INPUT_OBJECT

StartThreatHuntInput

Description

The configuration to start a hunt, including which objects, indicators of compromise, and advanced parameters.

GraphQL Schema definition

  input StartThreatHuntInput {
    # Notes to describe this threat hunt.
    notes: String
    # Criteria to restrict files to scan.
    fileScanCriteria: MalwareScanFileCriteriaInput
    # List of IOCs to scan for.
    indicatorsOfCompromise: [IndicatorOfCompromiseInput!]!
    # Maximum number of matches per snapshot, per IOC. Scanning for an Indicator Of
    # Compromise within a snapshot will terminate once this many matches have been
    # detected. Defaults to one.
    maxMatchesPerSnapshot: Int
    # Name of this threat hunt.
    name: String!
    # Object FIDs to scan for malware.
    objectFids: [UUID!]!
    # Additional information required for files with malware matches.
    requestedMatchDetails: RequestedMatchDetailsInput
    # Specifies whether features that rely on the accuracy of filesystem metadata,
    # like creation time and modification time of files, are enabled or not. These
    # features include backend optimizations to skip re-scanning files that have not
    # changed across snapshots, as indicated by the unchanged timestamps of files.
    # This flag also gates access to some filters that can be specified in this API.
    # Note that this flag should be used with caution, as relying on file timestamps
    # may make the system vulnerable to adversarial techniques such as timestamp
    # manipulation.
    shouldTrustFilesystemTimeInfo: Boolean
    # Limit which snapshots to include in the threat hunt.
    snapshotScanLimit: MalwareScanSnapshotLimitInput
    # UUID used to identify the cluster the request goes to.
    clusterUuid: UUID!
  }
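The following is an added client-side example, not code from this schema page or from the API's vendor. It assembles the variables object a client would send for StartThreatHuntInput and enforces, before anything leaves the client, what the schema marks as required (name, clusterUuid, a non-empty objectFids list of UUIDs, a non-empty indicatorsOfCompromise list) together with the timestamp-trust caveat above: shouldTrustFilesystemTimeInfo is pinned to false unless the caller opts in explicitly. The nested input types (MalwareScanFileCriteriaInput, IndicatorOfCompromiseInput, RequestedMatchDetailsInput, MalwareScanSnapshotLimitInput) are not defined on this page, so they are passed through as opaque dicts; that, the function names and the sample UUIDs are all assumptions of this example.

```python
"""Client-side builder/validator for a StartThreatHuntInput variables object.

Added example: not part of the schema page. Nested input types are treated as
opaque dicts because their fields are not defined here (assumption).
"""
import uuid
from typing import Any, Dict, List, Optional


class ThreatHuntInputError(ValueError):
    """Raised when the input would violate the schema or local policy."""


def _check_uuid(value: Any, field: str) -> str:
    """Return the canonical string form of a UUID, or raise with the field name."""
    try:
        return str(uuid.UUID(str(value)))
    except (ValueError, TypeError):
        raise ThreatHuntInputError(f"{field}: {value!r} is not a valid UUID") from None


def build_start_threat_hunt_input(
    name: str,
    cluster_uuid: str,
    object_fids: List[str],
    indicators_of_compromise: List[Dict[str, Any]],
    *,
    notes: Optional[str] = None,
    max_matches_per_snapshot: Optional[int] = None,
    trust_filesystem_time_info: bool = False,
    file_scan_criteria: Optional[Dict[str, Any]] = None,
    requested_match_details: Optional[Dict[str, Any]] = None,
    snapshot_scan_limit: Optional[Dict[str, Any]] = None,
) -> Dict[str, Any]:
    """Build the StartThreatHuntInput object, enforcing the schema's non-null fields."""
    if not name or not name.strip():
        raise ThreatHuntInputError("name is required (String!)")
    if not object_fids:
        raise ThreatHuntInputError("objectFids must contain at least one FID ([UUID!]!)")
    if not indicators_of_compromise:
        raise ThreatHuntInputError(
            "indicatorsOfCompromise must contain at least one IOC ([IndicatorOfCompromiseInput!]!)"
        )
    if max_matches_per_snapshot is not None and max_matches_per_snapshot < 1:
        raise ThreatHuntInputError("maxMatchesPerSnapshot must be >= 1")

    # Validate every FID and drop duplicates while preserving order.
    fids = list(dict.fromkeys(_check_uuid(f, "objectFids") for f in object_fids))

    payload: Dict[str, Any] = {
        "name": name.strip(),
        "clusterUuid": _check_uuid(cluster_uuid, "clusterUuid"),
        "objectFids": fids,
        "indicatorsOfCompromise": list(indicators_of_compromise),
    }
    # Optional fields are emitted only when set, so the server applies its own
    # defaults (maxMatchesPerSnapshot defaults to one per the schema comment).
    optional = {
        "notes": notes,
        "maxMatchesPerSnapshot": max_matches_per_snapshot,
        "fileScanCriteria": file_scan_criteria,
        "requestedMatchDetails": requested_match_details,
        "snapshotScanLimit": snapshot_scan_limit,
    }
    payload.update({k: v for k, v in optional.items() if v is not None})
    # The schema warns that trusting filesystem timestamps exposes the hunt to
    # timestamp manipulation, so the flag is always sent explicitly and is false
    # unless the caller opted in.
    payload["shouldTrustFilesystemTimeInfo"] = bool(trust_filesystem_time_info)
    return payload


if __name__ == "__main__":
    import json
    # Constructed sample values; the IOC dict's shape depends on
    # IndicatorOfCompromiseInput, which this page does not define.
    variables = build_start_threat_hunt_input(
        name="quarterly hunt",
        cluster_uuid="11111111-2222-3333-4444-555555555555",
        object_fids=["aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"],
        indicators_of_compromise=[{"placeholder": "ioc-fields-go-here"}],
        max_matches_per_snapshot=5,
    )
    print(json.dumps({"input": variables}, indent=2))
```

The returned dict is what goes under the mutation's `input` variable; the mutation name itself is not shown on this page, so it is left to the caller.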

Required by