
Fetch security events

POST 

/v2/security/rules/events/search

Runs a search query in your Logz.io Cloud SIEM account to fetch the security events that match the query parameters.

Filtering by rule name, rule severity, and/or event timestamp, and sorting by time and/or severity, are all optional. If you send the query with an empty JSON body, it returns all of the events logged in your Logz.io Cloud SIEM, going as far back as your account's retention permits. In practice, supply a timeRange and an explicit sort so the result set stays bounded and the page order is predictable.

Note: Run this endpoint with an API token for your Logz.io Security account.

Request

Body

    filter object

    Filter by rule name, rule severity, or time range.

    searchTerm string

    Filter for a matching string in the security rule name. You can manually test your results in the UI.

    severities string[]

    Possible values: [INFO, LOW, MEDIUM, HIGH, SEVERE]

    Filter by the severities of the security rules. You can manually test your results in the UI.

    timeRange object

    Add a time range to filter by event timestamps that fall within it. If applied, both fromDate and toDate are required.

    fromDate int64required

    Absolute UNIX timestamp in seconds (not milliseconds). Your security account's retention policy determines the earliest events you'll be able to retrieve.

    toDate int64required

    Absolute UNIX timestamp in seconds (not milliseconds).

    includeMutedEvents boolean

    Defines whether muted events are included. If set to true, the endpoint returns both non-muted and muted events; otherwise only non-muted events are returned.

    sort object[]

    Explicit sort rules are optional but recommended. Without them, the database determines the order of the results.

  • Array [
  • field stringrequired

    Possible values: [DATE, SEVERITY]

    Sort by date and/or severity. The order of the array determines precedence: the first rule is the primary sort and the second breaks ties.

    descending boolean

    Default value: true

    If left blank, results are sorted in descending order. Set to false for ascending order.

  • ]
  • pagination object

    Default pagination is a page of 25 results. Use the total field in the response for the number of results available overall, and increment pageNumber to page through them.

    pageNumber int32

    Default value: 1

    If you overshoot the page number, the response is an empty page with no results rather than an error.

    pageSize int32

    Possible values: <= 1000

    Default value: 25

    Controls the number of results per page. Valid inputs are 1 to 1000.
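The following is an added example, not Logz.io's own client code: it assembles a request body for this endpoint and enforces the constraints the field list above states (both timeRange bounds present, fromDate not after toDate, timestamps in seconds rather than milliseconds, severities and sort fields from the documented enums, pageSize within 1 to 1000). The X-API-TOKEN header and the api.logz.io host are assumptions (the host depends on your account region), and the example nests includeMutedEvents under filter following the layout of the field list; check both against your account's API settings.

```python
"""Build and send a request body for POST /v2/security/rules/events/search.

Added example, not Logz.io's client code. Assumes the X-API-TOKEN header and the
api.logz.io host (region-dependent); includeMutedEvents is nested under filter
following the field list above.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

SEVERITIES = ("INFO", "LOW", "MEDIUM", "HIGH", "SEVERE")
SORT_FIELDS = ("DATE", "SEVERITY")
MAX_PAGE_SIZE = 1000
# Any epoch value above this (10**10 s, the year 2286) is almost certainly a
# millisecond timestamp passed by mistake; fromDate/toDate must be in seconds.
MS_THRESHOLD = 10_000_000_000


def looks_like_milliseconds(ts: int) -> bool:
    return ts > MS_THRESHOLD


def to_epoch_seconds(value) -> int:
    """Convert a tz-aware datetime or an int to whole UNIX seconds."""
    if isinstance(value, datetime):
        if value.tzinfo is None:
            raise ValueError("use a tz-aware datetime so the UTC offset is explicit")
        return int(value.timestamp())
    ts = int(value)
    if looks_like_milliseconds(ts):
        raise ValueError(f"{ts} looks like milliseconds; the API expects seconds")
    return ts


def build_search_body(search_term=None, severities=None, from_date=None, to_date=None,
                      include_muted=False, sort=(("DATE", True),),
                      page_number=1, page_size=25) -> dict:
    """Assemble the JSON body, enforcing the constraints the field list states."""
    flt = {}
    if search_term:
        flt["searchTerm"] = search_term
    if severities:
        unknown = sorted(set(severities) - set(SEVERITIES))
        if unknown:
            raise ValueError(f"unknown severities: {unknown}")
        flt["severities"] = list(severities)
    # timeRange is optional, but when present both bounds are required.
    if (from_date is None) != (to_date is None):
        raise ValueError("timeRange needs both fromDate and toDate")
    if from_date is not None:
        start, end = to_epoch_seconds(from_date), to_epoch_seconds(to_date)
        if start > end:
            raise ValueError("fromDate must not be after toDate")
        flt["timeRange"] = {"fromDate": start, "toDate": end}
    if include_muted:
        flt["includeMutedEvents"] = True  # omitted: only non-muted events come back

    sort_rules = []
    for field, descending in sort:  # array order sets primary/secondary sort
        if field not in SORT_FIELDS:
            raise ValueError(f"unknown sort field {field!r}")
        sort_rules.append({"field": field, "descending": bool(descending)})

    if not 1 <= page_size <= MAX_PAGE_SIZE or page_number < 1:
        raise ValueError("pageSize must be 1..1000 and pageNumber >= 1")

    body = {"sort": sort_rules,
            "pagination": {"pageNumber": page_number, "pageSize": page_size}}
    if flt:
        body["filter"] = flt
    return body


def search_events(api_token: str, body: dict,
                  base_url: str = "https://api.logz.io") -> dict:
    """POST the body with the security account's API token (network call)."""
    req = urllib.request.Request(
        f"{base_url}/v2/security/rules/events/search",
        data=json.dumps(body).encode(),
        headers={"X-API-TOKEN": api_token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Last 24 hours of HIGH and SEVERE events, most severe first, newest within a level.
    end = datetime.now(timezone.utc)
    body = build_search_body(
        severities=["HIGH", "SEVERE"],
        from_date=end - timedelta(days=1), to_date=end,
        sort=(("SEVERITY", True), ("DATE", True)), page_size=100,
    )
    print(json.dumps(body, indent=2))
    # page = search_events("<security account API token>", body)  # network call
```

Pin toDate to a fixed value rather than "now" when you intend to walk several pages: with a DATE-descending sort, events that arrive between two page requests shift every later page by one row.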

Responses

successful operation

Response body schema
      total int32

      The total number of events matching the query after filtering. This number is fixed and not affected by pagination, so use it to work out how many pages to fetch.

      results object[]
    • Array [
    • alertId int32

      Unique identifier of the security rule in Logz.io Cloud SIEM. Equivalent to the log field logzio-alert-definition-id

      name string

      Name of the security rule in Logz.io Cloud SIEM

      description string

      Typically an explanation of the security rule's logic and suggested next steps

      alertSummary string

      Equivalent to the condition field in the rule

      eventDate int64

      UNIX timestamp in seconds showing when the rule's conditions were met and the event was triggered

      alertWindowStartDate int64

      UNIX timestamp in seconds of the earliest log that triggered the rule to log an event. It usually takes several logs under certain conditions to trigger a security rule.

      alertWindowEndDate int64

      UNIX timestamp in seconds of the latest log that triggered the rule to log an event. It usually takes several logs under certain conditions to trigger a security rule.

      severity string

      Possible values: [INFO, LOW, MEDIUM, HIGH, SEVERE]

      Severity of the security event as determined by the security rule's definition

      alertEventId string

      Unique identifier of the security event in Logz.io Cloud SIEM. Equivalent to the log field logzio-alert-event-id

      groupBy object

      A map of field:value pairs used by the security rule to aggregate results. Security rules can apply groupBy conditions on up to 3 fields; which fields appear differs rule by rule.

      tags object[]

      Tags are labels used to organize security rules.

      hits int32

      Hits represent the number of logs that triggered the security rule before being aggregated by the groupBy condition.

      isMuted boolean

      Describes whether a specific returned alert event is muted.

      mitreTags string[]

      Tags used for classifying, discussing, and interpreting security incidents. This feature is currently under development.

    • ]
    • pagination object

      The pagination applied to this response. The default is a page of 25 results. Use the total field for the number of results available overall, and increment pageNumber to page through them.

      pageNumber int32

      Default value: 1

      If you overshoot the page number, the response is an empty page with no results rather than an error.

      pageSize int32

      Possible values: <= 1000

      Default value: 25

      Controls the number of results per page. Valid inputs are 1 to 1000.
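The following is an added example, not Logz.io's own code, showing how a consumer of the response schema above pages through results and triages them. It derives the page count from total and pageSize, tolerates the documented empty-page behaviour when pageNumber overshoots, drops muted events, and orders what remains by severity and then recency. The endpoint is replaced by fake_search, a constructed in-memory stand-in that returns the response shape above over constructed sample events, so the example runs offline; replace it with a real POST that returns the parsed JSON body.

```python
"""Page through POST /v2/security/rules/events/search results and triage them.

Added example, not Logz.io's code. `fake_search` and SAMPLE_EVENTS are
constructed stand-ins for the endpoint and its data so this runs offline.
"""
import math
from collections import Counter
from datetime import datetime, timezone

SEVERITY_RANK = {"SEVERE": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}


def _event(i, name, severity, event_date, hits, muted):
    """Build one constructed event in the response shape shown above."""
    return {
        "alertId": 100 + i, "alertEventId": f"ev-{i}", "name": name,
        "description": "constructed sample", "alertSummary": "constructed sample",
        "severity": severity, "eventDate": event_date,
        "alertWindowStartDate": event_date - 600, "alertWindowEndDate": event_date - 1,
        "hits": hits, "isMuted": muted, "groupBy": {"user": f"user{i}"},
        "tags": [], "mitreTags": [],
    }


# Constructed sample data (not real Logz.io events): 7 events, 2 of them muted.
SAMPLE_EVENTS = [
    _event(1, "Multiple failed logins", "HIGH", 1700003600, 42, False),
    _event(2, "New admin user created", "MEDIUM", 1700007200, 3, False),
    _event(3, "Known malware hash seen", "SEVERE", 1700010800, 1, False),
    _event(4, "Port scan detected", "LOW", 1700014400, 5, True),
    _event(5, "Multiple failed logins", "HIGH", 1700018000, 120, False),
    _event(6, "Config change", "INFO", 1700021600, 1, False),
    _event(7, "New admin user created", "MEDIUM", 1700025200, 8, True),
]


def fake_search(body):
    """Stand-in for the endpoint: applies includeMutedEvents and pagination,
    sorts by DATE descending, and returns an empty page with the same total
    when pageNumber overshoots, as the field descriptions above state."""
    flt = body.get("filter", {})
    events = [e for e in SAMPLE_EVENTS if flt.get("includeMutedEvents") or not e["isMuted"]]
    events.sort(key=lambda e: e["eventDate"], reverse=True)
    page = body.get("pagination", {})
    number, size = page.get("pageNumber", 1), page.get("pageSize", 25)
    start = (number - 1) * size
    return {"total": len(events), "results": events[start:start + size],
            "pagination": {"pageNumber": number, "pageSize": size}}


def fetch_all(search, body, page_size=25):
    """Fetch every page. The page count comes from `total`; the loop also stops
    on an empty page and dedups on alertEventId, because events arriving
    between requests shift a DATE-descending listing and can repeat rows."""
    body = dict(body)
    body["pagination"] = {"pageNumber": 1, "pageSize": page_size}
    first = search(body)
    pages = math.ceil(first["total"] / page_size)
    rows = list(first["results"])
    for number in range(2, pages + 1):
        body["pagination"] = {"pageNumber": number, "pageSize": page_size}
        chunk = search(body)["results"]
        if not chunk:
            break
        rows.extend(chunk)
    seen, unique = set(), []
    for e in rows:
        if e["alertEventId"] not in seen:
            seen.add(e["alertEventId"])
            unique.append(e)
    return unique


def event_time_utc(ts):
    """eventDate is UNIX seconds; render it as ISO 8601 UTC for reports."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def triage(events):
    """Drop muted rows, order by severity then recency, and summarise counts."""
    live = [e for e in events if not e["isMuted"]]
    live.sort(key=lambda e: (SEVERITY_RANK[e["severity"]], e["eventDate"]), reverse=True)
    return {
        "count": len(live),
        "by_severity": dict(Counter(e["severity"] for e in live)),
        "ordered": live,
        "noisiest": max(live, key=lambda e: e["hits"])["alertEventId"] if live else None,
    }


if __name__ == "__main__":
    events = fetch_all(fake_search, {"filter": {"includeMutedEvents": True}}, page_size=3)
    report = triage(events)
    for e in report["ordered"]:
        print(event_time_utc(e["eventDate"]), e["severity"], e["name"], "hits:", e["hits"])
```

Computing the page count from total once, rather than looping until an empty page, avoids an extra round trip, but keeping the empty-page check costs nothing and protects against a total that shrinks if events are muted or aged out of retention while you are paging.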
