API Reference
/
Connector API
/
Identity

Connector API

The Synqly Connector APIs provide a unifying interface and data model for all supported service Providers.

See the Synqly Overview for more information.

Download OpenAPI description
connectors.json
connectors.yaml
Languages
Servers
Synqly
https://api.synqly.com/

Assets

Operations

Edr

Operations

Hooks

Operations

Identity

Operations

Query Audit Log

Request

Returns a list of Event objects from the token-linked audit log.

Query
metaArray of strings or null

Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta function are available at every endpoint.

limitinteger or null

Number of events to return. Defaults to 100.

cursorstring or null

Start search from cursor position.

orderArray of strings or null

Select a field to order the results by. Defaults to time. To control the direction of the sorting, append [asc] or [desc] to the field name. For example, time[asc] will sort the results by time in ascending order. The ordering defaults to asc if not specified.

filterArray of strings or null

Filter results by this query. For more information on filtering, refer to our Filtering Guide. Defaults to no filter. If used more than once, the queries are ANDed together.

curl -i -X GET \
  'https://api.synqly.com/v1/identity/audit?cursor=string&filter=string&limit=0&meta=string&order=string' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Bodyapplication/json
resultArray of ocsfv1.3.0accountchangeAccountChange (object) or ocsfv1.3.0apiactivityApiActivity (object) or ocsfv1.3.0authenticationAuthentication (object) or ocsfv1.3.0authorizesessionAuthorizeSession (object) or ocsfv1.3.0baseeventBaseEvent (object) or ocsfv1.3.0compliancefindingComplianceFinding (object) or ocsfv1.3.0configstateConfigState (object) or ocsfv1.3.0detectionfindingDetectionFinding (object) or ocsfv1.3.0fileactivityFileActivity (object) or ocsfv1.3.0groupmanagementGroupManagement (object) or ocsfv1.3.0incidentfindingIncidentFinding (object) or ocsfv1.3.0inventoryinfoInventoryInfo (object) or ocsfv1.3.0moduleactivityModuleActivity (object) or ocsfv1.3.0networkactivityNetworkActivity (object) or ocsfv1.3.0processactivityProcessActivity (object) or ocsfv1.3.0scanactivityScanActivity (object) or ocsfv1.3.0scheduledjobactivityScheduledJobActivity (object) or ocsfv1.3.0securityfindingSecurityFinding (object) or ocsfv1.3.0softwareinfoSoftwareInfo (object) or ocsfv1.3.0useraccessmanagementUserAccess (object) or ocsfv1.3.0vulnerabilityfindingVulnerabilityFinding (object) or ocsfv1.3.0webresourceaccessactivityWebResourceAccessActivity (object)(Event)required

List of events from the audit log. Each event will be one of the OCSF Types Account Change, Authentication, or Group Management.

One of:

Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.

result[].​class_namestringrequired
Value"Account Change"
result[].​activity_idinteger(ocsfv1.3.0accountchangeActivityId)required

ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: A user/role was created. 2 - Enable: A user/role was enabled. 3 - PasswordChange: An attempt was made to change an account's password. 4 - PasswordReset: An attempt was made to reset an account's password. 5 - Disable: A user/role was disabled. 6 - Delete: A user/role was deleted. 7 - AttachPolicy: An IAM Policy was attached to a user/role. 8 - DetachPolicy: An IAM Policy was detached from a user/role. 9 - Lock: A user account was locked out. 10 - MFAFactorEnable: An authentication factor was enabled for an account. 11 - MFAFactorDisable: An authentication factor was disabled for an account. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

result[].​category_uidinteger(ocsfv1.3.0accountchangeCategoryUid)required

CategoryUid is an enum, and the following values are allowed. 3 - AccessManagement: Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.

result[].​class_uidinteger(ocsfv1.3.0accountchangeClassUid)required

ClassUid is an enum, and the following values are allowed. 3001 - AccountChange: Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.

result[].​metadataobject(ocsfv1.3.0accountchangeMetadata)required

The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.

result[].​metadata.​productobject(ocsfv1.3.0accountchangeProduct)required

The Product object describes characteristics of a software product.

result[].​metadata.​product.​vendor_namestringrequired

The name of the vendor of the product.

result[].​metadata.​product.​cpe_namestring or null

The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.

result[].​metadata.​product.​featureobject(ocsfv1.3.0accountchangeFeature)

The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.

result[].​metadata.​product.​langstring or null

The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

result[].​metadata.​product.​namestring or null

The name of the product.

result[].​metadata.​product.​pathstring or null

The installation path of the product.

result[].​metadata.​product.​uidstring or null

The unique identifier of the product.

result[].​metadata.​product.​url_stringstring(ocsfv1.3.0accountchangeURLString)

Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

result[].​metadata.​product.​versionstring or null

The version of the product, as defined by the event source. For example: 2013.1.3-beta.

result[].​metadata.​versionstringrequired

The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

result[].​metadata.​correlation_uidstring or null

The unique identifier used to correlate events.

result[].​metadata.​event_codestring or null

The Event ID or Code that the product uses to describe the event.

result[].​metadata.​extensionobject(ocsfv1.3.0accountchangeExtension)

The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.

result[].​metadata.​extensionsArray of objects or null(ocsfv1.3.0accountchangeExtension)

The schema extensions used to create the event.

result[].​metadata.​labelsArray of strings or null

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: ["network", "connection.ip:destination", "device.ip:source"]
result[].​metadata.​log_levelstring or null

The audit level at which an event was generated.

result[].​metadata.​log_namestring or null

The event log name. For example, syslog file name or Windows logging subsystem: Security.

result[].​metadata.​log_providerstring or null

The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

result[].​metadata.​log_versionstring or null

The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

result[].​metadata.​logged_timeinteger(ocsfv1.3.0accountchangeTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​logged_time_dtstring or null(date-time)

The time when the logging system collected and logged the event.

This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
result[].​metadata.​loggersArray of objects or null(ocsfv1.3.0accountchangeLogger)

An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.

result[].​metadata.​modified_timeinteger(ocsfv1.3.0accountchangeTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​modified_time_dtstring or null(date-time)

The time when the event was last modified or enriched.

result[].​metadata.​original_timestring or null

The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.

result[].​metadata.​processed_timeinteger(ocsfv1.3.0accountchangeTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​processed_time_dtstring or null(date-time)

The event processed time, such as an ETL operation.

result[].​metadata.​profilesArray of strings or null

The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

result[].​metadata.​sequenceinteger or null

Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

result[].​metadata.​tenant_uidstring or null

The unique tenant identifier.

result[].​metadata.​uidstring or null

The logging system-assigned unique identifier of an event instance.

result[].​severity_idinteger(ocsfv1.3.0accountchangeSeverityId)required

SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

result[].​timeinteger(ocsfv1.3.0accountchangeTimestamp)required

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​type_uidinteger(ocsfv1.3.0accountchangeTypeUid)required

TypeUid is an enum, and the following values are allowed. 300100 - Unknown 300101 - Create: A user/role was created. 300102 - Enable: A user/role was enabled. 300103 - PasswordChange: An attempt was made to change an account's password. 300104 - PasswordReset: An attempt was made to reset an account's password. 300105 - Disable: A user/role was disabled. 300106 - Delete: A user/role was deleted. 300107 - AttachPolicy: An IAM Policy was attached to a user/role. 300108 - DetachPolicy: An IAM Policy was detached from a user/role. 300109 - Lock: A user account was locked out. 300110 - MFAFactorEnable: An authentication factor was enabled for an account. 300111 - MFAFactorDisable: An authentication factor was disabled for an account. 300199 - Other

result[].​userobject(ocsfv1.3.0accountchangeUser)required

The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

result[].​user.​accountobject(ocsfv1.3.0accountchangeAccount)

The Account object contains details about the account that initiated or performed a specific activity within a system or application.

result[].​user.​credential_uidstring or null

The unique identifier of the user's credential. For example, AWS Access Key ID.

result[].​user.​domainstring or null

The domain where the user is defined. For example: the LDAP or Active Directory domain.

result[].​user.​email_addrstring(ocsfv1.3.0accountchangeEmailAddress)

Email address. For example: john_doe@example.com.

