Connector API

The Synqly Connector APIs provide a unifying interface and data model for all supported service Providers.

See the Synqly Overview for more information.

Download OpenAPI description
Languages
Servers
Synqly
https://api.synqly.com/

Assets

Operations

Query Devices

Request

Query devices from an asset inventory system

Query
metaArray of strings or null

Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta function are available at every endpoint.

limitinteger or null

Number of finding reports to return. Defaults to 50.

cursorstring or null

Start search from cursor position.

filterArray of strings or null

Filter results by this query. For more information on filtering, refer to the Assets Filtering Guide. Defaults to no filter. If used more than once, the queries are ANDed together.

orderstring or null

Select a field to order the results by. Defaults to time. To control the direction of the sorting, append [asc] or [desc] to the field name. For example, time[asc] will sort the results by time in ascending order. The ordering defaults to asc if not specified.

curl -i -X GET \
  'https://api.synqly.com/v1/assets/devices?cursor=string&filter=string&limit=0&meta=string&order=string' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Bodyapplication/json
resultArray of objects(ocsfv1.3.0inventoryinfoInventoryInfo)required
result[].​activity_idinteger(ocsfv1.3.0inventoryinfoActivityId)required

ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Log: The discovered information is via a log. 2 - Collect: The discovered information is via a collection process. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

result[].​category_uidinteger(ocsfv1.3.0inventoryinfoCategoryUid)required

CategoryUid is an enum, and the following values are allowed. 5 - Discovery: Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.

result[].​class_uidinteger(ocsfv1.3.0inventoryinfoClassUid)required

ClassUid is an enum, and the following values are allowed. 5001 - DeviceInventoryInfo: Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.

result[].​deviceobject(ocsfv1.3.0inventoryinfoDevice)required

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

result[].​device.​type_idinteger(ocsfv1.3.0inventoryinfoDevice_TypeId)required
result[].​device.​agent_listArray of objects or null(ocsfv1.3.0inventoryinfoAgent)

A list of agent objects associated with a device, endpoint, or resource.

result[].​device.​autoscale_uidstring or null

The unique identifier of the cloud autoscale configuration.

result[].​device.​boot_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​device.​boot_time_dtstring or null(date-time)

The time the system was booted.

result[].​device.​containerobject(ocsfv1.3.0inventoryinfoContainer)

The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.

result[].​device.​created_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​device.​created_time_dtstring or null(date-time)

The time when the device was known to have been created.

result[].​device.​descstring or null

The description of the device, ordinarily as reported by the operating system.

result[].​device.​domainstring or null

The network domain where the device resides. For example: work.example.com.

result[].​device.​first_seen_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​device.​first_seen_time_dtstring or null(date-time)

The initial discovery time of the device.

result[].​device.​groupsArray of objects or null(ocsfv1.3.0inventoryinfoGroup)

The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].

result[].​device.​hostnamestring(ocsfv1.3.0inventoryinfoHostname)

Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.

result[].​device.​hw_infoobject(ocsfv1.3.0inventoryinfoDeviceHwInfo)

The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.

result[].​device.​hypervisorstring or null

The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.

result[].​device.​imageobject(ocsfv1.3.0inventoryinfoImage)

The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage.

result[].​device.​imeistring or null

The International Mobile Station Equipment Identifier that is associated with the device.

result[].​device.​instance_uidstring or null

The unique identifier of a VM instance.

result[].​device.​interface_namestring or null

The name of the network interface (e.g. eth2).

result[].​device.​interface_uidstring or null

The unique identifier of the network interface.

result[].​device.​ipstring(ocsfv1.3.0inventoryinfoIPAddress)

Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

result[].​device.​ip_addressesArray of strings or null

A list of IP addresses available on the device

result[].​device.​is_compliantboolean or null

The event occurred on a compliant device.

result[].​device.​is_managedboolean or null

The event occurred on a managed device.

result[].​device.​is_personalboolean or null

The event occurred on a personal device.

result[].​device.​is_trustedboolean or null

The event occurred on a trusted device.

result[].​device.​last_seen_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​device.​last_seen_time_dtstring or null(date-time)

The most recent discovery time of the device.

result[].​device.​locationobject(ocsfv1.3.0inventoryinfoLocation)

The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.

result[].​device.​macstring(ocsfv1.3.0inventoryinfoMACAddress)

Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.

result[].​device.​mac_addressesArray of strings or null

A list of MAC addresses available on the device

result[].​device.​modified_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​device.​modified_time_dtstring or null(date-time)

The time when the device was last known to have been modified.

result[].​device.​namestring or null

The alternate device name, ordinarily as assigned by an administrator.

Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.

result[].​device.​namespace_pidinteger or null

If running under a process namespace (such as in a container), the process identifier within that process namespace.

result[].​device.​netbios_namesArray of strings or null

A list of NetBIOS names available on the device

result[].​device.​network_interfacesArray of objects or null(ocsfv1.3.0inventoryinfoNetworkInterface)

The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.

Note: The first element of the array is the network information that pertains to the event.

result[].​device.​network_statusstring or null

The network isolation status of the endpoiint

result[].​device.​network_status_idinteger(ocsfv1.3.0inventoryinfoDevice_NetworkStatusId)

DeviceNetworkStatusId is an enum, and the following values are allowed. 1 - NotIsolated: Device is not isolated from the network. 2 - Isolated: Device is isolated from the network. 99 - Unknown: The network isolation status is unknown.

result[].​device.​orgobject(ocsfv1.3.0inventoryinfoOrganization)

The Organization object describes characteristics of an organization or company and its division if any.

result[].​device.​osobject(ocsfv1.3.0inventoryinfoOs)

The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem.

result[].​device.​ownerobject(ocsfv1.3.0inventoryinfoUser)

The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

result[].​device.​regionstring or null

The region where the virtual machine is located. For example, an AWS Region.

result[].​device.​risk_levelstring or null

The risk level, normalized to the caption of the risk_level_id value.

result[].​device.​risk_level_idinteger(ocsfv1.3.0inventoryinfoDevice_RiskLevelId)

DeviceRiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.

result[].​device.​risk_scoreinteger or null

The risk score as reported by the event source.

result[].​device.​subnetstring(ocsfv1.3.0inventoryinfoSubnet)

The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet.

For example:
  • 192.168.1.0/24
  • 2001:0db8:85a3:0000::/64

result[].​device.​subnet_uidstring or null

The unique identifier of a virtual subnet.

result[].​device.​sw_infoArray of objects or null(ocsfv1.3.0inventoryinfoProduct)

The list of software contained on a device

result[].​device.​typestring or null

The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, plc, scada, dcs, cnc, scientific, medical, lighting, energy, transportation other.

result[].​device.​uidstring or null

The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.

result[].​device.​uid_altstring or null

An alternate unique identifier of the device if any. For example the ActiveDirectory DN.

result[].​device.​vendorobject(ocsfv1.3.0inventoryinfoOrganization)

The Organization object describes characteristics of an organization or company and its division if any.

result[].​device.​vlan_uidstring or null

The Virtual LAN identifier.

result[].​device.​vpc_uidstring or null

The unique identifier of the Virtual Private Cloud (VPC).

result[].​device.​zonestring or null

The network zone or LAN segment.

result[].​metadataobject(ocsfv1.3.0inventoryinfoMetadata)required

The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.

result[].​metadata.​productobject(ocsfv1.3.0inventoryinfoProduct)required

The Product object describes characteristics of a software product.

result[].​metadata.​product.​vendor_namestringrequired

The name of the vendor of the product.

result[].​metadata.​product.​cpe_namestring or null

The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.

result[].​metadata.​product.​featureobject(ocsfv1.3.0inventoryinfoFeature)

The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.

result[].​metadata.​product.​langstring or null

The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

result[].​metadata.​product.​namestring or null

The name of the product.

result[].​metadata.​product.​pathstring or null

The installation path of the product.

result[].​metadata.​product.​uidstring or null

The unique identifier of the product.

result[].​metadata.​product.​url_stringstring(ocsfv1.3.0inventoryinfoURLString)

Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

result[].​metadata.​product.​versionstring or null

The version of the product, as defined by the event source. For example: 2013.1.3-beta.

result[].​metadata.​versionstringrequired

The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

result[].​metadata.​correlation_uidstring or null

The unique identifier used to correlate events.

result[].​metadata.​event_codestring or null

The Event ID or Code that the product uses to describe the event.

result[].​metadata.​extensionobject(ocsfv1.3.0inventoryinfoExtension)

The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.

result[].​metadata.​extensionsArray of objects or null(ocsfv1.3.0inventoryinfoExtension)

The schema extensions used to create the event.

result[].​metadata.​labelsArray of strings or null

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: ["network", "connection.ip:destination", "device.ip:source"]
result[].​metadata.​log_levelstring or null

The audit level at which an event was generated.

result[].​metadata.​log_namestring or null

The event log name. For example, syslog file name or Windows logging subsystem: Security.

result[].​metadata.​log_providerstring or null

The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

result[].​metadata.​log_versionstring or null

The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

result[].​metadata.​logged_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​logged_time_dtstring or null(date-time)

The time when the logging system collected and logged the event.

