
Get InstaQuery results

Request CylanceOPTICS InstaQuery resource results belonging to a tenant.
Service endpoint
/instaqueries/v2/{queryID}/results
Optional query string parameters
Example
https://protectapi.cylance.com/instaqueries/v2/AF593F38EDC1B743BDC0A6FCC53A03CE/results
Method
HTTP/1.1 GET
Request headers
  • Accept: application/json
  • Authorization: Bearer <JWT token returned by the Auth API, with the opticssurvey:read scope encoded>

Request

None

Response

Please see the Response status codes for more information.

Response JSON schema

  • Id: This is the unique ID of the InstaQuery.
  • Status: This is the status of the InstaQuery.
  • Result: This is the list of responses to the InstaQuery.
  • @timestamp: This is the timestamp that the result was reported, in Unix epoch time.
  • HostName: This is the hostname of the device that returned the result.
  • DeviceID: This is the unique ID of the device that returned the result.
  • @version: This is the version format of the result.
  • CorrelationID: This is the unique correlation ID of the result object.
  • Result: This is the object containing response data.
  • FirstObservedTime: This is the timestamp that the result was first observed on the system (for example, when a file was first observed on the system, as in a file being created).
  • LastObservedTime: This is the timestamp that the result was last observed on the system (for example, when a file was last observed, as in the last time a file was interacted with). This value will be the same as the FirstObservedTime for NetworkConnection and process artifacts.
  • Uid: This is the unique ID of the result.
  • Type: This is the type of artifact that the result's "properties" contain.
  • Properties: This is the object containing the individual elements of the result. This will vary depending on the artifact and type that was queried. The following four groups outline the possible property values:
File
  • Path: This is the full path to the file.
  • CreationDateTime: This is the timestamp (in UTC) of when the file was created on the responding system.
  • Md5: This is the MD5 hash of the file result (where applicable).
  • Sha256: This is the SHA256 hash of the file result (where applicable).
  • Owner: This is the owner of the file.
  • SuspectedFileType: This is the suspected file type of the file object (where applicable).
  • FileSignature: This is a set of information derived about the file's signature status.
  • Size: This is the size of the file object (in bytes).
  • OwnerUid: This is the unique ID of the owner of the file.
Process
  • Name: This is the name of the process.
  • CommandLine: These are the command-line arguments that the process was executed with.
  • StartDateTime: This is the timestamp (in UTC) of when the process was executed on the responding system.
  • PrimaryImagePath: This is the image file path of the process.
  • PrimaryImageMd5: This is the MD5 hash of the image file of the process.
  • PrimaryImageSha256: This is the SHA256 hash of the image file of the process.
  • PrimaryImageUid: This is the unique ID of the image file of the process.
  • Owner: This is the user who owns the process.
  • OwnerUid: This is the unique ID of the user who owns the process.
  • SuspectedFileType: This is the suspected file type of the image file of the process.
  • FileSignature: This is a set of information derived about the image file's signature status.
  • IsBeingDebugged: This is a Boolean value that indicates whether the process has a debugger attached to it.
Network
  • DestinationAddress: This is the IP address that the connection was destined to.
  • DestinationPort: This is the port associated with the remote IP address.
  • ProcessName: This is the process name that was associated with the connection.
  • ProcessPrimaryImageUid: This is the unique ID of the process associated with the connection.
  • ProcessPrimaryImagePath: This is the image file path of the process associated with the connection.
  • ProcessImageMd5: This is the MD5 hash of the image file of the process associated with the connection.
  • ProcessImageSha256: This is the SHA256 hash of the image file of the process associated with the connection.
  • SuspectedFileType: This is the suspected file type of the image file of the process associated with the connection.
Registry
  • IsPersistencePoint: This is a binary value (1 or 0) that indicates whether the resulting Registry item is a common persistence location.
  • ValueName: This is the name of the Registry Value that was interacted with.
  • Path: This is the full path of the Registry Key.
  • FilePath: This is the full path of the file referenced in the Registry Value (where applicable).
  • FileMd5: This is the MD5 hash of the file referenced in the Registry Value (where applicable).
  • FileSha256: This is the SHA256 hash of the file referenced in the Registry Value (where applicable).
  • FileUid: This is the unique ID of the file referenced in the Registry Value (where applicable).
  • SuspectedFileType: This is the suspected file type of the file referenced in the Registry Value (where applicable).
  • FileSignature: This is a set of information derived about a file's signature status that is referenced in the Registry Value (where applicable).
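
Added example (not part of the Cylance documentation): a Python sketch that builds the GET request described above and triages a results body for Registry items flagged as persistence points. Assumptions: the per-device fields sit inside each element of the top-level Result list, Type is the string "Registry" for Registry results, @timestamp is in seconds, and every value in the sample response is constructed.

```python
import json
from datetime import datetime, timezone
from urllib.request import Request

BASE_URL = "https://protectapi.cylance.com"  # host taken from the page's example URL

def build_request(query_id: str, jwt: str) -> Request:
    """Build (without sending) the GET request for one InstaQuery's results."""
    if not query_id.isalnum():  # keep the path parameter from altering the URL
        raise ValueError("queryID must be alphanumeric")
    return Request(f"{BASE_URL}/instaqueries/v2/{query_id}/results", method="GET",
                   headers={"Accept": "application/json",
                            "Authorization": f"Bearer {jwt}"})

def persistence_points(body: str) -> list:
    """Return Registry results whose IsPersistencePoint flag is set."""
    hits = []
    for item in json.loads(body).get("Result") or []:
        inner = item.get("Result") or {}
        if isinstance(inner, str):  # assumption: tolerate a JSON-encoded object
            inner = json.loads(inner)
        props = inner.get("Properties") or {}
        if inner.get("Type") != "Registry" or props.get("IsPersistencePoint") not in (1, "1"):
            continue
        reported = datetime.fromtimestamp(item["@timestamp"], tz=timezone.utc)
        hits.append({"host": item.get("HostName"), "device": item.get("DeviceID"),
                     "reported": reported.isoformat(), "key": props.get("Path"),
                     "value": props.get("ValueName"), "file": props.get("FilePath"),
                     "sha256": props.get("FileSha256")})
    return hits

# Constructed sample response; every value below is made up for illustration.
SAMPLE = json.dumps({"Id": "AF593F38EDC1B743BDC0A6FCC53A03CE", "Status": "done", "Result": [
    {"@timestamp": 1700000000, "HostName": "WS-EXAMPLE-01", "DeviceID": "DEV-0001",
     "@version": 1, "CorrelationID": "CORR-0001",
     "Result": {"Uid": "UID-0001", "Type": "Registry", "Properties": {
         "IsPersistencePoint": 1, "ValueName": "Updater",
         "Path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
         "FilePath": r"C:\Users\Public\updater.exe", "FileSha256": "<sha256-placeholder>"}}},
    {"@timestamp": 1700000060, "HostName": "WS-EXAMPLE-02", "DeviceID": "DEV-0002",
     "Result": {"Uid": "UID-0002", "Type": "Registry", "Properties": {
         "IsPersistencePoint": 0, "ValueName": "Theme", "Path": r"HKCU\Control Panel\Desktop"}}},
    {"@timestamp": 1700000120, "HostName": "WS-EXAMPLE-03", "DeviceID": "DEV-0003",
     "Result": {"Uid": "UID-0003", "Type": "File", "Properties": {"Path": r"C:\Temp\a.txt"}}},
]})

if __name__ == "__main__":
    for hit in persistence_points(SAMPLE):
        print(hit)
```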