result[].​user.​full_namestring or null

The full name of the person, as per the LDAP Common Name attribute (cn).

result[].​user.​groupsArray of objects or null(ocsfv1.3.0accountchangeGroup)

The administrative groups to which the user belongs.

result[].​user.​ldap_personobject(ocsfv1.3.0accountchangeLdapPerson)

The additional LDAP attributes that describe a person.

result[].​user.​mfa_statusstring or null

The multi-factor authentication status, normalized to the caption of the mfa_status_id value. In the case of 'Other', it is defined by the data source.

result[].​user.​mfa_status_idinteger(ocsfv1.3.0accountchangeUser_MfaStatusId)

UserMfaStatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Enabled: Multi-factor authentication is on for this user. 2 - NotEnabled: TMulti-factor authentication is off for this user. 99 - Other: The event status is not mapped. See the user_status attribute, which contains a data source specific value.

result[].​user.​namestring(ocsfv1.3.0accountchangeUserName)

User name. For example: john_doe.

result[].​user.​orgobject(ocsfv1.3.0accountchangeOrganization)

The Organization object describes characteristics of an organization or company and its division if any.

result[].​user.​privilegesArray of strings or null

The user's privileges.

result[].​user.​risk_levelstring or null

The risk level, normalized to the caption of the risk_level_id value.

result[].​user.​risk_level_idinteger(ocsfv1.3.0accountchangeUser_RiskLevelId)

UserRiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.

result[].​user.​risk_scoreinteger or null

The risk score as reported by the event source.

result[].​user.​typestring or null

The type of the user. For example, System, AWS IAM User, etc.

result[].​user.​type_idinteger(ocsfv1.3.0accountchangeUser_TypeId)

UserTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - User: Regular user account. 2 - Admin: Admin/root user account. 3 - System: System account. For example, Windows computer accounts with a trailing dollar sign ($). 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

result[].​user.​uidstring or null

The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.

result[].​user.​uid_altstring or null

The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.

result[].​user.​user_statusstring or null

The user status, normalized to the caption of the user_status_id value. In the case of 'Other', it is defined by the data source.

result[].​user.​user_status_idinteger(ocsfv1.3.0accountchangeUser_UserStatusId)

UserUserStatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Active: The user is active. 2 - Pending: The user is not active, pending either user or admin action. 3 - Locked: The user account is locked requiring either time or intervention to unlock. 4 - Suspended: The user account is suspended. 5 - Deprovisioned: The user account has been deprovisioned and is pending removal. 99 - Other: The event status is not mapped. See the user_status attribute, which contains a data source specific value.

result[].​activity_namestring or null

The event activity name, as defined by the activity_id.

result[].​actorobject(ocsfv1.3.0accountchangeActor)

The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.

result[].​apiobject(ocsfv1.3.0accountchangeApi)

The API, or Application Programming Interface, object represents information pertaining to an API request and response.

result[].​category_namestring or null

The event category name, as defined by category_uid value: Identity & Access Management.

result[].​cloudobject(ocsfv1.3.0accountchangeCloud)

The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.

result[].​countinteger or null

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

result[].​custom_fieldsobject(ocsfv1.3.0accountchangeObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

result[].​deviceobject(ocsfv1.3.0accountchangeDevice)

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

result[].​durationinteger or null

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

result[].​end_timeinteger(ocsfv1.3.0accountchangeTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​end_time_dtstring or null(date-time)

The end time of a time period, or the time of the most recent event included in the aggregate event.

result[].​enrichmentsArray of objects or null(ocsfv1.3.0accountchangeEnrichment)

The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:

[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

result[].​http_requestobject(ocsfv1.3.0accountchangeHttpRequest)

The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.

result[].​messagestring or null

The description of the event/finding, as defined by the source.

result[].​observablesArray of objects or null(ocsfv1.3.0accountchangeObservable)

The observables associated with the event or a finding.

result[].​osintArray of objects or null(ocsfv1.3.0accountchangeOsint)

The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

result[].​policyobject(ocsfv1.3.0accountchangePolicy)

The Policy object describes the policies that are applicable.

Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.

result[].​raw_datastring or null

The raw event/finding data as received from the source.

result[].​severitystring or null

The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

result[].​src_endpointobject(ocsfv1.3.0accountchangeNetworkEndpoint)

The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.

result[].​start_timeinteger(ocsfv1.3.0accountchangeTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​start_time_dtstring or null(date-time)

The start time of a time period, or the time of the least recent event included in the aggregate event.

result[].​statusstring or null

The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.

result[].​status_codestring or null

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.

result[].​status_detailstring or null

The status detail contains additional information about the event/finding outcome.

result[].​status_idinteger(ocsfv1.3.0accountchangeStatusId)

StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

result[].​time_dtstring or null(date-time)

The normalized event occurrence time or the finding creation time.

result[].​timezone_offsetinteger or null

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

result[].​type_namestring or null

The event/finding type name, as defined by the type_uid.

result[].​unmappedobject(ocsfv1.3.0accountchangeObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

result[].​user_resultobject(ocsfv1.3.0accountchangeUser)

The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

cursorstringrequired

Cursor to use to retrieve the next page of results

metaobject(MetaResponse)
Response
application/json
{
  "result": [
    {}
  ],
  "cursor": "string",
  "meta": {
    "stats": {},
    "api": {}
  }
}

Query Users

Request

Returns a list of User objects wrapped in the OCSF Entity Management event of type Read from the token-linked identity provider.

Query
metaArray of strings or null

Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta function are available at every endpoint.

limitinteger or null

Number of users to return. Defaults to 100.

cursorstring or null

Start search from cursor position.

orderArray of strings or null

Select a field to order the results by. Defaults to uid. To control the direction of the sorting, append [asc] or [desc] to the field name. For example, email_addr[asc] will sort the results by email_addr in ascending order. The ordering defaults to asc if not specified.

filterArray of strings or null

Filter results by this query. For more information on filtering, refer to our Filtering Guide. Defaults to no filter. If used more than once, the queries are ANDed together.

curl -i -X GET \
  'https://api.synqly.com/v1/identity/users?cursor=string&filter=string&limit=0&meta=string&order=string' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Bodyapplication/json
resultArray of objects(ocsfv1.3.0entitymanagementEntityManagement)required

List users wrapped in the OCSF Entity Management event of type Read.

result[].​activity_idinteger(ocsfv1.3.0entitymanagementActivityId)required

ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: Create a new managed entity. 2 - Read: Read an existing managed entity. 3 - Update: Update an existing managed entity. 4 - Delete: Delete a managed entity. 5 - Move: Move or rename an existing managed entity. 6 - Enroll: Enroll an existing managed entity. 7 - Unenroll: Unenroll an existing managed entity. 8 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 9 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 10 - Activate: Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 11 - Deactivate: Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 12 - Suspend: Suspend an existing managed entity. 13 - Resume: Resume (unsuspend) an existing managed entity. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

result[].​category_uidinteger(ocsfv1.3.0entitymanagementCategoryUid)required

CategoryUid is an enum, and the following values are allowed. 3 - AccessManagement: Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.

result[].​class_uidinteger(ocsfv1.3.0entitymanagementClassUid)required

ClassUid is an enum, and the following values are allowed. 3004 - EntityManagement: Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.

result[].​entityobject(ocsfv1.3.0entitymanagementManagedEntity)required

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.

result[].​entity.​dataany or null

The managed entity content as a JSON object.

result[].​entity.​deviceobject(ocsfv1.3.0entitymanagementDevice)

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

result[].​entity.​emailobject(ocsfv1.3.0entitymanagementEmail)

The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email.

result[].​entity.​groupobject(ocsfv1.3.0entitymanagementGroup)

The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.

result[].​entity.​namestring or null

The name of the managed entity.

result[].​entity.​orgobject(ocsfv1.3.0entitymanagementOrganization)

The Organization object describes characteristics of an organization or company and its division if any.

result[].​entity.​policyobject(ocsfv1.3.0entitymanagementPolicy)

The Policy object describes the policies that are applicable.

Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.

result[].​entity.​typestring or null

The managed entity type. For example: policy, user, organizational unit, device.

result[].​entity.​type_idinteger(ocsfv1.3.0entitymanagementManagedEntity_TypeId)

ManagedEntityTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Device: A managed Device entity. This item corresponds to population of the device attribute. 2 - User: A managed User entity. This item corresponds to population of the user attribute. 3 - Group: A managed Group entity. This item corresponds to population of the group attribute. 4 - Organization: A managed Organization entity. This item corresponds to population of the org attribute. 5 - Policy: A managed Policy entity. This item corresponds to population of the policy attribute. 6 - Email: A managed Email entity. This item corresponds to population of the email attribute. 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

result[].​entity.​uidstring or null

The identifier of the managed entity.

result[].​entity.​userobject(ocsfv1.3.0entitymanagementUser)

The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

result[].​entity.​versionstring or null

The version of the managed entity. For example: 1.2.3.

result[].​metadataobject(ocsfv1.3.0entitymanagementMetadata)required

The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.

result[].​metadata.​productobject(ocsfv1.3.0entitymanagementProduct)required

The Product object describes characteristics of a software product.

result[].​metadata.​product.​vendor_namestringrequired

The name of the vendor of the product.

result[].​metadata.​product.​cpe_namestring or null

The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.

result[].​metadata.​product.​featureobject(ocsfv1.3.0entitymanagementFeature)

The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.

result[].​metadata.​product.​langstring or null

The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

result[].​metadata.​product.​namestring or null

The name of the product.

result[].​metadata.​product.​pathstring or null

The installation path of the product.

result[].​metadata.​product.​uidstring or null

The unique identifier of the product.

result[].​metadata.​product.​url_stringstring(ocsfv1.3.0entitymanagementURLString)

Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

result[].​metadata.​product.​versionstring or null

The version of the product, as defined by the event source. For example: 2013.1.3-beta.

result[].​metadata.​versionstringrequired

The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

result[].​metadata.​correlation_uidstring or null

The unique identifier used to correlate events.

result[].​metadata.​event_codestring or null

The Event ID or Code that the product uses to describe the event.

result[].​metadata.​extensionobject(ocsfv1.3.0entitymanagementExtension)

The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.

result[].​metadata.​extensionsArray of objects or null(ocsfv1.3.0entitymanagementExtension)

The schema extensions used to create the event.

result[].​metadata.​labelsArray of strings or null

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: ["network", "connection.ip:destination", "device.ip:source"]
result[].​metadata.​log_levelstring or null

The audit level at which an event was generated.

result[].​metadata.​log_namestring or null

The event log name. For example, syslog file name or Windows logging subsystem: Security.

result[].​metadata.​log_providerstring or null

The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

result[].​metadata.​log_versionstring or null

The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

result[].​metadata.​logged_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​logged_time_dtstring or null(date-time)

The time when the logging system collected and logged the event.

This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
result[].​metadata.​loggersArray of objects or null(ocsfv1.3.0entitymanagementLogger)

An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.

result[].​metadata.​modified_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​modified_time_dtstring or null(date-time)

The time when the event was last modified or enriched.

result[].​metadata.​original_timestring or null

The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.

result[].​metadata.​processed_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​processed_time_dtstring or null(date-time)

The event processed time, such as an ETL operation.

result[].​metadata.​profilesArray of strings or null

The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

result[].​metadata.​sequenceinteger or null

Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

result[].​metadata.​tenant_uidstring or null

The unique tenant identifier.

result[].​metadata.​uidstring or null

The logging system-assigned unique identifier of an event instance.

result[].​severity_idinteger(ocsfv1.3.0entitymanagementSeverityId)required

SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

result[].​timeinteger(ocsfv1.3.0entitymanagementTimestamp)required

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​type_uidinteger(ocsfv1.3.0entitymanagementTypeUid)required

TypeUid is an enum, and the following values are allowed. 300400 - Unknown 300401 - Create: Create a new managed entity. 300402 - Read: Read an existing managed entity. 300403 - Update: Update an existing managed entity. 300404 - Delete: Delete a managed entity. 300405 - Move: Move or rename an existing managed entity. 300406 - Enroll: Enroll an existing managed entity. 300407 - Unenroll: Unenroll an existing managed entity. 300408 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300409 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300410 - Activate: Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 300411 - Deactivate: Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 300412 - Suspend: Suspend an existing managed entity. 300413 - Resume: Resume (unsuspend) an existing managed entity. 300499 - Other

result[].​access_listArray of strings or null

The list of requested access rights.

result[].​access_maskinteger or null

The access mask in a platform-native format.

result[].​activity_namestring or null

The event activity name, as defined by the activity_id.

result[].​actorobject(ocsfv1.3.0entitymanagementActor)

The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.

result[].​apiobject(ocsfv1.3.0entitymanagementApi)

The API, or Application Programming Interface, object represents information pertaining to an API request and response.

result[].​category_namestring or null

The event category name, as defined by category_uid value: Identity & Access Management.

result[].​cloudobject(ocsfv1.3.0entitymanagementCloud)

The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.

result[].​commentstring or null

The user provided comment about why the entity was changed.

result[].​countinteger or null

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

result[].​custom_fieldsobject(ocsfv1.3.0entitymanagementObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

result[].​deviceobject(ocsfv1.3.0entitymanagementDevice)

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

result[].​durationinteger or null

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

result[].​end_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​end_time_dtstring or null(date-time)

The end time of a time period, or the time of the most recent event included in the aggregate event.

result[].​enrichmentsArray of objects or null(ocsfv1.3.0entitymanagementEnrichment)

The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:

[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

result[].​entity_resultobject(ocsfv1.3.0entitymanagementManagedEntity)

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.

result[].​http_requestobject(ocsfv1.3.0entitymanagementHttpRequest)

The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.

result[].​messagestring or null

The description of the event/finding, as defined by the source.

result[].​observablesArray of objects or null(ocsfv1.3.0entitymanagementObservable)

The observables associated with the event or a finding.

result[].​osintArray of objects or null(ocsfv1.3.0entitymanagementOsint)

The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

result[].​raw_datastring or null

The raw event/finding data as received from the source.

result[].​severitystring or null

The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

result[].​src_endpointobject(ocsfv1.3.0entitymanagementNetworkEndpoint)

The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.

result[].​start_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​start_time_dtstring or null(date-time)

The start time of a time period, or the time of the least recent event included in the aggregate event.

result[].​statusstring or null

The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.

result[].​status_codestring or null

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.

result[].​status_detailstring or null

The status detail contains additional information about the event/finding outcome.

result[].​status_idinteger(ocsfv1.3.0entitymanagementStatusId)

StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

result[].​time_dtstring or null(date-time)

The normalized event occurrence time or the finding creation time.

result[].​timezone_offsetinteger or null

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

result[].​type_namestring or null

The event/finding type name, as defined by the type_uid.

result[].​unmappedobject(ocsfv1.3.0entitymanagementObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

cursorstringrequired

Cursor to use to retrieve the next page of results

metaobject(MetaResponse)
Response
application/json
{
  "result": [
    {}
  ],
  "cursor": "string",
  "meta": {
    "stats": {},
    "api": {}
  }
}

Get User

Request

Returns a User object wrapped in an OCSF Entity Management event of type Read from the token-linked identity provider. Depending on the providers offerings, this may include additional user information, such as the user's current groups and roles.

