The Synqly Connector APIs provide a unifying interface and data model for all supported service Providers.
See the Synqly Overview for more information.
The Synqly Connector APIs provide a unifying interface and data model for all supported service Providers.
See the Synqly Overview for more information.
Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta function are available at every endpoint.
Select a field to order the results by. Defaults to name. To control the direction of the sorting, append [asc] or [desc] to the field name. For example, name[asc] will sort the results by name in ascending order. The ordering defaults to asc if not specified.
Filter results by this query. For more information on filtering, refer to our Filtering Guide. Defaults to no filter. If used more than once, the queries are ANDed together.
curl -i -X GET \
https://api.synqly.com/v1/app-sec/applications \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'List of applications
An attribute that describes the type of the application's alternate unique identifier as defined by the provider. This may be used to help find the application in the provider's user interface.
The Object type is used to represent an object with arbitrary fields. The keys are strings and the values are any type.
The criticality of the application as defined by the event source.
A description or commentary for an application, usually retrieved from an upstream system.
The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization, including but not limited to purposes of access control.
Unique name assigned to a device connected to a computer network. It may be a fully qualified domain name (FQDN). For example:r2-d2.example.com.,mx.example.com
The User object describes the characteristics of a user/person or a security principal.
A graph data structure representation with nodes and edges.
The risk level, normalized to the caption of the risk_level_id value.
ApplicationRiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The Software Bill of Materials object describes characteristics of a generated SBOM.
The list of tags; {key:value} pairs associated to the application.
The type of application as defined by the event source, e.g., GitHub, Azure Logic App, or Amazon Elastic BeanStalk.
An alternative or contextual identifier for the application, such as a configuration, organization, or license UID.
The Uniform Resource Locator (URL) object describes the characteristics of a URL.
{ "result": [ { … } ], "cursor": "string", "meta": { "stats": { … }, "api": { … } } }
Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta function are available at every endpoint.
Select a field to order the results by. Defaults to name. To control the direction of the sorting, append [asc] or [desc] to the field name. For example, name[asc] will sort the results by name in ascending order. The ordering defaults to asc if not specified.
Filter results by this query. For more information on filtering, refer to our Filtering Guide. Defaults to no filter. If used more than once, the queries are ANDed together.
curl -i -X GET \
'https://api.synqly.com/v1/app-sec/applications/{applicationId}/findings' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'List of application findings
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: A finding was created. 2 - Update: A finding was updated. 3 - Close: A finding was closed. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 2 - Findings: Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.
ClassUid is an enum, and the following values are allowed. 2007 - ApplicationSecurityPostureFinding: The Application Security Posture Finding event is a notification about any bug, defect, deficiency, exploit, vulnerability, weakness or any other issue with software and related systems. Application Security Posture Findings typically involve reporting on the greater context including compliance, impacted resources, remediation guidance, specific code defects, and/or vulnerability metadata. Application Security Posture Findings can be reported by Threat & Vulnerability Management (TVM) tools, Application Security Posture Management (ASPM) tools, or other similar tools. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object.
Note: If the Finding is an incident, i.e. requires incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding.
The Finding Information object describes metadata related to a security finding generated by a security tool or system.
The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.
The MITRE ATT&CK® technique and associated tactics related to the finding.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the finding was created.
A list of data sources utilized in generation of the finding.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the finding was first observed. e.g. The time when a vulnerability was first observed.
It can differ from the created_time timestamp, which reflects the time this finding was created.
The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.
It can differ from the modified_time timestamp, which reflects the time this finding was last modified.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the finding was last modified.
The Product object describes characteristics of a software product.
The unique identifier of the product that reported the finding.
Other analytics related to this finding.
Describes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF.
Uniform Resource Locator (URL) string. For example:http://www.example.com/download/trouble.exe.
The list of tags; {key:value} pairs associated with the finding.
A title or a brief phrase summarizing the reported finding.
The Metadata object describes the metadata associated with the event.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example:http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
Debug information about non-fatal issues with this OCSF event. Each issue is a line in this string array.
The Event ID, Code, or Name that the product uses to primarily identify the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of labels attached to the event. For example: ["sample", "dev"]
The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
The list of tags; {key:value} pairs associated to the event.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
TypeUid is an enum, and the following values are allowed. 200700 - Unknown 200701 - Create: A finding was created. 200702 - Update: A finding was updated. 200703 - Close: A finding was closed. 200799 - Other
ActionId is an enum, and the following values are allowed. 0 - Unknown: The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'. 1 - Allowed: The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc. 2 - Denied: The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc. 3 - Observed: The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc. 4 - Modified: The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'. 99 - Other: The action is not mapped. See the action attribute which contains a data source specific value.