This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
result[].​metadata.​loggersArray of objects or null(ocsfv1.3.0inventoryinfoLogger)

An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.

result[].​metadata.​modified_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​modified_time_dtstring or null(date-time)

The time when the event was last modified or enriched.

result[].​metadata.​original_timestring or null

The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.

result[].​metadata.​processed_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​processed_time_dtstring or null(date-time)

The event processed time, such as an ETL operation.

result[].​metadata.​profilesArray of strings or null

The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

result[].​metadata.​sequenceinteger or null

Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

result[].​metadata.​tenant_uidstring or null

The unique tenant identifier.

result[].​metadata.​uidstring or null

The logging system-assigned unique identifier of an event instance.

result[].​severity_idinteger(ocsfv1.3.0inventoryinfoSeverityId)required

SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

result[].​timeinteger(ocsfv1.3.0inventoryinfoTimestamp)required

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​type_uidinteger(ocsfv1.3.0inventoryinfoTypeUid)required

TypeUid is an enum, and the following values are allowed. 500100 - Unknown 500101 - Log: The discovered information is via a log. 500102 - Collect: The discovered information is via a collection process. 500199 - Other

result[].​activity_namestring or null

The event activity name, as defined by the activity_id.

result[].​actorobject(ocsfv1.3.0inventoryinfoActor)

The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.

result[].​apiobject(ocsfv1.3.0inventoryinfoApi)

The API, or Application Programming Interface, object represents information pertaining to an API request and response.

result[].​category_namestring or null

The event category name, as defined by category_uid value: Discovery.

result[].​cloudobject(ocsfv1.3.0inventoryinfoCloud)

The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.

result[].​countinteger or null

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

result[].​custom_fieldsobject(ocsfv1.3.0inventoryinfoObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

result[].​durationinteger or null

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

result[].​end_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​end_time_dtstring or null(date-time)

The end time of a time period, or the time of the most recent event included in the aggregate event.

result[].​enrichmentsArray of objects or null(ocsfv1.3.0inventoryinfoEnrichment)

The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:

[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

result[].​messagestring or null

The description of the event/finding, as defined by the source.

result[].​observablesArray of objects or null(ocsfv1.3.0inventoryinfoObservable)

The observables associated with the event or a finding.

result[].​osintArray of objects or null(ocsfv1.3.0inventoryinfoOsint)

The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

result[].​raw_datastring or null

The raw event/finding data as received from the source.

result[].​severitystring or null

The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

result[].​start_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​start_time_dtstring or null(date-time)

The start time of a time period, or the time of the least recent event included in the aggregate event.

result[].​statusstring or null

The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.

result[].​status_codestring or null

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.

result[].​status_detailstring or null

The status detail contains additional information about the event/finding outcome.

result[].​status_idinteger(ocsfv1.3.0inventoryinfoStatusId)

StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

result[].​time_dtstring or null(date-time)

The normalized event occurrence time or the finding creation time.

result[].​timezone_offsetinteger or null

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

result[].​type_namestring or null

The event/finding type name, as defined by the type_uid.

result[].​unmappedobject(ocsfv1.3.0inventoryinfoObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

cursorstringrequired

Cursor to use to retrieve the next page of results

metaobject(MetaResponse)
Response
application/json
{ "result": [ {} ], "cursor": "string", "meta": { "stats": {}, "api": {} } }

Create Devices

Request

Creates a Device object in the token-linked Integration.

Bodyapplication/jsonrequired
deviceobject(ocsfv1.3.0inventoryinfoInventoryInfo)required

Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.

device.​activity_idinteger(ocsfv1.3.0inventoryinfoActivityId)required

ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Log: The discovered information is via a log. 2 - Collect: The discovered information is via a collection process. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

device.​category_uidinteger(ocsfv1.3.0inventoryinfoCategoryUid)required

CategoryUid is an enum, and the following values are allowed. 5 - Discovery: Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.

device.​class_uidinteger(ocsfv1.3.0inventoryinfoClassUid)required

ClassUid is an enum, and the following values are allowed. 5001 - DeviceInventoryInfo: Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.

device.​deviceobject(ocsfv1.3.0inventoryinfoDevice)required

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

device.​device.​type_idinteger(ocsfv1.3.0inventoryinfoDevice_TypeId)required
device.​device.​agent_listArray of objects or null(ocsfv1.3.0inventoryinfoAgent)

A list of agent objects associated with a device, endpoint, or resource.

device.​device.​autoscale_uidstring or null

The unique identifier of the cloud autoscale configuration.

device.​device.​boot_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​device.​boot_time_dtstring or null(date-time)

The time the system was booted.

device.​device.​containerobject(ocsfv1.3.0inventoryinfoContainer)

The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.

device.​device.​created_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​device.​created_time_dtstring or null(date-time)

The time when the device was known to have been created.

device.​device.​descstring or null

The description of the device, ordinarily as reported by the operating system.

device.​device.​domainstring or null

The network domain where the device resides. For example: work.example.com.

device.​device.​first_seen_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​device.​first_seen_time_dtstring or null(date-time)

The initial discovery time of the device.

device.​device.​groupsArray of objects or null(ocsfv1.3.0inventoryinfoGroup)

The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].

device.​device.​hostnamestring(ocsfv1.3.0inventoryinfoHostname)

Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.

device.​device.​hw_infoobject(ocsfv1.3.0inventoryinfoDeviceHwInfo)

The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.

device.​device.​hypervisorstring or null

The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.

device.​device.​imageobject(ocsfv1.3.0inventoryinfoImage)

The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage.

device.​device.​imeistring or null

The International Mobile Station Equipment Identifier that is associated with the device.

device.​device.​instance_uidstring or null

The unique identifier of a VM instance.

device.​device.​interface_namestring or null

The name of the network interface (e.g. eth2).

device.​device.​interface_uidstring or null

The unique identifier of the network interface.

device.​device.​ipstring(ocsfv1.3.0inventoryinfoIPAddress)

Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

device.​device.​ip_addressesArray of strings or null

A list of IP addresses available on the device

device.​device.​is_compliantboolean or null

The event occurred on a compliant device.

device.​device.​is_managedboolean or null

The event occurred on a managed device.

device.​device.​is_personalboolean or null

The event occurred on a personal device.

device.​device.​is_trustedboolean or null

The event occurred on a trusted device.

device.​device.​last_seen_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​device.​last_seen_time_dtstring or null(date-time)

The most recent discovery time of the device.

device.​device.​locationobject(ocsfv1.3.0inventoryinfoLocation)

The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.

device.​device.​macstring(ocsfv1.3.0inventoryinfoMACAddress)

Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.

device.​device.​mac_addressesArray of strings or null

A list of MAC addresses available on the device

device.​device.​modified_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​device.​modified_time_dtstring or null(date-time)

The time when the device was last known to have been modified.

device.​device.​namestring or null

The alternate device name, ordinarily as assigned by an administrator.

Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.

device.​device.​namespace_pidinteger or null

If running under a process namespace (such as in a container), the process identifier within that process namespace.

device.​device.​netbios_namesArray of strings or null

A list of NetBIOS names available on the device

device.​device.​network_interfacesArray of objects or null(ocsfv1.3.0inventoryinfoNetworkInterface)

The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.

Note: The first element of the array is the network information that pertains to the event.

device.​device.​network_statusstring or null

The network isolation status of the endpoiint

device.​device.​network_status_idinteger(ocsfv1.3.0inventoryinfoDevice_NetworkStatusId)

DeviceNetworkStatusId is an enum, and the following values are allowed. 1 - NotIsolated: Device is not isolated from the network. 2 - Isolated: Device is isolated from the network. 99 - Unknown: The network isolation status is unknown.

device.​device.​orgobject(ocsfv1.3.0inventoryinfoOrganization)

The Organization object describes characteristics of an organization or company and its division if any.

device.​device.​osobject(ocsfv1.3.0inventoryinfoOs)

The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem.

device.​device.​ownerobject(ocsfv1.3.0inventoryinfoUser)

The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

device.​device.​regionstring or null

The region where the virtual machine is located. For example, an AWS Region.

device.​device.​risk_levelstring or null

The risk level, normalized to the caption of the risk_level_id value.

device.​device.​risk_level_idinteger(ocsfv1.3.0inventoryinfoDevice_RiskLevelId)

DeviceRiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.

device.​device.​risk_scoreinteger or null

The risk score as reported by the event source.

device.​device.​subnetstring(ocsfv1.3.0inventoryinfoSubnet)

The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet.

