Query observables

POST /v1alpha/observables/query

Returns a list of all observables within the workspace that match the provided query.

Security: HTTP, type bearer
Body parameters
object
filter
object (v1ListObservablesFilters)
types
Array of object (v1ObservableType)

The types of the observables to be retrieved.

Example: [ "TYPE_ID_HOSTNAME", "TYPE_ID_IP_ADDRESS" ]
object
id
string
  • TYPE_ID_UNKNOWN: The observable type is unknown.
  • TYPE_ID_HOSTNAME: The observable type is Hostname.
  • TYPE_ID_IP_ADDRESS: The observable type is IP address.
  • TYPE_ID_MAC_ADDRESS: The observable type is MAC address.
  • TYPE_ID_USER_NAME: The observable type is User name.
  • TYPE_ID_EMAIL_ADDRESS: The observable type is Email.
  • TYPE_ID_URL: The observable type is URL.
  • TYPE_ID_FILE_NAME: The observable type is File name.
  • TYPE_ID_FILE_HASH: The observable type is File hash.
  • TYPE_ID_PROCESS_NAME: The observable type is Process name.
  • TYPE_ID_RESOURCE_UID: The observable type is Resource UID.
  • TYPE_ID_OTHER: The observable type is Other.
Valid values: [ "TYPE_ID_UNKNOWN", "TYPE_ID_HOSTNAME", "TYPE_ID_IP_ADDRESS", "TYPE_ID_MAC_ADDRESS", "TYPE_ID_USER_NAME", "TYPE_ID_EMAIL_ADDRESS", "TYPE_ID_URL", "TYPE_ID_FILE_NAME", "TYPE_ID_FILE_HASH", "TYPE_ID_PROCESS_NAME", "TYPE_ID_RESOURCE_UID", "TYPE_ID_OTHER" ]
Default: "TYPE_ID_UNKNOWN"
reputations
Array of object (v1Reputation)

The reputations of the observables to be retrieved.

object
id
string
  • SCORE_UNKNOWN: The reputation score is unknown.
  • SCORE_VERY_SAFE: The reputation score is Very safe.
  • SCORE_SAFE: The reputation score is Safe.
  • SCORE_PROBABLY_SAFE: The reputation score is Probably safe.
  • SCORE_LEANS_SAFE: The reputation score is Leans safe.
  • SCORE_MAY_NOT_BE_SAFE: The reputation score is May not be safe.
  • SCORE_EXERCISE_CAUTION: The reputation score is Exercise caution.
  • SCORE_SUSPICIOUS_OR_RISKY: The reputation score is Suspicious or risky.
  • SCORE_POSSIBLY_MALICIOUS: The reputation score is Possibly malicious.
  • SCORE_PROBABLY_MALICIOUS: The reputation score is Probably malicious.
  • SCORE_MALICIOUS: The reputation score is Malicious.
  • SCORE_OTHER: The reputation score is not mapped.
Valid values: [ "SCORE_UNKNOWN", "SCORE_VERY_SAFE", "SCORE_SAFE", "SCORE_PROBABLY_SAFE", "SCORE_LEANS_SAFE", "SCORE_MAY_NOT_BE_SAFE", "SCORE_EXERCISE_CAUTION", "SCORE_SUSPICIOUS_OR_RISKY", "SCORE_POSSIBLY_MALICIOUS", "SCORE_PROBABLY_MALICIOUS", "SCORE_MALICIOUS", "SCORE_OTHER" ]
Default: "SCORE_UNKNOWN"
first_observed_at
object (case_managementobservablesv1TimeRangeFilter)
start_time
string (date-time)

The start time for the filter.

end_time
string (date-time)

The end time for the filter.

last_observed_at
object (case_managementobservablesv1TimeRangeFilter)
start_time
string (date-time)

The start time for the filter.

end_time
string (date-time)

The end time for the filter.

sub_types
Array of object (v1ObservableSubType)

The sub types of the observables to be retrieved.

object
id
string

The sub type of the observable value.

  • SUB_TYPE_ID_UNKNOWN: The observable sub type is unknown.
  • SUB_TYPE_ID_HOSTNAME_FQDN: The observable type is Hostname and the sub type is FQDN.
  • SUB_TYPE_ID_HOSTNAME_NETBIOS: The observable type is hostname and the sub type is NetBIOS.
  • SUB_TYPE_ID_IP_ADDRESS_IPV4: The observable type is IP address and the sub type is IPv4.
  • SUB_TYPE_ID_IP_ADDRESS_IPV6: The observable type is IP address and the sub type is IPv6.
  • SUB_TYPE_ID_FILE_HASH_MD5: The observable type is File hash and the sub type is MD5.
  • SUB_TYPE_ID_FILE_HASH_SHA1: The observable type is File hash and the sub type is SHA1.
  • SUB_TYPE_ID_FILE_HASH_SHA256: The observable type is File hash and the sub type is SHA256.
  • SUB_TYPE_ID_USERNAME_UPN: The observable type is User name and the sub type is UPN.
  • SUB_TYPE_ID_USERNAME_DOMAIN: The observable type is User name and the sub type is Down-level Logon name.
  • SUB_TYPE_ID_OTHER: The observable type is Other.
Valid values: [ "SUB_TYPE_ID_UNKNOWN", "SUB_TYPE_ID_HOSTNAME_FQDN", "SUB_TYPE_ID_HOSTNAME_NETBIOS", "SUB_TYPE_ID_IP_ADDRESS_IPV4", "SUB_TYPE_ID_IP_ADDRESS_IPV6", "SUB_TYPE_ID_FILE_HASH_MD5", "SUB_TYPE_ID_FILE_HASH_SHA1", "SUB_TYPE_ID_FILE_HASH_SHA256", "SUB_TYPE_ID_USERNAME_UPN", "SUB_TYPE_ID_USERNAME_DOMAIN", "SUB_TYPE_ID_OTHER" ]
Default: "SUB_TYPE_ID_UNKNOWN"
page_size
integer (int32)

The maximum number of observables to retrieve per page. Default is 100. Maximum is 500. If the number of results exceeds the defined page size, use pagination to retrieve the next page of results.

page_token
string

The token received from a previous List observables request. Provide this to retrieve the next page of results.

Responses
200

A successful response.

object
observables
Array of object (v1Observable)

The list of observables.

object
id
integer (int32)

The unique identifier of the observable. This field value is automatically generated and shouldn't be provided when creating or updating an observable.

Example: 28
value
object (v1ObservableValue)
unknown
string

The observable value type is unknown. Only applicable when the observable type is TYPE_ID_UNKNOWN.

hostname
string

The observable value is a hostname. Only applicable when the observable type is TYPE_ID_HOSTNAME. The hostname represents a unique name assigned to a device connected to a computer network, as defined by RFC 1034.

Example: machine-1
ip
string

The observable value is an IP address. Only applicable when the observable type is TYPE_ID_IP_ADDRESS. An IP address is an Internet Protocol address, in either IPv4 or IPv6 format.

Example: 127.0.0.1
mac_address
string

The observable value is a MAC (media access control) address. Only applicable when the observable type is TYPE_ID_MAC_ADDRESS.

Example: 00-B0-D0-63-C2-26
username
string

The observable value is a user name. Only applicable when the observable type is TYPE_ID_USER_NAME.

Example: john_dough_35
email_address
string

The observable value is an email. Only applicable when the observable type is TYPE_ID_EMAIL_ADDRESS. The email address is validated with RFC 5322.

Example: john@torq.io
url
string

The observable value is a URL (Uniform Resource Locator). Only applicable when the observable type is TYPE_ID_URL.

Example: https://app.torq.io
file_name
string

The observable value is a file name. Only applicable when the observable type is TYPE_ID_FILE_NAME.

Example: suspicious.exe
file_hash
string

The observable value is a file hash. Only applicable when the observable type is TYPE_ID_FILE_HASH.

Example: 64e6df0ee478868b42d5eb7d443430283b0ddc0c
process_name
string

The observable value is a process name. Only applicable when the observable type is TYPE_ID_PROCESS_NAME.

Example: doom.exe
resource_uid
string

The observable value is a resource UID. Only applicable when the observable type is TYPE_ID_RESOURCE_UID. Examples: S3 bucket name or an EC2 instance ID.

Example: 09e516de-65c9-45af-a6b2-02828fbabf67
other_type
string

The observable value type is Other. Only applicable when the observable type is TYPE_ID_OTHER.

type
object (v1ObservableType)
id
string
  • TYPE_ID_UNKNOWN: The observable type is unknown.
  • TYPE_ID_HOSTNAME: The observable type is Hostname.
  • TYPE_ID_IP_ADDRESS: The observable type is IP address.
  • TYPE_ID_MAC_ADDRESS: The observable type is MAC address.
  • TYPE_ID_USER_NAME: The observable type is User name.
  • TYPE_ID_EMAIL_ADDRESS: The observable type is Email.
  • TYPE_ID_URL: The observable type is URL.
  • TYPE_ID_FILE_NAME: The observable type is File name.
  • TYPE_ID_FILE_HASH: The observable type is File hash.
  • TYPE_ID_PROCESS_NAME: The observable type is Process name.
  • TYPE_ID_RESOURCE_UID: The observable type is Resource UID.
  • TYPE_ID_OTHER: The observable type is Other.
Valid values: [ "TYPE_ID_UNKNOWN", "TYPE_ID_HOSTNAME", "TYPE_ID_IP_ADDRESS", "TYPE_ID_MAC_ADDRESS", "TYPE_ID_USER_NAME", "TYPE_ID_EMAIL_ADDRESS", "TYPE_ID_URL", "TYPE_ID_FILE_NAME", "TYPE_ID_FILE_HASH", "TYPE_ID_PROCESS_NAME", "TYPE_ID_RESOURCE_UID", "TYPE_ID_OTHER" ]
Default: "TYPE_ID_UNKNOWN"
name
string

The name of the observable type. The name is automatically derived from the type ID.

reputation
object (v1Reputation)
id
string
  • SCORE_UNKNOWN: The reputation score is unknown.
  • SCORE_VERY_SAFE: The reputation score is Very safe.
  • SCORE_SAFE: The reputation score is Safe.
  • SCORE_PROBABLY_SAFE: The reputation score is Probably safe.
  • SCORE_LEANS_SAFE: The reputation score is Leans safe.
  • SCORE_MAY_NOT_BE_SAFE: The reputation score is May not be safe.
  • SCORE_EXERCISE_CAUTION: The reputation score is Exercise caution.
  • SCORE_SUSPICIOUS_OR_RISKY: The reputation score is Suspicious or risky.
  • SCORE_POSSIBLY_MALICIOUS: The reputation score is Possibly malicious.
  • SCORE_PROBABLY_MALICIOUS: The reputation score is Probably malicious.
  • SCORE_MALICIOUS: The reputation score is Malicious.
  • SCORE_OTHER: The reputation score is not mapped.
Valid values: [ "SCORE_UNKNOWN", "SCORE_VERY_SAFE", "SCORE_SAFE", "SCORE_PROBABLY_SAFE", "SCORE_LEANS_SAFE", "SCORE_MAY_NOT_BE_SAFE", "SCORE_EXERCISE_CAUTION", "SCORE_SUSPICIOUS_OR_RISKY", "SCORE_POSSIBLY_MALICIOUS", "SCORE_PROBABLY_MALICIOUS", "SCORE_MALICIOUS", "SCORE_OTHER" ]
Default: "SCORE_UNKNOWN"
name
string

The reputation name. The name is automatically derived from the reputation ID.

first_observed_at
string (date-time)

The time when the observable was first observed. This field value is automatically generated and shouldn't be provided when creating or updating an observable.

last_observed_at
string (date-time)

The time when the observable was last observed. This field value is automatically generated and shouldn't be provided when creating or updating an observable.

description
string

The observable description.

Example: a file suspected as malicious
sub_type
object (v1ObservableSubType)
id
string

The sub type of the observable value.

  • SUB_TYPE_ID_UNKNOWN: The observable sub type is unknown.
  • SUB_TYPE_ID_HOSTNAME_FQDN: The observable type is Hostname and the sub type is FQDN.
  • SUB_TYPE_ID_HOSTNAME_NETBIOS: The observable type is hostname and the sub type is NetBIOS.
  • SUB_TYPE_ID_IP_ADDRESS_IPV4: The observable type is IP address and the sub type is IPv4.
  • SUB_TYPE_ID_IP_ADDRESS_IPV6: The observable type is IP address and the sub type is IPv6.
  • SUB_TYPE_ID_FILE_HASH_MD5: The observable type is File hash and the sub type is MD5.
  • SUB_TYPE_ID_FILE_HASH_SHA1: The observable type is File hash and the sub type is SHA1.
  • SUB_TYPE_ID_FILE_HASH_SHA256: The observable type is File hash and the sub type is SHA256.
  • SUB_TYPE_ID_USERNAME_UPN: The observable type is User name and the sub type is UPN.
  • SUB_TYPE_ID_USERNAME_DOMAIN: The observable type is User name and the sub type is Down-level Logon name.
  • SUB_TYPE_ID_OTHER: The observable type is Other.
Valid values: [ "SUB_TYPE_ID_UNKNOWN", "SUB_TYPE_ID_HOSTNAME_FQDN", "SUB_TYPE_ID_HOSTNAME_NETBIOS", "SUB_TYPE_ID_IP_ADDRESS_IPV4", "SUB_TYPE_ID_IP_ADDRESS_IPV6", "SUB_TYPE_ID_FILE_HASH_MD5", "SUB_TYPE_ID_FILE_HASH_SHA1", "SUB_TYPE_ID_FILE_HASH_SHA256", "SUB_TYPE_ID_USERNAME_UPN", "SUB_TYPE_ID_USERNAME_DOMAIN", "SUB_TYPE_ID_OTHER" ]
Default: "SUB_TYPE_ID_UNKNOWN"
name
string

The name of the observable sub type. The name is automatically derived from the sub type ID.

next_page_token
string

When a token is returned it indicates there is another page of results to retrieve. Pass this token in the page_token parameter in a subsequent List observables request to retrieve the next page of results. If this field isn't returned it means there are no additional pages to retrieve.
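
As an added example (not Torq's own client code), the following Python builds the request body described above, rejects enum values and page sizes the schema would not accept, and keeps requesting pages until the response carries no next_page_token. The API host and bearer token are assumed to come from the environment variables TORQ_API_BASE_URL and TORQ_API_TOKEN, and the body is assumed to be sent as JSON; the offline stand-in server and the observables it holds are constructed for the example (only the first hash is the page's own sample value).

```python
"""Query observables with filters and follow next_page_token (added example)."""
import json
import os
import urllib.request
from typing import Callable, Iterator, Optional, Sequence

ENDPOINT = "/v1alpha/observables/query"
DEFAULT_PAGE_SIZE = 100  # documented default
MAX_PAGE_SIZE = 500      # documented maximum

OBSERVABLE_TYPES = {
    "TYPE_ID_UNKNOWN", "TYPE_ID_HOSTNAME", "TYPE_ID_IP_ADDRESS", "TYPE_ID_MAC_ADDRESS",
    "TYPE_ID_USER_NAME", "TYPE_ID_EMAIL_ADDRESS", "TYPE_ID_URL", "TYPE_ID_FILE_NAME",
    "TYPE_ID_FILE_HASH", "TYPE_ID_PROCESS_NAME", "TYPE_ID_RESOURCE_UID", "TYPE_ID_OTHER"}
REPUTATIONS = {
    "SCORE_UNKNOWN", "SCORE_VERY_SAFE", "SCORE_SAFE", "SCORE_PROBABLY_SAFE", "SCORE_LEANS_SAFE",
    "SCORE_MAY_NOT_BE_SAFE", "SCORE_EXERCISE_CAUTION", "SCORE_SUSPICIOUS_OR_RISKY",
    "SCORE_POSSIBLY_MALICIOUS", "SCORE_PROBABLY_MALICIOUS", "SCORE_MALICIOUS", "SCORE_OTHER"}


def build_query(types: Sequence[str] = (), reputations: Sequence[str] = (),
                first_observed: Optional[tuple] = None,
                page_size: int = DEFAULT_PAGE_SIZE, page_token: Optional[str] = None) -> dict:
    """Build the request body, refusing values the documented schema does not allow."""
    if set(types) - OBSERVABLE_TYPES:
        raise ValueError(f"unknown observable type(s): {sorted(set(types) - OBSERVABLE_TYPES)}")
    if set(reputations) - REPUTATIONS:
        raise ValueError(f"unknown reputation(s): {sorted(set(reputations) - REPUTATIONS)}")
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be between 1 and {MAX_PAGE_SIZE}")
    filt: dict = {}
    if types:
        filt["types"] = [{"id": t} for t in types]
    if reputations:
        filt["reputations"] = [{"id": r} for r in reputations]
    if first_observed:  # (start, end) as RFC 3339 date-time strings
        filt["first_observed_at"] = {"start_time": first_observed[0], "end_time": first_observed[1]}
    body = {"filter": filt, "page_size": page_size}
    if page_token:
        body["page_token"] = page_token
    return body


def iter_observables(post: Callable[[dict], dict], **query) -> Iterator[dict]:
    """Yield every matching observable, fetching pages until no next_page_token comes back."""
    token, seen = None, set()
    while True:
        resp = post(build_query(page_token=token, **query))
        yield from resp.get("observables", [])
        token = resp.get("next_page_token")
        if not token:
            return
        if token in seen:  # defensive: a repeated token must not loop the client forever
            raise RuntimeError("next_page_token repeated; aborting pagination")
        seen.add(token)


def http_post(body: dict) -> dict:
    """Real transport (not exercised offline); host and token are assumed env vars."""
    url = os.environ["TORQ_API_BASE_URL"].rstrip("/") + ENDPOINT
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + os.environ["TORQ_API_TOKEN"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed workspace so the example runs offline (ids and hashes 1111.../3333... are made up).
SAMPLE = [
    {"id": 1, "type": {"id": "TYPE_ID_FILE_HASH"}, "reputation": {"id": "SCORE_MALICIOUS"},
     "value": {"file_hash": "64e6df0ee478868b42d5eb7d443430283b0ddc0c"}},
    {"id": 2, "type": {"id": "TYPE_ID_HOSTNAME"}, "reputation": {"id": "SCORE_SAFE"},
     "value": {"hostname": "machine-1"}},
    {"id": 3, "type": {"id": "TYPE_ID_FILE_HASH"}, "reputation": {"id": "SCORE_MALICIOUS"},
     "value": {"file_hash": "1111111111111111111111111111111111111111"}},
    {"id": 4, "type": {"id": "TYPE_ID_FILE_HASH"}, "reputation": {"id": "SCORE_PROBABLY_SAFE"},
     "value": {"file_hash": "2222222222222222222222222222222222222222"}},
    {"id": 5, "type": {"id": "TYPE_ID_FILE_HASH"}, "reputation": {"id": "SCORE_MALICIOUS"},
     "value": {"file_hash": "3333333333333333333333333333333333333333"}},
]


def fake_post(body: dict) -> dict:
    """Offline stand-in for the endpoint: applies the type/reputation filters and pages."""
    types = {t["id"] for t in body["filter"].get("types", [])}
    reps = {r["id"] for r in body["filter"].get("reputations", [])}
    rows = [o for o in SAMPLE if (not types or o["type"]["id"] in types)
            and (not reps or o["reputation"]["id"] in reps)]
    start = int(body.get("page_token") or 0)   # the stand-in's token is just an offset
    end = start + body["page_size"]
    resp = {"observables": rows[start:end]}
    if end < len(rows):
        resp["next_page_token"] = str(end)
    return resp


def malicious_file_hashes(post: Callable[[dict], dict] = fake_post) -> list:
    """Collect every malicious file-hash observable; page_size=2 forces two pages here."""
    return [o["value"]["file_hash"] for o in iter_observables(
        post, types=["TYPE_ID_FILE_HASH"], reputations=["SCORE_MALICIOUS"], page_size=2)]
```

Pass `http_post` instead of the default `fake_post` to run against the live endpoint. The token is treated as opaque: the client never parses it or builds its own, it only echoes back what the previous response returned, which is what the reference requires.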

401

Invalid bearer token. If you receive this message more than once, try creating a new Client ID/Client Secret or generating a new bearer token.

object
403

You don't have permission to access this resource.

object
default

An unexpected error response.

object
code
integer (int32)
message
string
details
Array of object (protobufAny)
object

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

    Foo foo = ...;
    Any any;
    any.PackFrom(foo);
    ...
    if (any.UnpackTo(&foo)) {
      ...
    }

Example 2: Pack and unpack a message in Java.

    Foo foo = ...;
    Any any = Any.pack(foo);
    ...
    if (any.is(Foo.class)) {
      foo = any.unpack(Foo.class);
    }
    // or ...
    if (any.isSameTypeAs(Foo.getDefaultInstance())) {
      foo = any.unpack(Foo.getDefaultInstance());
    }

Example 3: Pack and unpack a message in Python.

    foo = Foo(...)
    any = Any()
    any.Pack(foo)
    ...
    if any.Is(Foo.DESCRIPTOR):
      any.Unpack(foo)
      ...

Example 4: Pack and unpack a message in Go.

    foo := &pb.Foo{...}
    any, err := anypb.New(foo)
    if err != nil {
      ...
    }
    ...
    foo := &pb.Foo{}
    if err := any.UnmarshalTo(foo); err != nil {
      ...
    }

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

JSON

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

    package google.profile;
    message Person {
      string first_name = 1;
      string last_name = 2;
    }

    {
      "@type": "type.googleapis.com/google.profile.Person",
      "firstName": <string>,
      "lastName": <string>
    }

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message google.protobuf.Duration):

    {
      "@type": "type.googleapis.com/google.protobuf.Duration",
      "value": "1.212s"
    }

@type
string

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one "/" character. The last segment of the URL's path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading "." is not accepted).

In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows:

  • If no scheme is provided, https is assumed.
  • An HTTP GET on the URL must yield a google.protobuf.Type value in binary format, or produce an error.
  • Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.)

Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one.

Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

additional properties (property*): object