Environment
- Carbon Black Cloud Enriched Events API: v1
- Carbon Black Cloud Server: 1.6
- Carbon Black Cloud Sensors: All versions
Symptoms
POST: https://defense-prod05.conferdeploy.net/api/investigate/v1/orgs/7QZF88ZP/enriched_events/aggregation_jobs/device_id
body:
{
  "query": "netconn_ipv4:142.250.114.138",
  "fields": ["device_name", "process_name", "process_product_version", "process_sha_256", "process_username", "device_os", "netconn_ipv4", "netconn_action", "netconn_count"],
  "sort": [
    { "field": "device_name", "order": "asc" }
  ],
  "time_range": { "window": "-1w" }
}
Response:
{ "job_id": "319cacc9-3783-40a6-9024-00471ccf3476" }
=======================
Running the POST above, where "fields" is specified, results in a "502 Gateway" error when running a GET for the returned job_id:
GET https://defense-prod05.conferdeploy.net/api/investigate/v1/orgs/7QZF88ZP/enriched_events/aggregation_jobs/319cacc9-3783-40a6-9024-00471ccf3476/results
<502 Gateway error>
Cause
This is server issue DSER-42569. As per the Enriched Events Search API, "fields" is a supported field in the Body Schema of the POST call. However, because of this issue, the GET call for the job ID returned by the POST above fails with a 502 error.
Resolution
- As a workaround, omit the "fields" section in the POST call, like so:
POST: https://defense-prod05.conferdeploy.net/api/investigate/v1/orgs/7QZF88ZP/enriched_events/aggregation_jobs/device_id
{
  "query": "netconn_ipv4:142.250.114.138",
  "sort": [
    { "field": "device_name", "order": "asc" }
  ],
  "time_range": { "window": "-1w" }
}
Results: "cc8c041d-ffd6-486e-ae05-5845a3dd7172"
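With "fields" omitted, a caller that still wants only specific fields has to select them client-side. The following is an added example, not code from the vendor or this article: it resubmits the job without "fields" when the results GET returns 502 and applies the field selection locally. The transport callables, the `results` key in the response, `FakeBackend`, and the sample record are assumptions constructed for illustration.

```python
# Request body from the page, with a shortened "fields" list.
BODY = {
    "query": "netconn_ipv4:142.250.114.138",
    "fields": ["device_name", "process_name", "netconn_ipv4", "netconn_count"],
    "sort": [{"field": "device_name", "order": "asc"}],
    "time_range": {"window": "-1w"},
}
# Constructed sample record; real records carry more keys.
SAMPLE = {"device_name": "host-a", "process_name": "chrome.exe",
          "netconn_count": 3, "device_id": 1001}

def without_fields(body):
    """Copy of the job body with "fields" removed (the workaround)."""
    return {k: v for k, v in body.items() if k != "fields"}

def project(records, fields):
    """Client-side replacement for the server-side field selection."""
    return [{f: r[f] for f in fields if f in r} for r in records]

def run_aggregation(post_job, get_results, body):
    """post_job(body) -> job_id; get_results(job_id) -> (status, json or None)."""
    job_id = post_job(body)
    status, payload = get_results(job_id)
    retried = status == 502 and "fields" in body
    if retried:  # resubmit without "fields", select fields locally instead
        job_id = post_job(without_fields(body))
        status, payload = get_results(job_id)
    if status != 200:
        raise RuntimeError(f"results for job {job_id} failed: HTTP {status}")
    records = payload.get("results", [])  # assumed response shape
    return (project(records, body["fields"]) if retried else records), retried

class FakeBackend:
    """Constructed stand-in that reproduces the symptom described on this page."""
    def __init__(self, records):
        self.records, self.jobs = records, {}
    def post_job(self, body):
        job_id = f"job-{len(self.jobs) + 1}"
        self.jobs[job_id] = body
        return job_id
    def get_results(self, job_id):
        # 502 only when "fields" was sent AND there are records to return
        if "fields" in self.jobs[job_id] and self.records:
            return 502, None
        return 200, {"results": self.records}

if __name__ == "__main__":
    api = FakeBackend([SAMPLE])
    print(run_aggregation(api.post_job, api.get_results, BODY))
```

In real use, `post_job` and `get_results` would wrap authenticated HTTP calls to the two endpoints shown above.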
Additional Notes
To see the 502 Gateway error, the GET actually needs to return some records (as opposed to a null, empty list).