Connector API

The Synqly Connector APIs provide a unifying interface and data model for all supported service Providers.

See the Synqly Overview for more information.

Download OpenAPI description
Languages
Servers
Synqly
https://api.synqly.com/

Assets

Operations

Cloudsecurity

Operations

Query Cloud Resource Inventory

Request

Returns a list of cloud resources that match the query from the cloud security provider.

Query
metaArray of strings or null

Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta function are available at every endpoint.

limitinteger or null

Number of cloud resources to return. Defaults to 500.

orderArray of strings or null

Select a field to order the results by. Defaults to name. To control the direction of the sorting, append [asc] or [desc] to the field name. For example, name[asc] will sort the results by name in ascending order. The ordering defaults to asc if not specified.

filterArray of strings or null

Filter results by this query. For more information on filtering, refer to our Filtering Guide. Defaults to no filter. If used more than once, the queries are ANDed together.

cursorstring or null

Start search from cursor position.

curl -i -X GET \
  https://api.synqly.com/v1/cloudsecurity/cloudresourcesinventory \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Bodyapplication/json
resultArray of objects(ocsfv1.4.0cloudresourcesinventoryinfoCloudResourcesInventoryInfo)required

List of cloud resources that match the query.

result[].​activity_idinteger(ocsfv1.4.0cloudresourcesinventoryinfoActivityId)required

ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Log: The discovered information is via a log. 2 - Collect: The discovered information is via a collection process. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

result[].​category_uidinteger(ocsfv1.4.0cloudresourcesinventoryinfoCategoryUid)required

CategoryUid is an enum, and the following values are allowed. 5 - Discovery: Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.

result[].​class_uidinteger(ocsfv1.4.0cloudresourcesinventoryinfoClassUid)required

ClassUid is an enum, and the following values are allowed. 5023 - CloudResourcesInventoryInfo: Cloud Resources Inventory Info events report cloud asset inventory data that is either logged or proactively collected. For example, use this event class when creating an inventory of cloud resource information from a Configuration Management Database (CMDB), Cyber Asset Attack Surface Management (CAASM), direct public cloud service provider APIs, Software-as-a-Service (SaaS) APIs, or otherwise.

result[].​metadataobject(ocsfv1.4.0cloudresourcesinventoryinfoMetadata)required

The Metadata object describes the metadata associated with the event.

result[].​metadata.​productobject(ocsfv1.4.0cloudresourcesinventoryinfoProduct)required

The Product object describes characteristics of a software product.

result[].​metadata.​product.​cpe_namestring or null

The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.

result[].​metadata.​product.​featureobject(ocsfv1.4.0cloudresourcesinventoryinfoFeature)

The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.

result[].​metadata.​product.​langstring or null

The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

result[].​metadata.​product.​namestring or null

The name of the product.

result[].​metadata.​product.​pathstring or null

The installation path of the product.

result[].​metadata.​product.​uidstring or null

The unique identifier of the product.

result[].​metadata.​product.​url_stringstring(ocsfv1.4.0cloudresourcesinventoryinfoURLString)

Uniform Resource Locator (URL) string. For example:
http://www.example.com/download/trouble.exe.

result[].​metadata.​product.​vendor_namestring or null

The name of the vendor of the product.

result[].​metadata.​product.​versionstring or null

The version of the product, as defined by the event source. For example: 2013.1.3-beta.

result[].​metadata.​versionstringrequired

The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

result[].​metadata.​correlation_uidstring or null

The unique identifier used to correlate events.

result[].​metadata.​debugArray of strings or null

Debug information about non-fatal issues with this OCSF event. Each issue is a line in this string array.

result[].​metadata.​event_codestring or null

The Event ID, Code, or Name that the product uses to primarily identify the event.

result[].​metadata.​extensionobject(ocsfv1.4.0cloudresourcesinventoryinfoExtension)

The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.

result[].​metadata.​extensionsArray of objects or null(ocsfv1.4.0cloudresourcesinventoryinfoExtension)

The schema extensions used to create the event.

result[].​metadata.​labelsArray of strings or null

The list of labels attached to the event. For example: ["sample", "dev"]

result[].​metadata.​log_levelstring or null

The audit level at which an event was generated.

result[].​metadata.​log_namestring or null

The event log name. For example, syslog file name or Windows logging subsystem: Security.

result[].​metadata.​log_providerstring or null

The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

result[].​metadata.​log_versionstring or null

The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

result[].​metadata.​logged_timeinteger(ocsfv1.4.0cloudresourcesinventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:
1618524549901.

result[].​metadata.​logged_time_dtstring or null(date-time)

The time when the logging system collected and logged the event.

