name string as the value.

    • A featureName value. Provide the Element’s Feature name string as the value.

  5. If the specified feature is a collection of items, add a perFeatureLimit parameter. Provide an integer value for the limit.

Example: Add limits to a query to search for process details

curl --request POST \
  --url https://123.456.789.012:443/rest/visualsearch/query/simple \
  --header 'Content-Type: application/json' \
  --data '{
    "queryPath": [
      {
        "requestedType": "Process",
        "isResult": true
      }
    ],
    "queryLimits": {
      "perFeatureLimit": 20,
      "totalResultLimit": 10000,
      "perGroupLimit": 100,
      "groupingFeature": {
        "elementInstanceType": "Process",
        "featureName": "elementDisplayName"
      }
    },
    "totalResultLimit": 100,
    "perGroupLimit": 10,
    "perFeatureLimit": 10,
    "templateContext": "SPECIFIC",
    "queryTimeout": 120000,
    "customFields": [
      "elementDisplayName",
      "parentProcess",
      "hasSuspicions",
      "creationTime",
      "ransomwareAutoRemediationSuspended",
      "executionPrevented",
      "endTime"
    ]
  }'