The Synqly Connector APIs provide a unifying interface and data model for all supported service Providers.
See the Synqly Overview for more information.
The Synqly Connector APIs provide a unifying interface and data model for all supported service Providers.
See the Synqly Overview for more information.
Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta function are available at every endpoint.
Select a field to order the results by. Defaults to name. To control the direction of the sorting, append [asc] or [desc] to the field name. For example, name[asc] will sort the results by name in ascending order. The ordering defaults to asc if not specified.
Filter results by this query. For more information on filtering, refer to our Filtering Guide. Defaults to no filter. If used more than once, the queries are ANDed together.
curl -i -X GET \
https://api.synqly.com/v1/cloudsecurity/cloudresourcesinventory \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'List of cloud resources that match the query.
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Log: The discovered information is via a log. 2 - Collect: The discovered information is via a collection process. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 5 - Discovery: Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.
ClassUid is an enum, and the following values are allowed. 5023 - CloudResourcesInventoryInfo: Cloud Resources Inventory Info events report cloud asset inventory data that is either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.
The Metadata object describes the metadata associated with the event.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example:http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
Debug information about non-fatal issues with this OCSF event. Each issue is a line in this string array.
The Event ID, Code, or Name that the product uses to primarily identify the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of labels attached to the event. For example: ["sample", "dev"]
The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
TypeUid is an enum, and the following values are allowed. 502300 - Unknown 502301 - Log: The discovered information is via a log. 502302 - Collect: The discovered information is via a collection process. 502399 - Other
ActionId is an enum, and the following values are allowed. 0 - Unknown: The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'. 1 - Allowed: The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc. 2 - Denied: The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc. 3 - Observed: The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc. 4 - Modified: The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'. 99 - Other: The action is not mapped. See the action attribute which contains a data source specific value.
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity. Note that Actor is not the threat actor of a campaign but may be part of a campaign.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques.
Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.
The event category name, as defined by category_uid value: Discovery.
The Cloud object contains information about a cloud or Software-as-a-Service account or similar construct, such as AWS Account ID, regions, organizations, folders, compartments, tenants, etc.
The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
ConfidenceId is an enum, and the following values are allowed. 0 - Unknown: The normalized confidence is unknown. 1 - Low 2 - Medium 3 - High 99 - Other: The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.
The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.
The databucket object is a basic container that holds data, typically organized through the use of data partitions.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.
The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.
DispositionId is an enum, and the following values are allowed. 0 - Unknown: The disposition is unknown. 1 - Allowed: Granted access or allowed the action to the protected resource. 2 - Blocked: Denied access or blocked the action to the protected resource. 3 - Quarantined: A suspicious file or other content was moved to a benign location. 4 - Isolated: A session was isolated on the network or within a browser. 5 - Deleted: A file or other content was deleted. 6 - Dropped: The request was detected as a threat and resulted in the connection being dropped. 7 - CustomAction: A custom action was executed such as running of a command script. Use the message attribute of the base class for details. 8 - Approved: A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'. 9 - Restored: A quarantined file or other content was restored to its original location. 10 - Exonerated: A suspicious or risky entity was deemed to no longer be suspicious (re-scored). 11 - Corrected: A corrupt file or configuration was corrected. 12 - PartiallyCorrected: A corrupt file or configuration was partially corrected. 13 - Uncorrected: A corrupt file or configuration was not corrected. 14 - Delayed: An operation was delayed, for example if a restart was required to finish the operation. 15 - Detected: Suspicious activity or a policy violation was detected without further action. 16 - NoAction: The outcome of an operation had no action taken. 17 - Logged: The operation or action was logged without further action. 18 - Tagged: A file or other entity was marked with extended attributes. 19 - Alert: The request or activity was detected as a threat and resulted in a notification but request was not blocked. 20 - Count: Counted the request or activity but did not determine whether to allow it or block it. 21 - Reset: The request was detected as a threat and resulted in the connection being reset. 22 - Captcha: Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request. 23 - Challenge: Ran a silent challenge that required the client session to verify that it's a browser, and not a bot. 24 - AccessRevoked: The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class. 25 - Rejected: A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'. 26 - Unauthorized: An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail. 27 - Error: An error occurred during the processing of the activity or request. Use the message attribute of the base class for details. 99 - Other: The disposition is not mapped. See the disposition attribute, which contains a data source specific value.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]The Firewall Rule object represents a specific rule within a firewall policy or event. It contains information about a rule's configuration, properties, and associated actions that define how network traffic is handled by the firewall.
The Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications. An Identity Provider (IdP) serves as a trusted authority that verifies the identity of users and issues authentication tokens or assertions to enable secure access to applications or services.
Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.
A list of Malware objects, describing details about the identified malware.
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The Policy object describes the policies that are applicable.
Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.
The cloud region where the resource is located, e.g., us-isof-south-1, eastus2, us-central1, etc.
The cloud resource(s) that are being discovered by an inventory process. Use this object if there is not a direct object match in the class.
The risk level, normalized to the caption of the risk_level_id value.
RiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
{ "result": [ { … } ], "cursor": "string", "meta": { "stats": { … }, "api": { … } } }
Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta function are available at every endpoint.
Select a field to order the results by. Defaults to name. To control the direction of the sorting, append [asc] or [desc] to the field name. For example, name[asc] will sort the results by name in ascending order. The ordering defaults to asc if not specified.
curl -i -X GET \
https://api.synqly.com/v1/cloudsecurity/compliancefindings \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'List of compliance findings that match the query.
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: A finding was created. 2 - Update: A finding was updated. 3 - Close: A finding was closed. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 2 - Findings: Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.
ClassUid is an enum, and the following values are allowed. 2003 - ComplianceFinding: Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001 etc.
The Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements.
Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001
A list of sources of information or tools that help organizations understand, interpret, and implement compliance standards. They provide guidance, best practices, and examples.
A list of established guidelines or criteria that define specific requirements an organization must follow.
A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.
A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10
The resultant status of the compliance check normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The contextual description of the status, status_code values.
ComplianceStatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Pass: The compliance check passed for all the evaluated resources. 2 - Warning: The compliance check did not yield a result due to missing information. 3 - Fail: The compliance check failed for at least one of the evaluated resources. 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The Finding Information object describes metadata related to a security finding generated by a security tool or system.
A title or a brief phrase summarizing the reported finding.
The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.
The MITRE ATT&CK® technique and associated tactics related to the finding.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the finding was created.
A list of data sources utilized in generation of the finding.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the finding was first observed. e.g. The time when a vulnerability was first observed.
It can differ from the created_time timestamp, which reflects the time this finding was created.
The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.
It can differ from the modified_time timestamp, which reflects the time this finding was last modified.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the finding was last modified.
The unique identifier of the product that reported the finding.
Other analytics related to this finding.
Describes events and/or other findings related to the finding as identified by the security product.
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example:["network", "connection.ip:destination", "device.ip:source"]The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
TypeUid is an enum, and the following values are allowed. 200300 - Unknown 200301 - Create: A finding was created. 200302 - Update: A finding was updated. 200303 - Close: A finding was closed. 200399 - Other
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The event category name, as defined by category_uid value: Findings.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
ConfidenceId is an enum, and the following values are allowed. 0 - Unknown: The normalized confidence is unknown. 1 - Low 2 - Medium 3 - High 99 - Other: The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time of the most recent event included in the finding.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The Remediation object describes the recommended remediation steps to address identified issue(s).
The Resource Details object describes details about resources that were affected by the activity/event.
Describes details about the resource/resouces that are the subject of the compliance check.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time of the least recent event included in the finding.
The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - New: The Finding is new and yet to be reviewed. 2 - InProgress: The Finding is under review. 3 - Suppressed: The Finding was reviewed, determined to be benign or a false positive and is now suppressed. 4 - Resolved: The Finding was reviewed, remediated and is now considered resolved. 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
{ "result": [ { … } ], "cursor": "string", "meta": { "stats": { … }, "api": { … } } }