This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
result[].​metadata.​loggersArray of objects or null(ocsfv1.4.0cloudresourcesinventoryinfoLogger)

An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.

result[].​metadata.​modified_timeinteger(ocsfv1.4.0cloudresourcesinventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:
1618524549901.

result[].​metadata.​modified_time_dtstring or null(date-time)

The time when the event was last modified or enriched.

result[].​metadata.​original_timestring or null

The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.

result[].​metadata.​processed_timeinteger(ocsfv1.4.0cloudresourcesinventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:
1618524549901.

result[].​metadata.​processed_time_dtstring or null(date-time)

The event processed time, such as an ETL operation.

result[].​metadata.​profilesArray of strings or null

The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

result[].​metadata.​sequenceinteger or null

Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

result[].​metadata.​tagsArray of objects or null(ocsfv1.4.0cloudresourcesinventoryinfoKeyValueObject)

The list of tags; {key:value} pairs associated to the event.

result[].​metadata.​tenant_uidstring or null

The unique tenant identifier.

result[].​metadata.​uidstring or null

The logging system-assigned unique identifier of an event instance.

result[].​severity_idinteger(ocsfv1.4.0cloudresourcesinventoryinfoSeverityId)required

SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

result[].​timeinteger(ocsfv1.4.0cloudresourcesinventoryinfoTimestamp)required

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:
1618524549901.

result[].​type_uidinteger(ocsfv1.4.0cloudresourcesinventoryinfoTypeUid)required

TypeUid is an enum, and the following values are allowed. 502300 - Unknown 502301 - Log: The discovered information is via a log. 502302 - Collect: The discovered information is via a collection process. 502399 - Other

result[].​actionstring or null

The normalized caption of action_id.

result[].​action_idinteger(ocsfv1.4.0cloudresourcesinventoryinfoActionId)

ActionId is an enum, and the following values are allowed. 0 - Unknown: The action was unknown. The disposition_id attribute may still be set to a non-unknown value, for example 'Custom Action', 'Challenge'. 1 - Allowed: The activity was allowed. The disposition_id attribute should be set to a value that conforms to this action, for example 'Allowed', 'Approved', 'Delayed', 'No Action', 'Count' etc. 2 - Denied: The attempted activity was denied. The disposition_id attribute should be set to a value that conforms to this action, for example 'Blocked', 'Rejected', 'Quarantined', 'Isolated', 'Dropped', 'Access Revoked, etc. 3 - Observed: The activity was observed, but neither explicitly allowed nor denied. This is common with IDS and EDR controls that report additional information on observed behavior such as TTPs. The disposition_id attribute should be set to a value that conforms to this action, for example 'Logged', 'Alert', 'Detected', 'Count', etc. 4 - Modified: The activity was modified, adjusted, or corrected. The disposition_id attribute should be set appropriately, for example 'Restored', 'Corrected', 'Delayed', 'Captcha', 'Tagged'. 99 - Other: The action is not mapped. See the action attribute which contains a data source specific value.

result[].​activity_namestring or null

The event activity name, as defined by the activity_id.

result[].​actorobject(ocsfv1.4.0cloudresourcesinventoryinfoActor)

The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity. Note that Actor is not the threat actor of a campaign but may be part of a campaign.

result[].​apiobject(ocsfv1.4.0cloudresourcesinventoryinfoApi)

The API, or Application Programming Interface, object represents information pertaining to an API request and response.

result[].​attacksArray of objects or null(ocsfv1.4.0cloudresourcesinventoryinfoAttack)

An array of MITRE ATT&CK® objects describing identified tactics, techniques & sub-techniques.

result[].​authorizationsArray of objects or null(ocsfv1.4.0cloudresourcesinventoryinfoAuthorization)

