The Synqly Connector APIs provide a unifying interface and data model for all supported service Providers.
See the Synqly Overview for more information.
The Synqly Connector APIs provide a unifying interface and data model for all supported service Providers.
See the Synqly Overview for more information.
curl -i -X GET \
'https://api.synqly.com/v1/vulnerabilities/findings?cursor=string&filter=string&limit=0&meta=string' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: A security finding was created. 2 - Update: A security finding was updated. 3 - Close: A security finding was closed. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 2 - Findings: Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.
ClassUid is an enum, and the following values are allowed. 2001 - SecurityFinding: Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products
The Finding object describes metadata related to a security finding generated by a security tool or system.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the finding was first observed.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the finding was most recently observed.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the finding was last modified.
The unique identifier of the product that reported the finding.
Describes events and/or other findings related to the finding as identified by the security product.
The Remediation object describes the recommended remediation steps to address identified issue(s).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
Additional data supporting a finding as provided by security tool
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example:["network", "connection.ip:destination", "device.ip:source"]The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
StateId is an enum, and the following values are allowed. 0 - Unknown: The state is unknown. 1 - New: The finding is new and yet to be reviewed. 2 - InProgress: The finding is under review. 3 - Suppressed: The finding was reviewed, considered as a false positive and is now suppressed. 4 - Resolved: The finding was reviewed and remediated and is now considered resolved. 99 - Other: The state is not mapped. See the state attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
TypeUid is an enum, and the following values are allowed. 200100 - Unknown 200101 - Create: A security finding was created. 200102 - Update: A security finding was updated. 200103 - Close: A security finding was closed. 200199 - Other
The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The attack object describes the technique and associated tactics as defined by ATT&CK MatrixTM.
The event category name, as defined by category_uid value: Findings.
The CIS Critical Security Controls is a list of top 20 actions and practices an organization’s security team can take on such that cyber attacks or malware, are minimized and prevented.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements.
The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
ConfidenceId is an enum, and the following values are allowed. 0 - Unknown: The normalized confidence is unknown. 1 - Low 2 - Medium 3 - High 99 - Other: The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
A list of data sources utilized in generation of the finding.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.
ImpactId is an enum, and the following values are allowed. 0 - Unknown: The normalized impact is unknown. 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The impact is not mapped. See the impact attribute, which contains a data source specific value.
The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
A list of Malware objects, describing details about the identified malware.
The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The Process object describes a running instance of a launched program. Defined by D3FEND d3f:Process.
Describes details about resources that were affected by the activity/event.
The risk level, normalized to the caption of the risk_level_id value.
RiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
{ "result": [ { … } ], "cursor": "string", "meta": { "stats": { … }, "api": { … } }, "status": "PENDING" }
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Create: A security finding was created. 2 - Update: A security finding was updated. 3 - Close: A security finding was closed. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 2 - Findings: Findings events report findings, detections, and possible resolutions of malware, anomalies, or other actions performed by security products.
ClassUid is an enum, and the following values are allowed. 2001 - SecurityFinding: Security Finding events describe findings, detections, anomalies, alerts and/or actions performed by security products
The Finding object describes metadata related to a security finding generated by a security tool or system.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the finding was first observed.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the finding was most recently observed.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the finding was last modified.
The unique identifier of the product that reported the finding.
Describes events and/or other findings related to the finding as identified by the security product.
The Remediation object describes the recommended remediation steps to address identified issue(s).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
Additional data supporting a finding as provided by security tool
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example:["network", "connection.ip:destination", "device.ip:source"]The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
StateId is an enum, and the following values are allowed. 0 - Unknown: The state is unknown. 1 - New: The finding is new and yet to be reviewed. 2 - InProgress: The finding is under review. 3 - Suppressed: The finding was reviewed, considered as a false positive and is now suppressed. 4 - Resolved: The finding was reviewed and remediated and is now considered resolved. 99 - Other: The state is not mapped. See the state attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
TypeUid is an enum, and the following values are allowed. 200100 - Unknown 200101 - Create: A security finding was created. 200102 - Update: A security finding was updated. 200103 - Close: A security finding was closed. 200199 - Other
The Analytic object contains details about the analytic technique used to analyze and derive insights from the data or information that led to the creation of a finding or conclusion.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The attack object describes the technique and associated tactics as defined by ATT&CK MatrixTM.
The event category name, as defined by category_uid value: Findings.
The CIS Critical Security Controls is a list of top 20 actions and practices an organization’s security team can take on such that cyber attacks or malware, are minimized and prevented.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The Compliance object contains information about Industry and Regulatory Framework standards, controls and requirements.
The confidence, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source.
ConfidenceId is an enum, and the following values are allowed. 0 - Unknown: The normalized confidence is unknown. 1 - Low 2 - Medium 3 - High 99 - Other: The confidence is not mapped to the defined enum values. See the confidence attribute, which contains a data source specific value.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
A list of data sources utilized in generation of the finding.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]The impact , normalized to the caption of the impact_id value. In the case of 'Other', it is defined by the event source.
ImpactId is an enum, and the following values are allowed. 0 - Unknown: The normalized impact is unknown. 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The impact is not mapped. See the impact attribute, which contains a data source specific value.
The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack.
A list of Malware objects, describing details about the identified malware.
The NIST Cybersecurity Framework recommendations for managing the cybersecurity risk.
The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The Process object describes a running instance of a launched program. Defined by D3FEND d3f:Process.
Describes details about resources that were affected by the activity/event.
The risk level, normalized to the caption of the risk_level_id value.
RiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
curl -i -X POST \
https://api.synqly.com/v1/vulnerabilities/findings/bulk \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"findings": [
{
"activity_id": 0,
"activity_name": "string",
"analytic": {
"category": "string",
"desc": "string",
"name": "string",
"related_analytics": [
{}
],
"type": "string",
"type_id": 0,
"uid": "string",
"version": "string"
},
"api": {
"group": {
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
},
"operation": "string",
"request": {
"containers": [
{
"hash": {},
"image": {
"labels": []
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
}
],
"data": null,
"flags": [
"string"
],
"uid": "string"
},
"response": {
"code": 0,
"containers": [
{
"hash": {},
"image": {
"labels": []
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
}
],
"data": null,
"error": "string",
"error_message": "string",
"flags": [
"string"
],
"message": "string"
},
"service": {
"labels": [
"string"
],
"name": "string",
"uid": "string",
"version": "string"
},
"version": "string"
},
"attacks": [
{
"sub_technique": {
"name": "string",
"src_url": "string",
"uid": "string"
},
"tactic": {
"name": "string",
"src_url": "string",
"uid": "string"
},
"tactics": [
{
"name": "string",
"src_url": "string",
"uid": "string"
}
],
"technique": {
"name": "string",
"src_url": "string",
"uid": "string"
},
"version": "string"
}
],
"category_name": "string",
"category_uid": 0,
"cis_csc": [
{
"control": "string",
"version": "string"
}
],
"class_uid": 0,
"cloud": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"project_uid": "string",
"provider": "string",
"region": "string",
"zone": "string"
},
"compliance": {
"compliance_references": [
{
"avg_timespan": {
"duration": 0,
"duration_days": 0,
"duration_hours": 0,
"duration_mins": 0,
"duration_months": 0,
"duration_secs": 0,
"duration_weeks": 0,
"duration_years": 0,
"type": "string",
"type_id": 0
},
"bulletin": "string",
"classification": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"install_state": "string",
"install_state_id": 0,
"is_superseded": true,
"os": {
"build": "string",
"country": "string",
"cpe_name": "string",
"cpu_bits": 0,
"edition": "string",
"lang": "string",
"name": "string",
"sp_name": "string",
"sp_ver": 0,
"type": "string",
"type_id": 0,
"version": "string"
},
"product": {
"cpe_name": "string",
"feature": {},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"severity": "string",
"size": 0,
"src_url": "string",
"title": "string",
"uid": "string"
}
],
"compliance_standards": [
{
"avg_timespan": {
"duration": 0,
"duration_days": 0,
"duration_hours": 0,
"duration_mins": 0,
"duration_months": 0,
"duration_secs": 0,
"duration_weeks": 0,
"duration_years": 0,
"type": "string",
"type_id": 0
},
"bulletin": "string",
"classification": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"install_state": "string",
"install_state_id": 0,
"is_superseded": true,
"os": {
"build": "string",
"country": "string",
"cpe_name": "string",
"cpu_bits": 0,
"edition": "string",
"lang": "string",
"name": "string",
"sp_name": "string",
"sp_ver": 0,
"type": "string",
"type_id": 0,
"version": "string"
},
"product": {
"cpe_name": "string",
"feature": {},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"severity": "string",
"size": 0,
"src_url": "string",
"title": "string",
"uid": "string"
}
],
"control": "string",
"requirements": [
"string"
],
"standards": [
"string"
],
"status": "string",
"status_code": "string",
"status_detail": "string",
"status_id": 0
},
"confidence": "string",
"confidence_id": 0,
"confidence_score": 0,
"count": 0,
"custom_fields": {},
"data_sources": [
"string"
],
"duration": 0,
"end_time": 0,
"end_time_dt": "2019-08-24T14:15:22Z",
"enrichments": [
{
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"data": null,
"desc": "string",
"name": "string",
"provider": "string",
"reputation": {
"base_score": 0.1,
"provider": "string",
"score": "string",
"score_id": 0
},
"short_desc": "string",
"src_url": "string",
"type": "string",
"value": "string"
}
],
"evidence": null,
"finding": {
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"desc": "string",
"first_seen_time": 0,