Path
userIdstring(UserId)required

The unique identifier for a user in the identity provider's system

curl -i -X GET \
  'https://api.synqly.com/v1/identity/users/{userId}' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Bodyapplication/json
resultobject(ocsfv1.3.0entitymanagementEntityManagement)required

Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.

result.​activity_idinteger(ocsfv1.3.0entitymanagementActivityId)required

ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: Create a new managed entity. 2 - Read: Read an existing managed entity. 3 - Update: Update an existing managed entity. 4 - Delete: Delete a managed entity. 5 - Move: Move or rename an existing managed entity. 6 - Enroll: Enroll an existing managed entity. 7 - Unenroll: Unenroll an existing managed entity. 8 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 9 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 10 - Activate: Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 11 - Deactivate: Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 12 - Suspend: Suspend an existing managed entity. 13 - Resume: Resume (unsuspend) an existing managed entity. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

result.​category_uidinteger(ocsfv1.3.0entitymanagementCategoryUid)required

CategoryUid is an enum, and the following values are allowed. 3 - AccessManagement: Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.

result.​class_uidinteger(ocsfv1.3.0entitymanagementClassUid)required

ClassUid is an enum, and the following values are allowed. 3004 - EntityManagement: Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.

result.​entityobject(ocsfv1.3.0entitymanagementManagedEntity)required

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.

result.​entity.​dataany or null

The managed entity content as a JSON object.

result.​entity.​deviceobject(ocsfv1.3.0entitymanagementDevice)

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

result.​entity.​emailobject(ocsfv1.3.0entitymanagementEmail)

The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email.

result.​entity.​groupobject(ocsfv1.3.0entitymanagementGroup)

The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.

result.​entity.​namestring or null

The name of the managed entity.

result.​entity.​orgobject(ocsfv1.3.0entitymanagementOrganization)

The Organization object describes characteristics of an organization or company and its division if any.

result.​entity.​policyobject(ocsfv1.3.0entitymanagementPolicy)

The Policy object describes the policies that are applicable.

Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.

result.​entity.​typestring or null

The managed entity type. For example: policy, user, organizational unit, device.

result.​entity.​type_idinteger(ocsfv1.3.0entitymanagementManagedEntity_TypeId)

ManagedEntityTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Device: A managed Device entity. This item corresponds to population of the device attribute. 2 - User: A managed User entity. This item corresponds to population of the user attribute. 3 - Group: A managed Group entity. This item corresponds to population of the group attribute. 4 - Organization: A managed Organization entity. This item corresponds to population of the org attribute. 5 - Policy: A managed Policy entity. This item corresponds to population of the policy attribute. 6 - Email: A managed Email entity. This item corresponds to population of the email attribute. 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

result.​entity.​uidstring or null

The identifier of the managed entity.

result.​entity.​userobject(ocsfv1.3.0entitymanagementUser)

The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

result.​entity.​versionstring or null

The version of the managed entity. For example: 1.2.3.

result.​metadataobject(ocsfv1.3.0entitymanagementMetadata)required

The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.

result.​metadata.​productobject(ocsfv1.3.0entitymanagementProduct)required

The Product object describes characteristics of a software product.

result.​metadata.​product.​vendor_namestringrequired

The name of the vendor of the product.

result.​metadata.​product.​cpe_namestring or null

The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.

result.​metadata.​product.​featureobject(ocsfv1.3.0entitymanagementFeature)

The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.

result.​metadata.​product.​langstring or null

The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

result.​metadata.​product.​namestring or null

The name of the product.

result.​metadata.​product.​pathstring or null

The installation path of the product.

result.​metadata.​product.​uidstring or null

The unique identifier of the product.

result.​metadata.​product.​url_stringstring(ocsfv1.3.0entitymanagementURLString)

Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

result.​metadata.​product.​versionstring or null

The version of the product, as defined by the event source. For example: 2013.1.3-beta.

result.​metadata.​versionstringrequired

The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

result.​metadata.​correlation_uidstring or null

The unique identifier used to correlate events.

result.​metadata.​event_codestring or null

The Event ID or Code that the product uses to describe the event.

result.​metadata.​extensionobject(ocsfv1.3.0entitymanagementExtension)

The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.

result.​metadata.​extensionsArray of objects or null(ocsfv1.3.0entitymanagementExtension)

The schema extensions used to create the event.

result.​metadata.​labelsArray of strings or null

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: ["network", "connection.ip:destination", "device.ip:source"]
result.​metadata.​log_levelstring or null

The audit level at which an event was generated.

result.​metadata.​log_namestring or null

The event log name. For example, syslog file name or Windows logging subsystem: Security.

result.​metadata.​log_providerstring or null

The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

result.​metadata.​log_versionstring or null

The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

result.​metadata.​logged_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result.​metadata.​logged_time_dtstring or null(date-time)

The time when the logging system collected and logged the event.

This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
result.​metadata.​loggersArray of objects or null(ocsfv1.3.0entitymanagementLogger)

An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.

result.​metadata.​modified_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result.​metadata.​modified_time_dtstring or null(date-time)

The time when the event was last modified or enriched.

result.​metadata.​original_timestring or null

The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.

result.​metadata.​processed_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result.​metadata.​processed_time_dtstring or null(date-time)

The event processed time, such as an ETL operation.

result.​metadata.​profilesArray of strings or null

The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

result.​metadata.​sequenceinteger or null

Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

result.​metadata.​tenant_uidstring or null

The unique tenant identifier.

result.​metadata.​uidstring or null

The logging system-assigned unique identifier of an event instance.

result.​severity_idinteger(ocsfv1.3.0entitymanagementSeverityId)required

SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

result.​timeinteger(ocsfv1.3.0entitymanagementTimestamp)required

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result.​type_uidinteger(ocsfv1.3.0entitymanagementTypeUid)required

TypeUid is an enum, and the following values are allowed. 300400 - Unknown 300401 - Create: Create a new managed entity. 300402 - Read: Read an existing managed entity. 300403 - Update: Update an existing managed entity. 300404 - Delete: Delete a managed entity. 300405 - Move: Move or rename an existing managed entity. 300406 - Enroll: Enroll an existing managed entity. 300407 - Unenroll: Unenroll an existing managed entity. 300408 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300409 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300410 - Activate: Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 300411 - Deactivate: Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 300412 - Suspend: Suspend an existing managed entity. 300413 - Resume: Resume (unsuspend) an existing managed entity. 300499 - Other

result.​access_listArray of strings or null

The list of requested access rights.

result.​access_maskinteger or null

The access mask in a platform-native format.

result.​activity_namestring or null

The event activity name, as defined by the activity_id.

result.​actorobject(ocsfv1.3.0entitymanagementActor)

The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.

result.​apiobject(ocsfv1.3.0entitymanagementApi)

The API, or Application Programming Interface, object represents information pertaining to an API request and response.

result.​category_namestring or null

The event category name, as defined by category_uid value: Identity & Access Management.

result.​cloudobject(ocsfv1.3.0entitymanagementCloud)

The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.

result.​commentstring or null

The user provided comment about why the entity was changed.

result.​countinteger or null

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

result.​custom_fieldsobject(ocsfv1.3.0entitymanagementObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

result.​deviceobject(ocsfv1.3.0entitymanagementDevice)

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

result.​durationinteger or null

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

result.​end_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result.​end_time_dtstring or null(date-time)

The end time of a time period, or the time of the most recent event included in the aggregate event.

result.​enrichmentsArray of objects or null(ocsfv1.3.0entitymanagementEnrichment)

The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:

[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

result.​entity_resultobject(ocsfv1.3.0entitymanagementManagedEntity)

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.

result.​http_requestobject(ocsfv1.3.0entitymanagementHttpRequest)

The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.

result.​messagestring or null

The description of the event/finding, as defined by the source.

result.​observablesArray of objects or null(ocsfv1.3.0entitymanagementObservable)

The observables associated with the event or a finding.

result.​osintArray of objects or null(ocsfv1.3.0entitymanagementOsint)

The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

result.​raw_datastring or null

The raw event/finding data as received from the source.

result.​severitystring or null

The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

result.​src_endpointobject(ocsfv1.3.0entitymanagementNetworkEndpoint)

The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.

result.​start_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result.​start_time_dtstring or null(date-time)

The start time of a time period, or the time of the least recent event included in the aggregate event.

result.​statusstring or null

The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.

result.​status_codestring or null

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.

result.​status_detailstring or null

The status detail contains additional information about the event/finding outcome.

result.​status_idinteger(ocsfv1.3.0entitymanagementStatusId)

StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

result.​time_dtstring or null(date-time)

The normalized event occurrence time or the finding creation time.

result.​timezone_offsetinteger or null

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

result.​type_namestring or null

The event/finding type name, as defined by the type_uid.

result.​unmappedobject(ocsfv1.3.0entitymanagementObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

metaobject(MetaResponse)
Response
application/json
{
  "result": {
    "access_list": [],
    "access_mask": 0,
    "activity_id": 0,
    "activity_name": "string",
    "actor": {},
    "api": {},
    "category_name": "string",
    "category_uid": 0,
    "class_uid": 0,
    "cloud": {},
    "comment": "string",
    "count": 0,
    "custom_fields": {},
    "device": {},
    "duration": 0,
    "end_time": 0,
    "end_time_dt": "2019-08-24T14:15:22Z",
    "enrichments": [],
    "entity": {},
    "entity_result": {},
    "http_request": {},
    "message": "string",
    "metadata": {},
    "observables": [],
    "osint": [],
    "raw_data": "string",
    "severity": "string",
    "severity_id": 0,
    "src_endpoint": {},
    "start_time": 0,
    "start_time_dt": "2019-08-24T14:15:22Z",
    "status": "string",
    "status_code": "string",
    "status_detail": "string",
    "status_id": 0,
    "time": 0,
    "time_dt": "2019-08-24T14:15:22Z",
    "timezone_offset": 0,
    "type_name": "string",
    "type_uid": 0,
    "unmapped": {}
  },
  "meta": {
    "stats": {},
    "api": {}
  }
}

Query Groups

Request

Returns a list of Group objects wrapped in the OCSF Entity Management event of type Read from the token-linked identity provider.