For example:
  • 192.168.1.0/24
  • 2001:0db8:85a3:0000::/64

device.​device.​subnet_uidstring or null

The unique identifier of a virtual subnet.

device.​device.​sw_infoArray of objects or null(ocsfv1.3.0inventoryinfoProduct)

The list of software contained on a device

device.​device.​typestring or null

The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, plc, scada, dcs, cnc, scientific, medical, lighting, energy, transportation other.

device.​device.​uidstring or null

The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.

device.​device.​uid_altstring or null

An alternate unique identifier of the device if any. For example the ActiveDirectory DN.

device.​device.​vendorobject(ocsfv1.3.0inventoryinfoOrganization)

The Organization object describes characteristics of an organization or company and its division if any.

device.​device.​vlan_uidstring or null

The Virtual LAN identifier.

device.​device.​vpc_uidstring or null

The unique identifier of the Virtual Private Cloud (VPC).

device.​device.​zonestring or null

The network zone or LAN segment.

device.​metadataobject(ocsfv1.3.0inventoryinfoMetadata)required

The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.

device.​metadata.​productobject(ocsfv1.3.0inventoryinfoProduct)required

The Product object describes characteristics of a software product.

device.​metadata.​product.​vendor_namestringrequired

The name of the vendor of the product.

device.​metadata.​product.​cpe_namestring or null

The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.

device.​metadata.​product.​featureobject(ocsfv1.3.0inventoryinfoFeature)

The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.

device.​metadata.​product.​langstring or null

The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

device.​metadata.​product.​namestring or null

The name of the product.

device.​metadata.​product.​pathstring or null

The installation path of the product.

device.​metadata.​product.​uidstring or null

The unique identifier of the product.

device.​metadata.​product.​url_stringstring(ocsfv1.3.0inventoryinfoURLString)

Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

device.​metadata.​product.​versionstring or null

The version of the product, as defined by the event source. For example: 2013.1.3-beta.

device.​metadata.​versionstringrequired

The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

device.​metadata.​correlation_uidstring or null

The unique identifier used to correlate events.

device.​metadata.​event_codestring or null

The Event ID or Code that the product uses to describe the event.

device.​metadata.​extensionobject(ocsfv1.3.0inventoryinfoExtension)

The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.

device.​metadata.​extensionsArray of objects or null(ocsfv1.3.0inventoryinfoExtension)

The schema extensions used to create the event.

device.​metadata.​labelsArray of strings or null

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: ["network", "connection.ip:destination", "device.ip:source"]
device.​metadata.​log_levelstring or null

The audit level at which an event was generated.

device.​metadata.​log_namestring or null

The event log name. For example, syslog file name or Windows logging subsystem: Security.

device.​metadata.​log_providerstring or null

The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

device.​metadata.​log_versionstring or null

The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

device.​metadata.​logged_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​metadata.​logged_time_dtstring or null(date-time)

The time when the logging system collected and logged the event.

This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
device.​metadata.​loggersArray of objects or null(ocsfv1.3.0inventoryinfoLogger)

An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.

device.​metadata.​modified_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​metadata.​modified_time_dtstring or null(date-time)

The time when the event was last modified or enriched.

device.​metadata.​original_timestring or null

The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.

device.​metadata.​processed_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​metadata.​processed_time_dtstring or null(date-time)

The event processed time, such as an ETL operation.

device.​metadata.​profilesArray of strings or null

The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

device.​metadata.​sequenceinteger or null

Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

device.​metadata.​tenant_uidstring or null

The unique tenant identifier.

device.​metadata.​uidstring or null

The logging system-assigned unique identifier of an event instance.

device.​severity_idinteger(ocsfv1.3.0inventoryinfoSeverityId)required

SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

device.​timeinteger(ocsfv1.3.0inventoryinfoTimestamp)required

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​type_uidinteger(ocsfv1.3.0inventoryinfoTypeUid)required

TypeUid is an enum, and the following values are allowed. 500100 - Unknown 500101 - Log: The discovered information is via a log. 500102 - Collect: The discovered information is via a collection process. 500199 - Other

device.​activity_namestring or null

The event activity name, as defined by the activity_id.

device.​actorobject(ocsfv1.3.0inventoryinfoActor)

The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.

device.​apiobject(ocsfv1.3.0inventoryinfoApi)

The API, or Application Programming Interface, object represents information pertaining to an API request and response.

device.​category_namestring or null

The event category name, as defined by category_uid value: Discovery.

device.​cloudobject(ocsfv1.3.0inventoryinfoCloud)

The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.

device.​countinteger or null

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

device.​custom_fieldsobject(ocsfv1.3.0inventoryinfoObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

device.​durationinteger or null

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

device.​end_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​end_time_dtstring or null(date-time)

The end time of a time period, or the time of the most recent event included in the aggregate event.

device.​enrichmentsArray of objects or null(ocsfv1.3.0inventoryinfoEnrichment)

The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:

[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

device.​messagestring or null

The description of the event/finding, as defined by the source.

device.​observablesArray of objects or null(ocsfv1.3.0inventoryinfoObservable)

The observables associated with the event or a finding.

device.​osintArray of objects or null(ocsfv1.3.0inventoryinfoOsint)

The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

device.​raw_datastring or null

The raw event/finding data as received from the source.

device.​severitystring or null

The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

device.​start_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​start_time_dtstring or null(date-time)

The start time of a time period, or the time of the least recent event included in the aggregate event.

device.​statusstring or null

The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.

device.​status_codestring or null

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.

device.​status_detailstring or null

The status detail contains additional information about the event/finding outcome.

device.​status_idinteger(ocsfv1.3.0inventoryinfoStatusId)

StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

device.​time_dtstring or null(date-time)

The normalized event occurrence time or the finding creation time.

device.​timezone_offsetinteger or null

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

device.​type_namestring or null

The event/finding type name, as defined by the type_uid.

device.​unmappedobject(ocsfv1.3.0inventoryinfoObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