Provides details about an authorization, such as authorization outcome, and any associated policies related to the activity/event.

result[].​category_namestring or null

The event category name, as defined by category_uid value: Discovery.

result[].​cloudobject(ocsfv1.4.0cloudresourcesinventoryinfoCloud)

The Cloud object contains information about a cloud or Software-as-a-Service account or similar construct, such as AWS Account ID, regions, organizations, folders, compartments, tenants, etc.

result[].​confidencestring or null

The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.

result[].​confidence_idinteger(ocsfv1.4.0cloudresourcesinventoryinfoConfidenceId)

ConfidenceId is an enum, and the following values are allowed. 0 - Unknown: The normalized confidence is unknown. 1 - Low 2 - Medium 3 - High 99 - Other: The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.

result[].​confidence_scoreinteger or null

The confidence score as reported by the event source.

result[].​containerobject(ocsfv1.4.0cloudresourcesinventoryinfoContainer)

The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.

result[].​countinteger or null

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

result[].​custom_fieldsobject(ocsfv1.4.0cloudresourcesinventoryinfoObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

result[].​databaseobject(ocsfv1.4.0cloudresourcesinventoryinfoDatabase)

The database object is used for databases which are typically datastore services that contain an organized collection of structured and unstructured data or a types of data.

result[].​databucketobject(ocsfv1.4.0cloudresourcesinventoryinfoDatabucket)

The databucket object is a basic container that holds data, typically organized through the use of data partitions.

result[].​deviceobject(ocsfv1.4.0cloudresourcesinventoryinfoDevice)

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network.

result[].​dispositionstring or null

The disposition name, normalized to the caption of the disposition_id value. In the case of 'Other', it is defined by the event source.

result[].​disposition_idinteger(ocsfv1.4.0cloudresourcesinventoryinfoDispositionId)

DispositionId is an enum, and the following values are allowed. 0 - Unknown: The disposition is unknown. 1 - Allowed: Granted access or allowed the action to the protected resource. 2 - Blocked: Denied access or blocked the action to the protected resource. 3 - Quarantined: A suspicious file or other content was moved to a benign location. 4 - Isolated: A session was isolated on the network or within a browser. 5 - Deleted: A file or other content was deleted. 6 - Dropped: The request was detected as a threat and resulted in the connection being dropped. 7 - CustomAction: A custom action was executed such as running of a command script. Use the message attribute of the base class for details. 8 - Approved: A request or submission was approved. For example, when a form was properly filled out and submitted. This is distinct from 1 'Allowed'. 9 - Restored: A quarantined file or other content was restored to its original location. 10 - Exonerated: A suspicious or risky entity was deemed to no longer be suspicious (re-scored). 11 - Corrected: A corrupt file or configuration was corrected. 12 - PartiallyCorrected: A corrupt file or configuration was partially corrected. 13 - Uncorrected: A corrupt file or configuration was not corrected. 14 - Delayed: An operation was delayed, for example if a restart was required to finish the operation. 15 - Detected: Suspicious activity or a policy violation was detected without further action. 16 - NoAction: The outcome of an operation had no action taken. 17 - Logged: The operation or action was logged without further action. 18 - Tagged: A file or other entity was marked with extended attributes. 19 - Alert: The request or activity was detected as a threat and resulted in a notification but request was not blocked. 20 - Count: Counted the request or activity but did not determine whether to allow it or block it. 21 - Reset: The request was detected as a threat and resulted in the connection being reset. 22 - Captcha: Required the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request. 23 - Challenge: Ran a silent challenge that required the client session to verify that it's a browser, and not a bot. 24 - AccessRevoked: The requestor's access has been revoked due to security policy enforcements. Note: use the Host profile if the User or Actor requestor is not present in the event class. 25 - Rejected: A request or submission was rejected. For example, when a form was improperly filled out and submitted. This is distinct from 2 'Blocked'. 26 - Unauthorized: An attempt to access a resource was denied due to an authorization check that failed. This is a more specific disposition than 2 'Blocked' and can be complemented with the authorizations attribute for more detail. 27 - Error: An error occurred during the processing of the activity or request. Use the message attribute of the base class for details. 99 - Other: The disposition is not mapped. See the disposition attribute, which contains a data source specific value.