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity. Note that Actor is not the threat actor of a campaign but may be part of a campaign.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
An Application describes the details for an inventoried application as reported by an Application Security tool or other Developer-centric tooling. Applications can be defined as Kubernetes resources, Containerized resources, or application hosting-specific cloud sources such as AWS Elastic BeanStalk, AWS Lightsail, or Azure Logic Apps.
An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.
Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.
The event category name, as defined by category_uid value: Findings.
The Cloud object contains information about a cloud or Software-as-a-Service account or similar construct, such as AWS Account ID, regions, organizations, folders, compartments, tenants, etc.
The Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements or details about custom assessments utilized in a compliance evaluation. Standards define broad security frameworks, controls represent specific security requirements within those frameworks, and checks are the testable verification points used to determine if controls are properly implemented.
The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
ConfidenceId is an enum, and the following values are allowed. 0 - Unknown: The normalized confidence is unknown. 1 - Low 2 - Medium 3 - High 99 - Other: The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.
The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.
DispositionId is an enum, and the following values are allowed. 0 - Unknown: The disposition is unknown. 1 - Allowed: Granted access or allowed the action to the protected resource. 2 - Blocked: Denied access or blocked the action to the protected resource. 3 - Quarantined: A suspicious file or other content was moved to a benign location. 4 - Isolated: A session was isolated on the network or within a browser. 5 - Deleted: A file or other content was deleted. 6 - Dropped: The request was detected as a threat and resulted in the connection being dropped. 7 - CustomAction: A custom action was executed such as running of a command script. Use the message attribute of the base class for details. 8 - Approved: A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'. 9 - Restored: A quarantined file or other content was restored to its original location. 10 - Exonerated: A suspicious or risky entity was deemed to no longer be suspicious (re-scored). 11 - Corrected: A corrupt file or configuration was corrected. 12 - PartiallyCorrected: A corrupt file or configuration was partially corrected. 13 - Uncorrected: A corrupt file or configuration was not corrected. 14 - Delayed: An operation was delayed, for example if a restart was required to finish the operation. 15 - Detected: Suspicious activity or a policy violation was detected without further action. 16 - NoAction: The outcome of an operation had no action taken. 17 - Logged: The operation or action was logged without further action. 18 - Tagged: A file or other entity was marked with extended attributes. 19 - Alert: The request or activity was detected as a threat and resulted in a notification but request was not blocked. 20 - Count: Counted the request or activity but did not determine whether to allow it or block it. 21 - Reset: The request was detected as a threat and resulted in the connection being reset. 22 - Captcha: Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request. 23 - Challenge: Ran a silent challenge that required the client session to verify that it's a browser, and not a bot. 24 - AccessRevoked: The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class. 25 - Rejected: A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'. 26 - Unauthorized: An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail. 27 - Error: An error occurred during the processing of the activity or request. Use the message attribute of the base class for details. 99 - Other: The disposition is not mapped. See the disposition attribute, which contains a data source specific value.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time of the most recent event included in the finding.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]The Firewall Rule object represents a specific rule within a firewall policy or event. It contains information about a rule's configuration, properties, and associated actions that define how network traffic is handled by the firewall.
Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.
A list of Malware objects, describing details about the identified malware.
The malware scan information object describes characteristics, metadata of a malware scanning job.
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The Policy object describes the policies that are applicable.
Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.
The size of the raw data which was transformed into an OCSF event, in bytes.
The Remediation object describes the recommended remediation steps to address identified issue(s).
Describes details about the resource/resources that are affected by the vulnerability/vulnerabilities.
The risk level, normalized to the caption of the risk_level_id value.
RiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time of the least recent event included in the finding.
The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - New: The Finding is new and yet to be reviewed. 2 - InProgress: The Finding is under review. 3 - Suppressed: The Finding was reviewed, determined to be benign or a false positive and is now suppressed. 4 - Resolved: The Finding was reviewed, remediated and is now considered resolved. 5 - Archived: The Finding was archived. 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-prodvided values and consumer-updated values, of key attributes like severity_id.
The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.
{ "result": [ { … } ], "cursor": "string", "meta": { "stats": { … }, "api": { … } } }
This operation is actively being developed. Breaking changes should be expected.
Please contact us before using this operation.