"first_seen_time_dt": "2019-08-24T14:15:22Z",
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"product_uid": "string",
"related_events": [
{
"attacks": [
{
"tactics": []
}
],
"kill_chain": [
{}
],
"observables": [
{}
],
"product_uid": "string",
"type": "string",
"type_name": "string",
"type_uid": 0,
"uid": "string"
}
],
"remediation": {
"desc": "string",
"kb_article_list": [
{
"avg_timespan": {},
"bulletin": "string",
"classification": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"install_state": "string",
"install_state_id": 0,
"is_superseded": true,
"os": {},
"product": {},
"severity": "string",
"size": 0,
"src_url": "string",
"title": "string",
"uid": "string"
}
],
"kb_articles": [
"string"
],
"references": [
"string"
]
},
"src_url": "string",
"supporting_data": null,
"title": "string",
"types": [
"string"
],
"uid": "string"
},
"impact": "string",
"impact_id": 0,
"impact_score": 0,
"kill_chain": [
{
"phase": "string",
"phase_id": 0
}
],
"malware": [
{
"classification_ids": [
0
],
"classifications": [
"string"
],
"cves": [
{
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"cvss": [
null
],
"cwe": {},
"cwe_uid": "string",
"cwe_url": "string",
"desc": "string",
"epss": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"product": {},
"references": [
null
],
"title": "string",
"type": "string",
"uid": "string"
}
],
"name": "string",
"path": "string",
"provider": "string",
"uid": "string"
}
],
"message": "string",
"metadata": {
"correlation_uid": "string",
"event_code": "string",
"extension": {
"name": "string",
"uid": "string",
"version": "string"
},
"extensions": [
{
"name": "string",
"uid": "string",
"version": "string"
}
],
"labels": [
"string"
],
"log_level": "string",
"log_name": "string",
"log_provider": "string",
"log_version": "string",
"logged_time": 0,
"logged_time_dt": "2019-08-24T14:15:22Z",
"loggers": [
{
"device": {
"agent_list": [
null
],
"autoscale_uid": "string",
"boot_time": 0,
"boot_time_dt": "2019-08-24T14:15:22Z",
"container": {},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"desc": "string",
"domain": "string",
"first_seen_time": 0,
"first_seen_time_dt": "2019-08-24T14:15:22Z",
"groups": [
null
],
"hostname": "string",
"hw_info": {},
"hypervisor": "string",
"image": {
"labels": []
},
"imei": "string",
"instance_uid": "string",
"interface_name": "string",
"interface_uid": "string",
"ip": "string",
"ip_addresses": [
null
],
"is_compliant": true,
"is_managed": true,
"is_personal": true,
"is_trusted": true,
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"mac": "string",
"mac_addresses": [
null
],
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"name": "string",
"namespace_pid": 0,
"netbios_names": [
null
],
"network_interfaces": [
null
],
"network_status": "string",
"network_status_id": 0,
"org": {},
"os": {},
"owner": {
"groups": [],
"privileges": []
},
"region": "string",
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"subnet": "string",
"subnet_uid": "string",
"sw_info": [
null
],
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"vendor": {},
"vlan_uid": "string",
"vpc_uid": "string",
"zone": "string"
},
"log_level": "string",
"log_name": "string",
"log_provider": "string",
"log_version": "string",
"logged_time": 0,
"logged_time_dt": "2019-08-24T14:15:22Z",
"name": "string",
"product": {
"cpe_name": "string",
"feature": {},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"transmit_time": 0,
"transmit_time_dt": "2019-08-24T14:15:22Z",
"uid": "string",
"version": "string"
}
],
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"original_time": "string",
"processed_time": 0,
"processed_time_dt": "2019-08-24T14:15:22Z",
"product": {
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"profiles": [
"string"
],
"sequence": 0,
"tenant_uid": "string",
"uid": "string",
"version": "string"
},
"nist": [
"string"
],
"observables": [
{
"name": "string",
"reputation": {
"base_score": 0.1,
"provider": "string",
"score": "string",
"score_id": 0
},
"type": "string",
"type_id": 0,
"value": "string"
}
],
"osint": [
{
"answers": [
{
"class": "string",
"flag_ids": [
null
],
"flags": [
null
],
"packet_uid": 0,
"rdata": "string",
"ttl": 0,
"type": "string"
}
],
"attacks": [
{
"sub_technique": {},
"tactic": {},
"tactics": [
null
],
"technique": {},
"version": "string"
}
],
"autonomous_system": {
"name": "string",
"number": 0
},
"comment": "string",
"confidence": "string",
"confidence_id": 0,
"email": {
"cc": [
"string"
],
"delivered_to": "string",
"from": "string",
"message_uid": "string",
"raw_header": "string",
"reply_to": "string",
"size": 0,
"smtp_from": "string",
"smtp_to": [
"string"
],
"subject": "string",
"to": [
"string"
],
"uid": "string",
"x_originating_ip": [
"string"
]
},
"email_auth": {
"dkim": "string",
"dkim_domain": "string",
"dkim_signature": "string",
"dmarc": "string",
"dmarc_override": "string",
"dmarc_policy": "string",
"spf": "string"
},
"kill_chain": [
{
"phase": "string",
"phase_id": 0
}
],
"location": {
"city": "string",
"continent": "string",
"coordinates": [
0.1
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"name": "string",
"signatures": [
{
"algorithm": "string",
"algorithm_id": 0,
"certificate": {
"fingerprints": []
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"developer_uid": "string",
"digest": {},
"state": "string",
"state_id": 0
}
],
"src_url": "string",
"subdomains": [
"string"
],
"tlp": "string",
"type": "string",
"type_id": 0,
"uid": "string",
"value": "string",
"vendor_name": "string",
"vulnerabilities": [
{
"affected_code": [
null
],
"affected_packages": [
null
],
"cve": {
"cvss": [],
"references": []
},
"cwe": {},
"desc": "string",
"first_seen_time": 0,
"first_seen_time_dt": "2019-08-24T14:15:22Z",
"fix_available": true,
"is_exploit_available": true,
"is_fix_available": true,
"kb_article_list": [
null
],
"kb_articles": [
null
],
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"packages": [
null
],
"references": [
null
],
"related_vulnerabilities": [
null
],
"remediation": {
"kb_article_list": [],
"kb_articles": [],
"references": []
},
"severity": "string",
"title": "string",
"vendor_name": "string"
}
],
"whois": {
"autonomous_system": {
"name": "string",
"number": 0
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"dnssec_status": "string",
"dnssec_status_id": 0,
"domain": "string",
"domain_contacts": [
{}
],
"email_addr": "string",
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"name_servers": [
"string"
],
"phone_number": "string",
"registrar": "string",
"status": "string",
"subdomains": [
"string"
],
"subnet": "string"
}
}
],
"process": {
"auid": 0,
"cmd_line": "string",
"container": {
"hash": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"image": {
"labels": [
"string"
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"egid": 0,
"euid": 0,
"file": {
"accessed_time": 0,
"accessed_time_dt": "2019-08-24T14:15:22Z",
"accessor": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"attributes": 0,
"company_name": "string",
"confidentiality": "string",
"confidentiality_id": 0,
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"creator": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"desc": "string",
"ext": "string",
"hashes": [
{
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
}
],
"is_system": true,
"mime_type": "string",
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"modifier": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"name": "string",
"owner": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"parent_folder": "string",
"path": "string",
"product": {
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"security_descriptor": "string",
"signature": {
"algorithm": "string",
"algorithm_id": 0,
"certificate": {
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"fingerprints": [
null
],
"is_self_signed": true,
"issuer": "string",
"serial_number": "string",
"subject": "string",
"uid": "string",
"version": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"developer_uid": "string",
"digest": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"state": "string",
"state_id": 0
},
"size": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"version": "string",
"xattributes": {}
},
"group": {
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
},
"integrity": "string",
"integrity_id": 0,
"lineage": [
"string"
],
"loaded_modules": [
"string"
],
"name": "string",
"namespace_pid": 0,
"parent_process": {},
"pid": 0,
"sandbox": "string",
"session": {
"count": 0,
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"credential_uid": "string",
"expiration_reason": "string",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"is_mfa": true,
"is_remote": true,
"is_vpn": true,
"issuer": "string",
"terminal": "string",
"uid": "string",
"uid_alt": "string",
"uuid": "string"
},
"terminated_time": 0,
"terminated_time_dt": "2019-08-24T14:15:22Z",
"tid": 0,
"uid": "string",
"user": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
null
],
"type": "string",
"uid": "string"
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
"string"
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
"string"
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
null
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"xattributes": {}
},
"raw_data": "string",
"resources": [
{
"agent_list": [
{
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"vendor_name": "string",
"version": "string"
}
],
"cloud_partition": "string",
"criticality": "string",
"data": null,
"group": {
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
},
"labels": [
"string"
],
"name": "string",
"namespace": "string",
"owner": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"region": "string",
"type": "string",
"uid": "string",
"version": "string"
}
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"severity": "string",
"severity_id": 0,
"start_time": 0,
"start_time_dt": "2019-08-24T14:15:22Z",
"state": "string",
"state_id": 0,
"status": "string",
"status_code": "string",
"status_detail": "string",
"status_id": 0,
"time": 0,
"time_dt": "2019-08-24T14:15:22Z",
"timezone_offset": 0,
"type_name": "string",
"type_uid": 0,
"unmapped": {},
"vulnerabilities": [
{
"affected_code": [
{
"end_line": 0,
"file": {
"hashes": []
},
"owner": {
"groups": [],
"privileges": []
},
"remediation": {
"kb_article_list": [],
"kb_articles": [],
"references": []
},
"start_line": 0
}
],
"affected_packages": [
{
"architecture": "string",
"cpe_name": "string",
"epoch": 0,
"fixed_in_version": "string",
"hash": {},
"license": "string",
"name": "string",
"package_manager": "string",
"path": "string",
"purl": "string",
"release": "string",
"remediation": {
"kb_article_list": [],
"kb_articles": [],
"references": []
},
"type": "string",
"type_id": 0,
"vendor_name": "string",
"version": "string"
}
],
"cve": {
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"cvss": [
{
"metrics": []
}
],
"cwe": {
"caption": "string",
"src_url": "string",
"uid": "string"
},
"cwe_uid": "string",
"cwe_url": "string",
"desc": "string",
"epss": {
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"percentile": 0.1,
"score": "string",
"version": "string"
},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"product": {
"cpe_name": "string",
"feature": {},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"references": [
"string"
],
"title": "string",
"type": "string",
"uid": "string"
},
"cwe": {
"caption": "string",
"src_url": "string",
"uid": "string"
},
"desc": "string",
"first_seen_time": 0,
"first_seen_time_dt": "2019-08-24T14:15:22Z",
"fix_available": true,
"is_exploit_available": true,
"is_fix_available": true,
"kb_article_list": [
{
"avg_timespan": {},
"bulletin": "string",
"classification": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"install_state": "string",
"install_state_id": 0,
"is_superseded": true,
"os": {},
"product": {},
"severity": "string",
"size": 0,
"src_url": "string",
"title": "string",
"uid": "string"
}
],
"kb_articles": [
"string"
],
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"packages": [
{
"architecture": "string",
"cpe_name": "string",
"epoch": 0,
"hash": {},
"license": "string",
"name": "string",
"purl": "string",
"release": "string",
"type": "string",
"type_id": 0,
"vendor_name": "string",
"version": "string"
}
],
"references": [
"string"
],
"related_vulnerabilities": [
"string"
],
"remediation": {
"desc": "string",
"kb_article_list": [
{}
],
"kb_articles": [
"string"
],
"references": [
"string"
]
},
"severity": "string",
"title": "string",
"vendor_name": "string"
}
]
}
]
}'{ "status": "PENDING", "errors": [ { … } ], "meta": { "stats": { … }, "api": { … } } }
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
Values supported by using severity as a filter. Supports [eq] and [in] operators. For example, severity[eq]critical or severity[in]critical, high.
