Create InstaQuery
Update CylanceOPTICS InstaQuery resources for a specific tenant.

Service endpoint | /instaqueries/v2 |
Optional query string parameters | — |
Example | https://protectapi.cylance.com/instaqueries/v2 |
Method | HTTP/1.1 POST |
Request headers |
|
Request
```json
{
  "name": "InstaQuery Name",
  "description": "Test InstaQuery",
  "artifact": "File",
  "match_value_type": "Path",
  "match_values": [
    "exe"
  ],
  "case_sensitive": true,
  "match_type": "Fuzzy",
  "zones": [
    "D27FF5C45C0D4F56A00DA1FB297E440F"
  ],
  "filters": [
    {
      "aspect": "OS",
      "value": "Windows"
    }
  ],
  "relations": [
    {
      "object": "/focus/focus_id",
      "relationship": "originated-from"
    }
  ]
}
```
Response
Please see the Response status codes for more information.
Request JSON schema
Field Name | Description |
---|---|
name | This is the name of the InstaQuery. |
description | This is the description of the InstaQuery. |
artifact | This is the type of artifact to search. Possible values are "File", "Process", "NetworkConnection", and "RegistryKey". |
match_value_type | This is the type of value (also known as a facet) to search. Possible values are dependent on the selected artifact type. Valid selections for each are as follows:
|
match_values | This is a list of strings to be matched against for the InstaQuery. |
case_sensitive | This determines whether to consider case sensitivity when matching values. |
match_type | This determines whether or not to use an exact or "fuzzy" match. The default behavior of InstaQuery is to use a "fuzzy" match. Possible values are:
|
zones | This is a list of zone IDs to perform the InstaQuery against. |
filters | This is a list of filters when performing the InstaQuery. |
aspect | This is the aspect (or type) of filters (for example, "OS"). |
value | This is the value to filter for (for example, "Windows"). |
relations | This is a list of objects (for example, Focus View URLs) that are related to the InstaQuery. This is similar to the "Pivot Query" functionality in the Console. |
object | This is the URL of the focus view that the InstaQuery relates to. |
relationship | This is how the InstaQuery relates to the URL. This should almost always be "originated-from". |
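
A client-side check of the request body against the schema above, before it is POSTed to the endpoint. This is an added example, not vendor code: the function names, the 32-hex-character zone ID pattern (taken from the sample request) and the `Content-Type` header are assumptions, and the request object is built but never sent.

```python
import json
import re
import urllib.request

ENDPOINT = "https://protectapi.cylance.com/instaqueries/v2"  # example URL from the page
ARTIFACTS = {"File", "Process", "NetworkConnection", "RegistryKey"}  # listed in the schema
ZONE_ID = re.compile(r"[0-9A-Fa-f]{32}")  # assumption: shape of the page's sample zone ID

def _strings(field, values, pattern=None):
    """Require a non-empty list of non-empty strings, optionally matching a pattern."""
    if not isinstance(values, list) or not values:
        raise ValueError(f"{field} must be a non-empty list")
    for v in values:
        if not isinstance(v, str) or not v or (pattern and not pattern.fullmatch(v)):
            raise ValueError(f"{field} contains an invalid entry: {v!r}")
    return values

def _objects(field, items, keys):
    """Require each item to be a dict with exactly the documented keys."""
    for item in items:
        if not isinstance(item, dict) or set(item) != keys:
            raise ValueError(f"each entry in {field} needs exactly {sorted(keys)}")
    return list(items)

def build_instaquery(name, description, artifact, match_value_type, match_values,
                     zones, case_sensitive, match_type="Fuzzy",
                     filters=(), relations=()):
    """Validate the fields against the request schema and return the JSON body."""
    if not isinstance(name, str) or not name:
        raise ValueError("name must be a non-empty string")
    if artifact not in ARTIFACTS:
        raise ValueError(f"artifact must be one of {sorted(ARTIFACTS)}")
    if not isinstance(case_sensitive, bool):
        raise ValueError("case_sensitive must be true or false")
    return {
        "name": name, "description": description, "artifact": artifact,
        "match_value_type": match_value_type,
        "match_values": _strings("match_values", match_values),
        "case_sensitive": case_sensitive, "match_type": match_type,
        "zones": _strings("zones", zones, ZONE_ID),
        "filters": _objects("filters", filters, {"aspect", "value"}),
        "relations": _objects("relations", relations, {"object", "relationship"}),
    }

def build_request(body):
    """Wrap the body in an unsent POST; authentication headers are not set here."""
    return urllib.request.Request(
        ENDPOINT, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json"})
```

Rejecting a bare string for `match_values` or `zones` catches the common mistake of passing one value where the schema expects a list.
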
Response JSON schema
Field Name | Description |
---|---|
name | This is the name of the InstaQuery. |
description | This is the description of the InstaQuery. |
artifact | This is the type of artifact to search. Possible values are "File", "Process", "NetworkConnection", and "RegistryKey". |
match_value_type | This is the type of value (also known as a facet) to search. Possible values are dependent on the selected artifact type. Valid selections for each are as follows:
|
match_values | This is a list of strings to be matched against for the InstaQuery. |
case_sensitive | This determines whether to consider case sensitivity when matching values. |
match_type | This determines whether or not to use an exact or "fuzzy" match. The default behavior of InstaQuery is to use a "fuzzy" match. Possible values are:
|
zones | This is a list of zone IDs to perform the InstaQuery against. |
filters | This is a list of filters when performing the InstaQuery. |
aspect | This is the aspect (or type) of filters (for example, "OS"). |
value | This is the value to filter for (for example, "Windows"). |
relations | This is a list of objects (for example, Focus View URLs) that are related to the InstaQuery. This is similar to the "Pivot Query" functionality in the Console. |
object | This is the URL of the focus view that the InstaQuery relates to. |
relationship | This is how the InstaQuery relates to the URL. This should almost always be "originated-from". |
id | This is the unique identifier of the created InstaQuery. |
created_at | This is the date and time that the InstaQuery was created. |
progress | This is the progress of the InstaQuery. |