Returns a list of each findings details combined with the application details for all applications in the token-linked application security integration. This API may perform multiple provider API calls per executation so can be slower to respond.
curl -i -X GET \
https://api.synqly.com/v1/app-sec/findings \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'An Application describes the details for an inventoried application as reported by an Application Security tool or other Developer-centric tooling. Applications can be defined as Kubernetes resources, Containerized resources, or application hosting-specific cloud sources such as AWS Elastic BeanStalk, AWS Lightsail, or Azure Logic Apps.
An attribute that describes the type of the application's alternate unique identifier as defined by the provider. This may be used to help find the application in the provider's user interface.
The Object type is used to represent an object with arbitrary fields. The keys are strings and the values are any type.
The criticality of the application as defined by the event source.
A description or commentary for an application, usually retrieved from an upstream system.
The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization, including but not limited to purposes of access control.
Unique name assigned to a device connected to a computer network. It may be a fully qualified domain name (FQDN). For example:r2-d2.example.com.,mx.example.com
The list of labels associated to the application.
The User object describes the characteristics of a user/person or a security principal.
A graph data structure representation with nodes and edges.
The risk level, normalized to the caption of the risk_level_id value.
ApplicationRiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The Software Bill of Materials object describes characteristics of a generated SBOM.
The list of tags; {key:value} pairs associated to the application.
The type of application as defined by the event source, e.g., GitHub, Azure Logic App, or Amazon Elastic BeanStalk.
An alternative or contextual identifier for the application, such as a configuration, organization, or license UID.
The Uniform Resource Locator (URL) object describes the characteristics of a URL.
The Application Security Posture Finding event is a notification about any bug, defect, deficiency, exploit, vulnerability, weakness or any other issue with software and related systems. Application Security Posture Findings typically involve reporting on the greater context including compliance, impacted resources, remediation guidance, specific code defects, and/or vulnerability metadata. Application Security Posture Findings can be reported by Threat & Vulnerability Management (TVM) tools, Application Security Posture Management (ASPM) tools, or other similar tools. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object.
Note: If the Finding is an incident, i.e. requires incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding.
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: A finding was created. 2 - Update: A finding was updated. 3 - Close: A finding was closed. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 2 - Findings: Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.
ClassUid is an enum, and the following values are allowed. 2007 - ApplicationSecurityPostureFinding: The Application Security Posture Finding event is a notification about any bug, defect, deficiency, exploit, vulnerability, weakness or any other issue with software and related systems. Application Security Posture Findings typically involve reporting on the greater context including compliance, impacted resources, remediation guidance, specific code defects, and/or vulnerability metadata. Application Security Posture Findings can be reported by Threat & Vulnerability Management (TVM) tools, Application Security Posture Management (ASPM) tools, or other similar tools. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object.
Note: If the Finding is an incident, i.e. requires incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding.
The Finding Information object describes metadata related to a security finding generated by a security tool or system.
The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.
The MITRE ATT&CK® technique and associated tactics related to the finding.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the finding was created.
A list of data sources utilized in generation of the finding.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the finding was first observed. e.g. The time when a vulnerability was first observed.
It can differ from the created_time timestamp, which reflects the time this finding was created.
The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.
It can differ from the modified_time timestamp, which reflects the time this finding was last modified.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the finding was last modified.
The Product object describes characteristics of a software product.
The unique identifier of the product that reported the finding.
Other analytics related to this finding.
Describes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF.
Number of related events or findings.
Uniform Resource Locator (URL) string. For example:http://www.example.com/download/trouble.exe.
The list of tags; {key:value} pairs associated with the finding.
A title or a brief phrase summarizing the reported finding.
The list of key traits or characteristics extracted from the finding.
One or more types of the reported finding.
The Metadata object describes the metadata associated with the event.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example:http://www.example.com/download/trouble.exe.
The name of the vendor of the product.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The unique identifier used to correlate events.
Debug information about non-fatal issues with this OCSF event. Each issue is a line in this string array.
The Event ID, Code, or Name that the product uses to primarily identify the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of labels attached to the event. For example: ["sample", "dev"]
The audit level at which an event was generated.
The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
The list of tags; {key:value} pairs associated to the event.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
TypeUid is an enum, and the following values are allowed. 200700 - Unknown 200701 - Create: A finding was created. 200702 - Update: A finding was updated. 200703 - Close: A finding was closed. 200799 - Other
ActionId is an enum, and the following values are allowed. 0 - Unknown: The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'. 1 - Allowed: The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc. 2 - Denied: The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc. 3 - Observed: The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc. 4 - Modified: The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'. 99 - Other: The action is not mapped. See the action attribute which contains a data source specific value.