The normalized state identifier of a security finding
curl -i -X PUT \
'https://api.synqly.com/v1/vulnerabilities/findings/{findingId}' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"severity_id": 0,
"severity": "critical",
"state": "Unknown",
"unmapped": {
"type": "nucleus",
"due_date": "2019-08-24T14:15:22Z",
"comment": "string"
}
}'curl -i -X GET \
'https://api.synqly.com/v1/vulnerabilities/assets?cursor=string&filter=string&limit=0&meta=string' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Log: The discovered information is via a log. 2 - Collect: The discovered information is via a collection process. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 5 - Discovery: Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.
ClassUid is an enum, and the following values are allowed. 5001 - DeviceInventoryInfo: Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
DeviceTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Server: A server. 2 - Desktop: A desktop computer. 3 - Laptop: A laptop computer. 4 - Tablet: A tablet computer. 5 - Mobile: A mobile phone. 6 - Virtual: A virtual machine. 7 - IOT: An IOT (Internet of Things) device. 8 - Browser: A web browser. 9 - Firewall: A networking firewall. 10 - Switch: A networking switch. 11 - Hub: A networking hub. 12 - Router: A networking router. 13 - IDS: An intrusion detection system. 14 - IPS: An intrusion prevention system. 15 - LoadBalancer: A Load Balancer device. 89 - ImagingEquipment: Equipment for processing optical data, such as a camera. 90 - PLC: A Programmable logic controller. 91 - SCADA: A supervisory control and data acquisition system. 92 - DCS: A distributed control system. 93 - CNC: A computer numerical control system, including computerized machine tools. 94 - ScientificEquipment: A piece of scientific equipment such as an oscilloscope or spectrometer. 95 - MedicalDevice: A medical device such as an MRI machine or infusion pump. 96 - LightingControls: A lighting control for internal or external applications. 97 - EnergyMonitoringSystem: An energy monitoring, security or safety system. 98 - TransportationDevice: A transportation device or transportation supporting device. 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
A list of agent objects associated with a device, endpoint, or resource.
The unique identifier of the cloud autoscale configuration.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the device was known to have been created.
The description of the device, ordinarily as reported by the operating system.
The network domain where the device resides. For example: work.example.com.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The initial discovery time of the device.
The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].
Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.
The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.
The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage.
The International Mobile Station Equipment Identifier that is associated with the device.
Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
A list of IP addresses available on the device
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The most recent discovery time of the device.
The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.
Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.
A list of MAC addresses available on the device
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the device was last known to have been modified.
The alternate device name, ordinarily as assigned by an administrator.
Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
If running under a process namespace (such as in a container), the process identifier within that process namespace.
A list of NetBIOS names available on the device
The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.
Note: The first element of the array is the network information that pertains to the event.
DeviceNetworkStatusId is an enum, and the following values are allowed. 1 - NotIsolated: Device is not isolated from the network. 2 - Isolated: Device is isolated from the network. 99 - Unknown: The network isolation status is unknown.
The Organization object describes characteristics of an organization or company and its division if any.
The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem.
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
The region where the virtual machine is located. For example, an AWS Region.
The risk level, normalized to the caption of the risk_level_id value.
DeviceRiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet.
The list of software contained on a device
The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, plc, scada, dcs, cnc, scientific, medical, lighting, energy, transportation other.
The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
An alternate unique identifier of the device if any. For example the ActiveDirectory DN.
The Organization object describes characteristics of an organization or company and its division if any.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example:["network", "connection.ip:destination", "device.ip:source"]The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
TypeUid is an enum, and the following values are allowed. 500100 - Unknown 500101 - Log: The discovered information is via a log. 500102 - Collect: The discovered information is via a collection process. 500199 - Other
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The event category name, as defined by category_uid value: Discovery.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
{ "result": [ { … } ], "cursor": "string", "meta": { "stats": { … }, "api": { … } }, "status": "PENDING" }
Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Log: The discovered information is via a log. 2 - Collect: The discovered information is via a collection process. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 5 - Discovery: Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.
ClassUid is an enum, and the following values are allowed. 5001 - DeviceInventoryInfo: Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
DeviceTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Server: A server. 2 - Desktop: A desktop computer. 3 - Laptop: A laptop computer. 4 - Tablet: A tablet computer. 5 - Mobile: A mobile phone. 6 - Virtual: A virtual machine. 7 - IOT: An IOT (Internet of Things) device. 8 - Browser: A web browser. 9 - Firewall: A networking firewall. 10 - Switch: A networking switch. 11 - Hub: A networking hub. 12 - Router: A networking router. 13 - IDS: An intrusion detection system. 14 - IPS: An intrusion prevention system. 15 - LoadBalancer: A Load Balancer device. 89 - ImagingEquipment: Equipment for processing optical data, such as a camera. 90 - PLC: A Programmable logic controller. 91 - SCADA: A supervisory control and data acquisition system. 92 - DCS: A distributed control system. 93 - CNC: A computer numerical control system, including computerized machine tools. 94 - ScientificEquipment: A piece of scientific equipment such as an oscilloscope or spectrometer. 95 - MedicalDevice: A medical device such as an MRI machine or infusion pump. 96 - LightingControls: A lighting control for internal or external applications. 97 - EnergyMonitoringSystem: An energy monitoring, security or safety system. 98 - TransportationDevice: A transportation device or transportation supporting device. 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
A list of agent objects associated with a device, endpoint, or resource.
The unique identifier of the cloud autoscale configuration.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the device was known to have been created.
The description of the device, ordinarily as reported by the operating system.
The network domain where the device resides. For example: work.example.com.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].
Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.
The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.
The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage.
The International Mobile Station Equipment Identifier that is associated with the device.
Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The most recent discovery time of the device.
The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.
Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the device was last known to have been modified.
The alternate device name, ordinarily as assigned by an administrator.
Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
If running under a process namespace (such as in a container), the process identifier within that process namespace.
The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.
Note: The first element of the array is the network information that pertains to the event.
DeviceNetworkStatusId is an enum, and the following values are allowed. 1 - NotIsolated: Device is not isolated from the network. 2 - Isolated: Device is isolated from the network. 99 - Unknown: The network isolation status is unknown.
The Organization object describes characteristics of an organization or company and its division if any.
The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem.
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
The region where the virtual machine is located. For example, an AWS Region.
The risk level, normalized to the caption of the risk_level_id value.
DeviceRiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet.
The list of software contained on a device
The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, plc, scada, dcs, cnc, scientific, medical, lighting, energy, transportation other.
The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
An alternate unique identifier of the device if any. For example the ActiveDirectory DN.
