Which of the following will show all artifacts that have the term results in a filePath CEF value?
A . …/rest/artifact?_filter_cef_filePath_icontain=”results”
B . …rest/artifacts/filePath=”%results%”
C . …/result/artifacts/cef/filePath= ‘%results%”
D . …/result/artifact?_query_cef_filepath_icontains=”results
Answer: A
Explanation:
A is the intended answer. Splunk SOAR exposes its data through Django-style query endpoints, so an artifact search is a GET against /rest/artifact with one or more _filter_<field>__<lookup> parameters. The cef prefix reaches into the artifact's CEF (Common Event Format) dictionary, filePath names the CEF key, and icontains performs a case-insensitive substring match, so both "/tmp/results.csv" and "C:\Results\report.txt" would be returned. Note that the documented syntax puts a double underscore between field and lookup (_filter_cef__filePath__icontains="results") and spells the lookup icontains; the option as printed drops one underscore and the trailing s, but it is still the only choice that combines the right endpoint with the _filter_ mechanism.
B is incorrect because /rest/artifacts is not the endpoint (SOAR resource names are singular: /rest/artifact, /rest/container) and filePath="%results%" is SQL LIKE wildcard syntax, which the REST API does not accept. C is incorrect because it uses a non-existent /result/ path instead of /rest/artifact and again relies on SQL wildcard syntax. D is incorrect because it also uses the /result/ path, uses _query_ rather than the _filter_ parameter, lowercases the key to filepath (CEF keys are case-sensitive, so filepath does not match the filePath field), and is missing its closing quote.
Reference: Splunk SOAR REST API Guide, page 18.
In practice, GET /rest/artifact?_filter_cef__filePath__icontains="results" returns every artifact whose filePath contains the term "results" regardless of case, which lets an analyst pull only the artifacts relevant to an investigation instead of paging through all of them.
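The following is an added example, not part of the original question or of Splunk's own documentation. It builds the artifact query URL with the documented _filter_cef__filePath__icontains form (JSON-encoding the value supplies the quotes the API expects) and applies the same case-insensitive substring test to a constructed set of artifacts, so you can see which records such a query returns. The host name, token handling and artifact records are assumptions for illustration; nothing is sent over the network.

```python
"""Added example: build a Splunk SOAR artifact filter query and mirror the
icontains lookup locally. Host, artifacts and the page_size default are
constructed for illustration; no request is made.
"""
import json
from urllib.parse import urlencode


def build_artifact_query(base_url, field, value, lookup="icontains", page_size=50):
    """Return the URL for GET /rest/artifact filtered on one CEF field.

    SOAR filter values are JSON-encoded, so a string keeps its double quotes;
    json.dumps() supplies them and urlencode() escapes them as %22.
    """
    params = {
        f"_filter_cef__{field}__{lookup}": json.dumps(value),
        "page_size": page_size,
    }
    return f"{base_url.rstrip('/')}/rest/artifact?{urlencode(params)}"


def icontains(haystack, needle):
    """Case-insensitive substring match, the semantics of the icontains lookup."""
    return needle.lower() in str(haystack).lower()


def filter_artifacts(artifacts, field, needle):
    """Apply the same test client-side to a list of artifact dicts.

    Artifacts that lack the CEF key are skipped rather than treated as a
    match, which is also what the server-side filter does.
    """
    return [
        a["id"]
        for a in artifacts
        if field in a.get("cef", {}) and icontains(a["cef"][field], needle)
    ]


# Constructed sample artifacts (not real SOAR data).
SAMPLE_ARTIFACTS = [
    {"id": 1, "cef": {"filePath": "C:\\Users\\alice\\Results\\report.xlsx"}},
    {"id": 2, "cef": {"filePath": "/var/tmp/scan_results.json"}},
    {"id": 3, "cef": {"filePath": "/etc/passwd"}},
    {"id": 4, "cef": {"sourceAddress": "10.0.0.5"}},  # no filePath key at all
]


if __name__ == "__main__":
    print(build_artifact_query("https://soar.example", "filePath", "results"))
    print(filter_artifacts(SAMPLE_ARTIFACTS, "filePath", "results"))
```

Record 1 matches because the lookup ignores case ("Results"), record 2 matches on the embedded "results", record 3 does not contain the term, and record 4 has no filePath key. When sending the real request, put the automation user's token in the ph-auth-token header; the query string itself carries no credentials.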