Query
metaArray of strings or null

Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta function are available at every endpoint.

limitinteger or null

Number of users to return. Defaults to 100.

cursorstring or null

Start search from cursor position.

orderArray of strings or null

Select a field to order the results by. Defaults to uid. To control the direction of the sorting, append [asc] or [desc] to the field name. For example, email_addr[asc] will sort the results by email_addr in ascending order. The ordering defaults to asc if not specified.

filterArray of strings or null

Filter results by this query. For more information on filtering, refer to our Filtering Guide. Defaults to no filter. If used more than once, the queries are ANDed together.

curl -i -X GET \
  'https://api.synqly.com/v1/identity/groups?cursor=string&filter=string&limit=0&meta=string&order=string' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Bodyapplication/json
resultArray of objects(ocsfv1.3.0entitymanagementEntityManagement)required

List groups wrapped in the OCSF Entity Management event of type Read.

result[].​activity_idinteger(ocsfv1.3.0entitymanagementActivityId)required

ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: Create a new managed entity. 2 - Read: Read an existing managed entity. 3 - Update: Update an existing managed entity. 4 - Delete: Delete a managed entity. 5 - Move: Move or rename an existing managed entity. 6 - Enroll: Enroll an existing managed entity. 7 - Unenroll: Unenroll an existing managed entity. 8 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 9 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 10 - Activate: Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 11 - Deactivate: Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 12 - Suspend: Suspend an existing managed entity. 13 - Resume: Resume (unsuspend) an existing managed entity. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

result[].​category_uidinteger(ocsfv1.3.0entitymanagementCategoryUid)required

CategoryUid is an enum, and the following values are allowed. 3 - AccessManagement: Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.

result[].​class_uidinteger(ocsfv1.3.0entitymanagementClassUid)required

ClassUid is an enum, and the following values are allowed. 3004 - EntityManagement: Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.

result[].​entityobject(ocsfv1.3.0entitymanagementManagedEntity)required

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.

result[].​entity.​dataany or null

The managed entity content as a JSON object.

result[].​entity.​deviceobject(ocsfv1.3.0entitymanagementDevice)

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

result[].​entity.​emailobject(ocsfv1.3.0entitymanagementEmail)

The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email.

result[].​entity.​groupobject(ocsfv1.3.0entitymanagementGroup)

The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.

result[].​entity.​namestring or null

The name of the managed entity.

result[].​entity.​orgobject(ocsfv1.3.0entitymanagementOrganization)

The Organization object describes characteristics of an organization or company and its division if any.

result[].​entity.​policyobject(ocsfv1.3.0entitymanagementPolicy)

The Policy object describes the policies that are applicable.

Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.

result[].​entity.​typestring or null

The managed entity type. For example: policy, user, organizational unit, device.

result[].​entity.​type_idinteger(ocsfv1.3.0entitymanagementManagedEntity_TypeId)

ManagedEntityTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Device: A managed Device entity. This item corresponds to population of the device attribute. 2 - User: A managed User entity. This item corresponds to population of the user attribute. 3 - Group: A managed Group entity. This item corresponds to population of the group attribute. 4 - Organization: A managed Organization entity. This item corresponds to population of the org attribute. 5 - Policy: A managed Policy entity. This item corresponds to population of the policy attribute. 6 - Email: A managed Email entity. This item corresponds to population of the email attribute. 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

result[].​entity.​uidstring or null

The identifier of the managed entity.

result[].​entity.​userobject(ocsfv1.3.0entitymanagementUser)

The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

result[].​entity.​versionstring or null

The version of the managed entity. For example: 1.2.3.

result[].​metadataobject(ocsfv1.3.0entitymanagementMetadata)required

The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.

result[].​metadata.​productobject(ocsfv1.3.0entitymanagementProduct)required

The Product object describes characteristics of a software product.

result[].​metadata.​product.​vendor_namestringrequired

The name of the vendor of the product.

result[].​metadata.​product.​cpe_namestring or null

The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.

result[].​metadata.​product.​featureobject(ocsfv1.3.0entitymanagementFeature)

The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.

result[].​metadata.​product.​langstring or null

The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

result[].​metadata.​product.​namestring or null

The name of the product.

result[].​metadata.​product.​pathstring or null

The installation path of the product.

result[].​metadata.​product.​uidstring or null

The unique identifier of the product.

result[].​metadata.​product.​url_stringstring(ocsfv1.3.0entitymanagementURLString)

Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

result[].​metadata.​product.​versionstring or null

The version of the product, as defined by the event source. For example: 2013.1.3-beta.

result[].​metadata.​versionstringrequired

The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

result[].​metadata.​correlation_uidstring or null

The unique identifier used to correlate events.

result[].​metadata.​event_codestring or null

The Event ID or Code that the product uses to describe the event.

result[].​metadata.​extensionobject(ocsfv1.3.0entitymanagementExtension)

The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.

result[].​metadata.​extensionsArray of objects or null(ocsfv1.3.0entitymanagementExtension)

The schema extensions used to create the event.

result[].​metadata.​labelsArray of strings or null

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: ["network", "connection.ip:destination", "device.ip:source"]
result[].​metadata.​log_levelstring or null

The audit level at which an event was generated.

result[].​metadata.​log_namestring or null

The event log name. For example, syslog file name or Windows logging subsystem: Security.

result[].​metadata.​log_providerstring or null

The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

result[].​metadata.​log_versionstring or null

The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

result[].​metadata.​logged_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​logged_time_dtstring or null(date-time)

The time when the logging system collected and logged the event.

This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
result[].​metadata.​loggersArray of objects or null(ocsfv1.3.0entitymanagementLogger)

An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.

result[].​metadata.​modified_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​modified_time_dtstring or null(date-time)

The time when the event was last modified or enriched.

result[].​metadata.​original_timestring or null

The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.

result[].​metadata.​processed_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​processed_time_dtstring or null(date-time)

The event processed time, such as an ETL operation.

result[].​metadata.​profilesArray of strings or null

The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

result[].​metadata.​sequenceinteger or null

Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

result[].​metadata.​tenant_uidstring or null

The unique tenant identifier.

result[].​metadata.​uidstring or null

The logging system-assigned unique identifier of an event instance.

result[].​severity_idinteger(ocsfv1.3.0entitymanagementSeverityId)required

SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

result[].​timeinteger(ocsfv1.3.0entitymanagementTimestamp)required

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​type_uidinteger(ocsfv1.3.0entitymanagementTypeUid)required

TypeUid is an enum, and the following values are allowed. 300400 - Unknown 300401 - Create: Create a new managed entity. 300402 - Read: Read an existing managed entity. 300403 - Update: Update an existing managed entity. 300404 - Delete: Delete a managed entity. 300405 - Move: Move or rename an existing managed entity. 300406 - Enroll: Enroll an existing managed entity. 300407 - Unenroll: Unenroll an existing managed entity. 300408 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300409 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300410 - Activate: Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 300411 - Deactivate: Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 300412 - Suspend: Suspend an existing managed entity. 300413 - Resume: Resume (unsuspend) an existing managed entity. 300499 - Other

result[].​access_listArray of strings or null

The list of requested access rights.