curl -i -X POST \
  https://api.synqly.com/v1/assets/devices \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "device": {
      "activity_id": 0,
      "activity_name": "string",
      "actor": {
        "app_name": "string",
        "app_uid": "string",
        "authorizations": [
          {
            "decision": "string",
            "policy": {
              "desc": "string",
              "group": {
                "desc": "string",
                "domain": "string",
                "name": "string",
                "privileges": [
                  null
                ],
                "type": "string",
                "uid": "string"
              },
              "is_applied": true,
              "name": "string",
              "uid": "string",
              "version": "string"
            }
          }
        ],
        "idp": {
          "name": "string",
          "uid": "string"
        },
        "invoked_by": "string",
        "process": {
          "auid": 0,
          "cmd_line": "string",
          "container": {
            "hash": {
              "algorithm": "string",
              "algorithm_id": 0,
              "value": "string"
            },
            "image": {
              "labels": [
                "string"
              ],
              "name": "string",
              "path": "string",
              "tag": "string",
              "uid": "string"
            },
            "name": "string",
            "network_driver": "string",
            "orchestrator": "string",
            "pod_uuid": "string",
            "runtime": "string",
            "size": 0,
            "tag": "string",
            "uid": "string"
          },
          "created_time": 0,
          "created_time_dt": "2019-08-24T14:15:22Z",
          "egid": 0,
          "euid": 0,
          "file": {
            "accessed_time": 0,
            "accessed_time_dt": "2019-08-24T14:15:22Z",
            "accessor": {
              "account": {
                "labels": [
                  null
                ],
                "name": "string",
                "type": "string",
                "type_id": 0,
                "uid": "string"
              },
              "credential_uid": "string",
              "domain": "string",
              "email_addr": "string",
              "full_name": "string",
              "groups": [
                {
                  "privileges": []
                }
              ],
              "ldap_person": {
                "cost_center": "string",
                "created_time": 0,
                "created_time_dt": "2019-08-24T14:15:22Z",
                "deleted_time": 0,
                "deleted_time_dt": "2019-08-24T14:15:22Z",
                "email_addrs": [
                  null
                ],
                "employee_uid": "string",
                "given_name": "string",
                "hire_time": 0,
                "hire_time_dt": "2019-08-24T14:15:22Z",
                "job_title": "string",
                "labels": [
                  null
                ],
                "last_login_time": 0,
                "last_login_time_dt": "2019-08-24T14:15:22Z",
                "ldap_cn": "string",
                "ldap_dn": "string",
                "leave_time": 0,
                "leave_time_dt": "2019-08-24T14:15:22Z",
                "location": {
                  "coordinates": []
                },
                "manager": {},
                "modified_time": 0,
                "modified_time_dt": "2019-08-24T14:15:22Z",
                "office_location": "string",
                "surname": "string"
              },
              "mfa_status": "string",
              "mfa_status_id": 0,
              "name": "string",
              "org": {
                "name": "string",
                "ou_name": "string",
                "ou_uid": "string",
                "uid": "string"
              },
              "privileges": [
                "string"
              ],
              "risk_level": "string",
              "risk_level_id": 0,
              "risk_score": 0,
              "type": "string",
              "type_id": 0,
              "uid": "string",
              "uid_alt": "string",
              "user_status": "string",
              "user_status_id": 0
            },
            "attributes": 0,
            "company_name": "string",
            "confidentiality": "string",
            "confidentiality_id": 0,
            "created_time": 0,
            "created_time_dt": "2019-08-24T14:15:22Z",
            "creator": {
              "account": {
                "labels": [
                  null
                ],
                "name": "string",
                "type": "string",
                "type_id": 0,
                "uid": "string"
              },
              "credential_uid": "string",
              "domain": "string",
              "email_addr": "string",
              "full_name": "string",
              "groups": [
                {
                  "privileges": []
                }
              ],
              "ldap_person": {
                "cost_center": "string",
                "created_time": 0,
                "created_time_dt": "2019-08-24T14:15:22Z",
                "deleted_time": 0,
                "deleted_time_dt": "2019-08-24T14:15:22Z",
                "email_addrs": [
                  null
                ],
                "employee_uid": "string",
                "given_name": "string",
                "hire_time": 0,
                "hire_time_dt": "2019-08-24T14:15:22Z",
                "job_title": "string",
                "labels": [
                  null
                ],
                "last_login_time": 0,
                "last_login_time_dt": "2019-08-24T14:15:22Z",
                "ldap_cn": "string",
                "ldap_dn": "string",
                "leave_time": 0,
                "leave_time_dt": "2019-08-24T14:15:22Z",
                "location": {
                  "coordinates": []
                },
                "manager": {},
                "modified_time": 0,
                "modified_time_dt": "2019-08-24T14:15:22Z",
                "office_location": "string",
                "surname": "string"
              },
              "mfa_status": "string",
              "mfa_status_id": 0,
              "name": "string",
              "org": {
                "name": "string",
                "ou_name": "string",
                "ou_uid": "string",
                "uid": "string"
              },
              "privileges": [
                "string"
              ],
              "risk_level": "string",
              "risk_level_id": 0,
              "risk_score": 0,
              "type": "string",
              "type_id": 0,
              "uid": "string",
              "uid_alt": "string",
              "user_status": "string",
              "user_status_id": 0
            },
            "desc": "string",
            "ext": "string",
            "hashes": [
              {
                "algorithm": "string",
                "algorithm_id": 0,
                "value": "string"
              }
            ],
            "is_system": true,
            "mime_type": "string",
            "modified_time": 0,
            "modified_time_dt": "2019-08-24T14:15:22Z",
            "modifier": {
              "account": {
                "labels": [
                  null
                ],
                "name": "string",
                "type": "string",
                "type_id": 0,
                "uid": "string"
              },
              "credential_uid": "string",
              "domain": "string",
              "email_addr": "string",
              "full_name": "string",
              "groups": [
                {
                  "privileges": []
                }
              ],
              "ldap_person": {
                "cost_center": "string",
                "created_time": 0,
                "created_time_dt": "2019-08-24T14:15:22Z",
                "deleted_time": 0,
                "deleted_time_dt": "2019-08-24T14:15:22Z",
                "email_addrs": [
                  null
                ],
                "employee_uid": "string",
                "given_name": "string",
                "hire_time": 0,
                "hire_time_dt": "2019-08-24T14:15:22Z",
                "job_title": "string",
                "labels": [
                  null
                ],
                "last_login_time": 0,
                "last_login_time_dt": "2019-08-24T14:15:22Z",
                "ldap_cn": "string",
                "ldap_dn": "string",
                "leave_time": 0,
                "leave_time_dt": "2019-08-24T14:15:22Z",
                "location": {
                  "coordinates": []
                },
                "manager": {},
                "modified_time": 0,
                "modified_time_dt": "2019-08-24T14:15:22Z",
                "office_location": "string",
                "surname": "string"
              },
              "mfa_status": "string",
              "mfa_status_id": 0,
              "name": "string",
              "org": {
                "name": "string",
                "ou_name": "string",
                "ou_uid": "string",
                "uid": "string"
              },
              "privileges": [
                "string"
              ],
              "risk_level": "string",
              "risk_level_id": 0,
              "risk_score": 0,
              "type": "string",
              "type_id": 0,
              "uid": "string",
              "uid_alt": "string",
              "user_status": "string",
              "user_status_id": 0
            },
            "name": "string",
            "owner": {
              "account": {
                "labels": [
                  null
                ],
                "name": "string",
                "type": "string",
                "type_id": 0,
                "uid": "string"
              },
              "credential_uid": "string",
              "domain": "string",
              "email_addr": "string",
              "full_name": "string",
              "groups": [
                {
                  "privileges": []
                }
              ],
              "ldap_person": {
                "cost_center": "string",
                "created_time": 0,
                "created_time_dt": "2019-08-24T14:15:22Z",
                "deleted_time": 0,
                "deleted_time_dt": "2019-08-24T14:15:22Z",
                "email_addrs": [
                  null
                ],
                "employee_uid": "string",
                "given_name": "string",
                "hire_time": 0,
                "hire_time_dt": "2019-08-24T14:15:22Z",
                "job_title": "string",
                "labels": [
                  null
                ],
                "last_login_time": 0,
                "last_login_time_dt": "2019-08-24T14:15:22Z",
                "ldap_cn": "string",
                "ldap_dn": "string",
                "leave_time": 0,
                "leave_time_dt": "2019-08-24T14:15:22Z",
                "location": {
                  "coordinates": []
                },
                "manager": {},
                "modified_time": 0,
                "modified_time_dt": "2019-08-24T14:15:22Z",
                "office_location": "string",
                "surname": "string"
              },
              "mfa_status": "string",
              "mfa_status_id": 0,
              "name": "string",
              "org": {
                "name": "string",
                "ou_name": "string",
                "ou_uid": "string",
                "uid": "string"
              },
              "privileges": [
                "string"
              ],
              "risk_level": "string",
              "risk_level_id": 0,
              "risk_score": 0,
              "type": "string",
              "type_id": 0,
              "uid": "string",
              "uid_alt": "string",
              "user_status": "string",
              "user_status_id": 0
            },
            "parent_folder": "string",
            "path": "string",
            "product": {
              "cpe_name": "string",
              "feature": {
                "name": "string",
                "uid": "string",
                "version": "string"
              },
              "lang": "string",
              "name": "string",
              "path": "string",
              "uid": "string",
              "url_string": "string",
              "vendor_name": "string",
              "version": "string"
            },
            "security_descriptor": "string",
            "signature": {
              "algorithm": "string",
              "algorithm_id": 0,
              "certificate": {
                "created_time": 0,
                "created_time_dt": "2019-08-24T14:15:22Z",
                "expiration_time": 0,
                "expiration_time_dt": "2019-08-24T14:15:22Z",
                "fingerprints": [
                  null
                ],
                "is_self_signed": true,
                "issuer": "string",
                "serial_number": "string",
                "subject": "string",
                "uid": "string",
                "version": "string"
              },
              "created_time": 0,
              "created_time_dt": "2019-08-24T14:15:22Z",
              "developer_uid": "string",
              "digest": {
                "algorithm": "string",
                "algorithm_id": 0,
                "value": "string"
              },
              "state": "string",
              "state_id": 0
            },
            "size": 0,
            "type": "string",
            "type_id": 0,
            "uid": "string",
            "version": "string",
            "xattributes": {}
          },
          "group": {
            "desc": "string",
            "domain": "string",
            "name": "string",
            "privileges": [
              "string"
            ],
            "type": "string",
            "uid": "string"
          },
          "integrity": "string",
          "integrity_id": 0,
          "lineage": [
            "string"
          ],
          "loaded_modules": [
            "string"
          ],
          "name": "string",
          "namespace_pid": 0,
          "parent_process": {},
          "pid": 0,
          "sandbox": "string",
          "session": {
            "count": 0,
            "created_time": 0,
            "created_time_dt": "2019-08-24T14:15:22Z",
            "credential_uid": "string",
            "expiration_reason": "string",
            "expiration_time": 0,
            "expiration_time_dt": "2019-08-24T14:15:22Z",
            "is_mfa": true,
            "is_remote": true,
            "is_vpn": true,
            "issuer": "string",
            "terminal": "string",
            "uid": "string",
            "uid_alt": "string",
            "uuid": "string"
          },
          "terminated_time": 0,
          "terminated_time_dt": "2019-08-24T14:15:22Z",
          "tid": 0,
          "uid": "string",
          "user": {
            "account": {
              "labels": [
                "string"
              ],
              "name": "string",
              "type": "string",
              "type_id": 0,
              "uid": "string"
            },
            "credential_uid": "string",
            "domain": "string",
            "email_addr": "string",
            "full_name": "string",
            "groups": [
              {
                "desc": "string",
                "domain": "string",
                "name": "string",
                "privileges": [
                  null
                ],
                "type": "string",
                "uid": "string"
              }
            ],
            "ldap_person": {
              "cost_center": "string",
              "created_time": 0,
              "created_time_dt": "2019-08-24T14:15:22Z",
              "deleted_time": 0,
              "deleted_time_dt": "2019-08-24T14:15:22Z",
              "email_addrs": [
                "string"
              ],
              "employee_uid": "string",
              "given_name": "string",
              "hire_time": 0,
              "hire_time_dt": "2019-08-24T14:15:22Z",
              "job_title": "string",
              "labels": [
                "string"
              ],
              "last_login_time": 0,