result[].​durationinteger or null

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

result[].​end_timeinteger(ocsfv1.4.0cloudresourcesinventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:
1618524549901.

result[].​end_time_dtstring or null(date-time)

The end time of a time period, or the time of the most recent event included in the aggregate event.

result[].​enrichmentsArray of objects or null(ocsfv1.4.0cloudresourcesinventoryinfoEnrichment)

The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:

[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

result[].​firewall_ruleobject(ocsfv1.4.0cloudresourcesinventoryinfoFirewallRule)

The Firewall Rule object represents a specific rule within a firewall policy or event. It contains information about a rule's configuration, properties, and associated actions that define how network traffic is handled by the firewall.

result[].​idpobject(ocsfv1.4.0cloudresourcesinventoryinfoIdp)

The Identity Provider object contains detailed information about a provider responsible for creating, maintaining, and managing identity information while offering authentication services to applications. An Identity Provider (IdP) serves as a trusted authority that verifies the identity of users and issues authentication tokens or assertions to enable secure access to applications or services.

result[].​is_alertboolean or null

Indicates that the event is considered to be an alertable signal. Should be set to true if disposition_id = Alert among other dispositions, and/or risk_level_id or severity_id of the event is elevated. Not all control events will be alertable, for example if disposition_id = Exonerated or disposition_id = Allowed.

result[].​malwareArray of objects or null(ocsfv1.4.0cloudresourcesinventoryinfoMalware)

A list of Malware objects, describing details about the identified malware.

result[].​messagestring or null

The description of the event/finding, as defined by the source.

result[].​observablesArray of objects or null(ocsfv1.4.0cloudresourcesinventoryinfoObservable)

The observables associated with the event or a finding.

result[].​osintArray of objects or null(ocsfv1.4.0cloudresourcesinventoryinfoOsint)

The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

result[].​policyobject(ocsfv1.4.0cloudresourcesinventoryinfoPolicy)

The Policy object describes the policies that are applicable.

Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.

result[].​raw_datastring or null

The raw event/finding data as received from the source.

result[].​regionstring or null

The cloud region where the resource is located, e.g., us-isof-south-1, eastus2, us-central1, etc.

result[].​resourcesArray of objects or null(ocsfv1.4.0cloudresourcesinventoryinfoResourceDetails)

The cloud resource(s) that are being discovered by an inventory process. Use this object if there is not a direct object match in the class.

result[].​risk_detailsstring or null

Describes the risk associated with the finding.

result[].​risk_levelstring or null

The risk level, normalized to the caption of the risk_level_id value.

result[].​risk_level_idinteger(ocsfv1.4.0cloudresourcesinventoryinfoRiskLevelId)

RiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.

result[].​risk_scoreinteger or null

The risk score as reported by the event source.

result[].​severitystring or null

The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

result[].​start_timeinteger(ocsfv1.4.0cloudresourcesinventoryinfoTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example:
1618524549901.

result[].​start_time_dtstring or null(date-time)

The start time of a time period, or the time of the least recent event included in the aggregate event.

result[].​statusstring or null

The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.

result[].​status_codestring or null

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.

result[].​status_detailstring or null

The status detail contains additional information about the event/finding outcome.

result[].​status_idinteger(ocsfv1.4.0cloudresourcesinventoryinfoStatusId)

StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

result[].​tableobject(ocsfv1.4.0cloudresourcesinventoryinfoTable)

The table object represents a table within a structured relational database or datastore, which contains columns and rows of data that are able to be create, updated, deleted and queried.

result[].​time_dtstring or null(date-time)

The normalized event occurrence time or the finding creation time.

result[].​timezone_offsetinteger or null

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

result[].​type_namestring or null

The event/finding type name, as defined by the type_uid.

result[].​unmappedobject(ocsfv1.4.0cloudresourcesinventoryinfoObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

cursorstringrequired

Cursor to use to retrieve the next page of results

metaobject(MetaResponse)
Response
application/json
{ "result": [ {} ], "cursor": "string", "meta": { "stats": {}, "api": {} } }

Query Compliance Findings

Request

Returns a list of compliance findings matching the query from the cloud security provider.

