The Synqly Connector APIs provide a unifying interface and data model for all supported service Providers.
See the Synqly Overview for more information.
Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta functions are available at every endpoint.
Select a field to order the results by. Defaults to time. To control the direction of the sorting, append [asc] or [desc] to the field name. For example, time[asc] will sort the results by time in ascending order. The ordering defaults to asc if not specified.
curl -i -X GET \
'https://api.synqly.com/v1/identity/audit?cursor=string&filter=string&limit=0&meta=string&order=string' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
List of events from the audit log. Each event will be one of the OCSF Types Account Change, Authentication, or Group Management.
Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: A user/role was created. 2 - Enable: A user/role was enabled. 3 - PasswordChange: An attempt was made to change an account's password. 4 - PasswordReset: An attempt was made to reset an account's password. 5 - Disable: A user/role was disabled. 6 - Delete: A user/role was deleted. 7 - AttachPolicy: An IAM Policy was attached to a user/role. 8 - DetachPolicy: An IAM Policy was detached from a user/role. 9 - Lock: A user account was locked out. 10 - MFAFactorEnable: An authentication factor was enabled for an account. 11 - MFAFactorDisable: An authentication factor was disabled for an account. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
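The request format above (Bearer token, `order` as `field[asc]` or `field[desc]`, a `cursor` returned with each page) and the Account Change `activity_id` enum are enough to write a small consumer. The following is an added example, not Synqly's own client code: it builds the query string, follows the cursor until the service stops returning one (an assumption about cursor semantics; the page only shows that a cursor is returned), and flags account changes a defender would usually want a second look at. The choice of which activities to flag (REVIEW_ACTIVITIES) is the example's own policy, and the sample response pages are constructed, shaped after the response skeleton shown on this page.

```python
"""Page through /v1/identity/audit and triage OCSF Account Change events.

Added example; not part of the Synqly documentation or SDK. Assumptions are
marked inline.
"""
import json
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

BASE_URL = "https://api.synqly.com/v1/identity/audit"

# activity_id values for OCSF class 3001 (Account Change), as listed on the page.
ACCOUNT_CHANGE_ACTIVITY = {
    0: "Unknown", 1: "Create", 2: "Enable", 3: "PasswordChange",
    4: "PasswordReset", 5: "Disable", 6: "Delete", 7: "AttachPolicy",
    8: "DetachPolicy", 9: "Lock", 10: "MFAFactorEnable",
    11: "MFAFactorDisable", 99: "Other",
}

# Policy choice for this example (assumption): activities that change an
# account's security posture and are worth routing to a reviewer.
REVIEW_ACTIVITIES = {"MFAFactorDisable", "AttachPolicy", "PasswordReset", "Lock"}


def build_audit_url(order_field="time", direction="asc", limit=100, cursor=None):
    """Compose the query string in the documented form, e.g. order=time[asc]."""
    if direction not in ("asc", "desc"):
        raise ValueError("direction must be 'asc' or 'desc'")
    params = {"order": f"{order_field}[{direction}]", "limit": limit}
    if cursor:
        params["cursor"] = cursor
    return f"{BASE_URL}?{urlencode(params)}"


def fetch_page(url, token):
    """Perform the real HTTP GET shown in the curl example (not run offline)."""
    req = Request(url, headers={"Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:
        return json.load(resp)


def iter_audit_events(token, fetch=fetch_page, **url_kwargs):
    """Yield events across pages; stop when no cursor (or a repeated one) comes back.

    Assumption: an empty or missing cursor marks the last page. The repeat
    check guards against looping forever on a service that echoes the cursor.
    """
    cursor, seen = None, set()
    while True:
        page = fetch(build_audit_url(cursor=cursor, **url_kwargs), token)
        yield from page.get("result", [])
        cursor = page.get("cursor")
        if not cursor or cursor in seen:
            break
        seen.add(cursor)


def triage(events):
    """Return (activity name, user name) pairs for Account Change events to review."""
    flagged = []
    for ev in events:
        if ev.get("class_uid") != 3001:  # only Account Change events here
            continue
        name = ACCOUNT_CHANGE_ACTIVITY.get(ev.get("activity_id"), "Other")
        if name == "Other":
            # Unmapped activity: fall back to the data-source-specific name.
            name = ev.get("activity_name", "Other")
        if name in REVIEW_ACTIVITIES:
            flagged.append((name, (ev.get("user") or {}).get("name")))
    return flagged


# Constructed sample pages (not real API output), keyed by the cursor used to request them.
SAMPLE_PAGES = {
    None: {"result": [
        {"class_uid": 3001, "activity_id": 1, "time": 1618524549901, "user": {"name": "alice"}},
        {"class_uid": 3001, "activity_id": 11, "time": 1618524549902, "user": {"name": "bob"}},
    ], "cursor": "page2"},
    "page2": {"result": [
        {"class_uid": 3001, "activity_id": 99, "activity_name": "role_assumed",
         "time": 1618524549903, "user": {"name": "carol"}},
        {"class_uid": 3002, "activity_id": 1, "time": 1618524549904,  # Authentication event
         "user": {"name": "dave"}},
    ], "cursor": ""},
}


def offline_fetch(url, token):
    """Stand-in for fetch_page that serves the constructed pages by cursor."""
    cursor = parse_qs(urlparse(url).query).get("cursor", [None])[0]
    return SAMPLE_PAGES[cursor]


def run_offline():
    """Walk the constructed pages and return what would be flagged for review."""
    return triage(list(iter_audit_events("dummy-token", fetch=offline_fetch, limit=2)))


if __name__ == "__main__":
    print(run_offline())
```

Swap `offline_fetch` for the default `fetch_page` and a real token to run against the live endpoint; the `filter` and `meta` parameters from the curl example are left out because the page does not describe their syntax.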
CategoryUid is an enum, and the following values are allowed. 3 - AccessManagement: Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.
ClassUid is an enum, and the following values are allowed. 3001 - AccountChange: Account Change events report when specific user account management tasks are performed, such as a user/role being created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name, as described by NIST. For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example: ["network", "connection.ip:destination", "device.ip:source"]
The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.
An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
TypeUid is an enum, and the following values are allowed. 300100 - Unknown 300101 - Create: A user/role was created. 300102 - Enable: A user/role was enabled. 300103 - PasswordChange: An attempt was made to change an account's password. 300104 - PasswordReset: An attempt was made to reset an account's password. 300105 - Disable: A user/role was disabled. 300106 - Delete: A user/role was deleted. 300107 - AttachPolicy: An IAM Policy was attached to a user/role. 300108 - DetachPolicy: An IAM Policy was detached from a user/role. 300109 - Lock: A user account was locked out. 300110 - MFAFactorEnable: An authentication factor was enabled for an account. 300111 - MFAFactorDisable: An authentication factor was disabled for an account. 300199 - Other
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
The Account object contains details about the account that initiated or performed a specific activity within a system or application.
The unique identifier of the user's credential. For example, AWS Access Key ID.
The domain where the user is defined. For example: the LDAP or Active Directory domain.
Email address. For example: john_doe@example.com.
The full name of the person, as per the LDAP Common Name attribute (cn).
The administrative groups to which the user belongs.
The additional LDAP attributes that describe a person.
The multi-factor authentication status, normalized to the caption of the mfa_status_id value. In the case of 'Other', it is defined by the data source.
UserMfaStatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Enabled: Multi-factor authentication is on for this user. 2 - NotEnabled: Multi-factor authentication is off for this user. 99 - Other: The event status is not mapped. See the user_status attribute, which contains a data source specific value.
The Organization object describes characteristics of an organization or company and its division if any.
The risk level, normalized to the caption of the risk_level_id value.
UserRiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
UserTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - User: Regular user account. 2 - Admin: Admin/root user account. 3 - System: System account. For example, Windows computer accounts with a trailing dollar sign ($). 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN.
The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
The user status, normalized to the caption of the user_status_id value. In the case of 'Other', it is defined by the data source.
UserUserStatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Active: The user is active. 2 - Pending: The user is not active, pending either user or admin action. 3 - Locked: The user account is locked requiring either time or intervention to unlock. 4 - Suspended: The user account is suspended. 5 - Deprovisioned: The user account has been deprovisioned and is pending removal. 99 - Other: The event status is not mapped. See the user_status attribute, which contains a data source specific value.
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The event category name, as defined by category_uid value: Identity & Access Management.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]
The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The Policy object describes the policies that are applicable.
Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
{ "result": [ { … } ], "cursor": "string", "meta": { "stats": { … }, "api": { … } } }
Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta functions are available at every endpoint.
Select a field to order the results by. Defaults to uid. To control the direction of the sorting, append [asc] or [desc] to the field name. For example, email_addr[asc] will sort the results by email_addr in ascending order. The ordering defaults to asc if not specified.
curl -i -X GET \
'https://api.synqly.com/v1/identity/users?cursor=string&filter=string&limit=0&meta=string&order=string' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
List users wrapped in the OCSF Entity Management event of type Read.
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: Create a new managed entity. 2 - Read: Read an existing managed entity. 3 - Update: Update an existing managed entity. 4 - Delete: Delete a managed entity. 5 - Move: Move or rename an existing managed entity. 6 - Enroll: Enroll an existing managed entity. 7 - Unenroll: Unenroll an existing managed entity. 8 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 9 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 10 - Activate: Activate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine. 11 - Deactivate: Deactivate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine. 12 - Suspend: Suspend an existing managed entity. 13 - Resume: Resume (unsuspend) an existing managed entity. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 3 - AccessManagement: Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.
ClassUid is an enum, and the following values are allowed. 3004 - EntityManagement: Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.
The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email.
The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.
The Organization object describes characteristics of an organization or company and its division if any.
The Policy object describes the policies that are applicable.
Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.
The managed entity type. For example: policy, user, organizational unit, device.
ManagedEntityTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Device: A managed Device entity. This item corresponds to population of the device attribute. 2 - User: A managed User entity. This item corresponds to population of the user attribute. 3 - Group: A managed Group entity. This item corresponds to population of the group attribute. 4 - Organization: A managed Organization entity. This item corresponds to population of the org attribute. 5 - Policy: A managed Policy entity. This item corresponds to population of the policy attribute. 6 - Email: A managed Email entity. This item corresponds to population of the email attribute. 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name, as described by NIST. For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example: ["network", "connection.ip:destination", "device.ip:source"]
The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.
An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
TypeUid is an enum, and the following values are allowed. 300400 - Unknown 300401 - Create: Create a new managed entity. 300402 - Read: Read an existing managed entity. 300403 - Update: Update an existing managed entity. 300404 - Delete: Delete a managed entity. 300405 - Move: Move or rename an existing managed entity. 300406 - Enroll: Enroll an existing managed entity. 300407 - Unenroll: Unenroll an existing managed entity. 300408 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300409 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300410 - Activate: Activate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine. 300411 - Deactivate: Deactivate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine. 300412 - Suspend: Suspend an existing managed entity. 300413 - Resume: Resume (unsuspend) an existing managed entity. 300499 - Other
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The event category name, as defined by category_uid value: Identity & Access Management.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]
The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.
The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
{ "result": [ { … } ], "cursor": "string", "meta": { "stats": { … }, "api": { … } } }
curl -i -X GET \
'https://api.synqly.com/v1/identity/users/{userId}' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: Create a new managed entity. 2 - Read: Read an existing managed entity. 3 - Update: Update an existing managed entity. 4 - Delete: Delete a managed entity. 5 - Move: Move or rename an existing managed entity. 6 - Enroll: Enroll an existing managed entity. 7 - Unenroll: Unenroll an existing managed entity. 8 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 9 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 10 - Activate: Activate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine. 11 - Deactivate: Deactivate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine. 12 - Suspend: Suspend an existing managed entity. 13 - Resume: Resume (unsuspend) an existing managed entity. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 3 - AccessManagement: Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.
ClassUid is an enum, and the following values are allowed. 3004 - EntityManagement: Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.
The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email.
The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.
The Organization object describes characteristics of an organization or company and its division if any.
The Policy object describes the policies that are applicable.
Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.
The managed entity type. For example: policy, user, organizational unit, device.
ManagedEntityTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - Device: A managed Device entity. This item corresponds to population of the device attribute.
2 - User: A managed User entity. This item corresponds to population of the user attribute.
3 - Group: A managed Group entity. This item corresponds to population of the group attribute.
4 - Organization: A managed Organization entity. This item corresponds to population of the org attribute.
5 - Policy: A managed Policy entity. This item corresponds to population of the policy attribute.
6 - Email: A managed Email entity. This item corresponds to population of the email attribute.
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by NIST. For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example: ["network", "connection.ip:destination", "device.ip:source"]
The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.
An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note: this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from a system event log such as Syslog on Unix/Linux or the System event file on Windows. Omit if the event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed.
0 - Unknown: The event/finding severity is unknown.
1 - Informational: Informational message. No action required.
2 - Low: The user decides if action is needed.
3 - Medium: Action is required but the situation is not serious at this time.
4 - High: Action is required immediately.
5 - Critical: Action is required immediately and the scope is broad.
6 - Fatal: An error occurred but it is too late to take remedial action.
99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
TypeUid is an enum, and the following values are allowed.
300400 - Unknown
300401 - Create: Create a new managed entity.
300402 - Read: Read an existing managed entity.
300403 - Update: Update an existing managed entity.
300404 - Delete: Delete a managed entity.
300405 - Move: Move or rename an existing managed entity.
300406 - Enroll: Enroll an existing managed entity.
300407 - Unenroll: Unenroll an existing managed entity.
300408 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change.
300409 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change.
300410 - Activate: Activate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine.
300411 - Deactivate: Deactivate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine.
300412 - Suspend: Suspend an existing managed entity.
300413 - Resume: Resume (unsuspend) an existing managed entity.
300499 - Other
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The event category name, as defined by category_uid value: Identity & Access Management.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example, add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]
The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.
The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed.
0 - Unknown: The status is unknown.
1 - Success
2 - Failure
99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
{
  "result": {
    "access_list": [ … ],
    "access_mask": 0,
    "activity_id": 0,
    "activity_name": "string",
    "actor": { … },
    "api": { … },
    "category_name": "string",
    "category_uid": 0,
    "class_uid": 0,
    "cloud": { … },
    "comment": "string",
    "count": 0,
    "custom_fields": {},
    "device": { … },
    "duration": 0,
    "end_time": 0,
    "end_time_dt": "2019-08-24T14:15:22Z",
    "enrichments": [ … ],
    "entity": { … },
    "entity_result": { … },
    "http_request": { … },
    "message": "string",
    "metadata": { … },
    "observables": [ … ],
    "osint": [ … ],
    "raw_data": "string",
    "severity": "string",
    "severity_id": 0,
    "src_endpoint": { … },
    "start_time": 0,
    "start_time_dt": "2019-08-24T14:15:22Z",
    "status": "string",
    "status_code": "string",
    "status_detail": "string",
    "status_id": 0,
    "time": 0,
    "time_dt": "2019-08-24T14:15:22Z",
    "timezone_offset": 0,
    "type_name": "string",
    "type_uid": 0,
    "unmapped": {}
  },
  "meta": {
    "stats": { … },
    "api": { … }
  }
}
Add metadata to the response by invoking meta functions. Documentation for meta functions is available at https://docs.synqly.com/api-reference/meta-functions. Not all meta functions are available at every endpoint.
Select a field to order the results by. Defaults to uid. To control the direction of the sorting, append [asc] or [desc] to the field name. For example, email_addr[asc] will sort the results by email_addr in ascending order. The ordering defaults to asc if not specified.
curl -i -X GET \
'https://api.synqly.com/v1/identity/groups?cursor=string&filter=string&limit=0&meta=string&order=string' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
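The order syntax and cursor paging described above, assembled into a small client, as an added example that is not Synqly's own SDK code. It uses the query parameters shown in the curl call (cursor, filter, limit, meta, order), the uid default and the email_addr[asc] form from the page, and a response shaped like the list response documented below ("result" list plus "cursor"). Two things are assumptions rather than page facts: that an empty or absent cursor marks the last page, and that the HTTP transport is a caller-supplied function, so the pages here are constructed and the code runs offline.

```python
"""Added example (not Synqly's own client code): build the list-groups request
URL using the documented order syntax and walk cursor-based pages.

Assumptions (not stated on the page): the response "cursor" is empty or absent
on the last page, and the transport is a caller-supplied function, so the
sample pages below are constructed and nothing is fetched over the network."""
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://api.synqly.com/v1/identity/groups"


def order_param(field: str, direction: Optional[str] = None) -> str:
    """Return the order value in the page's syntax: field, field[asc] or field[desc].
    Field names are restricted so nothing can smuggle extra query parameters."""
    if not field or not field.replace("_", "").replace(".", "").isalnum():
        raise ValueError(f"invalid field name: {field!r}")
    if direction is None:
        return field
    if direction not in ("asc", "desc"):
        raise ValueError("direction must be 'asc' or 'desc'")
    return f"{field}[{direction}]"


def build_url(order: Optional[str] = None, limit: Optional[int] = None,
              cursor: Optional[str] = None, filter_: Optional[str] = None) -> str:
    """Assemble the GET URL; urlencode percent-encodes the brackets in the order
    value (email_addr[asc] -> email_addr%5Basc%5D), which the server decodes."""
    params: Dict[str, str] = {}
    if order:
        params["order"] = order
    if limit is not None:
        if limit <= 0:
            raise ValueError("limit must be positive")
        params["limit"] = str(limit)
    if cursor:
        params["cursor"] = cursor
    if filter_:
        params["filter"] = filter_
    return BASE_URL + ("?" + urlencode(params) if params else "")


def iter_groups(fetch: Callable[[str], dict], order: Optional[str] = None,
                limit: int = 100, max_pages: int = 1000) -> Iterator[dict]:
    """Yield every wrapped event across pages, following the response cursor.
    max_pages bounds the loop so a misbehaving server cannot spin it forever."""
    cursor: Optional[str] = None
    for _ in range(max_pages):
        page = fetch(build_url(order=order, limit=limit, cursor=cursor))
        yield from page.get("result", [])
        cursor = page.get("cursor") or None
        if cursor is None:
            return
    raise RuntimeError("pagination did not terminate within max_pages")


# Constructed offline transport standing in for the real GET with the Bearer token.
_PAGES = {
    None: {"result": [{"activity_id": 2, "entity": {"type_id": 3}}], "cursor": "page-2"},
    "page-2": {"result": [{"activity_id": 2, "entity": {"type_id": 3}}], "cursor": ""},
}


def fake_fetch(url: str) -> dict:
    """Read the cursor back out of the URL and return the constructed page."""
    cursor = parse_qs(urlparse(url).query).get("cursor", [None])[0]
    return _PAGES[cursor]


def collect_all(order: Optional[str] = None) -> List[dict]:
    """Drain every page of the constructed transport into one list."""
    return list(iter_groups(fake_fetch, order=order, limit=1))


if __name__ == "__main__":
    print(build_url(order=order_param("email_addr", "asc"), limit=50))
    print(len(collect_all(order_param("uid"))), "groups across all pages")
```

For a live call, replace fake_fetch with a function that performs the GET with the Authorization: Bearer header and returns the decoded JSON body; the bounded page loop and the field-name check stay the same.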
List groups wrapped in the OCSF Entity Management event of type Read.
ActivityId is an enum, and the following values are allowed.
0 - Unknown: The event activity is unknown.
1 - Create: Create a new managed entity.
2 - Read: Read an existing managed entity.
3 - Update: Update an existing managed entity.
4 - Delete: Delete a managed entity.
5 - Move: Move or rename an existing managed entity.
6 - Enroll: Enroll an existing managed entity.
7 - Unenroll: Unenroll an existing managed entity.
8 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change.
9 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change.
10 - Activate: Activate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine.
11 - Deactivate: Deactivate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine.
12 - Suspend: Suspend an existing managed entity.
13 - Resume: Resume (unsuspend) an existing managed entity.
99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 3 - AccessManagement: Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use, etc.
ClassUid is an enum, and the following values are allowed. 3004 - EntityManagement: Entity Management events report activity by a managed client, a microservice, or a user at a management console. The activity can be a create, read, update, or delete operation on a managed entity.
The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email.
The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.
The Organization object describes characteristics of an organization or company and its division if any.
The Policy object describes the policies that are applicable.
Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.
The managed entity type. For example: policy, user, organizational unit, device.
ManagedEntityTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - Device: A managed Device entity. This item corresponds to population of the device attribute.
2 - User: A managed User entity. This item corresponds to population of the user attribute.
3 - Group: A managed Group entity. This item corresponds to population of the group attribute.
4 - Organization: A managed Organization entity. This item corresponds to population of the org attribute.
5 - Policy: A managed Policy entity. This item corresponds to population of the policy attribute.
6 - Email: A managed Email entity. This item corresponds to population of the email attribute.
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by NIST. For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example: ["network", "connection.ip:destination", "device.ip:source"]
The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.
An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note: this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from a system event log such as Syslog on Unix/Linux or the System event file on Windows. Omit if the event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed.
0 - Unknown: The event/finding severity is unknown.
1 - Informational: Informational message. No action required.
2 - Low: The user decides if action is needed.
3 - Medium: Action is required but the situation is not serious at this time.
4 - High: Action is required immediately.
5 - Critical: Action is required immediately and the scope is broad.
6 - Fatal: An error occurred but it is too late to take remedial action.
99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
TypeUid is an enum, and the following values are allowed.
300400 - Unknown
300401 - Create: Create a new managed entity.
300402 - Read: Read an existing managed entity.
300403 - Update: Update an existing managed entity.
300404 - Delete: Delete a managed entity.
300405 - Move: Move or rename an existing managed entity.
300406 - Enroll: Enroll an existing managed entity.
300407 - Unenroll: Unenroll an existing managed entity.
300408 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change.
300409 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change.
300410 - Activate: Activate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine.
300411 - Deactivate: Deactivate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine.
300412 - Suspend: Suspend an existing managed entity.
300413 - Resume: Resume (unsuspend) an existing managed entity.
300499 - Other
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The event category name, as defined by category_uid value: Identity & Access Management.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example, add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]
The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.
The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed.
0 - Unknown: The status is unknown.
1 - Success
2 - Failure
99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
{ "result": [ { … } ], "cursor": "string", "meta": { "stats": { … }, "api": { … } } }
curl -i -X GET \
'https://api.synqly.com/v1/identity/groups/{groupId}' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
Entity Management events report activity by a managed client, a microservice, or a user at a management console. The activity can be a create, read, update, or delete operation on a managed entity.
ActivityId is an enum, and the following values are allowed.
0 - Unknown: The event activity is unknown.
1 - Create: Create a new managed entity.
2 - Read: Read an existing managed entity.
3 - Update: Update an existing managed entity.
4 - Delete: Delete a managed entity.
5 - Move: Move or rename an existing managed entity.
6 - Enroll: Enroll an existing managed entity.
7 - Unenroll: Unenroll an existing managed entity.
8 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change.
9 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change.
10 - Activate: Activate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine.
11 - Deactivate: Deactivate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine.
12 - Suspend: Suspend an existing managed entity.
13 - Resume: Resume (unsuspend) an existing managed entity.
99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 3 - AccessManagement: Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use, etc.
ClassUid is an enum, and the following values are allowed. 3004 - EntityManagement: Entity Management events report activity by a managed client, a microservice, or a user at a management console. The activity can be a create, read, update, or delete operation on a managed entity.
The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email.
The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.
The Organization object describes characteristics of an organization or company and its division if any.
The Policy object describes the policies that are applicable.
Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.
The managed entity type. For example: policy, user, organizational unit, device.
ManagedEntityTypeId is an enum, and the following values are allowed.
0 - Unknown: The type is unknown.
1 - Device: A managed Device entity. This item corresponds to population of the device attribute.
2 - User: A managed User entity. This item corresponds to population of the user attribute.
3 - Group: A managed Group entity. This item corresponds to population of the group attribute.
4 - Organization: A managed Organization entity. This item corresponds to population of the org attribute.
5 - Policy: A managed Policy entity. This item corresponds to population of the policy attribute.
6 - Email: A managed Email entity. This item corresponds to population of the email attribute.
99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by NIST. For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example: ["network", "connection.ip:destination", "device.ip:source"]
The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.
An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note: this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from a system event log such as Syslog on Unix/Linux or the System event file on Windows. Omit if the event is generated rather than collected from logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
TypeUid is an enum, and the following values are allowed. 300400 - Unknown 300401 - Create: Create a new managed entity. 300402 - Read: Read an existing managed entity. 300403 - Update: Update an existing managed entity. 300404 - Delete: Delete a managed entity. 300405 - Move: Move or rename an existing managed entity. 300406 - Enroll: Enroll an existing managed entity. 300407 - Unenroll: Unenroll an existing managed entity. 300408 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300409 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300410 - Activate: Activate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine. 300411 - Deactivate: Deactivate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine. 300412 - Suspend: Suspend an existing managed entity. 300413 - Resume: Resume (unsuspend) an existing managed entity. 300499 - Other
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The event category name, as defined by category_uid value: Identity & Access Management.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can also be used as a generic object to log objects that are not otherwise defined by the schema.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example, adding location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]
The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.
The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead of or behind UTC, in the range -1,080 to +1,080.
{ "result": { "access_list": [ … ], "access_mask": 0, "activity_id": 0, "activity_name": "string", "actor": { … }, "api": { … }, "category_name": "string", "category_uid": 0, "class_uid": 0, "cloud": { … }, "comment": "string", "count": 0, "custom_fields": {}, "device": { … }, "duration": 0, "end_time": 0, "end_time_dt": "2019-08-24T14:15:22Z", "enrichments": [ … ], "entity": { … }, "entity_result": { … }, "http_request": { … }, "message": "string", "metadata": { … }, "observables": [ … ], "osint": [ … ], "raw_data": "string", "severity": "string", "severity_id": 0, "src_endpoint": { … }, "start_time": 0, "start_time_dt": "2019-08-24T14:15:22Z", "status": "string", "status_code": "string", "status_detail": "string", "status_id": 0, "time": 0, "time_dt": "2019-08-24T14:15:22Z", "timezone_offset": 0, "type_name": "string", "type_uid": 0, "unmapped": {} }, "meta": { "stats": { … }, "api": { … } } }
curl -i -X GET \
'https://api.synqly.com/v1/identity/groups/{groupId}/members?cursor=string&limit=0&meta=string' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
List of users wrapped in the OCSF Entity Management event of type Read that are members in the group referenced by ID.
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: Create a new managed entity. 2 - Read: Read an existing managed entity. 3 - Update: Update an existing managed entity. 4 - Delete: Delete a managed entity. 5 - Move: Move or rename an existing managed entity. 6 - Enroll: Enroll an existing managed entity. 7 - Unenroll: Unenroll an existing managed entity. 8 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 9 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 10 - Activate: Activate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine. 11 - Deactivate: Deactivate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine. 12 - Suspend: Suspend an existing managed entity. 13 - Resume: Resume (unsuspend) an existing managed entity. 99 - Other: The event activity is not mapped. See the activity_name
attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 3 - AccessManagement: Identity & Access Management (IAM) events relate to the supervision of the system's authentication and access control model. Examples of such events are the success or failure of authentication, granting of authority, password change, entity change, privileged use etc.
ClassUid is an enum, and the following values are allowed. 3004 - EntityManagement: Entity Management events report activity by a managed client, a micro service, or a user at a management console. The activity can be a create, read, update, and delete operation on a managed entity.
The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND d3f:Email.
The Group object represents a collection or association of entities, such as users, policies, or devices. It serves as a logical grouping mechanism to organize and manage entities with similar characteristics or permissions within a system or organization.
The Organization object describes characteristics of an organization or company and its division if any.
The Policy object describes the policies that are applicable.
Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.
The managed entity type. For example: policy, user, organizational unit, device.
ManagedEntityTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Device: A managed Device entity. This item corresponds to population of the device attribute. 2 - User: A managed User entity. This item corresponds to population of the user attribute. 3 - Group: A managed Group entity. This item corresponds to population of the group attribute. 4 - Organization: A managed Organization entity. This item corresponds to population of the org attribute. 5 - Policy: A managed Policy entity. This item corresponds to population of the policy attribute. 6 - Email: A managed Email entity. This item corresponds to population of the email attribute. 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by NIST. For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two-letter lower-case language code, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user-defined tags or aliases added at normalization time.
For example: ["network", "connection.ip:destination", "device.ip:source"]
The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example, syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that the event time typically contains the time extracted from the original event. Most of the time, these two times will be different.
An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note: this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from a system event log such as Syslog on Unix/Linux or the System event file on Windows. Omit if the event is generated rather than collected from logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
TypeUid is an enum, and the following values are allowed. 300400 - Unknown 300401 - Create: Create a new managed entity. 300402 - Read: Read an existing managed entity. 300403 - Update: Update an existing managed entity. 300404 - Delete: Delete a managed entity. 300405 - Move: Move or rename an existing managed entity. 300406 - Enroll: Enroll an existing managed entity. 300407 - Unenroll: Unenroll an existing managed entity. 300408 - Enable: Enable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300409 - Disable: Disable an existing managed entity. Note: This is typically regarded as a semi-permanent, editor visible, syncable change. 300410 - Activate: Activate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine. 300411 - Deactivate: Deactivate an existing managed entity. Note: This is typically regarded as a transient change, a change of state of the engine. 300412 - Suspend: Suspend an existing managed entity. 300413 - Resume: Resume (unsuspend) an existing managed entity. 300499 - Other
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The event category name, as defined by category_uid value: Identity & Access Management.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can also be used as a generic object to log objects that are not otherwise defined by the schema.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example, adding location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]
The Managed Entity object describes the type and version of an entity, such as a user, device, or policy. For types in the type_id enum list, an associated attribute should be populated. If the type of entity is not in the type_id list, information can be put into the data attribute and the type attribute should identify the entity.
The HTTP Request object represents the attributes of a request made to a web server. It encapsulates the details and metadata associated with an HTTP request, including the request method, headers, URL, query parameters, body content, and other relevant information.
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The Network Endpoint object describes characteristics of a network endpoint. These can be a source or destination of a network connection.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example, 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead of or behind UTC, in the range -1,080 to +1,080.
{ "result": [ { … } ], "cursor": "string", "meta": { "stats": { … }, "api": { … } } }
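The enum tables above (activity_id, type_uid, severity_id, status_id, entity.type_id), the millisecond timestamps and the timezone_offset range together define the Entity Management event that this endpoint and the preceding one return. As an added example, not Synqly's own code, the following Python checks an event against those rules and derives the captions and *_dt strings from the numeric ids; the relation type_uid = class_uid * 100 + activity_id is an assumption consistent with the listed values, and the sample event is constructed here.

```python
from datetime import datetime, timezone

# Enum captions copied from the activity_id, severity_id, status_id and entity.type_id
# tables on this page (OCSF Entity Management, class_uid 3004).
ENTITY_MANAGEMENT_CLASS_UID = 3004
ACTIVITY_NAMES = {0: "Unknown", 1: "Create", 2: "Read", 3: "Update", 4: "Delete", 5: "Move",
                  6: "Enroll", 7: "Unenroll", 8: "Enable", 9: "Disable", 10: "Activate",
                  11: "Deactivate", 12: "Suspend", 13: "Resume", 99: "Other"}
SEVERITY_NAMES = {0: "Unknown", 1: "Informational", 2: "Low", 3: "Medium", 4: "High",
                  5: "Critical", 6: "Fatal", 99: "Other"}
STATUS_NAMES = {0: "Unknown", 1: "Success", 2: "Failure", 99: "Other"}
# entity.type_id -> Managed Entity attribute that the page says should be populated
ENTITY_TYPE_ATTR = {1: "device", 2: "user", 3: "group", 4: "org", 5: "policy", 6: "email"}

def expected_type_uid(class_uid, activity_id):
    """Assumption: type_uid values on the page (300401..300413, 300499) are class_uid * 100 + activity_id."""
    return class_uid * 100 + activity_id

def ms_to_iso(ms):
    """Milliseconds since the Unix epoch -> the *_dt form shown in the response skeleton."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def validate_entity_event(event):
    """Return a list of schema-consistency problems; an empty list means the event is clean."""
    problems = []
    if event.get("class_uid") != ENTITY_MANAGEMENT_CLASS_UID:
        problems.append("class_uid is not 3004 (EntityManagement)")
    activity_id = event.get("activity_id")
    if activity_id not in ACTIVITY_NAMES:
        problems.append(f"unknown activity_id {activity_id!r}")
    elif event.get("type_uid") != expected_type_uid(ENTITY_MANAGEMENT_CLASS_UID, activity_id):
        problems.append(f"type_uid {event.get('type_uid')!r} does not match activity_id {activity_id}")
    if activity_id == 99 and not event.get("activity_name"):
        problems.append("activity_id 99 (Other) requires a data-source-specific activity_name")
    if event.get("severity_id") not in SEVERITY_NAMES:
        problems.append(f"unknown severity_id {event.get('severity_id')!r}")
    if event.get("status_id") not in STATUS_NAMES:
        problems.append(f"unknown status_id {event.get('status_id')!r}")
    offset = event.get("timezone_offset", 0)
    if not -1080 <= offset <= 1080:
        problems.append(f"timezone_offset {offset} is outside -1080..+1080 minutes")
    start, end, duration = (event.get(k) for k in ("start_time", "end_time", "duration"))
    if None not in (start, end, duration) and duration != end - start:
        problems.append("duration is not end_time - start_time in milliseconds")
    entity = event.get("entity") or {}
    type_id, attr = entity.get("type_id"), ENTITY_TYPE_ATTR.get(entity.get("type_id"))
    if attr and not entity.get(attr):
        problems.append(f"entity.type_id {type_id} requires entity.{attr} to be populated")
    if type_id == 99 and not entity.get("type"):
        problems.append("entity.type_id 99 (Other) requires entity.type to identify the entity")
    return problems

def normalize_entity_event(event):
    """Copy of the event with captions and *_dt strings derived from the numeric ids.
    Captions for 99 (Other) are left as the data source supplied them."""
    out = dict(event)
    for id_key, name_key, table in (("activity_id", "activity_name", ACTIVITY_NAMES),
                                     ("severity_id", "severity", SEVERITY_NAMES),
                                     ("status_id", "status", STATUS_NAMES)):
        if out.get(id_key) in table and out[id_key] != 99:
            out[name_key] = table[out[id_key]]
    for ts_key in ("time", "start_time", "end_time"):
        if isinstance(out.get(ts_key), int):
            out[ts_key + "_dt"] = ms_to_iso(out[ts_key])
    return out

# Constructed sample: the Read event the group-members endpoint wraps around one user.
SAMPLE_EVENT = {"class_uid": 3004, "category_uid": 3, "activity_id": 2, "type_uid": 300402,
                "severity_id": 1, "status_id": 1, "time": 1618524549901, "timezone_offset": 0,
                "entity": {"type_id": 2, "user": {"name": "alice"}}}
```

Run validate_entity_event over each element of result before ingesting it into a SIEM; an event whose type_uid disagrees with its activity_id or whose entity lacks the attribute its type_id promises is a mapping defect worth surfacing rather than silently indexing.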
curl -i -X POST \
'https://api.synqly.com/v1/identity/users/{userId}/actions/enable' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
curl -i -X POST \
'https://api.synqly.com/v1/identity/users/{userId}/actions/disable' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
curl -i -X POST \
'https://api.synqly.com/v1/identity/users/{userId}/actions/force_reset_password' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
curl -i -X POST \
'https://api.synqly.com/v1/identity/users/{userId}/actions/expire_all_sessions' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'