The Organization object describes characteristics of an organization or company and its division if any.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example:["network", "connection.ip:destination", "device.ip:source"]The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
TypeUid is an enum, and the following values are allowed. 500100 - Unknown 500101 - Log: The discovered information is via a log. 500102 - Collect: The discovered information is via a collection process. 500199 - Other
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The event category name, as defined by category_uid value: Discovery.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
curl -i -X POST \
https://api.synqly.com/v1/vulnerabilities/assets \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"asset": {
"activity_id": 0,
"activity_name": "string",
"actor": {
"app_name": "string",
"app_uid": "string",
"authorizations": [
{
"decision": "string",
"policy": {
"desc": "string",
"group": {
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
null
],
"type": "string",
"uid": "string"
},
"is_applied": true,
"name": "string",
"uid": "string",
"version": "string"
}
}
],
"idp": {
"name": "string",
"uid": "string"
},
"invoked_by": "string",
"process": {
"auid": 0,
"cmd_line": "string",
"container": {
"hash": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"image": {
"labels": [
"string"
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"egid": 0,
"euid": 0,
"file": {
"accessed_time": 0,
"accessed_time_dt": "2019-08-24T14:15:22Z",
"accessor": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"attributes": 0,
"company_name": "string",
"confidentiality": "string",
"confidentiality_id": 0,
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"creator": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"desc": "string",
"ext": "string",
"hashes": [
{
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
}
],
"is_system": true,
"mime_type": "string",
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"modifier": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"name": "string",
"owner": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"parent_folder": "string",
"path": "string",
"product": {
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"security_descriptor": "string",
"signature": {
"algorithm": "string",
"algorithm_id": 0,
"certificate": {
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"fingerprints": [
null
],
"is_self_signed": true,
"issuer": "string",
"serial_number": "string",
"subject": "string",
"uid": "string",
"version": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"developer_uid": "string",
"digest": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"state": "string",
"state_id": 0
},
"size": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"version": "string",
"xattributes": {}
},
"group": {
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
},
"integrity": "string",
"integrity_id": 0,
"lineage": [
"string"
],
"loaded_modules": [
"string"
],
"name": "string",
"namespace_pid": 0,
"parent_process": {},
"pid": 0,
"sandbox": "string",
"session": {
"count": 0,
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"credential_uid": "string",
"expiration_reason": "string",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"is_mfa": true,
"is_remote": true,
"is_vpn": true,
"issuer": "string",
"terminal": "string",
"uid": "string",
"uid_alt": "string",
"uuid": "string"
},
"terminated_time": 0,
"terminated_time_dt": "2019-08-24T14:15:22Z",
"tid": 0,
"uid": "string",
"user": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
null
],
"type": "string",
"uid": "string"
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
"string"
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
"string"
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
null
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"xattributes": {}
},
"session": {
"count": 0,
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"credential_uid": "string",
"expiration_reason": "string",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"is_mfa": true,
"is_remote": true,
"is_vpn": true,
"issuer": "string",
"terminal": "string",
"uid": "string",
"uid_alt": "string",
"uuid": "string"
},
"user": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
"string"
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
"string"
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
0.1
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
}
},
"api": {
"group": {
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
},
"operation": "string",
"request": {
"containers": [
{
"hash": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"image": {
"labels": [
null
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
}
],
"data": null,
"flags": [
"string"
],
"uid": "string"
},
"response": {
"code": 0,
"containers": [
{
"hash": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"image": {
"labels": [
null
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
}
],
"data": null,
"error": "string",
"error_message": "string",
"flags": [
"string"
],
"message": "string"
},
"service": {
"labels": [
"string"
],
"name": "string",
"uid": "string",
"version": "string"
},
"version": "string"
},
"category_name": "string",
"category_uid": 0,
"class_uid": 0,
"cloud": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"project_uid": "string",
"provider": "string",
"region": "string",
"zone": "string"
},
"count": 0,
"custom_fields": {},
"device": {
"agent_list": [
{
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"vendor_name": "string",
"version": "string"
}
],
"autoscale_uid": "string",
"boot_time": 0,
"boot_time_dt": "2019-08-24T14:15:22Z",
"container": {
"hash": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"image": {
"labels": [
"string"
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"desc": "string",
"domain": "string",
"first_seen_time": 0,
"first_seen_time_dt": "2019-08-24T14:15:22Z",
"groups": [
{
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
}
],
"hostname": "string",
"hw_info": {
"bios_date": "string",
"bios_manufacturer": "string",
"bios_uid": "string",
"bios_ver": "string",
"chassis": "string",
"cpu_bits": 0,
"cpu_cores": 0,
"cpu_count": 0,
"cpu_speed": 0,
"cpu_type": "string",
"desktop_display": {
"color_depth": 0,
"physical_height": 0,
"physical_orientation": 0,
"physical_width": 0,
"scale_factor": 0
},
"keyboard_info": {
"function_keys": 0,
"ime": "string",
"keyboard_layout": "string",
"keyboard_subtype": 0,
"keyboard_type": "string"
},
"ram_size": 0,
"serial_number": "string"
},
"hypervisor": "string",
"image": {
"labels": [
"string"
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"imei": "string",
"instance_uid": "string",
"interface_name": "string",
"interface_uid": "string",
"ip": "string",
"ip_addresses": [
"string"
],
"is_compliant": true,
"is_managed": true,
"is_personal": true,
"is_trusted": true,
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
0.1
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"mac": "string",
"mac_addresses": [
"string"
],
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"name": "string",
"namespace_pid": 0,
"netbios_names": [
"string"
],
"network_interfaces": [
{
"hostname": "string",
"ip": "string",
"ip_addresses": [
"string"
],
"mac": "string",
"mac_addresses": [
"string"
],
"name": "string",
"namespace": "string",
"subnet_prefix": 0,
"type": "string",
"type_id": 0,
"uid": "string"
}
],
"network_status": "string",
"network_status_id": 0,
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"os": {
"build": "string",
"country": "string",
"cpe_name": "string",
"cpu_bits": 0,
"edition": "string",
"lang": "string",
"name": "string",
"sp_name": "string",
"sp_ver": 0,
"type": "string",
"type_id": 0,
"version": "string"
},
"owner": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
"string"
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
"string"
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
0.1
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"region": "string",
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"subnet": "string",
"subnet_uid": "string",
"sw_info": [
{
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
}
],
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"vendor": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"vlan_uid": "string",
"vpc_uid": "string",
"zone": "string"
},
"duration": 0,
"end_time": 0,
"end_time_dt": "2019-08-24T14:15:22Z",
"enrichments": [
{
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"data": null,
"desc": "string",
"name": "string",
"provider": "string",
"reputation": {
"base_score": 0.1,
"provider": "string",
"score": "string",
"score_id": 0
},
"short_desc": "string",
"src_url": "string",
"type": "string",
"value": "string"
}
],
"message": "string",
"metadata": {
"correlation_uid": "string",
"event_code": "string",
"extension": {
"name": "string",
"uid": "string",
"version": "string"
},
"extensions": [
{
"name": "string",
"uid": "string",
"version": "string"
}
],
"labels": [
"string"
],
"log_level": "string",
"log_name": "string",
"log_provider": "string",
"log_version": "string",
"logged_time": 0,
"logged_time_dt": "2019-08-24T14:15:22Z",
"loggers": [
{
"device": {
"agent_list": [
{}
],
"autoscale_uid": "string",
"boot_time": 0,
"boot_time_dt": "2019-08-24T14:15:22Z",
"container": {
"hash": {},
"image": {
"labels": []
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"desc": "string",
"domain": "string",
"first_seen_time": 0,
"first_seen_time_dt": "2019-08-24T14:15:22Z",
"groups": [
{
"privileges": []
}
],
"hostname": "string",
"hw_info": {
"bios_date": "string",
"bios_manufacturer": "string",
"bios_uid": "string",
"bios_ver": "string",
"chassis": "string",
"cpu_bits": 0,
"cpu_cores": 0,
"cpu_count": 0,
"cpu_speed": 0,
"cpu_type": "string",
"desktop_display": {},
"keyboard_info": {},
"ram_size": 0,
"serial_number": "string"
},
"hypervisor": "string",
"image": {
"labels": [
null
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"imei": "string",
"instance_uid": "string",
"interface_name": "string",
"interface_uid": "string",
"ip": "string",
"ip_addresses": [
"string"
],
"is_compliant": true,
"is_managed": true,
"is_personal": true,
"is_trusted": true,
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
null
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"mac": "string",
"mac_addresses": [
"string"
],
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"name": "string",
"namespace_pid": 0,
"netbios_names": [
"string"
],
"network_interfaces": [
{
"ip_addresses": [],
"mac_addresses": []
}
],
"network_status": "string",
"network_status_id": 0,
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"os": {
"build": "string",
"country": "string",
"cpe_name": "string",
"cpu_bits": 0,
"edition": "string",
"lang": "string",
"name": "string",
"sp_name": "string",
"sp_ver": 0,
"type": "string",
"type_id": 0,
"version": "string"
},
"owner": {
"account": {