              "last_login_time_dt": "2019-08-24T14:15:22Z",
              "ldap_cn": "string",
              "ldap_dn": "string",
              "leave_time": 0,
              "leave_time_dt": "2019-08-24T14:15:22Z",
              "location": {
                "city": "string",
                "continent": "string",
                "coordinates": [
                  null
                ],
                "country": "string",
                "desc": "string",
                "geohash": "string",
                "is_on_premises": true,
                "isp": "string",
                "lat": 0.1,
                "long": 0.1,
                "postal_code": "string",
                "provider": "string",
                "region": "string"
              },
              "manager": {},
              "modified_time": 0,
              "modified_time_dt": "2019-08-24T14:15:22Z",
              "office_location": "string",
              "surname": "string"
            },
            "mfa_status": "string",
            "mfa_status_id": 0,
            "name": "string",
            "org": {
              "name": "string",
              "ou_name": "string",
              "ou_uid": "string",
              "uid": "string"
            },
            "privileges": [
              "string"
            ],
            "risk_level": "string",
            "risk_level_id": 0,
            "risk_score": 0,
            "type": "string",
            "type_id": 0,
            "uid": "string",
            "uid_alt": "string",
            "user_status": "string",
            "user_status_id": 0
          },
          "xattributes": {}
        },
        "session": {
          "count": 0,
          "created_time": 0,
          "created_time_dt": "2019-08-24T14:15:22Z",
          "credential_uid": "string",
          "expiration_reason": "string",
          "expiration_time": 0,
          "expiration_time_dt": "2019-08-24T14:15:22Z",
          "is_mfa": true,
          "is_remote": true,
          "is_vpn": true,
          "issuer": "string",
          "terminal": "string",
          "uid": "string",
          "uid_alt": "string",
          "uuid": "string"
        },
        "user": {
          "account": {
            "labels": [
              "string"
            ],
            "name": "string",
            "type": "string",
            "type_id": 0,
            "uid": "string"
          },
          "credential_uid": "string",
          "domain": "string",
          "email_addr": "string",
          "full_name": "string",
          "groups": [
            {
              "desc": "string",
              "domain": "string",
              "name": "string",
              "privileges": [
                "string"
              ],
              "type": "string",
              "uid": "string"
            }
          ],
          "ldap_person": {
            "cost_center": "string",
            "created_time": 0,
            "created_time_dt": "2019-08-24T14:15:22Z",
            "deleted_time": 0,
            "deleted_time_dt": "2019-08-24T14:15:22Z",
            "email_addrs": [
              "string"
            ],
            "employee_uid": "string",
            "given_name": "string",
            "hire_time": 0,
            "hire_time_dt": "2019-08-24T14:15:22Z",
            "job_title": "string",
            "labels": [
              "string"
            ],
            "last_login_time": 0,
            "last_login_time_dt": "2019-08-24T14:15:22Z",
            "ldap_cn": "string",
            "ldap_dn": "string",
            "leave_time": 0,
            "leave_time_dt": "2019-08-24T14:15:22Z",
            "location": {
              "city": "string",
              "continent": "string",
              "coordinates": [
                0.1
              ],
              "country": "string",
              "desc": "string",
              "geohash": "string",
              "is_on_premises": true,
              "isp": "string",
              "lat": 0.1,
              "long": 0.1,
              "postal_code": "string",
              "provider": "string",
              "region": "string"
            },
            "manager": {},
            "modified_time": 0,
            "modified_time_dt": "2019-08-24T14:15:22Z",
            "office_location": "string",
            "surname": "string"
          },
          "mfa_status": "string",
          "mfa_status_id": 0,
          "name": "string",
          "org": {
            "name": "string",
            "ou_name": "string",
            "ou_uid": "string",
            "uid": "string"
          },
          "privileges": [
            "string"
          ],
          "risk_level": "string",
          "risk_level_id": 0,
          "risk_score": 0,
          "type": "string",
          "type_id": 0,
          "uid": "string",
          "uid_alt": "string",
          "user_status": "string",
          "user_status_id": 0
        }
      },
      "api": {
        "group": {
          "desc": "string",
          "domain": "string",
          "name": "string",
          "privileges": [
            "string"
          ],
          "type": "string",
          "uid": "string"
        },
        "operation": "string",
        "request": {
          "containers": [
            {
              "hash": {
                "algorithm": "string",
                "algorithm_id": 0,
                "value": "string"
              },
              "image": {
                "labels": [
                  null
                ],
                "name": "string",
                "path": "string",
                "tag": "string",
                "uid": "string"
              },
              "name": "string",
              "network_driver": "string",
              "orchestrator": "string",
              "pod_uuid": "string",
              "runtime": "string",
              "size": 0,
              "tag": "string",
              "uid": "string"
            }
          ],
          "data": null,
          "flags": [
            "string"
          ],
          "uid": "string"
        },
        "response": {
          "code": 0,
          "containers": [
            {
              "hash": {
                "algorithm": "string",
                "algorithm_id": 0,
                "value": "string"
              },
              "image": {
                "labels": [
                  null
                ],
                "name": "string",
                "path": "string",
                "tag": "string",
                "uid": "string"
              },
              "name": "string",
              "network_driver": "string",
              "orchestrator": "string",
              "pod_uuid": "string",
              "runtime": "string",
              "size": 0,
              "tag": "string",
              "uid": "string"
            }
          ],
          "data": null,
          "error": "string",
          "error_message": "string",
          "flags": [
            "string"
          ],
          "message": "string"
        },
        "service": {
          "labels": [
            "string"
          ],
          "name": "string",
          "uid": "string",
          "version": "string"
        },
        "version": "string"
      },
      "category_name": "string",
      "category_uid": 0,
      "class_uid": 0,
      "cloud": {
        "account": {
          "labels": [
            "string"
          ],
          "name": "string",
          "type": "string",
          "type_id": 0,
          "uid": "string"
        },
        "org": {
          "name": "string",
          "ou_name": "string",
          "ou_uid": "string",
          "uid": "string"
        },
        "project_uid": "string",
        "provider": "string",
        "region": "string",
        "zone": "string"
      },
      "count": 0,
      "custom_fields": {},
      "device": {
        "agent_list": [
          {
            "name": "string",
            "type": "string",
            "type_id": 0,
            "uid": "string",
            "uid_alt": "string",
            "vendor_name": "string",
            "version": "string"
          }
        ],
        "autoscale_uid": "string",
        "boot_time": 0,
        "boot_time_dt": "2019-08-24T14:15:22Z",
        "container": {
          "hash": {
            "algorithm": "string",
            "algorithm_id": 0,
            "value": "string"
          },
          "image": {
            "labels": [
              "string"
            ],
            "name": "string",
            "path": "string",
            "tag": "string",
            "uid": "string"
          },
          "name": "string",
          "network_driver": "string",
          "orchestrator": "string",
          "pod_uuid": "string",
          "runtime": "string",
          "size": 0,
          "tag": "string",
          "uid": "string"
        },
        "created_time": 0,
        "created_time_dt": "2019-08-24T14:15:22Z",
        "desc": "string",
        "domain": "string",
        "first_seen_time": 0,
        "first_seen_time_dt": "2019-08-24T14:15:22Z",
        "groups": [
          {
            "desc": "string",
            "domain": "string",
            "name": "string",
            "privileges": [
              "string"
            ],
            "type": "string",
            "uid": "string"
          }
        ],
        "hostname": "string",
        "hw_info": {
          "bios_date": "string",
          "bios_manufacturer": "string",
          "bios_uid": "string",
          "bios_ver": "string",
          "chassis": "string",
          "cpu_bits": 0,
          "cpu_cores": 0,
          "cpu_count": 0,
          "cpu_speed": 0,
          "cpu_type": "string",
          "desktop_display": {
            "color_depth": 0,
            "physical_height": 0,
            "physical_orientation": 0,
            "physical_width": 0,
            "scale_factor": 0
          },
          "keyboard_info": {
            "function_keys": 0,
            "ime": "string",
            "keyboard_layout": "string",
            "keyboard_subtype": 0,
            "keyboard_type": "string"
          },
          "ram_size": 0,
          "serial_number": "string"
        },
        "hypervisor": "string",
        "image": {
          "labels": [
            "string"
          ],
          "name": "string",
          "path": "string",
          "tag": "string",
          "uid": "string"
        },
        "imei": "string",
        "instance_uid": "string",
        "interface_name": "string",
        "interface_uid": "string",
        "ip": "string",
        "ip_addresses": [
          "string"
        ],
        "is_compliant": true,
        "is_managed": true,
        "is_personal": true,
        "is_trusted": true,
        "last_seen_time": 0,
        "last_seen_time_dt": "2019-08-24T14:15:22Z",
        "location": {
          "city": "string",
          "continent": "string",
          "coordinates": [
            0.1
          ],
          "country": "string",
          "desc": "string",
          "geohash": "string",
          "is_on_premises": true,
          "isp": "string",
          "lat": 0.1,
          "long": 0.1,
          "postal_code": "string",
          "provider": "string",
          "region": "string"
        },
        "mac": "string",
        "mac_addresses": [
          "string"
        ],
        "modified_time": 0,
        "modified_time_dt": "2019-08-24T14:15:22Z",
        "name": "string",
        "namespace_pid": 0,
        "netbios_names": [
          "string"
        ],
        "network_interfaces": [
          {
            "hostname": "string",
            "ip": "string",
            "ip_addresses": [
              "string"
            ],
            "mac": "string",
            "mac_addresses": [
              "string"
            ],
            "name": "string",
            "namespace": "string",
            "subnet_prefix": 0,
            "type": "string",
            "type_id": 0,
            "uid": "string"
          }
        ],
        "network_status": "string",
        "network_status_id": 0,
        "org": {
          "name": "string",
          "ou_name": "string",
          "ou_uid": "string",
          "uid": "string"
        },
        "os": {
          "build": "string",
          "country": "string",
          "cpe_name": "string",
          "cpu_bits": 0,
          "edition": "string",
          "lang": "string",
          "name": "string",
          "sp_name": "string",
          "sp_ver": 0,
          "type": "string",
          "type_id": 0,
          "version": "string"
        },
        "owner": {
          "account": {
            "labels": [
              "string"
            ],
            "name": "string",
            "type": "string",
            "type_id": 0,
            "uid": "string"
          },
          "credential_uid": "string",
          "domain": "string",
          "email_addr": "string",
          "full_name": "string",
          "groups": [
            {
              "desc": "string",
              "domain": "string",
              "name": "string",
              "privileges": [
                "string"
              ],
              "type": "string",
              "uid": "string"
            }
          ],
          "ldap_person": {
            "cost_center": "string",
            "created_time": 0,
            "created_time_dt": "2019-08-24T14:15:22Z",
            "deleted_time": 0,
            "deleted_time_dt": "2019-08-24T14:15:22Z",
            "email_addrs": [
              "string"
            ],
            "employee_uid": "string",
            "given_name": "string",
            "hire_time": 0,
            "hire_time_dt": "2019-08-24T14:15:22Z",
            "job_title": "string",
            "labels": [
              "string"
            ],
            "last_login_time": 0,
            "last_login_time_dt": "2019-08-24T14:15:22Z",
            "ldap_cn": "string",
            "ldap_dn": "string",
            "leave_time": 0,
            "leave_time_dt": "2019-08-24T14:15:22Z",
            "location": {
              "city": "string",
              "continent": "string",
              "coordinates": [
                0.1
              ],
              "country": "string",
              "desc": "string",
              "geohash": "string",
              "is_on_premises": true,
              "isp": "string",
              "lat": 0.1,
              "long": 0.1,
              "postal_code": "string",
              "provider": "string",
              "region": "string"
            },
            "manager": {},
            "modified_time": 0,
            "modified_time_dt": "2019-08-24T14:15:22Z",
            "office_location": "string",
            "surname": "string"
          },
          "mfa_status": "string",
          "mfa_status_id": 0,
          "name": "string",
          "org": {
            "name": "string",
            "ou_name": "string",
            "ou_uid": "string",
            "uid": "string"
          },
          "privileges": [
            "string"
          ],
          "risk_level": "string",
          "risk_level_id": 0,
          "risk_score": 0,
          "type": "string",
          "type_id": 0,
          "uid": "string",
          "uid_alt": "string",
          "user_status": "string",
          "user_status_id": 0
        },
        "region": "string",
        "risk_level": "string",
        "risk_level_id": 0,
        "risk_score": 0,
        "subnet": "string",
        "subnet_uid": "string",
        "sw_info": [
          {
            "cpe_name": "string",
            "feature": {
              "name": "string",
              "uid": "string",
              "version": "string"
            },
            "lang": "string",
            "name": "string",
            "path": "string",
            "uid": "string",
            "url_string": "string",
            "vendor_name": "string",
            "version": "string"
          }
        ],
        "type": "string",
        "type_id": 0,
        "uid": "string",
        "uid_alt": "string",
        "vendor": {
          "name": "string",
          "ou_name": "string",
          "ou_uid": "string",
          "uid": "string"
        },
        "vlan_uid": "string",
        "vpc_uid": "string",
        "zone": "string"
      },
      "duration": 0,
      "end_time": 0,
      "end_time_dt": "2019-08-24T14:15:22Z",
      "enrichments": [
        {
          "created_time": 0,
          "created_time_dt": "2019-08-24T14:15:22Z",
          "data": null,
