The Synqly Connector APIs provide a unifying interface and data model for all supported service Providers.
See the Synqly Overview for more information.
Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta functions are available at every endpoint.
Filter results by this query. For more information on filtering, refer to the Assets Filtering Guide. Defaults to no filter. If used more than once, the queries are ANDed together.
curl -i -X GET \
'https://api.synqly.com/v1/assets/devices?cursor=string&filter=string&limit=0&meta=string&order=string' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
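The curl call above fetches one page. Real inventories span many pages, and the endpoint ANDs every repeated `filter` parameter, so a client needs to emit `filter` once per clause and follow `cursor` until it runs out. The Python below is an added example, not Synqly's SDK or code from this page. It assumes that the last page returns an empty or absent `cursor`, that each `result` item is an OCSF event carrying a `device` object with a `uid`, and that filter clause strings follow the Assets Filtering Guide (the clause strings used here are placeholders, not documented syntax). The `SYNQLY_TOKEN` environment variable, `http_fetch`, `fake_fetch` and the sample pages are this example's own.

```python
"""Page through GET /v1/assets/devices, ANDing several filter clauses.

Added example; not Synqly's SDK. Assumed: the last page carries an empty
or absent cursor, and each result item is an OCSF event with a device object.
"""
from __future__ import annotations

import json
import os
import urllib.request
from typing import Callable, Iterator
from urllib.parse import parse_qs, urlencode, urlsplit

API = "https://api.synqly.com/v1/assets/devices"


def build_query(filters: list[str], cursor: str | None = None,
                limit: int = 100, meta: list[str] | None = None) -> str:
    """Serialize the query string. Repeating `filter` is how clauses are ANDed."""
    params: list[tuple[str, str]] = [("limit", str(limit))]
    params += [("filter", f) for f in filters]
    params += [("meta", m) for m in (meta or [])]
    if cursor:
        params.append(("cursor", cursor))
    return urlencode(params)


def http_fetch(url: str, token: str) -> dict:
    """Real transport: the bearer token travels in a header, never in the URL."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_devices(fetch: Callable[[str], dict], filters: list[str],
                 limit: int = 100) -> Iterator[dict]:
    """Yield every result item, following `cursor` until it is empty or absent."""
    cursor: str | None = None
    seen: set[str] = set()
    while True:
        page = fetch(f"{API}?{build_query(filters, cursor, limit)}")
        yield from page.get("result", [])
        cursor = page.get("cursor") or None
        if cursor is None:
            return
        if cursor in seen:  # a provider that re-issues a cursor would loop forever
            raise RuntimeError(f"cursor {cursor!r} did not advance")
        seen.add(cursor)


# Constructed sample pages (not real API output), linked by cursor.
SAMPLE_PAGES = {
    None: {"result": [{"device": {"uid": "i-0a1", "type_id": 6}}], "cursor": "c1"},
    "c1": {"result": [{"device": {"uid": "srv-02", "type_id": 1}}], "cursor": "c2"},
    "c2": {"result": [{"device": {"uid": "lap-03", "type_id": 3}}], "cursor": ""},
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for http_fetch that serves SAMPLE_PAGES by cursor."""
    cursor = parse_qs(urlsplit(url).query).get("cursor", [None])[0]
    return SAMPLE_PAGES[cursor]


def run_demo() -> list[str]:
    """Collect device uids across all sample pages with two ANDed (placeholder) clauses."""
    filters = ["device.type_id[ne]0", "device.risk_level_id[gte]2"]  # placeholder syntax
    return [item["device"]["uid"] for item in iter_devices(fake_fetch, filters)]


if __name__ == "__main__":
    token = os.environ.get("SYNQLY_TOKEN")  # assumed variable name; never hardcode a token
    fetch = (lambda url: http_fetch(url, token)) if token else fake_fetch
    for item in iter_devices(fetch, ["device.type_id[ne]0"]):
        print(item["device"]["uid"])
```

The `seen` set is the one defensive piece worth keeping in production: a provider that echoes the same cursor on every page would otherwise turn an inventory sync into an infinite loop against the API.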
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Log: The discovered information is via a log. 2 - Collect: The discovered information is via a collection process. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 5 - Discovery: Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.
ClassUid is an enum, and the following values are allowed. 5001 - DeviceInventoryInfo: Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
DeviceTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Server: A server. 2 - Desktop: A desktop computer. 3 - Laptop: A laptop computer. 4 - Tablet: A tablet computer. 5 - Mobile: A mobile phone. 6 - Virtual: A virtual machine. 7 - IOT: An IOT (Internet of Things) device. 8 - Browser: A web browser. 9 - Firewall: A networking firewall. 10 - Switch: A networking switch. 11 - Hub: A networking hub. 12 - Router: A networking router. 13 - IDS: An intrusion detection system. 14 - IPS: An intrusion prevention system. 15 - LoadBalancer: A Load Balancer device. 89 - ImagingEquipment: Equipment for processing optical data, such as a camera. 90 - PLC: A Programmable logic controller. 91 - SCADA: A supervisory control and data acquisition system. 92 - DCS: A distributed control system. 93 - CNC: A computer numerical control system, including computerized machine tools. 94 - ScientificEquipment: A piece of scientific equipment such as an oscilloscope or spectrometer. 95 - MedicalDevice: A medical device such as an MRI machine or infusion pump. 96 - LightingControls: A lighting control for internal or external applications. 97 - EnergyMonitoringSystem: An energy monitoring, security or safety system. 98 - TransportationDevice: A transportation device or transportation supporting device. 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
A list of agent objects associated with a device, endpoint, or resource.
The unique identifier of the cloud autoscale configuration.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the device was known to have been created.
The description of the device, ordinarily as reported by the operating system.
The network domain where the device resides. For example: work.example.com.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The initial discovery time of the device.
The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].
Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.
The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.
The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage.
The International Mobile Station Equipment Identifier that is associated with the device.
Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
A list of IP addresses available on the device
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The most recent discovery time of the device.
The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.
Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.
A list of MAC addresses available on the device
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the device was last known to have been modified.
The alternate device name, ordinarily as assigned by an administrator.
Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
If running under a process namespace (such as in a container), the process identifier within that process namespace.
A list of NetBIOS names available on the device
The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.
Note: The first element of the array is the network information that pertains to the event.
DeviceNetworkStatusId is an enum, and the following values are allowed. 1 - NotIsolated: Device is not isolated from the network. 2 - Isolated: Device is isolated from the network. 99 - Unknown: The network isolation status is unknown.
The Organization object describes characteristics of an organization or company and its division if any.
The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem.
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
The region where the virtual machine is located. For example, an AWS Region.
The risk level, normalized to the caption of the risk_level_id value.
DeviceRiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet.
The list of software contained on a device
The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, plc, scada, dcs, cnc, scientific, medical, lighting, energy, transportation, or other.
The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
An alternate unique identifier of the device if any. For example the ActiveDirectory DN.
The Organization object describes characteristics of an organization or company and its division if any.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by NIST. For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example: ["network", "connection.ip:destination", "device.ip:source"]
The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.
An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
TypeUid is an enum, and the following values are allowed. 500100 - Unknown 500101 - Log: The discovered information is via a log. 500102 - Collect: The discovered information is via a collection process. 500199 - Other
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The event category name, as defined by category_uid value: Discovery.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
{ "result": [ { … } ], "cursor": "string", "meta": { "stats": { … }, "api": { … } } }
Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.
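Before POSTing a Device Inventory Info event it pays to check that the enum values and formats described above agree with each other: a provider mapping that emits epoch seconds where the schema wants milliseconds, a type_uid that does not equal class_uid * 100 + activity_id, or a risk_level caption that disagrees with risk_level_id will often be accepted by a lenient parser and then mis-indexed downstream. The Python below is an added example, not Synqly's code or this page's. It uses the OCSF device attribute names (uid, ip, subnet, mac, type_id, risk_level_id, risk_level), which this page describes but does not name, and a constructed sample device built from the identifier formats quoted above. Treating device.uid as required, the millisecond floor of 10^11, and the product name are this example's own choices.

```python
"""Build and sanity-check an OCSF Device Inventory Info (class_uid 5001) event
before POSTing it to /v1/assets/devices. Added example, not Synqly's code;
device field names follow the OCSF device object and the sample device is constructed."""
from __future__ import annotations

import ipaddress
import re
import time

CATEGORY_UID = 5            # Discovery
CLASS_UID = 5001            # DeviceInventoryInfo
ACTIVITY_NAMES = {0: "Unknown", 1: "Log", 2: "Collect", 99: "Other"}
SEVERITY_IDS = {0, 1, 2, 3, 4, 5, 6, 99}
STATUS_IDS = {0, 1, 2, 99}
DEVICE_TYPE_IDS = set(range(0, 16)) | set(range(89, 100))   # 0-15 and 89-99 as listed
RISK_CAPTIONS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical", 99: "Other"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
MS_FLOOR = 10**11  # assumption: epoch values below this are seconds, not milliseconds


def type_uid(class_uid: int, activity_id: int) -> int:
    """OCSF derives type_uid as class_uid * 100 + activity_id (5001, 2 -> 500102)."""
    return class_uid * 100 + activity_id


def build_event(device: dict, activity_id: int, now_ms: int | None = None) -> dict:
    """Wrap a device object in a minimal, internally consistent DeviceInventoryInfo event."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return {
        "activity_id": activity_id,
        "activity_name": ACTIVITY_NAMES[activity_id],
        "category_uid": CATEGORY_UID,
        "class_uid": CLASS_UID,
        "type_uid": type_uid(CLASS_UID, activity_id),
        "severity_id": 1,          # Informational
        "status_id": 1,            # Success
        "time": now_ms,
        "timezone_offset": 0,
        "device": device,
        "metadata": {"version": "1.0.0", "product": {"name": "inventory-sweep"}},  # placeholder product
    }


def validate(event: dict) -> list[str]:
    """Return every inconsistency found against the enums and formats documented above."""
    errs: list[str] = []
    aid = event.get("activity_id")
    if aid not in ACTIVITY_NAMES:
        errs.append(f"activity_id {aid!r} not one of {sorted(ACTIVITY_NAMES)}")
    if event.get("category_uid") != CATEGORY_UID:
        errs.append("category_uid must be 5 (Discovery)")
    if event.get("class_uid") != CLASS_UID:
        errs.append("class_uid must be 5001 (DeviceInventoryInfo)")
    if aid in ACTIVITY_NAMES and event.get("type_uid") != type_uid(CLASS_UID, aid):
        errs.append(f"type_uid {event.get('type_uid')} != {type_uid(CLASS_UID, aid)}")
    if event.get("severity_id") not in SEVERITY_IDS:
        errs.append("severity_id outside 0-6/99")
    if event.get("status_id", 0) not in STATUS_IDS:
        errs.append("status_id outside 0-2/99")
    for key in ("time", "start_time", "end_time", "logged_time", "modified_time", "processed_time"):
        ts = event.get(key)
        if ts is not None and (not isinstance(ts, int) or ts < MS_FLOOR):
            errs.append(f"{key}={ts!r} is not epoch milliseconds")
    if not -1080 <= event.get("timezone_offset", 0) <= 1080:
        errs.append("timezone_offset outside -1080..+1080")

    dev = event.get("device") or {}
    if not dev.get("uid"):
        errs.append("device.uid missing")  # this example treats uid as required
    if "type_id" in dev and dev["type_id"] not in DEVICE_TYPE_IDS:
        errs.append(f"device.type_id {dev['type_id']} is not a known DeviceTypeId")
    rl = dev.get("risk_level_id")
    if rl in RISK_CAPTIONS and dev.get("risk_level") not in (None, RISK_CAPTIONS[rl]):
        errs.append(f"device.risk_level {dev['risk_level']!r} != caption {RISK_CAPTIONS[rl]!r}")
    mac = dev.get("mac")
    if mac is not None and not MAC_RE.match(mac):
        errs.append(f"device.mac {mac!r} is not colon-separated hex")
    ip, subnet = dev.get("ip"), dev.get("subnet")
    if ip is not None:
        try:
            addr = ipaddress.ip_address(ip)
            if subnet and addr not in ipaddress.ip_network(subnet, strict=False):
                errs.append(f"device.ip {ip} is outside device.subnet {subnet}")
        except ValueError as exc:
            errs.append(f"device.ip/subnet unparsable: {exc}")
    return errs


# Constructed sample device reusing the identifier formats quoted on this page.
SAMPLE_DEVICE = {
    "uid": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def456",
    "hostname": "r2-d2.example.com",
    "type_id": 6, "type": "virtual",
    "ip": "192.168.200.24", "subnet": "192.168.200.0/24",
    "mac": "18:36:F3:98:4F:9A",
    "risk_level_id": 2, "risk_level": "Medium",
    "first_seen_time": 1618524549901,
}


def broken_event() -> dict:
    """The same device with five mistakes a provider mapping commonly makes."""
    ev = build_event(dict(SAMPLE_DEVICE), 2, now_ms=1618524549)  # seconds, not ms
    ev["type_uid"] = 500101                  # says Log while activity_id says Collect
    ev["device"]["mac"] = "18-36-F3-98-4F-9A"
    ev["device"]["ip"] = "10.0.0.5"          # not in the declared /24
    ev["device"]["risk_level"] = "High"      # caption disagrees with risk_level_id 2
    return ev
```

Run `validate` on every event before it leaves your collector; an empty list means the enums, the derived type_uid, the millisecond timestamps and the device identifiers are mutually consistent, while `broken_event()` shows the five findings you would otherwise only discover once the data is already in the inventory.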
curl -i -X POST \
https://api.synqly.com/v1/assets/devices \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"device": {
"activity_id": 0,
"activity_name": "string",
"actor": {
"app_name": "string",
"app_uid": "string",
"authorizations": [
{
"decision": "string",
"policy": {
"desc": "string",
"group": {
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
null
],
"type": "string",
"uid": "string"
},
"is_applied": true,
"name": "string",
"uid": "string",
"version": "string"
}
}
],
"idp": {
"name": "string",
"uid": "string"
},
"invoked_by": "string",
"process": {
"auid": 0,
"cmd_line": "string",
"container": {
"hash": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"image": {
"labels": [
"string"
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"egid": 0,
"euid": 0,
"file": {
"accessed_time": 0,
"accessed_time_dt": "2019-08-24T14:15:22Z",
"accessor": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"attributes": 0,
"company_name": "string",
"confidentiality": "string",
"confidentiality_id": 0,
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"creator": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"desc": "string",
"ext": "string",
"hashes": [
{
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
}
],
"is_system": true,
"mime_type": "string",
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"modifier": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"name": "string",
"owner": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"parent_folder": "string",
"path": "string",
"product": {
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"security_descriptor": "string",
"signature": {
"algorithm": "string",
"algorithm_id": 0,
"certificate": {
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"fingerprints": [
null
],
"is_self_signed": true,
"issuer": "string",
"serial_number": "string",
"subject": "string",
"uid": "string",
"version": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"developer_uid": "string",
"digest": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"state": "string",
"state_id": 0
},
"size": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"version": "string",
"xattributes": {}
},
"group": {
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
},
"integrity": "string",
"integrity_id": 0,
"lineage": [
"string"
],
"loaded_modules": [
"string"
],
"name": "string",
"namespace_pid": 0,
"parent_process": {},
"pid": 0,
"sandbox": "string",
"session": {
"count": 0,
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"credential_uid": "string",
"expiration_reason": "string",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"is_mfa": true,
"is_remote": true,
"is_vpn": true,
"issuer": "string",
"terminal": "string",
"uid": "string",
"uid_alt": "string",
"uuid": "string"
},
"terminated_time": 0,
"terminated_time_dt": "2019-08-24T14:15:22Z",
"tid": 0,
"uid": "string",
"user": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
null
],
"type": "string",
"uid": "string"
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
"string"
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
"string"
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
null
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"xattributes": {}
},
"session": {
"count": 0,
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"credential_uid": "string",
"expiration_reason": "string",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"is_mfa": true,
"is_remote": true,
"is_vpn": true,
"issuer": "string",
"terminal": "string",
"uid": "string",
"uid_alt": "string",
"uuid": "string"
},
"user": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
"string"
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
"string"
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
0.1
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
}
},
"api": {
"group": {
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
},
"operation": "string",
"request": {
"containers": [
{
"hash": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"image": {
"labels": [
null
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
}
],
"data": null,
"flags": [
"string"
],
"uid": "string"
},
"response": {
"code": 0,
"containers": [
{
"hash": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"image": {
"labels": [
null
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
}
],
"data": null,
"error": "string",
"error_message": "string",
"flags": [
"string"
],
"message": "string"
},
"service": {
"labels": [
"string"
],
"name": "string",
"uid": "string",
"version": "string"
},
"version": "string"
},
"category_name": "string",
"category_uid": 0,
"class_uid": 0,
"cloud": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"project_uid": "string",
"provider": "string",
"region": "string",
"zone": "string"
},
"count": 0,
"custom_fields": {},
"device": {
"agent_list": [
{
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"vendor_name": "string",
"version": "string"
}
],
"autoscale_uid": "string",
"boot_time": 0,
"boot_time_dt": "2019-08-24T14:15:22Z",
"container": {
"hash": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"image": {
"labels": [
"string"
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"desc": "string",
"domain": "string",
"first_seen_time": 0,
"first_seen_time_dt": "2019-08-24T14:15:22Z",
"groups": [
{
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
}
],
"hostname": "string",
"hw_info": {
"bios_date": "string",
"bios_manufacturer": "string",
"bios_uid": "string",
"bios_ver": "string",
"chassis": "string",
"cpu_bits": 0,
"cpu_cores": 0,
"cpu_count": 0,
"cpu_speed": 0,
"cpu_type": "string",
"desktop_display": {
"color_depth": 0,
"physical_height": 0,
"physical_orientation": 0,
"physical_width": 0,
"scale_factor": 0
},
"keyboard_info": {
"function_keys": 0,
"ime": "string",
"keyboard_layout": "string",
"keyboard_subtype": 0,
"keyboard_type": "string"
},
"ram_size": 0,
"serial_number": "string"
},
"hypervisor": "string",
"image": {
"labels": [
"string"
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"imei": "string",
"instance_uid": "string",
"interface_name": "string",
"interface_uid": "string",
"ip": "string",
"ip_addresses": [
"string"
],
"is_compliant": true,
"is_managed": true,
"is_personal": true,
"is_trusted": true,
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
0.1
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"mac": "string",
"mac_addresses": [
"string"
],
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"name": "string",
"namespace_pid": 0,
"netbios_names": [
"string"
],
"network_interfaces": [
{
"hostname": "string",
"ip": "string",
"ip_addresses": [
"string"
],
"mac": "string",
"mac_addresses": [
"string"
],
"name": "string",
"namespace": "string",
"subnet_prefix": 0,
"type": "string",
"type_id": 0,
"uid": "string"
}
],
"network_status": "string",
"network_status_id": 0,
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"os": {
"build": "string",
"country": "string",
"cpe_name": "string",
"cpu_bits": 0,
"edition": "string",
"lang": "string",
"name": "string",
"sp_name": "string",
"sp_ver": 0,
"type": "string",
"type_id": 0,
"version": "string"
},
"owner": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
"string"
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
"string"
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
0.1
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"region": "string",
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"subnet": "string",
"subnet_uid": "string",
"sw_info": [
{
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
}
],
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"vendor": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"vlan_uid": "string",
"vpc_uid": "string",
"zone": "string"
},
"duration": 0,
"end_time": 0,
"end_time_dt": "2019-08-24T14:15:22Z",
"enrichments": [
{
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"data": null,
"desc": "string",
"name": "string",
"provider": "string",
"reputation": {
"base_score": 0.1,
"provider": "string",
"score": "string",
"score_id": 0
},
"short_desc": "string",
"src_url": "string",
"type": "string",
"value": "string"
}
],
"message": "string",
"metadata": {
"correlation_uid": "string",
"event_code": "string",
"extension": {
"name": "string",
"uid": "string",
"version": "string"
},
"extensions": [
{
"name": "string",
"uid": "string",
"version": "string"
}
],
"labels": [
"string"
],
"log_level": "string",
"log_name": "string",
"log_provider": "string",
"log_version": "string",
"logged_time": 0,
"logged_time_dt": "2019-08-24T14:15:22Z",
"loggers": [
{
"device": {
"agent_list": [
{}
],
"autoscale_uid": "string",
"boot_time": 0,
"boot_time_dt": "2019-08-24T14:15:22Z",
"container": {
"hash": {},
"image": {
"labels": []
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"desc": "string",
"domain": "string",
"first_seen_time": 0,
"first_seen_time_dt": "2019-08-24T14:15:22Z",
"groups": [
{
"privileges": []
}
],
"hostname": "string",
"hw_info": {
"bios_date": "string",
"bios_manufacturer": "string",
"bios_uid": "string",
"bios_ver": "string",
"chassis": "string",
"cpu_bits": 0,
"cpu_cores": 0,
"cpu_count": 0,
"cpu_speed": 0,
"cpu_type": "string",
"desktop_display": {},
"keyboard_info": {},
"ram_size": 0,
"serial_number": "string"
},
"hypervisor": "string",
"image": {
"labels": [
null
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"imei": "string",
"instance_uid": "string",
"interface_name": "string",
"interface_uid": "string",
"ip": "string",
"ip_addresses": [
"string"
],
"is_compliant": true,
"is_managed": true,
"is_personal": true,
"is_trusted": true,
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
null
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"mac": "string",
"mac_addresses": [
"string"
],
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"name": "string",
"namespace_pid": 0,
"netbios_names": [
"string"
],
"network_interfaces": [
{
"ip_addresses": [],
"mac_addresses": []
}
],
"network_status": "string",
"network_status_id": 0,
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"os": {
"build": "string",
"country": "string",
"cpe_name": "string",
"cpu_bits": 0,
"edition": "string",
"lang": "string",
"name": "string",
"sp_name": "string",
"sp_ver": 0,
"type": "string",
"type_id": 0,
"version": "string"
},
"owner": {
"account": {
"labels": []
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
null
],
"ldap_person": {
"email_addrs": [],
"labels": []
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {},
"privileges": [
null
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"region": "string",
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"subnet": "string",
"subnet_uid": "string",
"sw_info": [
{}
],
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"vendor": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"vlan_uid": "string",
"vpc_uid": "string",
"zone": "string"
},
"log_level": "string",
"log_name": "string",
"log_provider": "string",
"log_version": "string",
"logged_time": 0,
"logged_time_dt": "2019-08-24T14:15:22Z",
"name": "string",
"product": {
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"transmit_time": 0,
"transmit_time_dt": "2019-08-24T14:15:22Z",
"uid": "string",
"version": "string"
}
],
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"original_time": "string",
"processed_time": 0,
"processed_time_dt": "2019-08-24T14:15:22Z",
"product": {
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"profiles": [
"string"
],
"sequence": 0,
"tenant_uid": "string",
"uid": "string",
"version": "string"
},
"observables": [
{
"name": "string",
"reputation": {
"base_score": 0.1,
"provider": "string",
"score": "string",
"score_id": 0
},
"type": "string",
"type_id": 0,
"value": "string"
}
],
"osint": [
{
"answers": [
{
"class": "string",
"flag_ids": [
0
],
"flags": [
"string"
],
"packet_uid": 0,
"rdata": "string",
"ttl": 0,
"type": "string"
}
],
"attacks": [
{
"sub_technique": {
"name": "string",
"src_url": "string",
"uid": "string"
},
"tactic": {
"name": "string",
"src_url": "string",
"uid": "string"
},
"tactics": [
{}
],
"technique": {
"name": "string",
"src_url": "string",
"uid": "string"
},
"version": "string"
}
],
"autonomous_system": {
"name": "string",
"number": 0
},
"comment": "string",
"confidence": "string",
"confidence_id": 0,
"email": {
"cc": [
"string"
],
"delivered_to": "string",
"from": "string",
"message_uid": "string",
"raw_header": "string",
"reply_to": "string",
"size": 0,
"smtp_from": "string",
"smtp_to": [
"string"
],
"subject": "string",
"to": [
"string"
],
"uid": "string",
"x_originating_ip": [
"string"
]
},
"email_auth": {
"dkim": "string",
"dkim_domain": "string",
"dkim_signature": "string",
"dmarc": "string",
"dmarc_override": "string",
"dmarc_policy": "string",
"spf": "string"
},
"kill_chain": [
{
"phase": "string",
"phase_id": 0
}
],
"location": {
"city": "string",
"continent": "string",
"coordinates": [
0.1
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"name": "string",
"signatures": [
{
"algorithm": "string",
"algorithm_id": 0,
"certificate": {
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"fingerprints": [
null
],
"is_self_signed": true,
"issuer": "string",
"serial_number": "string",
"subject": "string",
"uid": "string",
"version": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"developer_uid": "string",
"digest": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"state": "string",
"state_id": 0
}
],
"src_url": "string",
"subdomains": [
"string"
],
"tlp": "string",
"type": "string",
"type_id": 0,
"uid": "string",
"value": "string",
"vendor_name": "string",
"vulnerabilities": [
{
"affected_code": [
{}
],
"affected_packages": [
{}
],
"cve": {
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"cvss": [
null
],
"cwe": {},
"cwe_uid": "string",
"cwe_url": "string",
"desc": "string",
"epss": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"product": {},
"references": [
null
],
"title": "string",
"type": "string",
"uid": "string"
},
"cwe": {
"caption": "string",
"src_url": "string",
"uid": "string"
},
"desc": "string",
"first_seen_time": 0,
"first_seen_time_dt": "2019-08-24T14:15:22Z",
"fix_available": true,
"is_exploit_available": true,
"is_fix_available": true,
"kb_article_list": [
{}
],
"kb_articles": [
"string"
],
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"packages": [
{}
],
"references": [
"string"
],
"related_vulnerabilities": [
"string"
],
"remediation": {
"desc": "string",
"kb_article_list": [
null
],
"kb_articles": [
null
],
"references": [
null
]
},
"severity": "string",
"title": "string",
"vendor_name": "string"
}
],
"whois": {
"autonomous_system": {
"name": "string",
"number": 0
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"dnssec_status": "string",
"dnssec_status_id": 0,
"domain": "string",
"domain_contacts": [
{
"email_addr": "string",
"location": {
"coordinates": []
},
"name": "string",
"phone_number": "string",
"type": "string",
"type_id": 0,
"uid": "string"
}
],
"email_addr": "string",
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"name_servers": [
"string"
],
"phone_number": "string",
"registrar": "string",
"status": "string",
"subdomains": [
"string"
],
"subnet": "string"
}
}
],
"raw_data": "string",
"severity": "string",
"severity_id": 0,
"start_time": 0,
"start_time_dt": "2019-08-24T14:15:22Z",
"status": "string",
"status_code": "string",
"status_detail": "string",
"status_id": 0,
"time": 0,
"time_dt": "2019-08-24T14:15:22Z",
"timezone_offset": 0,
"type_name": "string",
"type_uid": 0,
"unmapped": {}
}
}'
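The request sample above is a schema template with every field present. What a producer actually needs is a small, consistent envelope around the Device object, built from the enum values this page documents (activity_id, category_uid 5, class_uid 5001, status_id), with time/time_dt/timezone_offset filled in consistently, and checked before it leaves the process. The following is an added example of that, not Synqly's SDK or code from this page. The type_uid formula (class_uid * 100 + activity_id) is the OCSF convention and an assumption here, as are the constructed sample device values and the SYNQLY_TOKEN environment variable used when the script is run directly.

```python
"""Assemble and check a Device Inventory Info event, then wrap it in the same
POST the curl sample shows. Added example, not Synqly's SDK or code from this
page. Enum values are the ones documented on this page; the type_uid formula
(class_uid * 100 + activity_id) is the OCSF convention and an assumption here."""
import json
import os
import urllib.request
from datetime import datetime, timezone
from typing import Dict, List, Optional

API_URL = "https://api.synqly.com/v1/assets/devices"
CATEGORY_UID = 5     # Discovery
CLASS_UID = 5001     # DeviceInventoryInfo
ACTIVITY = {0: "Unknown", 1: "Log", 2: "Collect", 99: "Other"}
STATUS = {0: "Unknown", 1: "Success", 2: "Failure", 99: "Other"}
TZ_OFFSET_RANGE = (-1080, 1080)  # minutes ahead of/behind UTC, per timezone_offset


def epoch_ms(dt: datetime) -> int:
    """Milliseconds since 1970-01-01T00:00:00Z, the format of every *_time field."""
    return round(dt.astimezone(timezone.utc).timestamp() * 1000)


def build_device_event(device: Dict, observed_at: datetime, activity_id: int = 2,
                       status_id: int = 1, status: Optional[str] = None,
                       timezone_offset: int = 0) -> Dict:
    """Build the envelope around a Device object. A caller-supplied status caption
    is honoured only for status_id 99 (Other), where the event source defines it."""
    if activity_id not in ACTIVITY:
        raise ValueError(f"activity_id {activity_id} is not an allowed value")
    if status_id not in STATUS:
        raise ValueError(f"status_id {status_id} is not an allowed value")
    utc = observed_at.astimezone(timezone.utc)
    return {
        "activity_id": activity_id,
        "activity_name": ACTIVITY[activity_id],
        "category_uid": CATEGORY_UID,
        "class_uid": CLASS_UID,
        "type_uid": CLASS_UID * 100 + activity_id,  # assumption: OCSF convention
        "time": epoch_ms(utc),
        "time_dt": utc.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
        "timezone_offset": timezone_offset,
        "status_id": status_id,
        "status": status if (status_id == 99 and status) else STATUS[status_id],
        "device": device,
    }


def validate_event(ev: Dict) -> List[str]:
    """Return envelope problems; an empty list means the event is consistent."""
    problems: List[str] = []
    if ev.get("category_uid") != CATEGORY_UID or ev.get("class_uid") != CLASS_UID:
        problems.append("category_uid/class_uid must be 5/5001 for device inventory")
    act = ev.get("activity_id")
    if act not in ACTIVITY:
        problems.append(f"activity_id {act!r} is not an allowed value")
    elif ev.get("activity_name") != ACTIVITY[act]:
        problems.append("activity_name does not match activity_id")
    sid = ev.get("status_id")
    if sid not in STATUS:
        problems.append(f"status_id {sid!r} is not an allowed value")
    elif sid != 99 and ev.get("status") != STATUS[sid]:
        problems.append("status caption does not match status_id")
    lo, hi = TZ_OFFSET_RANGE
    tz = ev.get("timezone_offset")
    if not isinstance(tz, int) or not lo <= tz <= hi:
        problems.append(f"timezone_offset must be an integer in [{lo}, {hi}]")
    t = ev.get("time")
    if not isinstance(t, int) or t < 0:
        problems.append("time must be non-negative milliseconds since the epoch")
    elif "time_dt" in ev:
        try:
            dt = datetime.fromisoformat(ev["time_dt"].replace("Z", "+00:00"))
            if epoch_ms(dt) != t:
                problems.append("time and time_dt disagree")
        except ValueError:
            problems.append("time_dt is not an RFC 3339 timestamp")
    if not isinstance(ev.get("device"), dict) or not ev["device"]:
        problems.append("device object is required")
    return problems


def build_request(token: str, ev: Dict) -> urllib.request.Request:
    """The same call as the curl sample, as a urllib Request (built, not sent)."""
    body = json.dumps({"device": ev}).encode()
    return urllib.request.Request(
        API_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def sample_event() -> Dict:
    """Constructed sample: a laptop collected at a fixed instant (not a real asset)."""
    dev = {"hostname": "r2-d2.example.com", "ip": "192.168.200.24", "type_id": 3, "type": "Laptop"}
    return build_device_event(dev, datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc), activity_id=2)


if __name__ == "__main__":
    event = sample_event()
    assert not validate_event(event), validate_event(event)
    req = build_request(os.environ.get("SYNQLY_TOKEN", "<YOUR_TOKEN_HERE>"), event)
    print(req.get_method(), req.full_url)
    print(req.data.decode())  # urllib.request.urlopen(req) would send it
```

Validating before sending matters because the API normalizes on status_id, activity_id and the time fields: a caption that disagrees with its _id, or a timezone_offset outside the documented range, produces a record that later consumers cannot correlate.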
Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Log: The discovered information is via a log. 2 - Collect: The discovered information is via a collection process. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 5 - Discovery: Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.
ClassUid is an enum, and the following values are allowed. 5001 - DeviceInventoryInfo: Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
DeviceTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Server: A server. 2 - Desktop: A desktop computer. 3 - Laptop: A laptop computer. 4 - Tablet: A tablet computer. 5 - Mobile: A mobile phone. 6 - Virtual: A virtual machine. 7 - IOT: An IOT (Internet of Things) device. 8 - Browser: A web browser. 9 - Firewall: A networking firewall. 10 - Switch: A networking switch. 11 - Hub: A networking hub. 12 - Router: A networking router. 13 - IDS: An intrusion detection system. 14 - IPS: An intrusion prevention system. 15 - LoadBalancer: A Load Balancer device. 89 - ImagingEquipment: Equipment for processing optical data, such as a camera. 90 - PLC: A Programmable logic controller. 91 - SCADA: A supervisory control and data acquisition system. 92 - DCS: A distributed control system. 93 - CNC: A computer numerical control system, including computerized machine tools. 94 - ScientificEquipment: A piece of scientific equipment such as an oscilloscope or spectrometer. 95 - MedicalDevice: A medical device such as an MRI machine or infusion pump. 96 - LightingControls: A lighting control for internal or external applications. 97 - EnergyMonitoringSystem: An energy monitoring, security or safety system. 98 - TransportationDevice: A transportation device or transportation supporting device. 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
A list of agent objects associated with a device, endpoint, or resource.
The unique identifier of the cloud autoscale configuration.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the device was known to have been created.
The description of the device, ordinarily as reported by the operating system.
The network domain where the device resides. For example: work.example.com.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The initial discovery time of the device.
The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].
Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.
The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.
The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage.
The International Mobile Station Equipment Identifier that is associated with the device.
Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The most recent discovery time of the device.
The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.
Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A
.
A list of MAC addresses available on the device
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The time when the device was last known to have been modified.
The alternate device name, ordinarily as assigned by an administrator.
Note: The Name could be any other string that helps to identify the device, such as a phone number; for example, 310-555-1234.
If running under a process namespace (such as in a container), the process identifier within that process namespace.
A list of NetBIOS names available on the device
The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.
Note: The first element of the array is the network information that pertains to the event.
DeviceNetworkStatusId is an enum, and the following values are allowed. 1 - NotIsolated: Device is not isolated from the network. 2 - Isolated: Device is isolated from the network. 99 - Unknown: The network isolation status is unknown.
The Organization object describes characteristics of an organization or company and its division if any.
The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem.
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
The region where the virtual machine is located. For example, an AWS Region.
The risk level, normalized to the caption of the risk_level_id value.
DeviceRiskLevelId is an enum, and the following values are allowed. 0 - Info. 1 - Low. 2 - Medium. 3 - High. 4 - Critical. 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet.
The list of software contained on a device
The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, plc, scada, dcs, cnc, scientific, medical, lighting, energy, transportation, or other.
The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
An alternate unique identifier of the device if any. For example the ActiveDirectory DN.
The Organization object describes characteristics of an organization or company and its division if any.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by NIST. For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example: ["network", "connection.ip:destination", "device.ip:source"]
The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.
An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note: this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
TypeUid is an enum, and the following values are allowed. 500100 - Unknown. 500101 - Log: The discovered information is via a log. 500102 - Collect: The discovered information is via a collection process. 500199 - Other.
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The event category name, as defined by the category_uid value: Discovery.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example, adding location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success. 2 - Failure. 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead of or behind UTC, in the range -1,080 to +1,080.
{
  "device": {
    "activity_id": 0,
    "activity_name": "string",
    "actor": { … },
    "api": { … },
    "category_name": "string",
    "category_uid": 0,
    "class_uid": 0,
    "cloud": { … },
    "count": 0,
    "custom_fields": {},
    "device": { … },
    "duration": 0,
    "end_time": 0,
    "end_time_dt": "2019-08-24T14:15:22Z",
    "enrichments": [ … ],
    "message": "string",
    "metadata": { … },
    "observables": [ … ],
    "osint": [ … ],
    "raw_data": "string",
    "severity": "string",
    "severity_id": 0,
    "start_time": 0,
    "start_time_dt": "2019-08-24T14:15:22Z",
    "status": "string",
    "status_code": "string",
    "status_detail": "string",
    "status_id": 0,
    "time": 0,
    "time_dt": "2019-08-24T14:15:22Z",
    "timezone_offset": 0,
    "type_name": "string",
    "type_uid": 0,
    "unmapped": {}
  },
  "meta": {
    "stats": { … },
    "api": { … }
  }
}
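As an added example (not Synqly code), the following Python checks that a device event returned by this endpoint is consistent with the enumerations and formats described above (class and category uids, the type_uid derivation, the timezone_offset range, the subnet CIDR form) and decodes enum ids to their captions; the SAMPLE event is constructed for the example, not a captured response.

```python
# Added example (not Synqly code): sanity checks and enum decoding for a
# Device Inventory Info event (OCSF class 5001) from GET /v1/assets/devices.
from datetime import datetime, timedelta, timezone
import ipaddress
ACTIVITY = {0: "Unknown", 1: "Log", 2: "Collect", 99: "Other"}  # captions from the reference
RISK_LEVEL = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical", 99: "Other"}
NETWORK_STATUS = {1: "NotIsolated", 2: "Isolated", 99: "Unknown"}
SEVERITY = {0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium", 4: "High",
            5: "Critical", 6: "Fatal", 99: "Other"}
CLASS_UID, CATEGORY_UID = 5001, 5
def ms_to_dt(ms):
    """Epoch milliseconds (the page's timestamp format) -> aware UTC datetime, exact."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)

def check_event(ev):
    """Return the inconsistencies found; an empty list means the event is sound."""
    problems, dev = [], ev.get("device", {})
    if ev.get("class_uid") != CLASS_UID or ev.get("category_uid") != CATEGORY_UID:
        problems.append("not a Device Inventory Info event (class 5001, category 5)")
    act = ev.get("activity_id")
    if act not in ACTIVITY:
        problems.append(f"activity_id {act!r} is not an allowed value")
    elif ev.get("type_uid") != CLASS_UID * 100 + act:  # 500101 = Log, 500102 = Collect
        problems.append(f"type_uid {ev.get('type_uid')} does not match activity_id {act}")
    off = ev.get("timezone_offset")
    if off is not None and not -1080 <= off <= 1080:
        problems.append(f"timezone_offset {off} outside -1080..+1080")
    for field, allowed in (("risk_level_id", RISK_LEVEL), ("network_status_id", NETWORK_STATUS)):
        if field in dev and dev[field] not in allowed:
            problems.append(f"device.{field} {dev[field]!r} is not an allowed value")
    try:  # subnet must be network_address/prefix_length with host bits zero (strict)
        if "subnet" in dev:
            ipaddress.ip_network(dev["subnet"])
    except ValueError as e:
        problems.append(f"bad subnet: {e}")
    return problems

def enrich(ev):
    """Decode enum ids to their captions and the event time to a datetime."""
    dev = ev.get("device", {})
    return {"activity_name": ACTIVITY.get(ev.get("activity_id"), "Other"),
            "severity": SEVERITY.get(ev.get("severity_id"), "Other"),
            "risk_level": RISK_LEVEL.get(dev.get("risk_level_id"), "Other"),
            "network_status": NETWORK_STATUS.get(dev.get("network_status_id"), "Unknown"),
            "time_dt": ms_to_dt(ev["time"])}

SAMPLE = {"activity_id": 2, "category_uid": 5, "class_uid": 5001, "type_uid": 500102,  # constructed
          "time": 1618524549901, "timezone_offset": -420, "severity_id": 1,
          "device": {"hostname": "r2-d2.example.com", "ip": "192.168.200.24",
                     "subnet": "192.168.200.0/24", "risk_level_id": 3, "network_status_id": 1}}
```

Running check_event over each event in a paged response before storing it catches provider mappings that drift from the enumerations above; enrich gives the captions the reference expects in activity_name, severity and risk_level.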