Query
metaArray of strings or null

Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta function are available at every endpoint.

limitinteger or null

Number of compliance findings to return. Defaults to 50.

cursorstring or null

Start search from cursor position.

orderArray of strings or null

Select a field to order the results by. Defaults to name. To control the direction of the sorting, append [asc] or [desc] to the field name. For example, name[asc] will sort the results by name in ascending order. The ordering defaults to asc if not specified.

filterArray of strings or null

Filter results by this query. For more information on filtering, refer to our Filtering Guide. Defaults to no filter. If used more than once, the queries are ANDed together.

curl -i -X GET \
  https://api.synqly.com/v1/cloudsecurity/compliancefindings \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Bodyapplication/json
resultArray of objects(ocsfv1.3.0compliancefindingComplianceFinding)required

List of compliance findings that match the query.

result[].​activity_idinteger(ocsfv1.3.0compliancefindingActivityId)required

ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: A finding was created. 2 - Update: A finding was updated. 3 - Close: A finding was closed. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

result[].​category_uidinteger(ocsfv1.3.0compliancefindingCategoryUid)required

CategoryUid is an enum, and the following values are allowed. 2 - Findings: Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.

result[].​class_uidinteger(ocsfv1.3.0compliancefindingClassUid)required

ClassUid is an enum, and the following values are allowed. 2003 - ComplianceFinding: Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001 etc.

result[].​complianceobject(ocsfv1.3.0compliancefindingCompliance)required

The Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements.

result[].​compliance.​standardsArray of stringsrequired

Security standards are a set of criteria organizations can follow to protect sensitive and confidential information. e.g. NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001

result[].​compliance.​compliance_referencesArray of objects or null(ocsfv1.3.0compliancefindingKbArticle)

A list of sources of information or tools that help organizations understand, interpret, and implement compliance standards. They provide guidance, best practices, and examples.

result[].​compliance.​compliance_standardsArray of objects or null(ocsfv1.3.0compliancefindingKbArticle)

A list of established guidelines or criteria that define specific requirements an organization must follow.

result[].​compliance.​controlstring or null

A Control is prescriptive, prioritized, and simplified set of best practices that one can use to strengthen their cybersecurity posture. e.g. AWS SecurityHub Controls, CIS Controls.

result[].​compliance.​requirementsArray of strings or null

A list of requirements associated to a specific control in an industry or regulatory framework. e.g. NIST.800-53.r5 AU-10

result[].​compliance.​statusstring or null

The resultant status of the compliance check normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.

result[].​compliance.​status_codestring or null

The resultant status code of the compliance check.

result[].​compliance.​status_detailstring or null

The contextual description of the status, status_code values.

result[].​compliance.​status_idinteger(ocsfv1.3.0compliancefindingCompliance_StatusId)

ComplianceStatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Pass: The compliance check passed for all the evaluated resources. 2 - Warning: The compliance check did not yield a result due to missing information. 3 - Fail: The compliance check failed for at least one of the evaluated resources. 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

result[].​finding_infoobject(ocsfv1.3.0compliancefindingFindingInfo)required

The Finding Information object describes metadata related to a security finding generated by a security tool or system.

result[].​finding_info.​titlestringrequired

A title or a brief phrase summarizing the reported finding.

result[].​finding_info.​uidstringrequired

The unique identifier of the reported finding.

result[].​finding_info.​analyticobject(ocsfv1.3.0compliancefindingAnalytic)

The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.

result[].​finding_info.​attacksArray of objects or null(ocsfv1.3.0compliancefindingAttack)

The MITRE ATT&CK® technique and associated tactics related to the finding.

result[].​finding_info.​created_timeinteger(ocsfv1.3.0compliancefindingTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​finding_info.​created_time_dtstring or null(date-time)

The time when the finding was created.

result[].​finding_info.​data_sourcesArray of strings or null

A list of data sources utilized in generation of the finding.

result[].​finding_info.​descstring or null

The description of the reported finding.

result[].​finding_info.​first_seen_timeinteger(ocsfv1.3.0compliancefindingTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​finding_info.​first_seen_time_dtstring or null(date-time)

The time when the finding was first observed. e.g. The time when a vulnerability was first observed.