          "desc": "string",
          "name": "string",
          "provider": "string",
          "reputation": {
            "base_score": 0.1,
            "provider": "string",
            "score": "string",
            "score_id": 0
          },
          "short_desc": "string",
          "src_url": "string",
          "type": "string",
          "value": "string"
        }
      ],
      "message": "string",
      "metadata": {
        "correlation_uid": "string",
        "event_code": "string",
        "extension": {
          "name": "string",
          "uid": "string",
          "version": "string"
        },
        "extensions": [
          {
            "name": "string",
            "uid": "string",
            "version": "string"
          }
        ],
        "labels": [
          "string"
        ],
        "log_level": "string",
        "log_name": "string",
        "log_provider": "string",
        "log_version": "string",
        "logged_time": 0,
        "logged_time_dt": "2019-08-24T14:15:22Z",
        "loggers": [
          {
            "device": {
              "agent_list": [
                {}
              ],
              "autoscale_uid": "string",
              "boot_time": 0,
              "boot_time_dt": "2019-08-24T14:15:22Z",
              "container": {
                "hash": {},
                "image": {
                  "labels": []
                },
                "name": "string",
                "network_driver": "string",
                "orchestrator": "string",
                "pod_uuid": "string",
                "runtime": "string",
                "size": 0,
                "tag": "string",
                "uid": "string"
              },
              "created_time": 0,
              "created_time_dt": "2019-08-24T14:15:22Z",
              "desc": "string",
              "domain": "string",
              "first_seen_time": 0,
              "first_seen_time_dt": "2019-08-24T14:15:22Z",
              "groups": [
                {
                  "privileges": []
                }
              ],
              "hostname": "string",
              "hw_info": {
                "bios_date": "string",
                "bios_manufacturer": "string",
                "bios_uid": "string",
                "bios_ver": "string",
                "chassis": "string",
                "cpu_bits": 0,
                "cpu_cores": 0,
                "cpu_count": 0,
                "cpu_speed": 0,
                "cpu_type": "string",
                "desktop_display": {},
                "keyboard_info": {},
                "ram_size": 0,
                "serial_number": "string"
              },
              "hypervisor": "string",
              "image": {
                "labels": [
                  null
                ],
                "name": "string",
                "path": "string",
                "tag": "string",
                "uid": "string"
              },
              "imei": "string",
              "instance_uid": "string",
              "interface_name": "string",
              "interface_uid": "string",
              "ip": "string",
              "ip_addresses": [
                "string"
              ],
              "is_compliant": true,
              "is_managed": true,
              "is_personal": true,
              "is_trusted": true,
              "last_seen_time": 0,
              "last_seen_time_dt": "2019-08-24T14:15:22Z",
              "location": {
                "city": "string",
                "continent": "string",
                "coordinates": [
                  null
                ],
                "country": "string",
                "desc": "string",
                "geohash": "string",
                "is_on_premises": true,
                "isp": "string",
                "lat": 0.1,
                "long": 0.1,
                "postal_code": "string",
                "provider": "string",
                "region": "string"
              },
              "mac": "string",
              "mac_addresses": [
                "string"
              ],
              "modified_time": 0,
              "modified_time_dt": "2019-08-24T14:15:22Z",
              "name": "string",
              "namespace_pid": 0,
              "netbios_names": [
                "string"
              ],
              "network_interfaces": [
                {
                  "ip_addresses": [],
                  "mac_addresses": []
                }
              ],
              "network_status": "string",
              "network_status_id": 0,
              "org": {
                "name": "string",
                "ou_name": "string",
                "ou_uid": "string",
                "uid": "string"
              },
              "os": {
                "build": "string",
                "country": "string",
                "cpe_name": "string",
                "cpu_bits": 0,
                "edition": "string",
                "lang": "string",
                "name": "string",
                "sp_name": "string",
                "sp_ver": 0,
                "type": "string",
                "type_id": 0,
                "version": "string"
              },
              "owner": {
                "account": {
                  "labels": []
                },
                "credential_uid": "string",
                "domain": "string",
                "email_addr": "string",
                "full_name": "string",
                "groups": [
                  null
                ],
                "ldap_person": {
                  "email_addrs": [],
                  "labels": []
                },
                "mfa_status": "string",
                "mfa_status_id": 0,
                "name": "string",
                "org": {},
                "privileges": [
                  null
                ],
                "risk_level": "string",
                "risk_level_id": 0,
                "risk_score": 0,
                "type": "string",
                "type_id": 0,
                "uid": "string",
                "uid_alt": "string",
                "user_status": "string",
                "user_status_id": 0
              },
              "region": "string",
              "risk_level": "string",
              "risk_level_id": 0,
              "risk_score": 0,
              "subnet": "string",
              "subnet_uid": "string",
              "sw_info": [
                {}
              ],
              "type": "string",
              "type_id": 0,
              "uid": "string",
              "uid_alt": "string",
              "vendor": {
                "name": "string",
                "ou_name": "string",
                "ou_uid": "string",
                "uid": "string"
              },
              "vlan_uid": "string",
              "vpc_uid": "string",
              "zone": "string"
            },
            "log_level": "string",
            "log_name": "string",
            "log_provider": "string",
            "log_version": "string",
            "logged_time": 0,
            "logged_time_dt": "2019-08-24T14:15:22Z",
            "name": "string",
            "product": {
              "cpe_name": "string",
              "feature": {
                "name": "string",
                "uid": "string",
                "version": "string"
              },
              "lang": "string",
              "name": "string",
              "path": "string",
              "uid": "string",
              "url_string": "string",
              "vendor_name": "string",
              "version": "string"
            },
            "transmit_time": 0,
            "transmit_time_dt": "2019-08-24T14:15:22Z",
            "uid": "string",
            "version": "string"
          }
        ],
        "modified_time": 0,
        "modified_time_dt": "2019-08-24T14:15:22Z",
        "original_time": "string",
        "processed_time": 0,
        "processed_time_dt": "2019-08-24T14:15:22Z",
        "product": {
          "cpe_name": "string",
          "feature": {
            "name": "string",
            "uid": "string",
            "version": "string"
          },
          "lang": "string",
          "name": "string",
          "path": "string",
          "uid": "string",
          "url_string": "string",
          "vendor_name": "string",
          "version": "string"
        },
        "profiles": [
          "string"
        ],
        "sequence": 0,
        "tenant_uid": "string",
        "uid": "string",
        "version": "string"
      },
      "observables": [
        {
          "name": "string",
          "reputation": {
            "base_score": 0.1,
            "provider": "string",
            "score": "string",
            "score_id": 0
          },
          "type": "string",
          "type_id": 0,
          "value": "string"
        }
      ],
      "osint": [
        {
          "answers": [
            {
              "class": "string",
              "flag_ids": [
                0
              ],
              "flags": [
                "string"
              ],
              "packet_uid": 0,
              "rdata": "string",
              "ttl": 0,
              "type": "string"
            }
          ],
          "attacks": [
            {
              "sub_technique": {
                "name": "string",
                "src_url": "string",
                "uid": "string"
              },
              "tactic": {
                "name": "string",
                "src_url": "string",
                "uid": "string"
              },
              "tactics": [
                {}
              ],
              "technique": {
                "name": "string",
                "src_url": "string",
                "uid": "string"
              },
              "version": "string"
            }
          ],
          "autonomous_system": {
            "name": "string",
            "number": 0
          },
          "comment": "string",
          "confidence": "string",
          "confidence_id": 0,
          "email": {
            "cc": [
              "string"
            ],
            "delivered_to": "string",
            "from": "string",
            "message_uid": "string",
            "raw_header": "string",
            "reply_to": "string",
            "size": 0,
            "smtp_from": "string",
            "smtp_to": [
              "string"
            ],
            "subject": "string",
            "to": [
              "string"
            ],
            "uid": "string",
            "x_originating_ip": [
              "string"
            ]
          },
          "email_auth": {
            "dkim": "string",
            "dkim_domain": "string",
            "dkim_signature": "string",
            "dmarc": "string",
            "dmarc_override": "string",
            "dmarc_policy": "string",
            "spf": "string"
          },
          "kill_chain": [
            {
              "phase": "string",
              "phase_id": 0
            }
          ],
          "location": {
            "city": "string",
            "continent": "string",
            "coordinates": [
              0.1
            ],
            "country": "string",
            "desc": "string",
            "geohash": "string",
            "is_on_premises": true,
            "isp": "string",
            "lat": 0.1,
            "long": 0.1,
            "postal_code": "string",
            "provider": "string",
            "region": "string"
          },
          "name": "string",
          "signatures": [
            {
              "algorithm": "string",
              "algorithm_id": 0,
              "certificate": {
                "created_time": 0,
                "created_time_dt": "2019-08-24T14:15:22Z",
                "expiration_time": 0,
                "expiration_time_dt": "2019-08-24T14:15:22Z",
                "fingerprints": [
                  null
                ],
                "is_self_signed": true,
                "issuer": "string",
                "serial_number": "string",
                "subject": "string",
                "uid": "string",
                "version": "string"
              },
              "created_time": 0,
              "created_time_dt": "2019-08-24T14:15:22Z",
              "developer_uid": "string",
              "digest": {
                "algorithm": "string",
                "algorithm_id": 0,
                "value": "string"
              },
              "state": "string",
              "state_id": 0
            }
          ],
          "src_url": "string",
          "subdomains": [
            "string"
          ],
          "tlp": "string",
          "type": "string",
          "type_id": 0,
          "uid": "string",
          "value": "string",
          "vendor_name": "string",
          "vulnerabilities": [
            {
              "affected_code": [
                {}
              ],
              "affected_packages": [
                {}
              ],
              "cve": {
                "created_time": 0,
                "created_time_dt": "2019-08-24T14:15:22Z",
                "cvss": [
                  null
                ],
                "cwe": {},
                "cwe_uid": "string",
                "cwe_url": "string",
                "desc": "string",
                "epss": {},
                "modified_time": 0,
                "modified_time_dt": "2019-08-24T14:15:22Z",
                "product": {},
                "references": [
                  null
                ],
                "title": "string",
                "type": "string",
                "uid": "string"
              },
              "cwe": {
                "caption": "string",
                "src_url": "string",
                "uid": "string"
              },
              "desc": "string",
              "first_seen_time": 0,
              "first_seen_time_dt": "2019-08-24T14:15:22Z",
              "fix_available": true,
              "is_exploit_available": true,
              "is_fix_available": true,
              "kb_article_list": [
                {}
              ],
              "kb_articles": [
                "string"
              ],
              "last_seen_time": 0,
              "last_seen_time_dt": "2019-08-24T14:15:22Z",
              "packages": [
                {}
              ],
              "references": [
                "string"
              ],
              "related_vulnerabilities": [
                "string"
              ],
              "remediation": {
                "desc": "string",
                "kb_article_list": [
                  null
                ],
                "kb_articles": [
                  null
                ],
                "references": [
                  null
                ]
              },
              "severity": "string",
              "title": "string",
              "vendor_name": "string"
            }
          ],
          "whois": {
            "autonomous_system": {
              "name": "string",
              "number": 0
            },
            "created_time": 0,
            "created_time_dt": "2019-08-24T14:15:22Z",
            "dnssec_status": "string",
            "dnssec_status_id": 0,
            "domain": "string",
            "domain_contacts": [
              {
                "email_addr": "string",
                "location": {
                  "coordinates": []
                },
                "name": "string",
                "phone_number": "string",
                "type": "string",
                "type_id": 0,
                "uid": "string"
              }
            ],
            "email_addr": "string",
            "last_seen_time": 0,
            "last_seen_time_dt": "2019-08-24T14:15:22Z",
            "name_servers": [
              "string"
            ],
            "phone_number": "string",
            "registrar": "string",
            "status": "string",
            "subdomains": [
              "string"
            ],
            "subnet": "string"
          }
        }
      ],
      "raw_data": "string",
      "severity": "string",
      "severity_id": 0,
      "start_time": 0,
      "start_time_dt": "2019-08-24T14:15:22Z",
      "status": "string",
      "status_code": "string",
      "status_detail": "string",
      "status_id": 0,
      "time": 0,
      "time_dt": "2019-08-24T14:15:22Z",
      "timezone_offset": 0,
      "type_name": "string",
      "type_uid": 0,
      "unmapped": {}
    }
  }'