"labels": []
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
null
],
"ldap_person": {
"email_addrs": [],
"labels": []
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {},
"privileges": [
null
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"region": "string",
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"subnet": "string",
"subnet_uid": "string",
"sw_info": [
{}
],
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"vendor": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"vlan_uid": "string",
"vpc_uid": "string",
"zone": "string"
},
"log_level": "string",
"log_name": "string",
"log_provider": "string",
"log_version": "string",
"logged_time": 0,
"logged_time_dt": "2019-08-24T14:15:22Z",
"name": "string",
"product": {
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"transmit_time": 0,
"transmit_time_dt": "2019-08-24T14:15:22Z",
"uid": "string",
"version": "string"
}
],
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"original_time": "string",
"processed_time": 0,
"processed_time_dt": "2019-08-24T14:15:22Z",
"product": {
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"profiles": [
"string"
],
"sequence": 0,
"tenant_uid": "string",
"uid": "string",
"version": "string"
},
"observables": [
{
"name": "string",
"reputation": {
"base_score": 0.1,
"provider": "string",
"score": "string",
"score_id": 0
},
"type": "string",
"type_id": 0,
"value": "string"
}
],
"osint": [
{
"answers": [
{
"class": "string",
"flag_ids": [
0
],
"flags": [
"string"
],
"packet_uid": 0,
"rdata": "string",
"ttl": 0,
"type": "string"
}
],
"attacks": [
{
"sub_technique": {
"name": "string",
"src_url": "string",
"uid": "string"
},
"tactic": {
"name": "string",
"src_url": "string",
"uid": "string"
},
"tactics": [
{}
],
"technique": {
"name": "string",
"src_url": "string",
"uid": "string"
},
"version": "string"
}
],
"autonomous_system": {
"name": "string",
"number": 0
},
"comment": "string",
"confidence": "string",
"confidence_id": 0,
"email": {
"cc": [
"string"
],
"delivered_to": "string",
"from": "string",
"message_uid": "string",
"raw_header": "string",
"reply_to": "string",
"size": 0,
"smtp_from": "string",
"smtp_to": [
"string"
],
"subject": "string",
"to": [
"string"
],
"uid": "string",
"x_originating_ip": [
"string"
]
},
"email_auth": {
"dkim": "string",
"dkim_domain": "string",
"dkim_signature": "string",
"dmarc": "string",
"dmarc_override": "string",
"dmarc_policy": "string",
"spf": "string"
},
"kill_chain": [
{
"phase": "string",
"phase_id": 0
}
],
"location": {
"city": "string",
"continent": "string",
"coordinates": [
0.1
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"name": "string",
"signatures": [
{
"algorithm": "string",
"algorithm_id": 0,
"certificate": {
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"fingerprints": [
null
],
"is_self_signed": true,
"issuer": "string",
"serial_number": "string",
"subject": "string",
"uid": "string",
"version": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"developer_uid": "string",
"digest": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"state": "string",
"state_id": 0
}
],
"src_url": "string",
"subdomains": [
"string"
],
"tlp": "string",
"type": "string",
"type_id": 0,
"uid": "string",
"value": "string",
"vendor_name": "string",
"vulnerabilities": [
{
"affected_code": [
{}
],
"affected_packages": [
{}
],
"cve": {
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"cvss": [
null
],
"cwe": {},
"cwe_uid": "string",
"cwe_url": "string",
"desc": "string",
"epss": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"product": {},
"references": [
null
],
"title": "string",
"type": "string",
"uid": "string"
},
"cwe": {
"caption": "string",
"src_url": "string",
"uid": "string"
},
"desc": "string",
"first_seen_time": 0,
"first_seen_time_dt": "2019-08-24T14:15:22Z",
"fix_available": true,
"is_exploit_available": true,
"is_fix_available": true,
"kb_article_list": [
{}
],
"kb_articles": [
"string"
],
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"packages": [
{}
],
"references": [
"string"
],
"related_vulnerabilities": [
"string"
],
"remediation": {
"desc": "string",
"kb_article_list": [
null
],
"kb_articles": [
null
],
"references": [
null
]
},
"severity": "string",
"title": "string",
"vendor_name": "string"
}
],
"whois": {
"autonomous_system": {
"name": "string",
"number": 0
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"dnssec_status": "string",
"dnssec_status_id": 0,
"domain": "string",
"domain_contacts": [
{
"email_addr": "string",
"location": {
"coordinates": []
},
"name": "string",
"phone_number": "string",
"type": "string",
"type_id": 0,
"uid": "string"
}
],
"email_addr": "string",
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"name_servers": [
"string"
],
"phone_number": "string",
"registrar": "string",
"status": "string",
"subdomains": [
"string"
],
"subnet": "string"
}
}
],
"raw_data": "string",
"severity": "string",
"severity_id": 0,
"start_time": 0,
"start_time_dt": "2019-08-24T14:15:22Z",
"status": "string",
"status_code": "string",
"status_detail": "string",
"status_id": 0,
"time": 0,
"time_dt": "2019-08-24T14:15:22Z",
"timezone_offset": 0,
"type_name": "string",
"type_uid": 0,
"unmapped": {}
},
"source_name": "string"
}'{ "device": { "uid": "string" }, "meta": { "stats": { … }, "api": { … } } }
Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Log: The discovered information is via a log. 2 - Collect: The discovered information is via a collection process. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 5 - Discovery: Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.
ClassUid is an enum, and the following values are allowed. 5001 - DeviceInventoryInfo: Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
DeviceTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Server: A server. 2 - Desktop: A desktop computer. 3 - Laptop: A laptop computer. 4 - Tablet: A tablet computer. 5 - Mobile: A mobile phone. 6 - Virtual: A virtual machine. 7 - IOT: An IOT (Internet of Things) device. 8 - Browser: A web browser. 9 - Firewall: A networking firewall. 10 - Switch: A networking switch. 11 - Hub: A networking hub. 12 - Router: A networking router. 13 - IDS: An intrusion detection system. 14 - IPS: An intrusion prevention system. 15 - LoadBalancer: A Load Balancer device. 89 - ImagingEquipment: Equipment for processing optical data, such as a camera. 90 - PLC: A Programmable logic controller. 91 - SCADA: A supervisory control and data acquisition system. 92 - DCS: A distributed control system. 93 - CNC: A computer numerical control system, including computerized machine tools. 94 - ScientificEquipment: A piece of scientific equipment such as an oscilloscope or spectrometer. 95 - MedicalDevice: A medical device such as an MRI machine or infusion pump. 96 - LightingControls: A lighting control for internal or external applications. 97 - EnergyMonitoringSystem: An energy monitoring, security or safety system. 98 - TransportationDevice: A transportation device or transportation supporting device. 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
A list of agent objects associated with a device, endpoint, or resource.
The unique identifier of the cloud autoscale configuration.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the device was known to have been created.
The description of the device, ordinarily as reported by the operating system.
The network domain where the device resides. For example: work.example.com.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].
Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.
The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.
The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage.
The International Mobile Station Equipment Identifier that is associated with the device.
Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The most recent discovery time of the device.
The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.
Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the device was last known to have been modified.
The alternate device name, ordinarily as assigned by an administrator.
Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
If running under a process namespace (such as in a container), the process identifier within that process namespace.
The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.
Note: The first element of the array is the network information that pertains to the event.
DeviceNetworkStatusId is an enum, and the following values are allowed. 1 - NotIsolated: Device is not isolated from the network. 2 - Isolated: Device is isolated from the network. 99 - Unknown: The network isolation status is unknown.
The Organization object describes characteristics of an organization or company and its division if any.
The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem.
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
The region where the virtual machine is located. For example, an AWS Region.
The risk level, normalized to the caption of the risk_level_id value.
DeviceRiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet.
The list of software contained on a device
The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, plc, scada, dcs, cnc, scientific, medical, lighting, energy, transportation other.
The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
An alternate unique identifier of the device if any. For example the ActiveDirectory DN.
The Organization object describes characteristics of an organization or company and its division if any.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example:["network", "connection.ip:destination", "device.ip:source"]The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
TypeUid is an enum, and the following values are allowed. 500100 - Unknown 500101 - Log: The discovered information is via a log. 500102 - Collect: The discovered information is via a collection process. 500199 - Other
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The event category name, as defined by category_uid value: Discovery.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
curl -i -X PUT \
'https://api.synqly.com/v1/vulnerabilities/assets/{assetId}' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"asset": {
"activity_id": 0,
"activity_name": "string",
"actor": {
"app_name": "string",
"app_uid": "string",
"authorizations": [
{
"decision": "string",
"policy": {
"desc": "string",
"group": {
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
null
],
"type": "string",
"uid": "string"
},
"is_applied": true,
"name": "string",
"uid": "string",
"version": "string"
}
}
],
"idp": {
"name": "string",
"uid": "string"
},
"invoked_by": "string",
"process": {
"auid": 0,
"cmd_line": "string",
"container": {
"hash": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"image": {
"labels": [
"string"
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"egid": 0,
"euid": 0,
"file": {
"accessed_time": 0,
"accessed_time_dt": "2019-08-24T14:15:22Z",
