Carbon Black Cloud Enriched Events API: 502 Gateway error when a query specifies "fields"

Environment

  • Carbon Black Cloud Enriched Events API: v1
  • Carbon Black Cloud Server: 1.6
  • Carbon Black Cloud Sensors: All versions

Symptoms

POST: https://defense-prod05.conferdeploy.net/api/investigate/v1/orgs/7QZF88ZP/enriched_events/aggregation_jobs/device_id
body:
{
  "query": "netconn_ipv4:142.250.114.138",
  "fields": ["device_name", "process_name", "process_product_version", "process_sha_256", "process_username", "device_os", "netconn_ipv4", "netconn_action", "netconn_count"],
  "sort": [
    { "field": "device_name", "order": "asc" }
  ],
  "time_range": { "window": "-1w" }
}
Response:

{ "job_id": "319cacc9-3783-40a6-9024-00471ccf3476" }

Running the POST above, where "fields" is specified, results in a "502 Gateway" error when running a GET for the returned job_id:

GET https://defense-prod05.conferdeploy.net/api/investigate/v1/orgs/7QZF88ZP/enriched_events/aggregation_jobs/319cacc9-3783-40a6-9024-00471ccf3476/results

<502 Gateway error>

Cause

This is server issue DSER-42569. As per the Enriched Events Search API, "fields" is a supported field in the Body Schema of the POST call. However, because of this issue, the GET call for the job ID returned by the POST call above fails with a 502 error.

Resolution

  1. As a workaround, omit the "fields" section in the POST call, as follows:
POST: https://defense-prod05.conferdeploy.net/api/investigate/v1/orgs/7QZF88ZP/enriched_events/aggregation_jobs/device_id

{
  "query": "netconn_ipv4:142.250.114.138",
  "sort": [
    { "field": "device_name", "order": "asc" }
  ],
  "time_range": { "window": "-1w" }
}

Results: "cc8c041d-ffd6-486e-ae05-5845a3dd7172"


 

Additional Notes

To see the 502 Gateway error, the GET actually needs to return some records (as opposed to a null, empty list).
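The workaround above as an added Python example (not from the original article or the product's own code): it submits the job without "fields", fetches the results, and applies the field selection locally. The `http` callable, the fake server that reproduces the symptom described in Additional Notes, and the "results" response key are assumptions made for illustration.

```python
import copy

BASE = "/api/investigate/v1/orgs/{org}/enriched_events/aggregation_jobs"

def strip_fields(body):
    """Return (copy of body without "fields", requested field list or None)."""
    clean = copy.deepcopy(body)
    wanted = clean.pop("fields", None)
    return clean, wanted

def project(records, wanted):
    """Keep only the requested keys per record; keys a record lacks are skipped."""
    if not wanted:
        return records
    return [{k: r[k] for k in wanted if k in r} for r in records]

def run_aggregation(http, org, body, group_by="device_id"):
    """Submit the job without "fields" (workaround for DSER-42569), fetch the
    results, then select fields client-side.
    http(method, path, json_body) -> (status, parsed_json) is supplied by the
    caller (hypothetical transport; authentication is the caller's concern)."""
    clean, wanted = strip_fields(body)
    base = BASE.format(org=org)
    status, reply = http("POST", f"{base}/{group_by}", clean)
    if not 200 <= status < 300:
        raise RuntimeError(f"job submission failed: HTTP {status}")
    status, reply = http("GET", f"{base}/{reply['job_id']}/results", None)
    if not 200 <= status < 300:
        raise RuntimeError(f"results fetch failed: HTTP {status}")
    # Assumption: result records are returned under a "results" key.
    return project(reply.get("results", []), wanted)

def make_fake_server(records):
    """Constructed stand-in for the API: the GET answers 502 only when the job
    was created with "fields" AND there are records to return."""
    jobs = {}
    def http(method, path, body):
        if method == "POST":
            job_id = f"job-{len(jobs) + 1}"
            jobs[job_id] = "fields" in body
            return 200, {"job_id": job_id}
        job_id = path.split("/")[-2]
        if jobs[job_id] and records:
            return 502, None
        return 200, {"results": records}
    return http
```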

Article Information
Creation Date: 09-22-2022