search
This REST API is a wrapper for Solr queries, which are used in the Investigation Dashboard.
Note: The quick_search REST API provides capabilities similar to this API, but with more flexibility.
Note: The search API returns codes that represent the titles of the columns (fields) in the returned tables. For example, search might return the following rows:
"15": "Failed Login - Alert and Quarantine if Repeated", "16": "5",
To map the codes ("15" and "16", in this case) to the actual column names, use the getFieldsTitles API.
This API is available in Guardium V9.5 and later.
REST API syntax
This API is available only as a REST service with the GET method. Call this API as follows:
GET https://[Guardium hostname or IP address]:8443/restAPI/search
Parameters
Parameter | Value type | Description |
---|---|---|
CATEGORY | String | The Guardium Solr collections. The categories generally map to the categories that are shown in the Investigation dashboard UI. For valid values, call search from the command line with --help=true. |
COUNT | Integer | The number of records to return. Default = 50. |
END_TIME | String | Search for records that were created before the specified END_TIME. The time must be specified in the format YYYYMMDD+HH:MM:SS. |
QUERY | String | A Solr query. |
START | Integer | The record on which to start searching. Default = 0. |
START_TIME | String | Search for records that were created after the specified START_TIME. The time must be specified in the format YYYYMMDD+HH:MM:SS. |
SUMMARY_BY | String | Group results by the selected field code. You can specify up to 2 field title codes to group by. Note: To map the field codes to column names, use the getFieldsTitles API. |
WITH_FACETS | String | Include facets in the search. For more information, see Investigation dashboard for data or Investigation dashboard for files. Valid values are: Default = 0. |
api_target_host | String | Specifies the target hosts where the API executes. Valid values: IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The hostname is independent of IP mode and can be used with any mode. |
Examples
Use the START and COUNT parameters to specify the starting record and the number of records to return. The following example returns 20 records from the VIOLATION category, starting with the 10th record:
curl -k --header "Authorization: Bearer 3499f352-aa98-4046-89d8-aba3d8c12345" \
  "https://xxx.xxx.xxx.xxx:8443/restAPI/search?CATEGORY=VIOLATION&START_TIME=20190115+03:59:00&END_TIME=20190215+15:39:39&START=10&COUNT=20"
Returns the following information.
{
  "totalHits": 5,
  "numRows": 5,
  "partialResults": false,
  "count": 5,
  "start": 0,
  "maxLengthMapByOrder": [ { "6": -1 }, { "10": -1 }, { "7": -1 }, { "4": -1 }, { "2": -1 }, ... ],
  "items": [
    { "15": "Failed Login - Alert and Quarantine if Repeated", "16": "5", "13": "", "id": "0", "3": "10.10.9.56", "2": "JOAN", "1": "ORACLE", ... },
    { "15": "Privileged Users Access to Sensitive Objects -- TERMINATE", "16": "10", "13": "select * from joe.creditcard", "id": "1", "3": "10.10.9.56", "2": "RODRIGO", "1": "ORACLE", ... },
    { "15": "DML on SOX Financial Objects -- Terminate", "16": "10", "13": "insert into creditcard (custid", "id": "2", "3": "10.10.9.56", "2": "CASSANDRA", "1": "", ... },
    { "15": "Privileged Users Access to Sensitive Objects -- TERMINATE", "16": "10", "13": "select * from db2inst1.US_CUST", "id": "3", "3": "10.10.9.56", "2": "DB2INST1", "1": "DB2INST1", ... },
    { "15": "Privileged Users Access to Sensitive Objects -- TERMINATE", "16": "10", "13": "select * from joe.ssn", "id": "4", "3": "10.10.9.56", "2": "SYSTEM", "1": "ORACLE", ... }
  ],
  "facets": [],
  "searchArgs": {
    "start": 0,
    "count": 50,
    "isFam": false,
    "isFamGUI": false,
    "withFacets": false,
    "category": "VIOLATION",
    "startTime": "20190115 03:59:00",
    "endTime": "20190215 15:39:39",
    "intStartTime": 1445988306,
    "intEndTime": 1484512779,
    "maxResultsNum": 50,
    "summaryTotalsOnly": false,
    "partialSummary": false,
    "timeResolution": { "units": 0, "scale": "NA", "difference": 0 },
    "summarySortedBy": "COUNT",
    "localSearch": false,
    "fullSearch": false,
    "changeDashboardSettings": false,
    "sortOrder": "desc"
  },
  "searchSolr": false
}
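As an added example, not from the Guardium documentation or product, the following Python helper builds a search URL with the page's parameters, validates the YYYYMMDD+HH:MM:SS timestamps before any request is sent, decodes the coded field names into column titles, and computes the next START offset for paging through totalHits. The host, the sample response and the FIELD_TITLES map are constructed placeholders; real titles come from the getFieldsTitles API.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlencode

TIME_RE = re.compile(r"^\d{8}\+\d{2}:\d{2}:\d{2}$")  # YYYYMMDD+HH:MM:SS, as the API requires

# Constructed sample, trimmed to the response shape shown on this page (not a live capture).
SAMPLE_RESPONSE = {
    "totalHits": 5, "numRows": 2, "partialResults": False, "count": 2, "start": 0,
    "items": [
        {"15": "Failed Login - Alert and Quarantine if Repeated", "16": "5", "13": "",
         "id": "0", "3": "10.10.9.56", "2": "JOAN", "1": "ORACLE"},
        {"15": "Privileged Users Access to Sensitive Objects -- TERMINATE", "16": "10",
         "13": "select * from joe.creditcard", "id": "1", "3": "10.10.9.56",
         "2": "RODRIGO", "1": "ORACLE"},
    ],
}
# Hypothetical code-to-title map; in practice build it from the getFieldsTitles API response.
FIELD_TITLES = {"15": "Rule Description", "16": "Severity", "13": "SQL String",
                "3": "Server IP", "2": "DB User", "1": "Service Name"}


def build_search_url(host: str, category: str, start_time: str, end_time: str,
                     start: int = 0, count: int = 50) -> str:
    """Build the GET URL for the search API, rejecting malformed parameters before any call."""
    for name, value in (("START_TIME", start_time), ("END_TIME", end_time)):
        if not TIME_RE.match(value):
            raise ValueError(f"{name} must be YYYYMMDD+HH:MM:SS, got {value!r}")
    if start < 0 or count <= 0:
        raise ValueError("START must be >= 0 and COUNT must be > 0")
    params = {"CATEGORY": category, "START_TIME": start_time, "END_TIME": end_time,
              "START": start, "COUNT": count}
    # safe="+:" keeps the timestamp's '+' and ':' literal, exactly as in the curl example above;
    # the appliance reads the '+' as the space seen in searchArgs.startTime.
    return f"https://{host}:8443/restAPI/search?" + urlencode(params, safe="+:")


def decode_items(response: dict, titles: Dict[str, str]) -> List[Dict[str, str]]:
    """Replace numeric field codes in each returned item with column names; unknown codes are kept."""
    return [{titles.get(code, code): value for code, value in item.items()}
            for item in response.get("items", [])]


def next_start(response: dict) -> Optional[int]:
    """START value for the next page, or None once start + numRows reaches totalHits."""
    fetched = response["start"] + response["numRows"]
    return fetched if fetched < response["totalHits"] else None
```

The curl example above disables certificate checking with -k; a client that sends the Bearer token to the URL this helper builds should verify the appliance certificate instead.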