"accessor": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"attributes": 0,
"company_name": "string",
"confidentiality": "string",
"confidentiality_id": 0,
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"creator": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"desc": "string",
"ext": "string",
"hashes": [
{
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
}
],
"is_system": true,
"mime_type": "string",
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"modifier": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"name": "string",
"owner": {
"account": {
"labels": [
null
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"privileges": []
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
null
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
null
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"coordinates": []
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"parent_folder": "string",
"path": "string",
"product": {
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"security_descriptor": "string",
"signature": {
"algorithm": "string",
"algorithm_id": 0,
"certificate": {
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"fingerprints": [
null
],
"is_self_signed": true,
"issuer": "string",
"serial_number": "string",
"subject": "string",
"uid": "string",
"version": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"developer_uid": "string",
"digest": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"state": "string",
"state_id": 0
},
"size": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"version": "string",
"xattributes": {}
},
"group": {
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
},
"integrity": "string",
"integrity_id": 0,
"lineage": [
"string"
],
"loaded_modules": [
"string"
],
"name": "string",
"namespace_pid": 0,
"parent_process": {},
"pid": 0,
"sandbox": "string",
"session": {
"count": 0,
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"credential_uid": "string",
"expiration_reason": "string",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"is_mfa": true,
"is_remote": true,
"is_vpn": true,
"issuer": "string",
"terminal": "string",
"uid": "string",
"uid_alt": "string",
"uuid": "string"
},
"terminated_time": 0,
"terminated_time_dt": "2019-08-24T14:15:22Z",
"tid": 0,
"uid": "string",
"user": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
null
],
"type": "string",
"uid": "string"
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
"string"
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
"string"
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
null
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"xattributes": {}
},
"session": {
"count": 0,
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"credential_uid": "string",
"expiration_reason": "string",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"is_mfa": true,
"is_remote": true,
"is_vpn": true,
"issuer": "string",
"terminal": "string",
"uid": "string",
"uid_alt": "string",
"uuid": "string"
},
"user": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
"string"
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
"string"
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
0.1
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
}
},
"api": {
"group": {
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
},
"operation": "string",
"request": {
"containers": [
{
"hash": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"image": {
"labels": [
null
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
}
],
"data": null,
"flags": [
"string"
],
"uid": "string"
},
"response": {
"code": 0,
"containers": [
{
"hash": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"image": {
"labels": [
null
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
}
],
"data": null,
"error": "string",
"error_message": "string",
"flags": [
"string"
],
"message": "string"
},
"service": {
"labels": [
"string"
],
"name": "string",
"uid": "string",
"version": "string"
},
"version": "string"
},
"category_name": "string",
"category_uid": 0,
"class_uid": 0,
"cloud": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"project_uid": "string",
"provider": "string",
"region": "string",
"zone": "string"
},
"count": 0,
"custom_fields": {},
"device": {
"agent_list": [
{
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"vendor_name": "string",
"version": "string"
}
],
"autoscale_uid": "string",
"boot_time": 0,
"boot_time_dt": "2019-08-24T14:15:22Z",
"container": {
"hash": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"image": {
"labels": [
"string"
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"desc": "string",
"domain": "string",
"first_seen_time": 0,
"first_seen_time_dt": "2019-08-24T14:15:22Z",
"groups": [
{
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
}
],
"hostname": "string",
"hw_info": {
"bios_date": "string",
"bios_manufacturer": "string",
"bios_uid": "string",
"bios_ver": "string",
"chassis": "string",
"cpu_bits": 0,
"cpu_cores": 0,
"cpu_count": 0,
"cpu_speed": 0,
"cpu_type": "string",
"desktop_display": {
"color_depth": 0,
"physical_height": 0,
"physical_orientation": 0,
"physical_width": 0,
"scale_factor": 0
},
"keyboard_info": {
"function_keys": 0,
"ime": "string",
"keyboard_layout": "string",
"keyboard_subtype": 0,
"keyboard_type": "string"
},
"ram_size": 0,
"serial_number": "string"
},
"hypervisor": "string",
"image": {
"labels": [
"string"
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"imei": "string",
"instance_uid": "string",
"interface_name": "string",
"interface_uid": "string",
"ip": "string",
"ip_addresses": [
"string"
],
"is_compliant": true,
"is_managed": true,
"is_personal": true,
"is_trusted": true,
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
0.1
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"mac": "string",
"mac_addresses": [
"string"
],
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"name": "string",
"namespace_pid": 0,
"netbios_names": [
"string"
],
"network_interfaces": [
{
"hostname": "string",
"ip": "string",
"ip_addresses": [
"string"
],
"mac": "string",
"mac_addresses": [
"string"
],
"name": "string",
"namespace": "string",
"subnet_prefix": 0,
"type": "string",
"type_id": 0,
"uid": "string"
}
],
"network_status": "string",
"network_status_id": 0,
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"os": {
"build": "string",
"country": "string",
"cpe_name": "string",
"cpu_bits": 0,
"edition": "string",
"lang": "string",
"name": "string",
"sp_name": "string",
"sp_ver": 0,
"type": "string",
"type_id": 0,
"version": "string"
},
"owner": {
"account": {
"labels": [
"string"
],
"name": "string",
"type": "string",
"type_id": 0,
"uid": "string"
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
{
"desc": "string",
"domain": "string",
"name": "string",
"privileges": [
"string"
],
"type": "string",
"uid": "string"
}
],
"ldap_person": {
"cost_center": "string",
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"deleted_time": 0,
"deleted_time_dt": "2019-08-24T14:15:22Z",
"email_addrs": [
"string"
],
"employee_uid": "string",
"given_name": "string",
"hire_time": 0,
"hire_time_dt": "2019-08-24T14:15:22Z",
"job_title": "string",
"labels": [
"string"
],
"last_login_time": 0,
"last_login_time_dt": "2019-08-24T14:15:22Z",
"ldap_cn": "string",
"ldap_dn": "string",
"leave_time": 0,
"leave_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
0.1
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"manager": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"office_location": "string",
"surname": "string"
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"privileges": [
"string"
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"region": "string",
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"subnet": "string",
"subnet_uid": "string",
"sw_info": [
{
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
}
],
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"vendor": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"vlan_uid": "string",
"vpc_uid": "string",
"zone": "string"
},
"duration": 0,
"end_time": 0,
"end_time_dt": "2019-08-24T14:15:22Z",
"enrichments": [
{
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"data": null,
"desc": "string",
"name": "string",
"provider": "string",
"reputation": {
"base_score": 0.1,
"provider": "string",
"score": "string",
"score_id": 0
},
"short_desc": "string",
"src_url": "string",
"type": "string",
"value": "string"
}
],
"message": "string",
"metadata": {
"correlation_uid": "string",
"event_code": "string",
"extension": {
"name": "string",
"uid": "string",
"version": "string"
},
"extensions": [
{
"name": "string",
"uid": "string",
"version": "string"
}
],
"labels": [
"string"
],
"log_level": "string",
"log_name": "string",
"log_provider": "string",
"log_version": "string",
"logged_time": 0,
"logged_time_dt": "2019-08-24T14:15:22Z",
"loggers": [
{
"device": {
"agent_list": [
{}
],
"autoscale_uid": "string",
"boot_time": 0,
"boot_time_dt": "2019-08-24T14:15:22Z",
"container": {
"hash": {},
"image": {
"labels": []
},
"name": "string",
"network_driver": "string",
"orchestrator": "string",
"pod_uuid": "string",
"runtime": "string",
"size": 0,
"tag": "string",
"uid": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"desc": "string",
"domain": "string",
"first_seen_time": 0,
"first_seen_time_dt": "2019-08-24T14:15:22Z",
"groups": [
{
"privileges": []
}
],
"hostname": "string",
"hw_info": {
"bios_date": "string",
"bios_manufacturer": "string",
"bios_uid": "string",
"bios_ver": "string",
"chassis": "string",
"cpu_bits": 0,
"cpu_cores": 0,
"cpu_count": 0,
"cpu_speed": 0,
"cpu_type": "string",
"desktop_display": {},
"keyboard_info": {},
"ram_size": 0,
"serial_number": "string"
},
"hypervisor": "string",
"image": {
"labels": [
null
],
"name": "string",
"path": "string",
"tag": "string",
"uid": "string"
},
"imei": "string",
"instance_uid": "string",
"interface_name": "string",
"interface_uid": "string",
"ip": "string",
"ip_addresses": [
"string"
],
"is_compliant": true,
"is_managed": true,
"is_personal": true,
"is_trusted": true,
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"location": {
"city": "string",
"continent": "string",
"coordinates": [
null
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"mac": "string",
"mac_addresses": [
"string"
],
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"name": "string",
"namespace_pid": 0,
"netbios_names": [
"string"
],
"network_interfaces": [
{
"ip_addresses": [],
"mac_addresses": []
}
],
"network_status": "string",
"network_status_id": 0,
"org": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"os": {
"build": "string",
"country": "string",
"cpe_name": "string",
"cpu_bits": 0,
"edition": "string",
"lang": "string",
"name": "string",
"sp_name": "string",
"sp_ver": 0,
"type": "string",
"type_id": 0,
"version": "string"
},
"owner": {
"account": {
"labels": []
},
"credential_uid": "string",
"domain": "string",
"email_addr": "string",
"full_name": "string",
"groups": [
null
],
"ldap_person": {