The finding activity name, as defined by the activity_id.
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity. Note that Actor is not the threat actor of a campaign but may be part of a campaign.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
An Application describes the details for an inventoried application as reported by an Application Security tool or other Developer-centric tooling. Applications can be defined as Kubernetes resources, Containerized resources, or application hosting-specific cloud sources such as AWS Elastic BeanStalk, AWS Lightsail, or Azure Logic Apps.
An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.
Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.
The event category name, as defined by category_uid value: Findings.
The Cloud object contains information about a cloud or Software-as-a-Service account or similar construct, such as AWS Account ID, regions, organizations, folders, compartments, tenants, etc.
The Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements or details about custom assessments utilized in a compliance evaluation. Standards define broad security frameworks, controls represent specific security requirements within those frameworks, and checks are the testable verification points used to determine if controls are properly implemented.
The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
ConfidenceId is an enum, and the following values are allowed. 0 - Unknown: The normalized confidence is unknown. 1 - Low 2 - Medium 3 - High 99 - Other: The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.
The confidence score as reported by the event source.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.
The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.
DispositionId is an enum, and the following values are allowed. 0 - Unknown: The disposition is unknown. 1 - Allowed: Granted access or allowed the action to the protected resource. 2 - Blocked: Denied access or blocked the action to the protected resource. 3 - Quarantined: A suspicious file or other content was moved to a benign location. 4 - Isolated: A session was isolated on the network or within a browser. 5 - Deleted: A file or other content was deleted. 6 - Dropped: The request was detected as a threat and resulted in the connection being dropped. 7 - CustomAction: A custom action was executed such as running of a command script. Use the message attribute of the base class for details. 8 - Approved: A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'. 9 - Restored: A quarantined file or other content was restored to its original location. 10 - Exonerated: A suspicious or risky entity was deemed to no longer be suspicious (re-scored). 11 - Corrected: A corrupt file or configuration was corrected. 12 - PartiallyCorrected: A corrupt file or configuration was partially corrected. 13 - Uncorrected: A corrupt file or configuration was not corrected. 14 - Delayed: An operation was delayed, for example if a restart was required to finish the operation. 15 - Detected: Suspicious activity or a policy violation was detected without further action. 16 - NoAction: The outcome of an operation had no action taken. 17 - Logged: The operation or action was logged without further action. 18 - Tagged: A file or other entity was marked with extended attributes. 19 - Alert: The request or activity was detected as a threat and resulted in a notification but request was not blocked. 20 - Count: Counted the request or activity but did not determine whether to allow it or block it. 21 - Reset: The request was detected as a threat and resulted in the connection being reset. 22 - Captcha: Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request. 23 - Challenge: Ran a silent challenge that required the client session to verify that it's a browser, and not a bot. 24 - AccessRevoked: The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class. 25 - Rejected: A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'. 26 - Unauthorized: An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail. 27 - Error: An error occurred during the processing of the activity or request. Use the message attribute of the base class for details. 99 - Other: The disposition is not mapped. See the disposition attribute, which contains a data source specific value.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time of the most recent event included in the finding.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]The Firewall Rule object represents a specific rule within a firewall policy or event. It contains information about a rule's configuration, properties, and associated actions that define how network traffic is handled by the firewall.
Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.
A list of Malware objects, describing details about the identified malware.
The malware scan information object describes characteristics, metadata of a malware scanning job.
The description of the event/finding, as defined by the source.
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The Policy object describes the policies that are applicable.
Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.
The size of the raw data which was transformed into an OCSF event, in bytes.
The Remediation object describes the recommended remediation steps to address identified issue(s).
Describes details about the resource/resources that are affected by the vulnerability/vulnerabilities.
The risk level, normalized to the caption of the risk_level_id value.
RiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time of the least recent event included in the finding.
The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - New: The Finding is new and yet to be reviewed. 2 - InProgress: The Finding is under review. 3 - Suppressed: The Finding was reviewed, determined to be benign or a false positive and is now suppressed. 4 - Resolved: The Finding was reviewed, remediated and is now considered resolved. 5 - Archived: The Finding was archived. 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-prodvided values and consumer-updated values, of key attributes like severity_id.
The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.
{ "result": [ { … } ], "cursor": "string", "meta": { "stats": { … }, "api": { … } } }
This operation is actively being developed. Breaking changes should be expected.
Please contact us before using this operation.