result[].​access_maskinteger or null

The access mask in a platform-native format.

result[].​activity_namestring or null

The event activity name, as defined by the activity_id.

result[].​actorobject(ocsfv1.3.0entitymanagementActor)

The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.

result[].​apiobject(ocsfv1.3.0entitymanagementApi)

The API, or Application Programming Interface, object represents information pertaining to an API request and response.

result[].​category_namestring or null

The event category name, as defined by category_uid value: Identity & Access Management.

result[].​cloudobject(ocsfv1.3.0entitymanagementCloud)

The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.

result[].​commentstring or null

The user provided comment about why the entity was changed.

result[].​countinteger or null

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

result[].​custom_fieldsobject(ocsfv1.3.0entitymanagementObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

result[].​deviceobject(ocsfv1.3.0entitymanagementDevice)

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

result[].​durationinteger or null

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

result[].​end_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​end_time_dtstring or null(date-time)

The end time of a time period, or the time of the most recent event included in the aggregate event.

result[].​enrichmentsArray of objects or null(ocsfv1.3.0entitymanagementEnrichment)

The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:

[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

result[].​entity_resultobject(ocsfv1.3.0entitymanagementManagedEntity)

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.

result[].​http_requestobject(ocsfv1.3.0entitymanagementHttpRequest)

The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.

result[].​messagestring or null

The description of the event/finding, as defined by the source.

result[].​observablesArray of objects or null(ocsfv1.3.0entitymanagementObservable)

The observables associated with the event or a finding.

result[].​osintArray of objects or null(ocsfv1.3.0entitymanagementOsint)

The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

result[].​raw_datastring or null

The raw event/finding data as received from the source.

result[].​severitystring or null

The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

result[].​src_endpointobject(ocsfv1.3.0entitymanagementNetworkEndpoint)

The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.

result[].​start_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​start_time_dtstring or null(date-time)

The start time of a time period, or the time of the least recent event included in the aggregate event.

result[].​statusstring or null

The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.

result[].​status_codestring or null

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.

result[].​status_detailstring or null

The status detail contains additional information about the event/finding outcome.

result[].​status_idinteger(ocsfv1.3.0entitymanagementStatusId)

StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

result[].​time_dtstring or null(date-time)

The normalized event occurrence time or the finding creation time.

result[].​timezone_offsetinteger or null

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

result[].​type_namestring or null

The event/finding type name, as defined by the type_uid.

result[].​unmappedobject(ocsfv1.3.0entitymanagementObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

cursorstringrequired

Cursor to use to retrieve the next page of results

metaobject(MetaResponse)
Response
application/json
{
  "result": [
    {}
  ],
  "cursor": "string",
  "meta": {
    "stats": {},
    "api": {}
  }
}

Get Group

Request

Returns a Group object wrapped in an OCSF Entity Management event of type Read from the token-linked identity provider. Depending on the providers offerings, this may include additional group information, such as the roles assigned.

Path
groupIdstring(GroupId)required

The unique identifier for a group in the identity provider's system

curl -i -X GET \
  'https://api.synqly.com/v1/identity/groups/{groupId}' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Bodyapplication/json
resultobject(ocsfv1.3.0entitymanagementEntityManagement)required

Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.

result.​activity_idinteger(ocsfv1.3.0entitymanagementActivityId)required

ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: Create a new managed entity. 2 - Read: Read an existing managed entity. 3 - Update: Update an existing managed entity. 4 - Delete: Delete a managed entity. 5 - Move: Move or rename an existing managed entity. 6 - Enroll: Enroll an existing managed entity. 7 - Unenroll: Unenroll an existing managed entity. 8 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 9 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 10 - Activate: Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 11 - Deactivate: Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 12 - Suspend: Suspend an existing managed entity. 13 - Resume: Resume (unsuspend) an existing managed entity. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

result.​category_uidinteger(ocsfv1.3.0entitymanagementCategoryUid)required

CategoryUid is an enum, and the following values are allowed. 3 - AccessManagement: Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.

result.​class_uidinteger(ocsfv1.3.0entitymanagementClassUid)required

ClassUid is an enum, and the following values are allowed. 3004 - EntityManagement: Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.

result.​entityobject(ocsfv1.3.0entitymanagementManagedEntity)required

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.

result.​entity.​dataany or null

The managed entity content as a JSON object.

result.​entity.​deviceobject(ocsfv1.3.0entitymanagementDevice)

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

result.​entity.​emailobject(ocsfv1.3.0entitymanagementEmail)

The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email.

result.​entity.​groupobject(ocsfv1.3.0entitymanagementGroup)

The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.

result.​entity.​namestring or null

The name of the managed entity.

result.​entity.​orgobject(ocsfv1.3.0entitymanagementOrganization)

The Organization object describes characteristics of an organization or company and its division if any.

result.​entity.​policyobject(ocsfv1.3.0entitymanagementPolicy)

The Policy object describes the policies that are applicable.

Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.

result.​entity.​typestring or null

The managed entity type. For example: policy, user, organizational unit, device.

result.​entity.​type_idinteger(ocsfv1.3.0entitymanagementManagedEntity_TypeId)

ManagedEntityTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Device: A managed Device entity. This item corresponds to population of the device attribute. 2 - User: A managed User entity. This item corresponds to population of the user attribute. 3 - Group: A managed Group entity. This item corresponds to population of the group attribute. 4 - Organization: A managed Organization entity. This item corresponds to population of the org attribute. 5 - Policy: A managed Policy entity. This item corresponds to population of the policy attribute. 6 - Email: A managed Email entity. This item corresponds to population of the email attribute. 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

result.​entity.​uidstring or null

The identifier of the managed entity.

result.​entity.​userobject(ocsfv1.3.0entitymanagementUser)

The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

result.​entity.​versionstring or null

The version of the managed entity. For example: 1.2.3.

result.​metadataobject(ocsfv1.3.0entitymanagementMetadata)required

The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.

result.​metadata.​productobject(ocsfv1.3.0entitymanagementProduct)required

The Product object describes characteristics of a software product.

result.​metadata.​product.​vendor_namestringrequired

The name of the vendor of the product.

result.​metadata.​product.​cpe_namestring or null

The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.

result.​metadata.​product.​featureobject(ocsfv1.3.0entitymanagementFeature)

The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.

result.​metadata.​product.​langstring or null

The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

result.​metadata.​product.​namestring or null

The name of the product.

result.​metadata.​product.​pathstring or null

The installation path of the product.

result.​metadata.​product.​uidstring or null

The unique identifier of the product.

result.​metadata.​product.​url_stringstring(ocsfv1.3.0entitymanagementURLString)

Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

result.​metadata.​product.​versionstring or null

The version of the product, as defined by the event source. For example: 2013.1.3-beta.

result.​metadata.​versionstringrequired

The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

result.​metadata.​correlation_uidstring or null

The unique identifier used to correlate events.

result.​metadata.​event_codestring or null

The Event ID or Code that the product uses to describe the event.

result.​metadata.​extensionobject(ocsfv1.3.0entitymanagementExtension)

The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.

result.​metadata.​extensionsArray of objects or null(ocsfv1.3.0entitymanagementExtension)

The schema extensions used to create the event.

result.​metadata.​labelsArray of strings or null

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: ["network", "connection.ip:destination", "device.ip:source"]
result.​metadata.​log_levelstring or null

The audit level at which an event was generated.

result.​metadata.​log_namestring or null

The event log name. For example, syslog file name or Windows logging subsystem: Security.

result.​metadata.​log_providerstring or null

The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

result.​metadata.​log_versionstring or null

The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

result.​metadata.​logged_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result.​metadata.​logged_time_dtstring or null(date-time)

The time when the logging system collected and logged the event.