"email_addrs": [],
"labels": []
},
"mfa_status": "string",
"mfa_status_id": 0,
"name": "string",
"org": {},
"privileges": [
null
],
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"user_status": "string",
"user_status_id": 0
},
"region": "string",
"risk_level": "string",
"risk_level_id": 0,
"risk_score": 0,
"subnet": "string",
"subnet_uid": "string",
"sw_info": [
{}
],
"type": "string",
"type_id": 0,
"uid": "string",
"uid_alt": "string",
"vendor": {
"name": "string",
"ou_name": "string",
"ou_uid": "string",
"uid": "string"
},
"vlan_uid": "string",
"vpc_uid": "string",
"zone": "string"
},
"log_level": "string",
"log_name": "string",
"log_provider": "string",
"log_version": "string",
"logged_time": 0,
"logged_time_dt": "2019-08-24T14:15:22Z",
"name": "string",
"product": {
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"transmit_time": 0,
"transmit_time_dt": "2019-08-24T14:15:22Z",
"uid": "string",
"version": "string"
}
],
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"original_time": "string",
"processed_time": 0,
"processed_time_dt": "2019-08-24T14:15:22Z",
"product": {
"cpe_name": "string",
"feature": {
"name": "string",
"uid": "string",
"version": "string"
},
"lang": "string",
"name": "string",
"path": "string",
"uid": "string",
"url_string": "string",
"vendor_name": "string",
"version": "string"
},
"profiles": [
"string"
],
"sequence": 0,
"tenant_uid": "string",
"uid": "string",
"version": "string"
},
"observables": [
{
"name": "string",
"reputation": {
"base_score": 0.1,
"provider": "string",
"score": "string",
"score_id": 0
},
"type": "string",
"type_id": 0,
"value": "string"
}
],
"osint": [
{
"answers": [
{
"class": "string",
"flag_ids": [
0
],
"flags": [
"string"
],
"packet_uid": 0,
"rdata": "string",
"ttl": 0,
"type": "string"
}
],
"attacks": [
{
"sub_technique": {
"name": "string",
"src_url": "string",
"uid": "string"
},
"tactic": {
"name": "string",
"src_url": "string",
"uid": "string"
},
"tactics": [
{}
],
"technique": {
"name": "string",
"src_url": "string",
"uid": "string"
},
"version": "string"
}
],
"autonomous_system": {
"name": "string",
"number": 0
},
"comment": "string",
"confidence": "string",
"confidence_id": 0,
"email": {
"cc": [
"string"
],
"delivered_to": "string",
"from": "string",
"message_uid": "string",
"raw_header": "string",
"reply_to": "string",
"size": 0,
"smtp_from": "string",
"smtp_to": [
"string"
],
"subject": "string",
"to": [
"string"
],
"uid": "string",
"x_originating_ip": [
"string"
]
},
"email_auth": {
"dkim": "string",
"dkim_domain": "string",
"dkim_signature": "string",
"dmarc": "string",
"dmarc_override": "string",
"dmarc_policy": "string",
"spf": "string"
},
"kill_chain": [
{
"phase": "string",
"phase_id": 0
}
],
"location": {
"city": "string",
"continent": "string",
"coordinates": [
0.1
],
"country": "string",
"desc": "string",
"geohash": "string",
"is_on_premises": true,
"isp": "string",
"lat": 0.1,
"long": 0.1,
"postal_code": "string",
"provider": "string",
"region": "string"
},
"name": "string",
"signatures": [
{
"algorithm": "string",
"algorithm_id": 0,
"certificate": {
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"expiration_time": 0,
"expiration_time_dt": "2019-08-24T14:15:22Z",
"fingerprints": [
null
],
"is_self_signed": true,
"issuer": "string",
"serial_number": "string",
"subject": "string",
"uid": "string",
"version": "string"
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"developer_uid": "string",
"digest": {
"algorithm": "string",
"algorithm_id": 0,
"value": "string"
},
"state": "string",
"state_id": 0
}
],
"src_url": "string",
"subdomains": [
"string"
],
"tlp": "string",
"type": "string",
"type_id": 0,
"uid": "string",
"value": "string",
"vendor_name": "string",
"vulnerabilities": [
{
"affected_code": [
{}
],
"affected_packages": [
{}
],
"cve": {
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"cvss": [
null
],
"cwe": {},
"cwe_uid": "string",
"cwe_url": "string",
"desc": "string",
"epss": {},
"modified_time": 0,
"modified_time_dt": "2019-08-24T14:15:22Z",
"product": {},
"references": [
null
],
"title": "string",
"type": "string",
"uid": "string"
},
"cwe": {
"caption": "string",
"src_url": "string",
"uid": "string"
},
"desc": "string",
"first_seen_time": 0,
"first_seen_time_dt": "2019-08-24T14:15:22Z",
"fix_available": true,
"is_exploit_available": true,
"is_fix_available": true,
"kb_article_list": [
{}
],
"kb_articles": [
"string"
],
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"packages": [
{}
],
"references": [
"string"
],
"related_vulnerabilities": [
"string"
],
"remediation": {
"desc": "string",
"kb_article_list": [
null
],
"kb_articles": [
null
],
"references": [
null
]
},
"severity": "string",
"title": "string",
"vendor_name": "string"
}
],
"whois": {
"autonomous_system": {
"name": "string",
"number": 0
},
"created_time": 0,
"created_time_dt": "2019-08-24T14:15:22Z",
"dnssec_status": "string",
"dnssec_status_id": 0,
"domain": "string",
"domain_contacts": [
{
"email_addr": "string",
"location": {
"coordinates": []
},
"name": "string",
"phone_number": "string",
"type": "string",
"type_id": 0,
"uid": "string"
}
],
"email_addr": "string",
"last_seen_time": 0,
"last_seen_time_dt": "2019-08-24T14:15:22Z",
"name_servers": [
"string"
],
"phone_number": "string",
"registrar": "string",
"status": "string",
"subdomains": [
"string"
],
"subnet": "string"
}
}
],
"raw_data": "string",
"severity": "string",
"severity_id": 0,
"start_time": 0,
"start_time_dt": "2019-08-24T14:15:22Z",
"status": "string",
"status_code": "string",
"status_detail": "string",
"status_id": 0,
"time": 0,
"time_dt": "2019-08-24T14:15:22Z",
"timezone_offset": 0,
"type_name": "string",
"type_uid": 0,
"unmapped": {}
},
"source_name": "string"
}'ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Log: The discovered information is via a log. 2 - Collect: The discovered information is via a collection process. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 5 - Discovery: Discovery events report the existence and state of devices, files, configurations, processes, registry keys, and other objects.
ClassUid is an enum, and the following values are allowed. 5001 - DeviceInventoryInfo: Device Inventory Info events report device inventory data that is either logged or proactively collected. For example, when collecting device information from a CMDB or running a network sweep of connected devices.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
DeviceTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Server: A server. 2 - Desktop: A desktop computer. 3 - Laptop: A laptop computer. 4 - Tablet: A tablet computer. 5 - Mobile: A mobile phone. 6 - Virtual: A virtual machine. 7 - IOT: An IOT (Internet of Things) device. 8 - Browser: A web browser. 9 - Firewall: A networking firewall. 10 - Switch: A networking switch. 11 - Hub: A networking hub. 12 - Router: A networking router. 13 - IDS: An intrusion detection system. 14 - IPS: An intrusion prevention system. 15 - LoadBalancer: A Load Balancer device. 89 - ImagingEquipment: Equipment for processing optical data, such as a camera. 90 - PLC: A Programmable logic controller. 91 - SCADA: A supervisory control and data acquisition system. 92 - DCS: A distributed control system. 93 - CNC: A computer numerical control system, including computerized machine tools. 94 - ScientificEquipment: A piece of scientific equipment such as an oscilloscope or spectrometer. 95 - MedicalDevice: A medical device such as an MRI machine or infusion pump. 96 - LightingControls: A lighting control for internal or external applications. 97 - EnergyMonitoringSystem: An energy monitoring, security or safety system. 98 - TransportationDevice: A transportation device or transportation supporting device. 99 - Other: The type is not mapped. See the type attribute, which contains a data source specific value.
A list of agent objects associated with a device, endpoint, or resource.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the device was known to have been created.
The description of the device, ordinarily as reported by the operating system.
The network domain where the device resides. For example: work.example.com.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"].
Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: r2-d2.example.com.
The Device Hardware Information object contains details and specifications of the physical components that make up a device. This information provides an overview of the hardware capabilities, configuration, and characteristics of the device.
The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc.
The Image object provides a description of a specific Virtual Machine (VM) or Container image. Defined by D3FEND d3f:ContainerImage.
The International Mobile Station Equipment Identifier that is associated with the device.
Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, 192.168.200.24 or 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND d3f:PhysicalLocation.
Media Access Control (MAC) address. For example: 18:36:F3:98:4F:9A.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the device was last known to have been modified.
The alternate device name, ordinarily as assigned by an administrator.
Note: The Name could be any other string that helps to identify the device, such as a phone number; for example 310-555-1234.
If running under a process namespace (such as in a container), the process identifier within that process namespace.
The network interfaces that are associated with the device, one for each unique MAC address/IP address/hostname/name combination.
Note: The first element of the array is the network information that pertains to the event.
DeviceNetworkStatusId is an enum, and the following values are allowed. 1 - NotIsolated: Device is not isolated from the network. 2 - Isolated: Device is isolated from the network. 99 - Unknown: The network isolation status is unknown.
The Organization object describes characteristics of an organization or company and its division if any.
The Operating System (OS) object describes characteristics of an OS, such as Linux or Windows. Defined by D3FEND d3f:OperatingSystem.
The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND d3f:UserAccount.
The region where the virtual machine is located. For example, an AWS Region.
The risk level, normalized to the caption of the risk_level_id value.
DeviceRiskLevelId is an enum, and the following values are allowed. 0 - Info 1 - Low 2 - Medium 3 - High 4 - Critical 99 - Other: The risk level is not mapped. See the risk_level attribute, which contains a data source specific value.
The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet.
The list of software contained on a device
The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, plc, scada, dcs, cnc, scientific, medical, lighting, energy, transportation other.
The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN.
An alternate unique identifier of the device if any. For example the ActiveDirectory DN.