Returns the details of the finding matching {findingId} where the finding belongs to the application matching {applicationId} from the token-linked application security integration.
curl -i -X GET \
'https://api.synqly.com/v1/app-sec/applications/{applicationId}/findings/{findingId}' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'The Application Security Posture Finding event is a notification about any bug, defect, deficiency, exploit, vulnerability, weakness or any other issue with software and related systems. Application Security Posture Findings typically involve reporting on the greater context including compliance, impacted resources, remediation guidance, specific code defects, and/or vulnerability metadata. Application Security Posture Findings can be reported by Threat & Vulnerability Management (TVM) tools, Application Security Posture Management (ASPM) tools, or other similar tools. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object.
Note: If the Finding is an incident, i.e. requires incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding.
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: A finding was created. 2 - Update: A finding was updated. 3 - Close: A finding was closed. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 2 - Findings: Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.
ClassUid is an enum, and the following values are allowed. 2007 - ApplicationSecurityPostureFinding: The Application Security Posture Finding event is a notification about any bug, defect, deficiency, exploit, vulnerability, weakness or any other issue with software and related systems. Application Security Posture Findings typically involve reporting on the greater context including compliance, impacted resources, remediation guidance, specific code defects, and/or vulnerability metadata. Application Security Posture Findings can be reported by Threat & Vulnerability Management (TVM) tools, Application Security Posture Management (ASPM) tools, or other similar tools. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object.
Note: If the Finding is an incident, i.e. requires incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding.
The Finding Information object describes metadata related to a security finding generated by a security tool or system.
The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.
The MITRE ATT&CK® technique and associated tactics related to the finding.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the finding was created.
A list of data sources utilized in generation of the finding.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the finding was first observed. e.g. The time when a vulnerability was first observed.
It can differ from the created_time timestamp, which reflects the time this finding was created.
The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.
It can differ from the modified_time timestamp, which reflects the time this finding was last modified.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the finding was last modified.
The Product object describes characteristics of a software product.
The unique identifier of the product that reported the finding.
Other analytics related to this finding.
Describes events and/or other findings related to the finding as identified by the security product. Note that these events may or may not be in OCSF.
Uniform Resource Locator (URL) string. For example:http://www.example.com/download/trouble.exe.
The list of tags; {key:value} pairs associated with the finding.
A title or a brief phrase summarizing the reported finding.
The Metadata object describes the metadata associated with the event.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example:http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
Debug information about non-fatal issues with this OCSF event. Each issue is a line in this string array.
The Event ID, Code, or Name that the product uses to primarily identify the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of labels attached to the event. For example: ["sample", "dev"]
The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
The list of tags; {key:value} pairs associated to the event.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
TypeUid is an enum, and the following values are allowed. 200700 - Unknown 200701 - Create: A finding was created. 200702 - Update: A finding was updated. 200703 - Close: A finding was closed. 200799 - Other
ActionId is an enum, and the following values are allowed. 0 - Unknown: The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'. 1 - Allowed: The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc. 2 - Denied: The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc. 3 - Observed: The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc. 4 - Modified: The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'. 99 - Other: The action is not mapped. See the action attribute which contains a data source specific value.
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity. Note that Actor is not the threat actor of a campaign but may be part of a campaign.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
An Application describes the details for an inventoried application as reported by an Application Security tool or other Developer-centric tooling. Applications can be defined as Kubernetes resources, Containerized resources, or application hosting-specific cloud sources such as AWS Elastic BeanStalk, AWS Lightsail, or Azure Logic Apps.
An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques. The objects are compatible with MITRE ATLAS™ tactics, techniques & sub-techniques.
Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.
The event category name, as defined by category_uid value: Findings.
The Cloud object contains information about a cloud or Software-as-a-Service account or similar construct, such as AWS Account ID, regions, organizations, folders, compartments, tenants, etc.
The Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements or details about custom assessments utilized in a compliance evaluation. Standards define broad security frameworks, controls represent specific security requirements within those frameworks, and checks are the testable verification points used to determine if controls are properly implemented.
The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
ConfidenceId is an enum, and the following values are allowed. 0 - Unknown: The normalized confidence is unknown. 1 - Low 2 - Medium 3 - High 99 - Other: The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.
The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.