This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
result.​metadata.​loggersArray of objects or null(ocsfv1.3.0entitymanagementLogger)

An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.

result.​metadata.​modified_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result.​metadata.​modified_time_dtstring or null(date-time)

The time when the event was last modified or enriched.

result.​metadata.​original_timestring or null

The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.

result.​metadata.​processed_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result.​metadata.​processed_time_dtstring or null(date-time)

The event processed time, such as an ETL operation.

result.​metadata.​profilesArray of strings or null

The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

result.​metadata.​sequenceinteger or null

Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

result.​metadata.​tenant_uidstring or null

The unique tenant identifier.

result.​metadata.​uidstring or null

The logging system-assigned unique identifier of an event instance.

result.​severity_idinteger(ocsfv1.3.0entitymanagementSeverityId)required

SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

result.​timeinteger(ocsfv1.3.0entitymanagementTimestamp)required

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result.​type_uidinteger(ocsfv1.3.0entitymanagementTypeUid)required

TypeUid is an enum, and the following values are allowed. 300400 - Unknown 300401 - Create: Create a new managed entity. 300402 - Read: Read an existing managed entity. 300403 - Update: Update an existing managed entity. 300404 - Delete: Delete a managed entity. 300405 - Move: Move or rename an existing managed entity. 300406 - Enroll: Enroll an existing managed entity. 300407 - Unenroll: Unenroll an existing managed entity. 300408 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300409 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300410 - Activate: Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 300411 - Deactivate: Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 300412 - Suspend: Suspend an existing managed entity. 300413 - Resume: Resume (unsuspend) an existing managed entity. 300499 - Other

result.​access_listArray of strings or null

The list of requested access rights.

result.​access_maskinteger or null

The access mask in a platform-native format.

result.​activity_namestring or null

The event activity name, as defined by the activity_id.

result.​actorobject(ocsfv1.3.0entitymanagementActor)

The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.

result.​apiobject(ocsfv1.3.0entitymanagementApi)

The API, or Application Programming Interface, object represents information pertaining to an API request and response.

result.​category_namestring or null

The event category name, as defined by category_uid value: Identity & Access Management.

result.​cloudobject(ocsfv1.3.0entitymanagementCloud)

The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.

result.​commentstring or null

The user provided comment about why the entity was changed.

result.​countinteger or null

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

result.​custom_fieldsobject(ocsfv1.3.0entitymanagementObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

result.​deviceobject(ocsfv1.3.0entitymanagementDevice)

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

result.​durationinteger or null

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

result.​end_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result.​end_time_dtstring or null(date-time)

The end time of a time period, or the time of the most recent event included in the aggregate event.

result.​enrichmentsArray of objects or null(ocsfv1.3.0entitymanagementEnrichment)

The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:

[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

result.​entity_resultobject(ocsfv1.3.0entitymanagementManagedEntity)

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.

result.​http_requestobject(ocsfv1.3.0entitymanagementHttpRequest)

The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.

result.​messagestring or null

The description of the event/finding, as defined by the source.

result.​observablesArray of objects or null(ocsfv1.3.0entitymanagementObservable)

The observables associated with the event or a finding.

result.​osintArray of objects or null(ocsfv1.3.0entitymanagementOsint)

The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

result.​raw_datastring or null

The raw event/finding data as received from the source.

result.​severitystring or null

The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

result.​src_endpointobject(ocsfv1.3.0entitymanagementNetworkEndpoint)

The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.

result.​start_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result.​start_time_dtstring or null(date-time)

The start time of a time period, or the time of the least recent event included in the aggregate event.

result.​statusstring or null

The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.

result.​status_codestring or null

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.

result.​status_detailstring or null

The status detail contains additional information about the event/finding outcome.

result.​status_idinteger(ocsfv1.3.0entitymanagementStatusId)

StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

result.​time_dtstring or null(date-time)

The normalized event occurrence time or the finding creation time.

result.​timezone_offsetinteger or null

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

result.​type_namestring or null

The event/finding type name, as defined by the type_uid.

result.​unmappedobject(ocsfv1.3.0entitymanagementObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

metaobject(MetaResponse)
Response
application/json
{
  "result": {
    "access_list": [],
    "access_mask": 0,
    "activity_id": 0,
    "activity_name": "string",
    "actor": {},
    "api": {},
    "category_name": "string",
    "category_uid": 0,
    "class_uid": 0,
    "cloud": {},
    "comment": "string",
    "count": 0,
    "custom_fields": {},
    "device": {},
    "duration": 0,
    "end_time": 0,
    "end_time_dt": "2019-08-24T14:15:22Z",
    "enrichments": [],
    "entity": {},
    "entity_result": {},
    "http_request": {},
    "message": "string",
    "metadata": {},
    "observables": [],
    "osint": [],
    "raw_data": "string",
    "severity": "string",
    "severity_id": 0,
    "src_endpoint": {},
    "start_time": 0,
    "start_time_dt": "2019-08-24T14:15:22Z",
    "status": "string",
    "status_code": "string",
    "status_detail": "string",
    "status_id": 0,
    "time": 0,
    "time_dt": "2019-08-24T14:15:22Z",
    "timezone_offset": 0,
    "type_name": "string",
    "type_uid": 0,
    "unmapped": {}
  },
  "meta": {
    "stats": {},
    "api": {}
  }
}

Get Group Members

Request

Returns list of User objects wrapped in an OCSF Entity Management event of type Read from the token-linked identity provider that are members in the group referenced by ID.

Path
groupIdstring(GroupId)required

The unique identifier for a group in the identity provider's system

Query
metaArray of strings or null

Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta function are available at every endpoint.

limitinteger or null

Number of users to return. Defaults to 100.

cursorstring or null

Start search from cursor position.

curl -i -X GET \
  'https://api.synqly.com/v1/identity/groups/{groupId}/members?cursor=string&limit=0&meta=string' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Bodyapplication/json
resultArray of objects(ocsfv1.3.0entitymanagementEntityManagement)required

List of users wrapped in the OCSF Entity Management event of type Read that are members in the group referenced by ID.

result[].​activity_idinteger(ocsfv1.3.0entitymanagementActivityId)required

ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: Create a new managed entity. 2 - Read: Read an existing managed entity. 3 - Update: Update an existing managed entity. 4 - Delete: Delete a managed entity. 5 - Move: Move or rename an existing managed entity. 6 - Enroll: Enroll an existing managed entity. 7 - Unenroll: Unenroll an existing managed entity. 8 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 9 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 10 - Activate: Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 11 - Deactivate: Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 12 - Suspend: Suspend an existing managed entity. 13 - Resume: Resume (unsuspend) an existing managed entity. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.

result[].​category_uidinteger(ocsfv1.3.0entitymanagementCategoryUid)required

CategoryUid is an enum, and the following values are allowed. 3 - AccessManagement: Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.

result[].​class_uidinteger(ocsfv1.3.0entitymanagementClassUid)required

ClassUid is an enum, and the following values are allowed. 3004 - EntityManagement: Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.

result[].​entityobject(ocsfv1.3.0entitymanagementManagedEntity)required

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.

result[].​entity.​dataany or null

The managed entity content as a JSON object.

result[].​entity.​deviceobject(ocsfv1.3.0entitymanagementDevice)

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

result[].​entity.​emailobject(ocsfv1.3.0entitymanagementEmail)

The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email.

result[].​entity.​groupobject(ocsfv1.3.0entitymanagementGroup)

The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.

result[].​entity.​namestring or null

The name of the managed entity.

result[].​entity.​orgobject(ocsfv1.3.0entitymanagementOrganization)

The Organization object describes characteristics of an organization or company and its division if any.

result[].​entity.​policyobject(ocsfv1.3.0entitymanagementPolicy)

The Policy object describes the policies that are applicable.

Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.

result[].​entity.​typestring or null

The managed entity type. For example: policy, user, organizational unit, device.

result[].​entity.​type_idinteger(ocsfv1.3.0entitymanagementManagedEntity_TypeId)

ManagedEntityTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Device: A managed Device entity. This item corresponds to population of the device attribute. 2 - User: A managed User entity. This item corresponds to population of the user attribute. 3 - Group: A managed Group entity. This item corresponds to population of the group attribute. 4 - Organization: A managed Organization entity. This item corresponds to population of the org attribute. 5 - Policy: A managed Policy entity. This item corresponds to population of the policy attribute. 6 - Email: A managed Email entity. This item corresponds to population of the email attribute. 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.

result[].​entity.​uidstring or null

The identifier of the managed entity.

result[].​entity.​userobject(ocsfv1.3.0entitymanagementUser)

The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.

result[].​entity.​versionstring or null

The version of the managed entity. For example: 1.2.3.

result[].​metadataobject(ocsfv1.3.0entitymanagementMetadata)required

The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.

result[].​metadata.​productobject(ocsfv1.3.0entitymanagementProduct)required

The Product object describes characteristics of a software product.

result[].​metadata.​product.​vendor_namestringrequired

The name of the vendor of the product.

result[].​metadata.​product.​cpe_namestring or null

The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.

result[].​metadata.​product.​featureobject(ocsfv1.3.0entitymanagementFeature)

The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.

result[].​metadata.​product.​langstring or null

The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).

result[].​metadata.​product.​namestring or null

The name of the product.

result[].​metadata.​product.​pathstring or null

The installation path of the product.

result[].​metadata.​product.​uidstring or null

The unique identifier of the product.

result[].​metadata.​product.​url_stringstring(ocsfv1.3.0entitymanagementURLString)

Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.

result[].​metadata.​product.​versionstring or null

The version of the product, as defined by the event source. For example: 2013.1.3-beta.

result[].​metadata.​versionstringrequired

The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.

result[].​metadata.​correlation_uidstring or null

The unique identifier used to correlate events.

result[].​metadata.​event_codestring or null

The Event ID or Code that the product uses to describe the event.

result[].​metadata.​extensionobject(ocsfv1.3.0entitymanagementExtension)

The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.

result[].​metadata.​extensionsArray of objects or null(ocsfv1.3.0entitymanagementExtension)

The schema extensions used to create the event.

result[].​metadata.​labelsArray of strings or null

The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.

For example: ["network", "connection.ip:destination", "device.ip:source"]
result[].​metadata.​log_levelstring or null

The audit level at which an event was generated.

result[].​metadata.​log_namestring or null

The event log name. For example, syslog file name or Windows logging subsystem: Security.

result[].​metadata.​log_providerstring or null

The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.

result[].​metadata.​log_versionstring or null

The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.

result[].​metadata.​logged_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​logged_time_dtstring or null(date-time)

The time when the logging system collected and logged the event.

This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
result[].​metadata.​loggersArray of objects or null(ocsfv1.3.0entitymanagementLogger)

An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.

result[].​metadata.​modified_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​modified_time_dtstring or null(date-time)

The time when the event was last modified or enriched.

result[].​metadata.​original_timestring or null

The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.

result[].​metadata.​processed_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​metadata.​processed_time_dtstring or null(date-time)

The event processed time, such as an ETL operation.

result[].​metadata.​profilesArray of strings or null

The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.

result[].​metadata.​sequenceinteger or null

Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.

result[].​metadata.​tenant_uidstring or null

The unique tenant identifier.

result[].​metadata.​uidstring or null

The logging system-assigned unique identifier of an event instance.

result[].​severity_idinteger(ocsfv1.3.0entitymanagementSeverityId)required

SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.

result[].​timeinteger(ocsfv1.3.0entitymanagementTimestamp)required

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​type_uidinteger(ocsfv1.3.0entitymanagementTypeUid)required

TypeUid is an enum, and the following values are allowed. 300400 - Unknown 300401 - Create: Create a new managed entity. 300402 - Read: Read an existing managed entity. 300403 - Update: Update an existing managed entity. 300404 - Delete: Delete a managed entity. 300405 - Move: Move or rename an existing managed entity. 300406 - Enroll: Enroll an existing managed entity. 300407 - Unenroll: Unenroll an existing managed entity. 300408 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300409 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300410 - Activate: Activate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 300411 - Deactivate: Deactivate an existing managed entity. Note: This is a typically regarded as a transient change, a change of state of the engine. 300412 - Suspend: Suspend an existing managed entity. 300413 - Resume: Resume (unsuspend) an existing managed entity. 300499 - Other

result[].​access_listArray of strings or null

The list of requested access rights.

result[].​access_maskinteger or null

The access mask in a platform-native format.

result[].​activity_namestring or null

The event activity name, as defined by the activity_id.

result[].​actorobject(ocsfv1.3.0entitymanagementActor)

The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.

result[].​apiobject(ocsfv1.3.0entitymanagementApi)

The API, or Application Programming Interface, object represents information pertaining to an API request and response.

result[].​category_namestring or null

The event category name, as defined by category_uid value: Identity & Access Management.

result[].​cloudobject(ocsfv1.3.0entitymanagementCloud)

The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.

result[].​commentstring or null

The user provided comment about why the entity was changed.

result[].​countinteger or null

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

result[].​custom_fieldsobject(ocsfv1.3.0entitymanagementObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

result[].​deviceobject(ocsfv1.3.0entitymanagementDevice)

The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.

result[].​durationinteger or null

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

result[].​end_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​end_time_dtstring or null(date-time)

The end time of a time period, or the time of the most recent event included in the aggregate event.

result[].​enrichmentsArray of objects or null(ocsfv1.3.0entitymanagementEnrichment)

The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:

[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

result[].​entity_resultobject(ocsfv1.3.0entitymanagementManagedEntity)

The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.

result[].​http_requestobject(ocsfv1.3.0entitymanagementHttpRequest)

The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.

result[].​messagestring or null

The description of the event/finding, as defined by the source.

result[].​observablesArray of objects or null(ocsfv1.3.0entitymanagementObservable)

The observables associated with the event or a finding.

result[].​osintArray of objects or null(ocsfv1.3.0entitymanagementOsint)

The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

result[].​raw_datastring or null

The raw event/finding data as received from the source.

result[].​severitystring or null

The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.

result[].​src_endpointobject(ocsfv1.3.0entitymanagementNetworkEndpoint)

The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.

result[].​start_timeinteger(ocsfv1.3.0entitymanagementTimestamp)

The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.

result[].​start_time_dtstring or null(date-time)

The start time of a time period, or the time of the least recent event included in the aggregate event.

result[].​statusstring or null

The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.

result[].​status_codestring or null

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.

result[].​status_detailstring or null

The status detail contains additional information about the event/finding outcome.

result[].​status_idinteger(ocsfv1.3.0entitymanagementStatusId)

StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

result[].​time_dtstring or null(date-time)

The normalized event occurrence time or the finding creation time.

result[].​timezone_offsetinteger or null

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

result[].​type_namestring or null

The event/finding type name, as defined by the type_uid.

result[].​unmappedobject(ocsfv1.3.0entitymanagementObject)

An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.

cursorstringrequired

Cursor to use to retrieve the next page of results

metaobject(MetaResponse)
Response
application/json
{
  "result": [
    {}
  ],
  "cursor": "string",
  "meta": {
    "stats": {},
    "api": {}
  }
}

Enable User

Request

Reenables a disabled user in the identity system based on user ID.

Path
userIdstring(UserId)required

The unique identifier for a user in the identity provider's system

curl -i -X POST \
  'https://api.synqly.com/v1/identity/users/{userId}/actions/enable' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Response
No content

Disable User

Request

Disables a user in the identity system based on user ID.

Path
userIdstring(UserId)required

The unique identifier for a user in the identity provider's system

curl -i -X POST \
  'https://api.synqly.com/v1/identity/users/{userId}/actions/disable' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Response
No content

Force User Password Reset

Request

Forces a user to reset their password before they can log in again.

Path
userIdstring(UserId)required

The unique identifier for a user in the identity provider's system

curl -i -X POST \
  'https://api.synqly.com/v1/identity/users/{userId}/actions/force_reset_password' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Response
No content

Expire All User Sessions

Request

Logs a user out of all current sessions so they must log in again.

Path
userIdstring(UserId)required

The unique identifier for a user in the identity provider's system

curl -i -X POST \
  'https://api.synqly.com/v1/identity/users/{userId}/actions/expire_all_sessions' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'

Responses

Response
No content

Notifications

Operations

Operations (In Development)

In Development

This feature is actively being developed. Breaking changes should be expected.

Please contact us before using this feature.

Operations

Siem

Operations

Sink

Operations

Storage

Operations

Ticketing

Operations

Vulnerabilities

Operations