It can differ from the created_time timestamp, which reflects the time this finding was created.

result[].​finding_info.​kill_chainArray of objects or null(ocsfv1.3.0compliancefindingKillChainPhase)

The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.

result[].​finding_info.​last_seen_timeinteger(ocsfv1.3.0compliancefindingTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​finding_info.​last_seen_time_dtstring or null(date-time)

The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed.

It can differ from the modified_time timestamp, which reflects the time this finding was last modified.

result[].​finding_info.​modified_timeinteger(ocsfv1.3.0compliancefindingTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​finding_info.​modified_time_dtstring or null(date-time)

The time when the finding was last modified.

result[].​finding_info.​product_uidstring or null

The unique identifier of the product that reported the finding.

result[].​finding_info.​related_analyticsArray of objects or null(ocsfv1.3.0compliancefindingAnalytic)

Other analytics related to this finding.

result[].​finding_info.​related_eventsArray of objects or null(ocsfv1.3.0compliancefindingRelatedEvent)

Describes events and/or other findings related to the finding as identified by the security product.

result[].​finding_info.​src_urlstring(ocsfv1.3.0compliancefindingURLString)

Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

result[].​finding_info.​typesArray of strings or null

One or more types of the reported finding.

result[].​metadataobject(ocsfv1.3.0compliancefindingMetadata)required

The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.

result[].​metadata.​productobject(ocsfv1.3.0compliancefindingProduct)required

The Product object describes characteristics of a software product.

result[].​metadata.​product.​vendor_namestringrequired

The name of the vendor of the product.

result[].​metadata.​product.​cpe_namestring or null

The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.

result[].​metadata.​product.​featureobject(ocsfv1.3.0compliancefindingFeature)

The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.

result[].​metadata.​product.​langstring or null

The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

result[].​metadata.​product.​namestring or null

The name of the product.

result[].​metadata.​product.​pathstring or null

The installation path of the product.

result[].​metadata.​product.​uidstring or null

The unique identifier of the product.

result[].​metadata.​product.​url_stringstring(ocsfv1.3.0compliancefindingURLString)

Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

result[].​metadata.​product.​versionstring or null

The version of the product, as defined by the event source. For example: 2013.1.3-beta.

result[].​metadata.​versionstringrequired

The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

result[].​metadata.​correlation_uidstring or null

The unique identifier used to correlate events.

result[].​metadata.​event_codestring or null

The Event ID or Code that the product uses to describe the event.

result[].​metadata.​extensionobject(ocsfv1.3.0compliancefindingExtension)

The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.

result[].​metadata.​extensionsArray of objects or null(ocsfv1.3.0compliancefindingExtension)

The schema extensions used to create the event.

result[].​metadata.​labelsArray of strings or null

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: ["network", "connection.ip:destination", "device.ip:source"]
result[].​metadata.​log_levelstring or null

The audit level at which an event was generated.

result[].​metadata.​log_namestring or null

The event log name. For example, syslog file name or Windows logging subsystem: Security.

result[].​metadata.​log_providerstring or null

The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

result[].​metadata.​log_versionstring or null

The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

result[].​metadata.​logged_timeinteger(ocsfv1.3.0compliancefindingTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​logged_time_dtstring or null(date-time)

The time when the logging system collected and logged the event.

This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
result[].​metadata.​loggersArray of objects or null(ocsfv1.3.0compliancefindingLogger)

An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.

result[].​metadata.​modified_timeinteger(ocsfv1.3.0compliancefindingTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​modified_time_dtstring or null(date-time)

The time when the event was last modified or enriched.

result[].​metadata.​original_timestring or null

The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.

result[].​metadata.​processed_timeinteger(ocsfv1.3.0compliancefindingTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​processed_time_dtstring or null(date-time)

The event processed time, such as an ETL operation.

result[].​metadata.​profilesArray of strings or null

The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

result[].​metadata.​sequenceinteger or null

Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

result[].​metadata.​tenant_uidstring or null

The unique tenant identifier.

result[].​metadata.​uidstring or null

The logging system-assigned unique identifier of an event instance.

result[].​severity_idinteger(ocsfv1.3.0compliancefindingSeverityId)required

SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

result[].​timeinteger(ocsfv1.3.0compliancefindingTimestamp)required

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​type_uidinteger(ocsfv1.3.0compliancefindingTypeUid)required