The Organization object describes characteristics of an organization or company and its division if any.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example:["network", "connection.ip:destination", "device.ip:source"]The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
TypeUid is an enum, and the following values are allowed. 500100 - Unknown 500101 - Log: The discovered information is via a log. 500102 - Collect: The discovered information is via a collection process. 500199 - Other
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The end time of a time period, or the time of the most recent event included in the aggregate event.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The start time of a time period, or the time of the least recent event included in the aggregate event.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
{ "activity_id": 0, "activity_name": "string", "actor": { "app_name": "string", "app_uid": "string", "authorizations": [ … ], "idp": { … }, "invoked_by": "string", "process": { … }, "session": { … }, "user": { … } }, "api": { "group": { … }, "operation": "string", "request": { … }, "response": { … }, "service": { … }, "version": "string" }, "category_name": "string", "category_uid": 0, "class_uid": 0, "cloud": { "account": { … }, "org": { … }, "project_uid": "string", "provider": "string", "region": "string", "zone": "string" }, "count": 0, "custom_fields": {}, "device": { "agent_list": [ … ], "autoscale_uid": "string", "boot_time": 0, "boot_time_dt": "2019-08-24T14:15:22Z", "container": { … }, "created_time": 0, "created_time_dt": "2019-08-24T14:15:22Z", "desc": "string", "domain": "string", "first_seen_time": 0, "first_seen_time_dt": "2019-08-24T14:15:22Z", "groups": [ … ], "hostname": "string", "hw_info": { … }, "hypervisor": "string", "image": { … }, "imei": "string", "instance_uid": "string", "interface_name": "string", "interface_uid": "string", "ip": "string", "ip_addresses": [ … ], "is_compliant": true, "is_managed": true, "is_personal": true, "is_trusted": true, "last_seen_time": 0, "last_seen_time_dt": "2019-08-24T14:15:22Z", "location": { … }, "mac": "string", "mac_addresses": [ … ], "modified_time": 0, "modified_time_dt": "2019-08-24T14:15:22Z", "name": "string", "namespace_pid": 0, "netbios_names": [ … ], "network_interfaces": [ … ], "network_status": "string", "network_status_id": 0, "org": { … }, "os": { … }, "owner": { … }, "region": "string", "risk_level": "string", "risk_level_id": 0, "risk_score": 0, "subnet": "string", "subnet_uid": "string", "sw_info": [ … ], "type": "string", "type_id": 0, "uid": "string", "uid_alt": "string", "vendor": { … }, "vlan_uid": "string", "vpc_uid": "string", "zone": "string" }, "duration": 0, "end_time": 0, "end_time_dt": "2019-08-24T14:15:22Z", "enrichments": [ { … } ], "message": "string", "metadata": { "correlation_uid": "string", "event_code": "string", "extension": { … }, "extensions": [ … ], "labels": [ … ], "log_level": "string", "log_name": "string", "log_provider": "string", "log_version": "string", "logged_time": 0, "logged_time_dt": "2019-08-24T14:15:22Z", "loggers": [ … ], "modified_time": 0, "modified_time_dt": "2019-08-24T14:15:22Z", "original_time": "string", "processed_time": 0, "processed_time_dt": "2019-08-24T14:15:22Z", "product": { … }, "profiles": [ … ], "sequence": 0, "tenant_uid": "string", "uid": "string", "version": "string" }, "observables": [ { … } ], "osint": [ { … } ], "raw_data": "string", "severity": "string", "severity_id": 0, "start_time": 0, "start_time_dt": "2019-08-24T14:15:22Z", "status": "string", "status_code": "string", "status_detail": "string", "status_id": 0, "time": 0, "time_dt": "2019-08-24T14:15:22Z", "timezone_offset": 0, "type_name": "string", "type_uid": 0, "unmapped": {} }
curl -i -X GET \
'https://api.synqly.com/v1/vulnerabilities/scans?cursor=string&limit=0&meta=string' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'{ "result": [ { … } ], "cursor": "string", "meta": { "stats": { … }, "api": { … } } }
curl -i -X GET \
'https://api.synqly.com/v1/vulnerabilities/scans/{scan_id}/activity' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'Scan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved.
ActivityId is an enum, and the following values are allowed. 0 - Unknown: The event activity is unknown. 1 - Started: The scan was started. 2 - Completed: The scan was completed. 3 - Cancelled: The scan was cancelled. 4 - DurationViolation: The allocated scan time was insufficient to complete the requested scan. 5 - PauseViolation: The scan was paused, either by the user or by program constraints (e.g. scans that are suspended during certain time intervals), and not resumed within the allotted time. 6 - Error: The scan could not be completed due to an internal error. 7 - Paused: The scan was paused. 8 - Resumed: The scan was resumed from the pause point. 9 - Restarted: The scan restarted from the beginning of the file enumeration. 10 - Delayed: The user delayed the scan. 99 - Other: The event activity is not mapped. See the activity_name attribute, which contains a data source specific value.
CategoryUid is an enum, and the following values are allowed. 6 - ApplicationActivity: Application Activity events report detailed information about the behavior of applications and services.
ClassUid is an enum, and the following values are allowed. 6007 - ScanActivity: Scan events report the start, completion, and results of a scan job. The scan event includes the number of items that were scanned and the number of detections that were resolved.
The Metadata object describes the metadata associated with the event. Defined by D3FEND d3f:Metadata.
The Product object describes characteristics of a software product.
The Common Platform Enumeration (CPE) name as described by (NIST) For example: cpe:/a:apple:safari:16.2.
The Feature object provides information about the software product feature that generated a specific event. It encompasses details related to the capabilities, components, user interface (UI) design, and performance upgrades associated with the feature.
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).
Uniform Resource Locator (URL) string. For example: http://www.example.com/download/trouble.exe.
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.
The Event ID or Code that the product uses to describe the event.
The OCSF Schema Extension object provides detailed information about the schema extension used to construct the event. The schema extensions are registered in the extensions.md file.
The schema extensions used to create the event.
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
For example:["network", "connection.ip:destination", "device.ip:source"]The event log name. For example, syslog file name or Windows logging subsystem: Security.
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the logging system collected and logged the event.
This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The time when the event was last modified or enriched.
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The event processed time, such as an ETL operation.
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions.
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
The Scan object describes characteristics of a proactive scan.
ScanTypeId is an enum, and the following values are allowed. 0 - Unknown: The type is unknown. 1 - Manual: The scan was manually initiated by the user or administrator. 2 - Scheduled: The scan was started based on scheduler. 3 - UpdatedContent: The scan was triggered by a content update. 4 - QuarantinedItems: The scan was triggered by newly quarantined items. 5 - AttachedMedia: The scan was triggered by the attachment of removable media. 6 - UserLogon: The scan was started due to a user logon. 7 - ELAM: The scan was triggered by an Early Launch Anti-Malware (ELAM) detection. 99 - Other: The scan type id is not mapped. See the type attribute, which contains a data source specific value.
The administrator-supplied or application-generated name of the scan. For example: "Home office weekly user database scan", "Scan folders for viruses", "Full system virus scan"
SeverityId is an enum, and the following values are allowed. 0 - Unknown: The event/finding severity is unknown. 1 - Informational: Informational message. No action required. 2 - Low: The user decides if action is needed. 3 - Medium: Action is required but the situation is not serious at this time. 4 - High: Action is required immediately. 5 - Critical: Action is required immediately and the scope is broad. 6 - Fatal: An error occurred but it is too late to take remedial action. 99 - Other: The event/finding severity is not mapped. See the severity attribute, which contains a data source specific value.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
TypeUid is an enum, and the following values are allowed. 600700 - Unknown 600701 - Started: The scan was started. 600702 - Completed: The scan was completed. 600703 - Cancelled: The scan was cancelled. 600704 - DurationViolation: The allocated scan time was insufficient to complete the requested scan. 600705 - PauseViolation: The scan was paused, either by the user or by program constraints (e.g. scans that are suspended during certain time intervals), and not resumed within the allotted time. 600706 - Error: The scan could not be completed due to an internal error. 600707 - Paused: The scan was paused. 600708 - Resumed: The scan was resumed from the pause point. 600709 - Restarted: The scan restarted from the beginning of the file enumeration. 600710 - Delayed: The user delayed the scan. 600799 - Other
The Actor object contains details about the user, role, application, service, or process that initiated or performed a specific activity.
The agents that were used to scan the devices.
The API, or Application Programming Interface, object represents information pertaining to an API request and response.
The event category name, as defined by category_uid value: Application Activity.
The Cloud object contains information about a cloud account such as AWS Account ID, regions, etc.
The command identifier that is associated with this scan event. This ID uniquely identifies the proactive scan command, e.g., if remotely initiated.
The number of times that events in the same logical group occurred during the event Start Time to End Time period.
An unordered collection of attributes. It defines a set of attributes available in all objects. It can be also used as a generic object to log objects that are not otherwise defined by the schema.
The Device object represents an addressable computer system or host, which is typically connected to a computer network and participates in the transmission or processing of data within the computer network. Defined by D3FEND d3f:Host.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The additional information from an external data source, which is associated with the event or a finding. For example add location information for the IP address in the DNS answers:
[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]The observables associated with the event or a finding.
The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.
The Policy object describes the policies that are applicable.
Policy attributes provide traceability to the operational state of the security product at the time that the event was captured, facilitating forensics, troubleshooting, and policy tuning/adjustments.
The event/finding severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the source.
The timestamp format is the number of milliseconds since the Epoch 01/01/1970 00:00:00 UTC. For example 1618524549901.
The event status, normalized to the caption of the status_id value. In the case of 'Other', it is defined by the event source.
The event status code, as reported by the event source.
For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
The status detail contains additional information about the event/finding outcome.
StatusId is an enum, and the following values are allowed. 0 - Unknown: The status is unknown. 1 - Success 2 - Failure 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.
The normalized event occurrence time or the finding creation time.
The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.
The total number of items that were scanned; zero if no items were scanned.
{ "result": { "activity_id": 0, "activity_name": "string", "actor": { … }, "agent_list": [ … ], "api": { … }, "category_name": "string", "category_uid": 0, "class_uid": 0, "cloud": { … }, "command_uid": "string", "count": 0, "custom_fields": {}, "device": { … }, "duration": 0, "end_time": 0, "end_time_dt": "2019-08-24T14:15:22Z", "enrichments": [ … ], "message": "string", "metadata": { … }, "num_detections": 0, "num_files": 0, "num_folders": 0, "num_hosts": 0, "num_network_items": 0, "num_processes": 0, "num_registry_items": 0, "num_resolutions": 0, "num_skipped_items": 0, "num_trusted_items": 0, "observables": [ … ], "osint": [ … ], "policy": { … }, "raw_data": "string", "scan": { … }, "schedule_uid": "string", "severity": "string", "severity_id": 0, "start_time": 0, "start_time_dt": "2019-08-24T14:15:22Z", "status": "string", "status_code": "string", "status_detail": "string", "status_id": 0, "time": 0, "time_dt": "2019-08-24T14:15:22Z", "timezone_offset": 0, "total": 0, "type_name": "string", "type_uid": 0, "unmapped": {} }, "meta": { "stats": { … }, "api": { … } } }