search

This REST API is a wrapper for Solr queries, which are used in the Investigation Dashboard.

Note: The quick_search REST API provides capabilities similar to this API, with more flexibility.
Note: The search API returns numeric codes in place of the column (field) titles in the returned rows. For example, an item in the search response might contain:
        "15": "Failed Login - Alert and Quarantine if Repeated",
        "16": "5",
To map the codes ("15" and "16", in this case) to the actual column names, use the getFieldsTitles API.

This API is available in Guardium V9.5 and later.

REST API syntax

This API is available only as a REST service with the GET method. Call this API as follows:
GET https://[Guardium hostname or IP address]:8443/restAPI/search

Parameters

CATEGORY (String)
    The Guardium Solr collection to search. The categories generally map to the categories that are shown in the Investigation dashboard UI. For valid values, call search from the command line with --help=true.

COUNT (Integer)
    The number of records to return.
    Default = 50.

END_TIME (String)
    Search for records that were created before the specified END_TIME. The time must be specified in the format YYYYMMDD HH:MM:SS, with the space URL-encoded as a plus sign in the query string, for example END_TIME=20190215+15:39:39.

QUERY (String)
    A Solr query.

START (Integer)
    The offset of the first record to return (0 = the first record). Use it together with COUNT to page through large result sets.
    Default = 0.

START_TIME (String)
    Search for records that were created after the specified START_TIME. The time must be specified in the format YYYYMMDD HH:MM:SS, with the space URL-encoded as a plus sign in the query string, for example START_TIME=20190115+03:59:00.

SUMMARY_BY (String)
    Group results by the selected field code. You can specify up to 2 field title codes to group by.
    Note: To map the field codes to column names, use the getFieldsTitles API.

WITH_FACETS (String)
    Include facets in the search. For more information, see Investigation dashboard for data or Investigation dashboard for files. Valid values are:
      • 0 (Off: Do not include facets)
      • 1 (On: Include facets)
    Default = 0.

api_target_host (String)
    Specifies the target hosts where the API executes. Valid values:
      • all_managed: execute on all managed units but not the central manager
      • all: execute on all managed units and the central manager
      • group:<group name>: execute on all managed units identified by <group name>
      • host name or IP address of a managed unit: specified from the central manager to execute on a managed unit. For example, api_target_host=10.0.1.123.
      • host name or IP address of the central manager: specified from a managed unit to execute on the central manager. For example, api_target_host=10.0.1.123.

    IP addresses must conform to the IP mode of your network. For dual IP mode, use the same IP protocol with which the managed unit is registered with the central manager. For example, if the registration uses IPv6, specify an IPv6 address. The host name is independent of IP mode and can be used with any mode.

Examples

Use the START and COUNT parameters to specify the starting record and the number of records to return. The following example returns 20 records from the VIOLATION category, starting at record offset 10 (START=10). Note that the plus sign in the START_TIME and END_TIME values is the URL-encoded space of the YYYYMMDD HH:MM:SS format. The -k option disables TLS certificate verification for the appliance; use it only against a lab system, and otherwise install the appliance certificate in the client trust store and omit -k.

curl -k --header "Authorization: Bearer 3499f352-aa98-4046-89d8-aba3d8c12345" \
  "https://xxx.xxx.xxx.xxx:8443/restAPI/search?CATEGORY=VIOLATION&START_TIME=20190115+03:59:00&END_TIME=20190215+15:39:39&START=10&COUNT=20"

Returns information in the following form. (The sample below is illustrative of the response shape: its searchArgs section echoes the default START=0 and COUNT=50 rather than the START=10 and COUNT=20 of the request above.)
[
  {
    "totalHits": 5,
    "numRows": 5,
    "partialResults": false,
    "count": 5,
    "start": 0,
    "maxLengthMapByOrder": [
      {
        "6": -1
      },
      {
        "10": -1
      },
      {
        "7": -1
      },
      {
        "4": -1
      },
      {
        "2": -1
      },
 ...
    ],
    "items": [
      {
        "15": "Failed Login - Alert and Quarantine if Repeated",
        "16": "5",
        "13": "",
        "id": "0",
        "3": "10.10.9.56",
        "2": "JOAN",
        "1": "ORACLE",
 ...
      },
      {
        "15": "Privileged Users Access to Sensitive Objects -- TERMINATE",
        "16": "10",
        "13": "select * from joe.creditcard",
        "id": "1",
        "3": "10.10.9.56",
        "2": "RODRIGO",
        "1": "ORACLE",
...
      },
      {
        "15": "DML on SOX Financial Objects -- Terminate",
        "16": "10",
        "13": "insert into creditcard (custid",
        "id": "2",
        "3": "10.10.9.56",
        "2": "CASSANDRA",
        "1": "",
  ...
      },
      {
        "15": "Privileged Users Access to Sensitive Objects -- TERMINATE",
        "16": "10",
        "13": "select * from db2inst1.US_CUST",
        "id": "3",
        "3": "10.10.9.56",
        "2": "DB2INST1",
        "1": "DB2INST1",
 ...
      },
      {
        "15": "Privileged Users Access to Sensitive Objects -- TERMINATE",
        "16": "10",
        "13": "select * from joe.ssn",
        "id": "4",
        "3": "10.10.9.56",
        "2": "SYSTEM",
        "1": "ORACLE",
 ...
      }
    ],
    "facets": [],
    "searchArgs": {
      "start": 0,
      "count": 50,
      "isFam": false,
      "isFamGUI": false,
      "withFacets": false,
      "category": "VIOLATION",
      "startTime": "20190115 03:59:00",
      "endTime": "20190215 15:39:39",
      "intStartTime": 1445988306,
      "intEndTime": 1484512779,
      "maxResultsNum": 50,
      "summaryTotalsOnly": false,
      "partialSummary": false,
      "timeResolution": {
        "units": 0,
        "scale": "NA",
        "difference": 0
      },
      "summarySortedBy": "COUNT",
      "localSearch": false,
      "fullSearch": false,
      "changeDashboardSettings": false,
      "sortOrder": "desc"
    },
    "searchSolr": false
  }
]
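The following Python helpers are an added example, not code from the Guardium documentation or product. They show the three things a client of this API has to get right: building the GET URL with the YYYYMMDD+HH:MM:SS timestamps, paging with START and COUNT until totalHits is reached, and mapping the numeric field codes in items back to column titles. The host name, the field-code-to-title mapping, and the offline fetch stub are assumptions; the real mapping comes from the getFieldsTitles API, whose response shape is not shown on this page, and the sample items are a constructed subset of the response above.

```python
"""Client helpers for the Guardium /restAPI/search endpoint.

Added example, not Guardium's own code. Everything marked "assumed" below
is an assumption made for the example.
"""
import json
import urllib.request
from urllib.parse import urlencode

# Assumed appliance host; substitute the real host name or IP address.
DEFAULT_HOST = "guardium.example.com"


def build_search_url(host, category, start_time, end_time, start=0, count=50,
                     query=None, summary_by=None, with_facets=0):
    """Build the GET URL. Times are passed as 'YYYYMMDD HH:MM:SS'; urlencode
    turns the space into '+' and safe=':' keeps the colons literal, which
    reproduces the documented form 20190115+03:59:00."""
    params = {
        "CATEGORY": category,
        "START_TIME": start_time,
        "END_TIME": end_time,
        "START": start,
        "COUNT": count,
        "WITH_FACETS": with_facets,
    }
    if query is not None:
        params["QUERY"] = query
    if summary_by is not None:
        params["SUMMARY_BY"] = summary_by
    return f"https://{host}:8443/restAPI/search?{urlencode(params, safe=':')}"


def search_request(url, token):
    """Issue the GET with the bearer token and decode the JSON body.
    urllib verifies the appliance's TLS certificate by default (unlike
    'curl -k'); install the appliance CA in the client trust store instead
    of disabling verification."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all(fetch, page_size=50):
    """Page through results with START/COUNT. `fetch(start, count)` returns
    one decoded response dict. The loop stops when totalHits is reached or
    when a page comes back empty, so an inaccurate totalHits cannot make it
    loop forever."""
    items, start = [], 0
    while True:
        resp = fetch(start, page_size)
        page = resp.get("items", [])
        items.extend(page)
        if not page or start + len(page) >= resp.get("totalHits", 0):
            break
        start += len(page)
    return items


def relabel_items(items, field_titles):
    """Replace the numeric field codes with column titles. Codes missing
    from the mapping (and the 'id' key) are kept unchanged."""
    return [{field_titles.get(k, k): v for k, v in item.items()} for item in items]


# Constructed subset of the sample response shown on this page.
SAMPLE_ITEMS = [
    {"15": "Failed Login - Alert and Quarantine if Repeated", "16": "5", "13": "",
     "id": "0", "3": "10.10.9.56", "2": "JOAN", "1": "ORACLE"},
    {"15": "Privileged Users Access to Sensitive Objects -- TERMINATE", "16": "10",
     "13": "select * from joe.creditcard", "id": "1", "3": "10.10.9.56", "2": "RODRIGO", "1": "ORACLE"},
    {"15": "DML on SOX Financial Objects -- Terminate", "16": "10",
     "13": "insert into creditcard (custid", "id": "2", "3": "10.10.9.56", "2": "CASSANDRA", "1": ""},
    {"15": "Privileged Users Access to Sensitive Objects -- TERMINATE", "16": "10",
     "13": "select * from db2inst1.US_CUST", "id": "3", "3": "10.10.9.56", "2": "DB2INST1", "1": "DB2INST1"},
    {"15": "Privileged Users Access to Sensitive Objects -- TERMINATE", "16": "10",
     "13": "select * from joe.ssn", "id": "4", "3": "10.10.9.56", "2": "SYSTEM", "1": "ORACLE"},
]

# Assumed code-to-title mapping; obtain the real one from the getFieldsTitles API.
FIELD_TITLES = {"1": "Server Type", "2": "DB User Name", "3": "Client IP",
                "13": "Full SQL", "15": "Rule Description", "16": "Severity"}


def fake_fetch(start, count):
    """Offline stand-in for search_request that pages over SAMPLE_ITEMS."""
    page = SAMPLE_ITEMS[start:start + count]
    return {"totalHits": len(SAMPLE_ITEMS), "numRows": len(page), "start": start,
            "count": len(page), "partialResults": False, "items": page}


if __name__ == "__main__":
    print(build_search_url(DEFAULT_HOST, "VIOLATION", "20190115 03:59:00",
                           "20190215 15:39:39", start=10, count=20))
    for row in relabel_items(fetch_all(fake_fetch, page_size=2), FIELD_TITLES):
        print(row["id"], row["Severity"], row["Rule Description"], row["Full SQL"])
```

To run it against an appliance, replace fake_fetch with a lambda that calls search_request on the URL from build_search_url for each (start, count) pair; the paging and relabeling logic stays the same.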