DispositionId is an enum, and the following values are allowed. 0 - Unknown: The disposition is unknown. 1 - Allowed: Granted access or allowed the action to the protected resource. 2 - Blocked: Denied access or blocked the action to the protected resource. 3 - Quarantined: A suspicious file or other content was moved to a benign location. 4 - Isolated: A session was isolated on the network or within a browser. 5 - Deleted: A file or other content was deleted. 6 - Dropped: The request was detected as a threat and resulted in the connection being dropped. 7 - CustomAction: A custom action was executed such as running of a command script. Use the message attribute of the base class for details. 8 - Approved: A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'. 9 - Restored: A quarantined file or other content was restored to its original location. 10 - Exonerated: A suspicious or risky entity was deemed to no longer be suspicious (re-scored). 11 - Corrected: A corrupt file or configuration was corrected. 12 - PartiallyCorrected: A corrupt file or configuration was partially corrected. 13 - Uncorrected: A corrupt file or configuration was not corrected. 14 - Delayed: An operation was delayed, for example if a restart was required to finish the operation. 15 - Detected: Suspicious activity or a policy violation was detected without further action. 16 - NoAction: The outcome of an operation had no action taken. 17 - Logged: The operation or action was logged without further action. 18 - Tagged: A file or other entity was marked with extended attributes. 19 - Alert: The request or activity was detected as a threat and resulted in a notification but request was not blocked. 20 - Count: Counted the request or activity but did not determine whether to allow it or block it. 21 - Reset: The request was detected as a threat and resulted in the connection being reset. 22 - Captcha: Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request. 23 - Challenge: Ran a silent challenge that required the client session to verify that it's a browser, and not a bot. 24 - AccessRevoked: The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class. 25 - Rejected: A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'. 26 - Unauthorized: An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail. 27 - Error: An error occurred during the processing of the activity or request. Use the message attribute of the base class for details. 99 - Other: The disposition is not mapped. See the disposition attribute, which contains a data source specific value.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time of the most recent event included in the finding.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]The Firewall Rule object represents a specific rule within a firewall policy or event. It contains information about a rule's configuration, properties, and associated actions that define how network traffic is handled by the firewall.
Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.
A list of Malware objects, describing details about the identified malware.
The malware scan information object describes characteristics, metadata of a malware scanning job.
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The Policy object describes the policies that are applicable.
Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.
The size of the raw data which was transformed into an OCSF event, in bytes.
The Remediation object describes the recommended remediation steps to address identified issue(s).
Describes details about the resource/resources that are affected by the vulnerability/vulnerabilities.
The risk level, normalized to the caption of the risk_level_id value.
RiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time of the least recent event included in the finding.
The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - New: The Finding is new and yet to be reviewed. 2 - InProgress: The Finding is under review. 3 - Suppressed: The Finding was reviewed, determined to be benign or a false positive and is now suppressed. 4 - Resolved: The Finding was reviewed, remediated and is now considered resolved. 5 - Archived: The Finding was archived. 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The Vendor Attributes object can be used to represent values of attributes populated by the Vendor/Finding Provider. It can help distinguish between the vendor-prodvided values and consumer-updated values, of key attributes like severity_id.
The original finding producer should not populate this object. It should be populated by consuming systems that support data mutability.
{ "result": { "action": "string", "action_id": 0, "activity_id": 0, "activity_name": "string", "actor": { … }, "api": { … }, "application": { … }, "attacks": [ … ], "authorizations": [ … ], "category_name": "string", "category_uid": 0, "class_uid": 0, "cloud": { … }, "comment": "string", "compliance": { … }, "confidence": "string", "confidence_id": 0, "confidence_score": 0, "count": 0, "custom_fields": {}, "device": { … }, "disposition": "string", "disposition_id": 0, "duration": 0, "end_time": 0, "end_time_dt": "2019-08-24T14:15:22Z", "enrichments": [ … ], "finding_info": { … }, "firewall_rule": { … }, "is_alert": true, "malware": [ … ], "malware_scan_info": { … }, "message": "string", "metadata": { … }, "observables": [ … ], "osint": [ … ], "policy": { … }, "raw_data": "string", "raw_data_size": 0, "remediation": { … }, "resources": [ … ], "risk_details": "string", "risk_level": "string", "risk_level_id": 0, "risk_score": 0, "severity": "string", "severity_id": 0, "start_time": 0, "start_time_dt": "2019-08-24T14:15:22Z", "status": "string", "status_code": "string", "status_detail": "string", "status_id": 0, "time": 0, "time_dt": "2019-08-24T14:15:22Z", "timezone_offset": 0, "type_name": "string", "type_uid": 0, "unmapped": {}, "vendor_attributes": { … }, "vulnerabilities": [ … ] }, "cursor": "string", "meta": { "stats": { … }, "api": { … } } }