Data Classification Endpoints
Use the references for REST API V8.0 data classification endpoints.
GET /data_classification/dsm_event_mappings
Retrieves a list of DSM event mappings.
Table 1: GET /data_classification/dsm_event_mappings Resource Details
MIME Type |
---|
application/json |
Table 2: GET /data_classification/dsm_event_mappings Request Parameter Details
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
Table 3: GET /data_classification/dsm_event_mappings Response Codes
HTTP Response Code | Unique Code | Description |
---|---|---|
200 | | The requested list of DSM event mappings was retrieved. |
500 | 1020 | An error occurred during the attempt to retrieve the list of DSM event mappings. |
Response Description
A list of DSM event mappings. A DSM event mapping contains the following fields:
id - Number - The ID of the DSM event mapping.
log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.
Response Sample
[
  {
    "custom_event": true,
    "id": 42,
    "log_source_event_category": "String",
    "log_source_event_id": "String",
    "log_source_type_id": 42,
    "qid_record_id": 42
  }
]
POST /data_classification/dsm_event_mappings
Creates a new custom DSM event mapping.
Table 4: POST /data_classification/dsm_event_mappings Resource Details
MIME Type |
---|
application/json |
Table 5: POST /data_classification/dsm_event_mappings Request Parameter Details
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
Table 6: POST /data_classification/dsm_event_mappings Request Body Details
Parameter | Data Type | MIME Type | Description | Sample |
---|---|---|---|---|
data | Object | application/json | Required - A DSM event mapping that contains the following fields: | { "log_source_event_category": "String", "log_source_event_id": "String", "log_source_type_id": 42, "qid_record_id": 42 } |
Table 7: POST /data_classification/dsm_event_mappings Response Codes
HTTP Response Code | Unique Code | Description |
---|---|---|
201 | | The new custom DSM event mapping was created. |
409 | 1008 | There is an existing custom DSM event mapping with the same log_source_type_id, log_source_event_id and log_source_event_category combination. Cannot create duplicate DSM event mapping. |
422 | 1005 | Invalid parameter value provided for the new DSM event mapping. |
500 | 1020 | An error occurred during the attempt to create a new custom DSM event mapping. |
Response Description
The newly created DSM event mapping that contains the following fields:
id - Number - The ID of the DSM event mapping.
log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.
Response Sample
{
  "custom_event": true,
  "id": 42,
  "log_source_event_category": "String",
  "log_source_event_id": "String",
  "log_source_type_id": 42,
  "qid_record_id": 42
}
GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id}
Retrieves a DSM event mapping based on the supplied DSM event mapping ID.
Table 8: GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Resource Details
MIME Type |
---|
application/json |
Table 9: GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Request Parameter Details
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
dsm_event_mapping_id | path | Required | Number (Integer) | text/plain | Required - The ID of the DSM event mapping. |
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
Table 10: GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Response Codes
HTTP Response Code | Unique Code | Description |
---|---|---|
200 | | The requested DSM event mapping was retrieved. |
404 | 1002 | The requested DSM event mapping was not found. |
500 | 1020 | An error occurred during the attempt to retrieve the DSM event mapping. |
Response Description
A DSM event mapping that contains the following fields:
id - Number - The ID of the DSM event mapping.
log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.
Response Sample
{
  "custom_event": true,
  "id": 42,
  "log_source_event_category": "String",
  "log_source_event_id": "String",
  "log_source_type_id": 42,
  "qid_record_id": 42
}
POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id}
Updates an existing custom DSM event mapping.
Table 11: POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Resource Details
MIME Type |
---|
application/json |
Table 12: POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Request Parameter Details
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
dsm_event_mapping_id | path | Required | Number (Integer) | text/plain | Required - The ID of the DSM event mapping. |
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
Table 13: POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Request Body Details
Parameter | Data Type | MIME Type | Description | Sample |
---|---|---|---|---|
data | Object | application/json | Required - The DSM event mapping to be updated that might contain the following field: | { "qid_record_id": 42 } |
Table 14: POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Response Codes
HTTP Response Code | Unique Code | Description |
---|---|---|
200 | | The DSM event mapping was updated. |
404 | 1002 | The requested DSM event mapping was not found. |
422 | 1005 | Invalid parameter provided while updating the DSM event mapping. |
500 | 1020 | An error occurred during the attempt to update a DSM event mapping. |
Response Description
The updated DSM event mapping that contains the following fields:
id - Number - The ID of the DSM event mapping.
log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.
log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.
log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.
custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).
qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.
Response Sample
{
  "custom_event": true,
  "id": 42,
  "log_source_event_category": "String",
  "log_source_event_id": "String",
  "log_source_type_id": 42,
  "qid_record_id": 42
}
GET /data_classification/high_level_categories
Retrieves a list of high level categories.
Table 15: GET /data_classification/high_level_categories Resource Details
MIME Type |
---|
application/json |
Table 16: GET /data_classification/high_level_categories Request Parameter Details
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list. |
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
Table 17: GET /data_classification/high_level_categories Response Codes
HTTP Response Code | Unique Code | Description |
---|---|---|
200 | | The requested list of high level categories was retrieved. |
422 | 23003 | Sorting is only supported for fields "id" or "name". |
422 | 23004 | The sort field that was provided does not exist. |
422 | 23005 | Sorting on multiple fields is not supported. |
500 | 1020 | An error occurred during the attempt to retrieve the list of high level categories. |
Response Description
A list of high level categories. A high level category contains the following fields:
id - Number - The ID of the high level category.
name - String - The name of the high level category.
description - String - The description of the high level category.
Response Sample
[
  { "id": 19000, "name": "Audit", "description": "Audit" },
  { "id": 20000, "name": "Risk", "description": "Risk" }
]
GET /data_classification/high_level_categories/{high_level_category_id}
Retrieves a high level category based on the supplied high level category ID.
Table 18: GET /data_classification/high_level_categories/{high_level_category_id} Resource Details
MIME Type |
---|
application/json |
Table 19: GET /data_classification/high_level_categories/{high_level_category_id} Request Parameter Details
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
high_level_category_id | path | Required | Number (Integer) | text/plain | Required - The ID of the high level category. |
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
Table 20: GET /data_classification/high_level_categories/{high_level_category_id} Response Codes
HTTP Response Code | Unique Code | Description |
---|---|---|
200 | | The requested high level category was retrieved. |
404 | 1002 | The requested high level category was not found. |
422 | 1005 | High level category ID must be a positive integer. |
500 | 1020 | An error occurred during the attempt to retrieve the high level category. |
Response Description
A high level category that contains the following fields:
id - Number - The ID of the high level category.
name - String - The name of the high level category.
description - String - The description of the high level category.
Response Sample
{ "id": 19000, "name": "Audit", "description": "Audit" }
GET /data_classification/low_level_categories
Retrieves a list of low level categories.
Table 21: GET /data_classification/low_level_categories Resource Details
MIME Type |
---|
application/json |
Table 22: GET /data_classification/low_level_categories Request Parameter Details
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list. |
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
Table 23: GET /data_classification/low_level_categories Response Codes
HTTP Response Code | Unique Code | Description |
---|---|---|
200 | | The requested list of low level categories was retrieved. |
422 | 23053 | Sorting is only supported for fields "id" or "name". |
422 | 23054 | The sort field that was provided does not exist. |
422 | 23055 | Sorting on multiple fields is not supported. |
500 | 1020 | An error occurred during the attempt to retrieve the list of low level categories. |
Response Description
A list of low level category objects. A low level category contains the following fields:
id - Number - The ID of the low level category.
name - String - The name of the low level category.
description - String - The description of the low level category.
severity - Number - The severity of the low level category.
high_level_category_id - Number - The ID of the parent high level category.
Response Sample
[
  {
    "id": 19001,
    "name": "General Audit Event",
    "description": "General Audit Event",
    "high_level_category_id": 19000,
    "severity": 0
  },
  {
    "id": 19002,
    "name": "Built-in Execution",
    "description": " Built-in Execution",
    "high_level_category_id": 19000,
    "severity": 0
  }
]
GET /data_classification/low_level_categories/{low_level_category_id}
Retrieves a low level category based on the supplied low level category ID.
Table 24: GET /data_classification/low_level_categories/{low_level_category_id} Resource Details
MIME Type |
---|
application/json |
Table 25: GET /data_classification/low_level_categories/{low_level_category_id} Request Parameter Details
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
low_level_category_id | path | Required | Number (Integer) | text/plain | Required - The ID of the low level category. |
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
Table 26: GET /data_classification/low_level_categories/{low_level_category_id} Response Codes
HTTP Response Code | Unique Code | Description |
---|---|---|
200 | | The requested low level category was retrieved. |
404 | 1002 | The requested low level category was not found. |
422 | 1005 | Low level category ID must be a positive integer. |
500 | 1020 | An error occurred during the attempt to retrieve the low level category. |
Response Description
A low level category that contains the following fields:
id - Number - The ID of the low level category.
name - String - The name of the low level category.
description - String - The description of the low level category.
severity - Number - The severity of the low level category.
high_level_category_id - Number - The ID of the parent high level category.
Response Sample
{
  "id": 19001,
  "name": "General Audit Event",
  "description": "General Audit Event",
  "high_level_category_id": 19000,
  "severity": 0
}
GET /data_classification/qid_records
Retrieves a list of QID records.
Table 27: GET /data_classification/qid_records Resource Details
MIME Type |
---|
application/json |
Table 28: GET /data_classification/qid_records Request Parameter Details
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
Table 29: GET /data_classification/qid_records Response Codes
HTTP Response Code | Unique Code | Description |
---|---|---|
200 | | The requested list of QID records was retrieved. |
500 | 1020 | An error occurred during the attempt to retrieve the list of QID records. |
Response Description
A list of QID records. A QID record contains the following fields:
id - Number - The ID of the QID record.
qid - Number - The QID of the QID record.
name - String - The name of the QID record.
description - String - The description of the QID record.
severity - Number - The severity of the QID record.
low_level_category_id - Number - The low level category ID of the QID record.
log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.
Response Sample
[
  {
    "id": 64280,
    "qid": 2500283,
    "name": "DELETED WEB-MISC O'Reilly args.bat access",
    "description": "DELETED WEB-MISC O'Reilly args.bat access",
    "severity": 2,
    "low_level_category_id": 1011,
    "log_source_type_id": null
  },
  {
    "id": 64297,
    "qid": 2500300,
    "name": "DELETED WEB-MISC Cisco Web DOS attempt",
    "description": "DELETED WEB-MISC Cisco Web DOS attempt",
    "severity": 8,
    "low_level_category_id": 2009,
    "log_source_type_id": null
  }
]
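The list responses above reference each other by ID (qid_record_id, low_level_category_id, high_level_category_id), so a custom DSM event mapping can be reviewed by joining them to see which QID record, severity and category it resolves to. The Python below is an added example, not part of the original reference: it runs offline on constructed records that use this page's field names, and the function names, sample values and the min_severity threshold are assumptions.

```python
# Added example: join DSM event mappings to QID records and categories,
# then list custom mappings (custom_event=true) that deserve a review.
# All records are constructed; only the field names come from this page.

HIGH_LEVEL_CATEGORIES = [
    {"id": 19000, "name": "Audit", "description": "Audit"},
    {"id": 20000, "name": "Risk", "description": "Risk"},
]
LOW_LEVEL_CATEGORIES = [
    {"id": 19001, "name": "General Audit Event", "description": "General Audit Event",
     "severity": 0, "high_level_category_id": 19000},
    {"id": 20001, "name": "Constructed Risk Event", "description": "Constructed",
     "severity": 7, "high_level_category_id": 20000},
]
QID_RECORDS = [
    {"id": 1, "qid": 2500001, "name": "Constructed QID A", "severity": 8,
     "low_level_category_id": 20001, "log_source_type_id": None},
    {"id": 2, "qid": 2500002, "name": "Constructed QID B", "severity": 0,
     "low_level_category_id": 19001, "log_source_type_id": None},
    {"id": 3, "qid": 2500003, "name": "Constructed QID C", "severity": 5,
     "low_level_category_id": 99999, "log_source_type_id": None},  # unknown category
]
FIELDS = ("id", "log_source_type_id", "log_source_event_id",
          "log_source_event_category", "custom_event", "qid_record_id")
DSM_EVENT_MAPPINGS = [dict(zip(FIELDS, row)) for row in [
    (10, 42, "LOGIN_FAIL", "auth", False, 1),   # system-provided
    (11, 42, "LOGIN_FAIL", "auth", True, 2),    # custom, same key as mapping 10
    (12, 42, "CFG_CHANGE", "admin", True, 1),   # custom, nothing to flag
    (13, 43, "X", "y", True, 77),               # custom, QID record missing
    (14, 43, "Z", "y", True, 3),                # custom, category missing
]]


def by_id(records):
    return {r["id"]: r for r in records}


def resolve_mappings(mappings, qid_records, low_cats, high_cats):
    """Follow qid_record_id -> low_level_category_id -> high_level_category_id."""
    qids, low, high = by_id(qid_records), by_id(low_cats), by_id(high_cats)
    rows = []
    for m in mappings:
        q = qids.get(m["qid_record_id"])
        lc = low.get(q["low_level_category_id"]) if q else None
        hc = high.get(lc["high_level_category_id"]) if lc else None
        rows.append({
            "mapping_id": m["id"],
            "key": (m["log_source_type_id"], m["log_source_event_id"],
                    m["log_source_event_category"]),
            "custom_event": m["custom_event"],
            "qid": q["qid"] if q else None,
            "severity": q["severity"] if q else None,
            "low_level_category": lc["name"] if lc else None,
            "high_level_category": hc["name"] if hc else None,
        })
    return rows


def review_custom_mappings(rows, min_severity=3):
    """Return {mapping_id: [notes]} for custom mappings worth a second look."""
    system_keys = {r["key"] for r in rows if not r["custom_event"]}
    findings = {}
    for r in rows:
        if not r["custom_event"]:
            continue
        notes = []
        if r["qid"] is None:
            notes.append("qid_record_id does not resolve to a QID record")
        else:
            if r["low_level_category"] is None:
                notes.append("QID record points at an unknown low level category")
            if r["severity"] < min_severity:
                notes.append(f"QID severity {r['severity']} is below {min_severity}")
        if r["key"] in system_keys:
            notes.append("same lookup key as a system-provided mapping")
        if notes:
            findings[r["mapping_id"]] = notes
    return findings


if __name__ == "__main__":
    resolved = resolve_mappings(DSM_EVENT_MAPPINGS, QID_RECORDS,
                                LOW_LEVEL_CATEGORIES, HIGH_LEVEL_CATEGORIES)
    for mapping_id, notes in review_custom_mappings(resolved).items():
        print(mapping_id, "; ".join(notes))
```

With live data, the four lists would come from the GET list endpoints documented on this page instead of the constructed constants.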
POST /data_classification/qid_records
Creates a new QID record.
Table 30: POST /data_classification/qid_records Resource Details
MIME Type |
---|
application/json |
Table 31: POST /data_classification/qid_records Request Parameter Details
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
Table 32: POST /data_classification/qid_records Request Body Details
Parameter | Data Type | MIME Type | Description | Sample |
---|---|---|---|---|
data | Object | application/json | Required - A QID record containing the following fields: | { "log_source_type_id": 199, "name": "spp_portscan: Portscan Detected", "description": "spp_portscan: Portscan Detected", "severity": 4, "low_level_category_id": 1008 } |
Table 33: POST /data_classification/qid_records Response Codes
HTTP Response Code | Unique Code | Description |
---|---|---|
201 | | The new QID record was created. |
422 | 1005 | Invalid parameter value provided for the new QID record. |
500 | 1020 | An error occurred during the attempt to create a new QID record. |
Response Description
The newly created QID record containing the following fields:
id - Number - The ID of the QID record.
qid - Number - The QID of the QID record.
name - String - The name of the QID record.
description - String - The description of the QID record.
severity - Number - The severity of the QID record.
low_level_category_id - Number - The low level category ID of the QID record.
log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.
Response Sample
{
  "id": 63998,
  "qid": 2500001,
  "name": "spp_portscan: Portscan Detected",
  "description": "spp_portscan: Portscan Detected",
  "severity": 4,
  "low_level_category_id": 1008,
  "log_source_type_id": null
}
GET /data_classification/qid_records/{qid_record_id}
Retrieves a QID record that is based on the supplied qid_record_id.
Table 34: GET /data_classification/qid_records/{qid_record_id} Resource Details
MIME Type |
---|
application/json |
Table 35: GET /data_classification/qid_records/{qid_record_id} Request Parameter Details
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
qid_record_id | path | Required | Number (Integer) | text/plain | Required - The ID of the QID record. |
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
Table 36: GET /data_classification/qid_records/{qid_record_id} Response Codes
HTTP Response Code | Unique Code | Description |
---|---|---|
200 | | The requested QID record was retrieved. |
404 | 1002 | The requested QID record was not found. |
422 | 1005 | qid_record_id must be a positive integer. |
500 | 1020 | An error occurred during the attempt to retrieve the QID record. |
Response Description
A QID record containing the following fields:
id - Number - The ID of the QID record.
qid - Number - The QID of the QID record.
name - String - The name of the QID record.
description - String - The description of the QID record.
severity - Number - The severity of the QID record.
low_level_category_id - Number - The low level category ID of the QID record.
log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.
Response Sample
{
  "id": 63998,
  "qid": 2500001,
  "name": "spp_portscan: Portscan Detected",
  "description": "spp_portscan: Portscan Detected",
  "severity": 4,
  "low_level_category_id": 1008,
  "log_source_type_id": null
}
POST /data_classification/qid_records/{qid_record_id}
Updates an existing QID record.
Table 37: POST /data_classification/qid_records/{qid_record_id} Resource Details
MIME Type |
---|
application/json |
Table 38: POST /data_classification/qid_records/{qid_record_id} Request Parameter Details
Parameter | Type | Optionality | Data Type | MIME Type | Description |
---|---|---|---|---|---|
qid_record_id | path | Required | Number (Integer) | text/plain | Required - The ID of the QID record. |
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
Table 39: POST /data_classification/qid_records/{qid_record_id} Request Body Details
Parameter | Data Type | MIME Type | Description | Sample |
---|---|---|---|---|
qid_record | Object | application/json | Required - The QID record to be updated, which may contain the following fields: | { "name": "spp_portscan: Portscan Detected", "description": "spp_portscan: Portscan Detected", "severity": 4, "low_level_category_id": 1008 } |
Table 40: POST /data_classification/qid_records/{qid_record_id} Response Codes
HTTP Response Code | Unique Code | Description |
---|---|---|
200 | | The QID record was updated. |
404 | 1002 | The requested QID record was not found. |
409 | 1008 | The QID record that was provided cannot be updated because it is a system-provided QID. |
422 | 1005 | Invalid parameter was provided during the update to the QID record. |
500 | 1020 | An error occurred during the attempt to update a QID record. |
Response Description
The updated QID record containing the following fields:
id - Number - The ID of the QID record.
qid - Number - The QID of the QID record.
name - String - The name of the QID record.
description - String - The description of the QID record.
severity - Number - The severity of the QID record.
low_level_category_id - Number - The low level category ID of the QID record.
log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.
Response Sample
{
  "id": 63998,
  "qid": 2500001,
  "name": "spp_portscan: Portscan Detected",
  "description": "spp_portscan: Portscan Detected",
  "severity": 4,
  "low_level_category_id": 1008,
  "log_source_type_id": null
}