TypeUid is an enum, and the following values are allowed. 200300 - Unknown 200301 - Create: A finding was created. 200302 - Update: A finding was updated. 200303 - Close: A finding was closed. 200399 - Other

result[].​activity_namestring or null

The finding activity name, as defined by the activity_id.

result[].​actorobject(ocsfv1.3.0compliancefindingActor)

The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.

result[].​apiobject(ocsfv1.3.0compliancefindingApi)

The API, or Application Programming Interface, object represents information pertaining to an API request and response.

result[].​category_namestring or null

The event category name, as defined by category_uid value: Findings.

result[].​cloudobject(ocsfv1.3.0compliancefindingCloud)

The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.

result[].​commentstring or null

A user provided comment about the finding.

result[].​confidencestring or null

The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.

result[].​confidence_idinteger(ocsfv1.3.0compliancefindingConfidenceId)

ConfidenceId is an enum, and the following values are allowed. 0 - Unknown: The normalized confidence is unknown. 1 - Low 2 - Medium 3 - High 99 - Other: The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.

result[].​confidence_scoreinteger or null

The confidence score as reported by the event source.

result[].​countinteger or null

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

result[].​custom_fieldsobject(ocsfv1.3.0compliancefindingObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

result[].​deviceobject(ocsfv1.3.0compliancefindingDevice)

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

result[].​durationinteger or null

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

result[].​end_timeinteger(ocsfv1.3.0compliancefindingTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​end_time_dtstring or null(date-time)

The time of the most recent event included in the finding.

result[].​enrichmentsArray of objects or null(ocsfv1.3.0compliancefindingEnrichment)

The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:

[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

result[].​messagestring or null

The description of the event/finding, as defined by the source.

result[].​observablesArray of objects or null(ocsfv1.3.0compliancefindingObservable)

The observables associated with the event or a finding.

result[].​osintArray of objects or null(ocsfv1.3.0compliancefindingOsint)

The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

result[].​raw_datastring or null

The raw event/finding data as received from the source.

result[].​remediationobject(ocsfv1.3.0compliancefindingRemediation)

The Remediation object describes the recommended remediation steps to address identified issue(s).

result[].​resourceobject(ocsfv1.3.0compliancefindingResourceDetails)

The Resource Details object describes details about resources that were affected by the activity/event.

result[].​resourcesArray of objects or null(ocsfv1.3.0compliancefindingResourceDetails)

Describes details about the resource/resouces that are the subject of the compliance check.

result[].​severitystring or null

The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

result[].​start_timeinteger(ocsfv1.3.0compliancefindingTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​start_time_dtstring or null(date-time)

The time of the least recent event included in the finding.

result[].​statusstring or null

The normalized status of the Finding set by the consumer normalized to the caption of the status_id value. In the case of 'Other', it is defined by the source.

result[].​status_codestring or null

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.

result[].​status_detailstring or null

The status detail contains additional information about the event/finding outcome.

result[].​status_idinteger(ocsfv1.3.0compliancefindingStatusId)

StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - New: The Finding is new and yet to be reviewed. 2 - InProgress: The Finding is under review. 3 - Suppressed: The Finding was reviewed, determined to be benign or a false positive and is now suppressed. 4 - Resolved: The Finding was reviewed, remediated and is now considered resolved. 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

result[].​time_dtstring or null(date-time)

The normalized event occurrence time or the finding creation time.

result[].​timezone_offsetinteger or null

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

result[].​type_namestring or null

The event/finding type name, as defined by the type_uid.

result[].​unmappedobject(ocsfv1.3.0compliancefindingObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

cursorstringrequired

Cursor to use to retrieve the next page of results

metaobject(MetaResponse)
Response
application/json
{ "result": [ {} ], "cursor": "string", "meta": { "stats": {}, "api": {} } }

Edr

Operations

Hooks

Operations

Identity

Operations

Integration Webhooks

Operations

Notifications

Operations

Operations (In Development)

In Development

This feature is actively being developed. Breaking changes should be expected.

Please contact us before using this feature.

Operations

Siem

Operations

Sink

Operations

Storage

Operations

Ticketing

Operations

Vulnerabilities

Operations