Fetch security events
POST /v2/security/rules/events/search
Runs a search query in your Logz.io Cloud SIEM account to fetch the security events that match the query parameters.
You have the option to filter by rule name, rule severity, and/or event timestamp, and sort the results by time and/or severity, but this is not required. If you send the query with an empty JSON body, it returns all of the events logged in your Logz.io Cloud SIEM, going as far back as your account's retention permits.
Note: Authenticate this request with an API token for your Logz.io Security account (not the token of your main logging account). Change the region in the URL to match your account's region.
Request
Content type: application/json
Body
filter object
Filter by rule name, rule severity, or time range.
Rule name: a string to match against the security rule name. You can check the results manually in the UI.
Severities: one or more of [INFO, LOW, MEDIUM, HIGH, SEVERE]. Filter by the severities of the security rules. You can check the results manually in the UI.
timeRange object
Filter by event timestamps that fall within the range. If applied, both the earliest and latest thresholds are required.
Earliest threshold: absolute UNIX timestamp in seconds (not milliseconds). Your security account's retention policy determines the earliest events you can retrieve.
Latest threshold: absolute UNIX timestamp in seconds (not milliseconds).
Include muted events: defines whether muted events are returned. If set to true, the endpoint returns both muted and non-muted events; if false, muted events are omitted.
sort object[]
Explicit sorting rules are not required but are recommended; otherwise the database determines the order.
Sort field: one of [DATE, SEVERITY]. Sort by date and/or severity. The order of the sort entries determines secondary sorting.
Descending: default true. If omitted, results are sorted in descending order; set it to false for ascending order.
pagination object
Default pagination is a page of 25 results. Use the total field in the response for the overall number of matching results, and page through them by incrementing the page number.
pageNumber: default 1. If you overshoot the last page, the response contains no results, but the request does not fail.
pageSize: default 25, maximum 1000. Controls the number of results per page; valid inputs are 1 to 1000.
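The following client is an added example and is not Logz.io's own code. It builds a request body for this endpoint, validates it against the limits documented above (page size 1 to 1000, both time thresholds or neither, seconds rather than milliseconds), and pages through every matching event using the total field of the response, stopping on the empty page that an overshoot returns. The request field names searchTerm, severities, timeRange.fromDate/toDate, includeMutedEvents and sort[].field/descending, the X-API-TOKEN header and the api.logz.io host are assumptions, since this page does not show them; the sample events are constructed so the paging logic can be exercised offline.

```python
"""Added example (not Logz.io's own client code) for POST /v2/security/rules/events/search.

Assumed, because the page does not show them: request field names searchTerm, severities,
timeRange.fromDate/toDate, includeMutedEvents, sort[].field/descending; the X-API-TOKEN
header; and the api.logz.io host (change the region to match your account).
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional, Sequence

SEVERITIES = ("INFO", "LOW", "MEDIUM", "HIGH", "SEVERE")
SORT_FIELDS = ("DATE", "SEVERITY")
MAX_PAGE_SIZE = 1000      # documented upper bound for pageSize
MS_THRESHOLD = 10 ** 11   # a "seconds" value above this is almost certainly milliseconds


def build_search_body(search_term: Optional[str] = None,
                      severities: Optional[Sequence[str]] = None,
                      from_ts: Optional[int] = None, to_ts: Optional[int] = None,
                      include_muted: bool = False,
                      sort_fields: Sequence[str] = SORT_FIELDS, descending: bool = True,
                      page_size: int = 25) -> dict:
    """Return the JSON body, rejecting inputs the API documents as invalid."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"pageSize must be 1..{MAX_PAGE_SIZE}, got {page_size}")
    if bad := set(severities or ()) - set(SEVERITIES):
        raise ValueError(f"unknown severities: {sorted(bad)}")
    if bad := set(sort_fields) - set(SORT_FIELDS):
        raise ValueError(f"unknown sort fields: {sorted(bad)}")
    if (from_ts is None) != (to_ts is None):
        raise ValueError("timeRange requires both the earliest and the latest threshold")
    flt: Dict[str, object] = {"includeMutedEvents": include_muted}  # assumed field name
    if search_term:
        flt["searchTerm"] = search_term                                # assumed field name
    if severities:
        flt["severities"] = list(severities)                           # assumed field name
    if from_ts is not None:
        if max(from_ts, to_ts) > MS_THRESHOLD:
            raise ValueError("timestamps look like milliseconds; the API wants UNIX seconds")
        if from_ts > to_ts:
            raise ValueError("earliest threshold is after the latest threshold")
        flt["timeRange"] = {"fromDate": from_ts, "toDate": to_ts}     # assumed field names
    return {
        "filter": flt,
        "sort": [{"field": f, "descending": descending} for f in sort_fields],  # assumed names
        "pagination": {"pageNumber": 1, "pageSize": page_size},
    }


def post_search(body: dict, api_token: str, base_url: str = "https://api.logz.io") -> dict:
    """Live call. Assumed: the X-API-TOKEN header and the api.logz.io host."""
    req = urllib.request.Request(f"{base_url}/v2/security/rules/events/search",
                                 data=json.dumps(body).encode("utf-8"), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "X-API-TOKEN": api_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_events(post: Callable[[dict], dict], body: dict) -> Iterator[dict]:
    """Yield every matching event, paging from page 1 until `total` is exhausted."""
    page_size = body["pagination"]["pageSize"]
    page, seen = 1, 0
    while True:
        resp = post({**body, "pagination": {"pageNumber": page, "pageSize": page_size}})
        results = resp.get("results") or []
        if not results:            # past the last page: empty results, not an error
            return
        yield from results
        seen += len(results)
        if seen >= resp.get("total", 0):
            return
        page += 1


def summarize(event: dict) -> str:
    """One triage line per event; eventDate is UNIX seconds, rendered in UTC."""
    when = datetime.fromtimestamp(event["eventDate"], tz=timezone.utc).isoformat()
    group = ", ".join(f"{k}={v}" for k, v in event.get("groupBy", {}).items())
    return f"{when} {event['severity']:<6} {event['name']} [{group}] hits={event['hits']}"


def _ev(i: int, sev: str, muted: bool = False) -> dict:   # constructed sample event
    return {"alertId": 453345 + i, "name": f"Constructed rule {i}", "severity": sev,
            "eventDate": 1587860455 - 60 * i, "alertEventId": f"00000000-0000-0000-0000-{i:012d}",
            "groupBy": {"source_ip": f"10.0.0.{i}"}, "hits": 5 * (i + 1), "isMuted": muted}


SAMPLE_EVENTS: List[dict] = [_ev(0, "SEVERE"), _ev(1, "SEVERE", muted=True), _ev(2, "HIGH"),
                             _ev(3, "SEVERE"), _ev(4, "LOW"), _ev(5, "SEVERE")]


def fake_transport(events: List[dict]) -> Callable[[dict], dict]:
    """Offline stand-in for post_search: applies the severity and muted filters and pages."""
    def post(body: dict) -> dict:
        flt, pg = body["filter"], body["pagination"]
        post.calls.append(pg["pageNumber"])
        wanted = set(flt.get("severities", SEVERITIES))
        hits = [e for e in events
                if e["severity"] in wanted and (flt["includeMutedEvents"] or not e["isMuted"])]
        start = (pg["pageNumber"] - 1) * pg["pageSize"]
        return {"total": len(hits), "results": hits[start:start + pg["pageSize"]],
                "pagination": dict(pg)}
    post.calls = []   # page numbers requested, so paging behaviour can be checked
    return post


if __name__ == "__main__":
    request = build_search_body(severities=["SEVERE"], from_ts=1587856855, to_ts=1587860455,
                                page_size=2)
    for ev in iter_events(fake_transport(SAMPLE_EVENTS), request):   # swap in post_search for live use
        print(summarize(ev))
```

For a live run, replace fake_transport with `lambda b: post_search(b, api_token)`; the paging loop does not change. Keep the page size well below 1000 for anything that is re-run on a schedule, and bound the time range to the window since the last run, otherwise an empty body walks the entire retention period.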
Responses
200: successful operation
Content type: application/json
Schema
total: the total number of events matching the query after filtering. This number is fixed and not affected by pagination.
results object[]
alertId: unique identifier of the security rule in Logz.io Cloud SIEM. Equivalent to the log field logzio-alert-definition-id.
name: name of the security rule in Logz.io Cloud SIEM.
description: typically an explanation of the security rule's logic and suggested next steps.
alertSummary: equivalent to the condition field in the rule.
eventDate: UNIX timestamp in seconds showing when the rule's conditions were met and the event was triggered.
alertWindowStartDate: UNIX timestamp in seconds of the earliest log that triggered the rule to log an event. It usually takes several logs under certain conditions to trigger a security rule.
alertWindowEndDate: UNIX timestamp in seconds of the latest log that triggered the rule to log an event.
severity: one of [INFO, LOW, MEDIUM, HIGH, SEVERE]. Severity of the security event as determined by the security rule's definition.
alertEventId: unique identifier of the security event in Logz.io Cloud SIEM. Equivalent to the log field logzio-alert-event-id.
groupBy: a map of field:value pairs used by the security rule to aggregate results. Security rules can apply groupBy conditions to aggregate results by up to 3 fields; the fields differ from rule to rule.
tags: labels used to organize security rules.
hits: the number of logs that triggered the security rule before being aggregated by the groupBy condition.
isMuted: whether this returned alert event is muted.
mitreTags: tags used for classifying, discussing, and interpreting security incidents. This feature is currently under development.
pagination object
Echoes the page that was returned. Use the total field to determine how many results are available overall and page through them by incrementing the page number.
pageNumber: the page number of this response (default 1). If you overshoot the last page, the response contains no results, but the request does not fail.
pageSize: the number of results per page (default 25, maximum 1000).
Example (from schema):
{
  "total": 500,
  "results": [
    {
      "alertId": 453345,
      "name": "AWS EC2 - Brute force SSH login attempts",
      "description": "Suggested next steps...",
      "alertSummary": "Alert if query '*' results GREATER_THAN_OR_EQUALS 5.00 in 10 minutes. Count on Group By '[userIdentity.userName, sourceIPAddress]'",
      "eventDate": 1587860455,
      "alertWindowStartDate": 1587856855,
      "alertWindowEndDate": 1587860455,
      "severity": "SEVERE",
      "alertEventId": "27cdcf45-ae12-581a-809e-17a6bbc9ae07",
      "groupBy": {
        "source_ip": "122.17.45.15",
        "hostname": "hostname1234"
      },
      "tags": "threat",
      "hits": 30,
      "isMuted": true,
      "mitreTags": [
        "string"
      ]
    }
  ],
  "pagination": {
    "pageNumber": 1,
    "pageSize": 100
  }
}