Responses

Bodyapplication/json
deviceobject(ocsfv1.3.0inventoryinfoInventoryInfo)required

Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.

device.​activity_idinteger(ocsfv1.3.0inventoryinfoActivityId)required

ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Log: The discovered information is via a log. 2 - Collect: The discovered information is via a collection process. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

device.​category_uidinteger(ocsfv1.3.0inventoryinfoCategoryUid)required

CategoryUid is an enum, and the following values are allowed. 5 - Discovery: Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.

device.​class_uidinteger(ocsfv1.3.0inventoryinfoClassUid)required

ClassUid is an enum, and the following values are allowed. 5001 - DeviceInventoryInfo: Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.

device.​deviceobject(ocsfv1.3.0inventoryinfoDevice)required

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

device.​device.​type_idinteger(ocsfv1.3.0inventoryinfoDevice_TypeId)required
device.​device.​agent_listArray of objects or null(ocsfv1.3.0inventoryinfoAgent)

A list of agent objects associated with a device, endpoint, or resource.

device.​device.​autoscale_uidstring or null

The unique identifier of the cloud autoscale configuration.

device.​device.​boot_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​device.​boot_time_dtstring or null(date-time)

The time the system was booted.

device.​device.​containerobject(ocsfv1.3.0inventoryinfoContainer)

The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.

device.​device.​created_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​device.​created_time_dtstring or null(date-time)

The time when the device was known to have been created.

device.​device.​descstring or null

The description of the device, ordinarily as reported by the operating system.

device.​device.​domainstring or null

The network domain where the device resides. For example: work.example.com.

device.​device.​first_seen_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​device.​first_seen_time_dtstring or null(date-time)

The initial discovery time of the device.

device.​device.​groupsArray of objects or null(ocsfv1.3.0inventoryinfoGroup)

The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].

device.​device.​hostnamestring(ocsfv1.3.0inventoryinfoHostname)

Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.

device.​device.​hw_infoobject(ocsfv1.3.0inventoryinfoDeviceHwInfo)

The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.

device.​device.​hypervisorstring or null

The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.

device.​device.​imageobject(ocsfv1.3.0inventoryinfoImage)

The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage.

device.​device.​imeistring or null

The International Mobile Station Equipment Identifier that is associated with the device.

device.​device.​instance_uidstring or null

The unique identifier of a VM instance.

device.​device.​interface_namestring or null

The name of the network interface (e.g. eth2).

device.​device.​interface_uidstring or null

The unique identifier of the network interface.

device.​device.​ipstring(ocsfv1.3.0inventoryinfoIPAddress)

Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

device.​device.​ip_addressesArray of strings or null

A list of IP addresses available on the device

device.​device.​is_compliantboolean or null

The event occurred on a compliant device.

device.​device.​is_managedboolean or null

The event occurred on a managed device.

device.​device.​is_personalboolean or null

The event occurred on a personal device.

device.​device.​is_trustedboolean or null

The event occurred on a trusted device.

device.​device.​last_seen_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​device.​last_seen_time_dtstring or null(date-time)

The most recent discovery time of the device.

device.​device.​locationobject(ocsfv1.3.0inventoryinfoLocation)

The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.

device.​device.​macstring(ocsfv1.3.0inventoryinfoMACAddress)

Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.

device.​device.​mac_addressesArray of strings or null

A list of MAC addresses available on the device

device.​device.​modified_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​device.​modified_time_dtstring or null(date-time)

The time when the device was last known to have been modified.

device.​device.​namestring or null

The alternate device name, ordinarily as assigned by an administrator.

Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.

device.​device.​namespace_pidinteger or null

If running under a process namespace (such as in a container), the process identifier within that process namespace.

device.​device.​netbios_namesArray of strings or null

A list of NetBIOS names available on the device

device.​device.​network_interfacesArray of objects or null(ocsfv1.3.0inventoryinfoNetworkInterface)

The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.

Note: The first element of the array is the network information that pertains to the event.

device.​device.​network_statusstring or null

The network isolation status of the endpoiint

device.​device.​network_status_idinteger(ocsfv1.3.0inventoryinfoDevice_NetworkStatusId)

DeviceNetworkStatusId is an enum, and the following values are allowed. 1 - NotIsolated: Device is not isolated from the network. 2 - Isolated: Device is isolated from the network. 99 - Unknown: The network isolation status is unknown.

device.​device.​orgobject(ocsfv1.3.0inventoryinfoOrganization)

The Organization object describes characteristics of an organization or company and its division if any.

device.​device.​osobject(ocsfv1.3.0inventoryinfoOs)

The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem.

device.​device.​ownerobject(ocsfv1.3.0inventoryinfoUser)

The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

device.​device.​regionstring or null

The region where the virtual machine is located. For example, an AWS Region.

device.​device.​risk_levelstring or null

The risk level, normalized to the caption of the risk_level_id value.

device.​device.​risk_level_idinteger(ocsfv1.3.0inventoryinfoDevice_RiskLevelId)

DeviceRiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.

device.​device.​risk_scoreinteger or null

The risk score as reported by the event source.

device.​device.​subnetstring(ocsfv1.3.0inventoryinfoSubnet)

The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet.

For example:
  • 192.168.1.0/24
  • 2001:0db8:85a3:0000::/64

device.​device.​subnet_uidstring or null

The unique identifier of a virtual subnet.

device.​device.​sw_infoArray of objects or null(ocsfv1.3.0inventoryinfoProduct)

The list of software contained on a device

device.​device.​typestring or null

The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, plc, scada, dcs, cnc, scientific, medical, lighting, energy, transportation other.

device.​device.​uidstring or null

The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.

device.​device.​uid_altstring or null

An alternate unique identifier of the device if any. For example the ActiveDirectory DN.

device.​device.​vendorobject(ocsfv1.3.0inventoryinfoOrganization)

The Organization object describes characteristics of an organization or company and its division if any.

device.​device.​vlan_uidstring or null

The Virtual LAN identifier.

device.​device.​vpc_uidstring or null

The unique identifier of the Virtual Private Cloud (VPC).

device.​device.​zonestring or null

The network zone or LAN segment.

device.​metadataobject(ocsfv1.3.0inventoryinfoMetadata)required

The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.

device.​metadata.​productobject(ocsfv1.3.0inventoryinfoProduct)required

The Product object describes characteristics of a software product.

device.​metadata.​product.​vendor_namestringrequired

The name of the vendor of the product.

device.​metadata.​product.​cpe_namestring or null

The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.

device.​metadata.​product.​featureobject(ocsfv1.3.0inventoryinfoFeature)

The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.

device.​metadata.​product.​langstring or null

The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

device.​metadata.​product.​namestring or null

The name of the product.

device.​metadata.​product.​pathstring or null

The installation path of the product.

device.​metadata.​product.​uidstring or null

The unique identifier of the product.

device.​metadata.​product.​url_stringstring(ocsfv1.3.0inventoryinfoURLString)

Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

device.​metadata.​product.​versionstring or null

The version of the product, as defined by the event source. For example: 2013.1.3-beta.

device.​metadata.​versionstringrequired

The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

device.​metadata.​correlation_uidstring or null

The unique identifier used to correlate events.

device.​metadata.​event_codestring or null

The Event ID or Code that the product uses to describe the event.

device.​metadata.​extensionobject(ocsfv1.3.0inventoryinfoExtension)

The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.

device.​metadata.​extensionsArray of objects or null(ocsfv1.3.0inventoryinfoExtension)

The schema extensions used to create the event.

device.​metadata.​labelsArray of strings or null

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: ["network", "connection.ip:destination", "device.ip:source"]
device.​metadata.​log_levelstring or null

The audit level at which an event was generated.

device.​metadata.​log_namestring or null

The event log name. For example, syslog file name or Windows logging subsystem: Security.

device.​metadata.​log_providerstring or null

The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

device.​metadata.​log_versionstring or null

The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

device.​metadata.​logged_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​metadata.​logged_time_dtstring or null(date-time)

The time when the logging system collected and logged the event.

This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
device.​metadata.​loggersArray of objects or null(ocsfv1.3.0inventoryinfoLogger)

An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.

device.​metadata.​modified_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​metadata.​modified_time_dtstring or null(date-time)

The time when the event was last modified or enriched.

device.​metadata.​original_timestring or null

The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.

device.​metadata.​processed_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​metadata.​processed_time_dtstring or null(date-time)

The event processed time, such as an ETL operation.

device.​metadata.​profilesArray of strings or null

The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

device.​metadata.​sequenceinteger or null

Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

device.​metadata.​tenant_uidstring or null

The unique tenant identifier.

device.​metadata.​uidstring or null

The logging system-assigned unique identifier of an event instance.

device.​severity_idinteger(ocsfv1.3.0inventoryinfoSeverityId)required

SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

device.​timeinteger(ocsfv1.3.0inventoryinfoTimestamp)required

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​type_uidinteger(ocsfv1.3.0inventoryinfoTypeUid)required

TypeUid is an enum, and the following values are allowed. 500100 - Unknown 500101 - Log: The discovered information is via a log. 500102 - Collect: The discovered information is via a collection process. 500199 - Other

device.​activity_namestring or null

The event activity name, as defined by the activity_id.

device.​actorobject(ocsfv1.3.0inventoryinfoActor)

The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.

device.​apiobject(ocsfv1.3.0inventoryinfoApi)

The API, or Application Programming Interface, object represents information pertaining to an API request and response.

device.​category_namestring or null

The event category name, as defined by category_uid value: Discovery.

device.​cloudobject(ocsfv1.3.0inventoryinfoCloud)

The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.

device.​countinteger or null

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

device.​custom_fieldsobject(ocsfv1.3.0inventoryinfoObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

device.​durationinteger or null

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

device.​end_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​end_time_dtstring or null(date-time)

The end time of a time period, or the time of the most recent event included in the aggregate event.

device.​enrichmentsArray of objects or null(ocsfv1.3.0inventoryinfoEnrichment)

The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:

[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

device.​messagestring or null

The description of the event/finding, as defined by the source.

device.​observablesArray of objects or null(ocsfv1.3.0inventoryinfoObservable)

The observables associated with the event or a finding.

device.​osintArray of objects or null(ocsfv1.3.0inventoryinfoOsint)

The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

device.​raw_datastring or null

The raw event/finding data as received from the source.

device.​severitystring or null

The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

device.​start_timeinteger(ocsfv1.3.0inventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

device.​start_time_dtstring or null(date-time)

The start time of a time period, or the time of the least recent event included in the aggregate event.

device.​statusstring or null

The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.

device.​status_codestring or null

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.

device.​status_detailstring or null

The status detail contains additional information about the event/finding outcome.

device.​status_idinteger(ocsfv1.3.0inventoryinfoStatusId)

StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

device.​time_dtstring or null(date-time)

The normalized event occurrence time or the finding creation time.

device.​timezone_offsetinteger or null

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

device.​type_namestring or null

The event/finding type name, as defined by the type_uid.

device.​unmappedobject(ocsfv1.3.0inventoryinfoObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

metaobject(MetaResponse)
Response
application/json
{ "device": { "activity_id": 0, "activity_name": "string", "actor": {}, "api": {}, "category_name": "string", "category_uid": 0, "class_uid": 0, "cloud": {}, "count": 0, "custom_fields": {}, "device": {}, "duration": 0, "end_time": 0, "end_time_dt": "2019-08-24T14:15:22Z", "enrichments": [], "message": "string", "metadata": {}, "observables": [], "osint": [], "raw_data": "string", "severity": "string", "severity_id": 0, "start_time": 0, "start_time_dt": "2019-08-24T14:15:22Z", "status": "string", "status_code": "string", "status_detail": "string", "status_id": 0, "time": 0, "time_dt": "2019-08-24T14:15:22Z", "timezone_offset": 0, "type_name": "string", "type_uid": 0, "unmapped": {} }, "meta": { "stats": {}, "api": {} } }

Edr

Operations

Hooks

Operations

Identity

Operations

Notifications

Operations

Operations (In Development)

In Development

This feature is actively being developed. Breaking changes should be expected.

Please contact us before using this feature.

Operations

Siem

Operations

Sink

Operations

Storage

Operations

Ticketing

Operations

Vulnerabilities

Operations