SIEM Endpoints

Use these references for the REST API V8.0 SIEM endpoints.

GET /siem/local_destination_addresses

Retrieve a list of offense local destination addresses currently in the system.

Table 1: GET /siem/local_destination_addresses Resource Details

MIME Type | application/json

Table 2: GET /siem/local_destination_addresses Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; separate multiple fields in the same object with commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 3: GET /siem/local_destination_addresses Response Codes

HTTP Response Code | Unique Code | Description
200 | | The local destination address list was retrieved.
422 | 1005 | A request parameter is not valid.
422 | 1010 | The filter parameter is not valid.
500 | 1020 | An error occurred while the local destination address list was being retrieved.

Response Description

An array of local destination address objects. A local destination address object contains the following fields:

  • id - Number - The ID of the destination address.

  • local_destination_ip - String - The IP address.

  • magnitude - Number - The magnitude of the destination address.

  • network - String - The network of the destination address.

  • offense_ids - Array of Numbers - List of offense IDs the destination address is part of.

  • source_address_ids - Array of Numbers - List of source address IDs associated with the destination address.

  • event_flow_count - Number - The number of events and flows that are associated with the destination address.

  • first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or flow was seen.

  • last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow was seen.

  • domain_id - Number - The ID of associated domain.

Response Sample

[ { "domain_id": 42, "event_flow_count": 42, "first_event_flow_seen": 42, "id": 42, "last_event_flow_seen": 42, "local_destination_ip": "String", "magnitude": 42, "network": "String", "offense_ids": [ 42 ], "source_address_ids": [ 42 ] } ]
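As an added example (this is not part of the page and not IBM's own client code), the following Python client pages through GET /siem/local_destination_addresses with the Range header, narrows the reply with fields and filter, maps the documented 422/1005, 422/1010 and 500/1020 replies to an exception, and then ranks the addresses that deserve a look first by magnitude and recency of the last event or flow. It assumes things the page does not state: the SEC token and Version request headers, the items=<first>-<last> syntax of the Range header, and that an error reply is a JSON object with numeric code and message fields. The transport is an in-memory stand-in with constructed records so the example runs offline; it honours Range and a top-level comma-separated fields list but does not implement the real filter grammar.

```python
"""Paged listing of offense local destination addresses (added example, not IBM code).

Assumptions not stated on the page: the SEC/Version headers, the 'items=a-b'
Range syntax and the error-body layout {"code": <unique code>, "message": ...}.
"""
import json
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# send(method, path, headers, query_params) -> (http_status, body_bytes)
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, bytes]]
LIST_PATH = "/api/siem/local_destination_addresses"


class QRadarApiError(Exception):
    """Raised for the documented 4xx/5xx replies; .code is the QRadar unique code."""

    def __init__(self, status: int, code: Optional[int], message: str):
        super().__init__(f"HTTP {status} / unique code {code}: {message}")
        self.status, self.code = status, code


def parse_reply(status: int, body: bytes):
    """Decode a JSON reply, turning error replies into QRadarApiError."""
    payload = json.loads(body) if body else None
    if status >= 400:
        err = payload if isinstance(payload, dict) else {}
        raise QRadarApiError(status, err.get("code"), err.get("message", ""))  # assumed layout
    return payload


def iter_local_destination_addresses(send: Transport, token: str, page_size: int = 50,
                                     fields: Optional[str] = None,
                                     filter_expr: Optional[str] = None) -> Iterator[dict]:
    """Yield every address, fetching page_size items per request via the Range header."""
    params: Dict[str, str] = {}
    if fields:
        params["fields"] = fields
    if filter_expr:
        params["filter"] = filter_expr
    first = 0
    while True:
        headers = {
            "SEC": token,                  # authorized-service token (assumption)
            "Version": "8.0",              # pin the API version (assumption)
            "Accept": "application/json",
            "Range": f"items={first}-{first + page_size - 1}",  # zero-indexed, inclusive
        }
        page = parse_reply(*send("GET", LIST_PATH, headers, params))
        yield from page
        if len(page) < page_size:          # short page: nothing further to fetch
            return
        first += page_size


def triage(addresses: List[dict], now_ms: int, min_magnitude: int, max_age_ms: int) -> List[dict]:
    """Addresses at or above min_magnitude with a recent last event/flow, hottest first.

    The page's timestamps are milliseconds since epoch, so the age check is in ms too.
    """
    hot = [a for a in addresses
           if a["magnitude"] >= min_magnitude and now_ms - a["last_event_flow_seen"] <= max_age_ms]
    return sorted(hot, key=lambda a: (-a["magnitude"], -len(a["offense_ids"])))


# --- constructed offline stand-in for the appliance ---------------------------------
NOW_MS = 1_700_000_000_000  # constructed "current time"
SAMPLE_RECORDS: List[dict] = [
    {"id": i, "local_destination_ip": f"10.0.0.{i}", "magnitude": mag, "network": "example-net",
     "offense_ids": list(range(1, n + 1)), "source_address_ids": [100 + i], "event_flow_count": 10 * n,
     "first_event_flow_seen": NOW_MS - 86_400_000, "last_event_flow_seen": NOW_MS - age, "domain_id": 0}
    for i, (mag, n, age) in enumerate([(9, 3, 60_000), (2, 1, 5_000), (7, 1, 7_200_000), (8, 2, 120_000),
                                       (5, 0, 30_000), (9, 1, 40_000), (1, 1, 10_000)], start=1)
]


def fake_transport(records: List[dict]) -> Transport:
    """Serve records sliced by Range; honour a top-level fields list; reject an unbalanced filter."""
    def send(method: str, path: str, headers: Dict[str, str], params: Dict[str, str]) -> Tuple[int, bytes]:
        assert method == "GET" and path == LIST_PATH
        flt = params.get("filter", "")
        if flt.count("(") != flt.count(")"):   # stand-in for the documented 422 / 1010
            return 422, json.dumps({"code": 1010, "message": "The filter parameter is not valid."}).encode()
        first, last = (int(x) for x in headers["Range"].split("=", 1)[1].split("-"))
        page = records[first:last + 1]
        if "fields" in params:
            wanted = params["fields"].split(",")
            page = [{k: r[k] for k in wanted} for r in page]
        return 200, json.dumps(page).encode()
    return send


def demo() -> List[str]:
    """Page three at a time and return the IPs that merit attention first."""
    send = fake_transport(SAMPLE_RECORDS)
    rows = list(iter_local_destination_addresses(send, "token-redacted", page_size=3))
    return [a["local_destination_ip"] for a in triage(rows, NOW_MS, min_magnitude=7, max_age_ms=3_600_000)]


if __name__ == "__main__":
    print(demo())
```

Against a real appliance, replace fake_transport with a function that issues the request over HTTPS with certificate verification and returns the status and body; everything above the stand-in stays the same. Stop paging on a short page rather than on an empty one, as the loop does, so the last request is never wasted.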

GET /siem/local_destination_addresses/{local_destination_address_id}

Retrieve an offense local destination address.

Table 4: GET /siem/local_destination_addresses/{local_destination_address_id} Resource Details

MIME Type | application/json

Table 5: GET /siem/local_destination_addresses/{local_destination_address_id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
local_destination_address_id | path | Required | Number (Integer) | text/plain | Required - The ID of the local destination address to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; separate multiple fields in the same object with commas.

Table 6: GET /siem/local_destination_addresses/{local_destination_address_id} Response Codes

HTTP Response Code | Unique Code | Description
200 | | The local destination address was retrieved.
404 | 1002 | No local destination address was found for the provided local_destination_address_id.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while the local destination address was being retrieved.

Response Description

A local destination address object. A local destination address object contains the following fields:

  • id - Number - The ID of the destination address.

  • local_destination_ip - String - The IP address.

  • magnitude - Number - The magnitude of the destination address.

  • network - String - The network of the destination address.

  • offense_ids - Array of Numbers - List of offense IDs the destination address is part of.

  • source_address_ids - Array of Numbers - List of source address IDs associated with the destination address.

  • event_flow_count - Number - The number of events and flows that are associated with the destination address.

  • first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or flow was seen.

  • last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow was seen.

  • domain_id - Number - The ID of associated domain.

Response Sample

{ "domain_id": 42, "event_flow_count": 42, "first_event_flow_seen": 42, "id": 42, "last_event_flow_seen": 42, "local_destination_ip": "String", "magnitude": 42, "network": "String", "offense_ids": [ 42 ], "source_address_ids": [ 42 ] }

GET /siem/offense_closing_reasons

Retrieve a list of all offense closing reasons.

Table 7: GET /siem/offense_closing_reasons Resource Details

MIME Type | application/json

Table 8: GET /siem/offense_closing_reasons Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
include_reserved | query | Optional | Boolean | text/plain | Optional - If true, reserved closing reasons are included in the response. Defaults to false. Reserved closing reasons cannot be used to close an offense.
include_deleted | query | Optional | Boolean | text/plain | Optional - If true, deleted closing reasons are included in the response. Defaults to false. Deleted closing reasons cannot be used to close an offense.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; separate multiple fields in the same object with commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 9: GET /siem/offense_closing_reasons Response Codes

HTTP Response Code | Unique Code | Description
200 | | The closing reasons list was retrieved.
500 | 1020 | An error occurred while the closing reasons list was being retrieved.

Response Description

An array of ClosingReason objects. A closing reason object contains the following fields:

  • id - Number - The ID of the closing reason.

  • text - String - The text of the closing reason.

  • is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted closing reasons cannot be used to close an offense.

  • is_reserved - Boolean - Determines whether the closing reason is reserved. Reserved closing reasons cannot be used to close an offense.

Response Sample

[ { "id": 42, "is_deleted": true, "is_reserved": true, "text": "String" } ]

POST /siem/offense_closing_reasons

Create an offense closing reason.

Table 10: POST /siem/offense_closing_reasons Resource Details

MIME Type | application/json

Table 11: POST /siem/offense_closing_reasons Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
reason | query | Required | String | text/plain | Required - The text of the offense closing reason. It must be 5 to 60 characters in length.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; separate multiple fields in the same object with commas.

Table 12: POST /siem/offense_closing_reasons Response Codes

HTTP Response Code | Unique Code | Description
201 | | The closing reason was created.
409 | 1004 | The closing reason already exists.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while attempting to create the closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:

  • id - Number - The ID of the closing reason.

  • text - String - The text of the closing reason.

  • is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted closing reasons cannot be used to close an offense.

  • is_reserved - Boolean - Determines whether the closing reason is reserved. Reserved closing reasons cannot be used to close an offense.

Response Sample

{ "id": 42, "is_deleted": true, "is_reserved": true, "text": "String" }

GET /siem/offense_closing_reasons/{closing_reason_id}

Retrieve an offense closing reason.

Table 13: GET /siem/offense_closing_reasons/{closing_reason_id} Resource Details

MIME Type | application/json

Table 14: GET /siem/offense_closing_reasons/{closing_reason_id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
closing_reason_id | path | Required | Number (Integer) | text/plain | Required - The closing reason ID.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; separate multiple fields in the same object with commas.

Table 15: GET /siem/offense_closing_reasons/{closing_reason_id} Response Codes

HTTP Response Code | Unique Code | Description
200 | | The closing reason was retrieved.
404 | 1002 | No closing reason was found for the provided closing_reason_id.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while attempting to retrieve the closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:

  • id - Number - The ID of the closing reason.

  • text - String - The text of the closing reason.

  • is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted closing reasons cannot be used to close an offense.

  • is_reserved - Boolean - Determines whether the closing reason is reserved. Reserved closing reasons cannot be used to close an offense.

Response Sample

{ "id": 42, "is_deleted": true, "is_reserved": true, "text": "String" }
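The closing-reason endpoints above have two traps for automation: reserved and deleted reasons are returned only when you ask for them and can never be used to close an offense, and POST /siem/offense_closing_reasons answers 409 with unique code 1004 when the text already exists, which includes text that belongs to a reason the default listing hid. The following Python routine, added here as an example and not IBM's own code, finds or creates a usable closing reason with a given text, enforces the documented 5 to 60 character bound locally, and turns a 409 on a hidden reason into a clear error instead of a retry loop. It assumes the SEC and Version headers and that an error body is JSON carrying the unique code under a code key; the transport is an in-memory stand-in with constructed data so it runs offline.

```python
"""Find or create a usable offense closing reason (added example, not IBM code).

Assumptions not on the page: the SEC/Version headers, and that an error reply is a
JSON object whose "code" key carries the unique code from the response-code tables.
"""
import json
from typing import Callable, Dict, List, Tuple

# send(method, path, headers, query_params) -> (http_status, body_bytes)
Transport = Callable[[str, str, Dict[str, str], Dict[str, str]], Tuple[int, bytes]]
PATH = "/api/siem/offense_closing_reasons"
MIN_LEN, MAX_LEN = 5, 60   # documented length bound on the reason text
CONFLICT_CODE = 1004       # documented 409 / 1004: the closing reason already exists


def is_usable(reason: dict) -> bool:
    """Reserved and deleted reasons cannot be used to close an offense."""
    return not reason["is_deleted"] and not reason["is_reserved"]


def _headers(token: str) -> Dict[str, str]:
    return {"SEC": token, "Version": "8.0", "Accept": "application/json"}  # assumed headers


def list_closing_reasons(send: Transport, token: str, include_reserved: bool = False,
                         include_deleted: bool = False) -> List[dict]:
    """GET the list; both include_* flags default to false on the server as well."""
    params = {"include_reserved": str(include_reserved).lower(),
              "include_deleted": str(include_deleted).lower()}
    status, body = send("GET", PATH, _headers(token), params)
    if status != 200:
        raise RuntimeError(f"list closing reasons: HTTP {status} {body!r}")
    return json.loads(body)


def ensure_closing_reason(send: Transport, token: str, text: str) -> dict:
    """Return a usable closing reason with exactly this text, creating it if needed.

    A 409/1004 on create after the default listing showed no match means the text
    belongs to a reserved or deleted reason: report that rather than retrying.
    """
    if not MIN_LEN <= len(text) <= MAX_LEN:
        raise ValueError(f"reason text must be {MIN_LEN}-{MAX_LEN} characters, got {len(text)}")
    for reason in list_closing_reasons(send, token):
        if reason["text"] == text and is_usable(reason):
            return reason
    status, body = send("POST", PATH, _headers(token), {"reason": text})  # 'reason' is a query parameter
    if status == 201:
        return json.loads(body)
    err = json.loads(body) if body else {}
    if status == 409 and err.get("code") == CONFLICT_CODE:
        for reason in list_closing_reasons(send, token, include_reserved=True, include_deleted=True):
            if reason["text"] == text:
                why = "deleted" if reason["is_deleted"] else "reserved"
                raise RuntimeError(f"closing reason {reason['id']} ({text!r}) exists but is {why}")
    raise RuntimeError(f"create closing reason: HTTP {status} code {err.get('code')}: {err.get('message')}")


# --- constructed offline stand-in for the appliance ---------------------------------
SEED = [  # constructed data, not real QRadar defaults
    {"id": 1, "text": "Benign activity", "is_deleted": False, "is_reserved": False},
    {"id": 2, "text": "System reserved", "is_deleted": False, "is_reserved": True},
    {"id": 3, "text": "Retired reason", "is_deleted": True, "is_reserved": False},
]


def fake_transport(seed: List[dict]) -> Transport:
    """In-memory store: filters by the include_* flags on GET, 409/1004 on duplicate text."""
    store = [dict(r) for r in seed]

    def send(method: str, path: str, headers: Dict[str, str], params: Dict[str, str]) -> Tuple[int, bytes]:
        assert path == PATH
        if method == "GET":
            rows = [r for r in store
                    if (params.get("include_deleted") == "true" or not r["is_deleted"])
                    and (params.get("include_reserved") == "true" or not r["is_reserved"])]
            return 200, json.dumps(rows).encode()
        text = params["reason"]
        if any(r["text"] == text for r in store):
            return 409, json.dumps({"code": 1004, "message": "The closing reason already exists."}).encode()
        if not MIN_LEN <= len(text) <= MAX_LEN:
            return 422, json.dumps({"code": 1005, "message": "A request parameter is not valid."}).encode()
        new = {"id": max(r["id"] for r in store) + 1, "text": text, "is_deleted": False, "is_reserved": False}
        store.append(new)
        return 201, json.dumps(new).encode()
    return send


if __name__ == "__main__":
    transport = fake_transport(SEED)
    print(ensure_closing_reason(transport, "token-redacted", "Confirmed phishing, user reset"))
```

The second listing with include_reserved and include_deleted set to true is only issued on the 409 path, so the common case costs one GET and at most one POST.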

GET /siem/offense_saved_search_delete_tasks/{task_id}

Retrieves the status of an offense saved search delete task.

Table 16: GET /siem/offense_saved_search_delete_tasks/{task_id} Resource Details

MIME Type | application/json

Table 17: GET /siem/offense_saved_search_delete_tasks/{task_id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the delete task.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; separate multiple fields in the same object with commas.

Table 18: GET /siem/offense_saved_search_delete_tasks/{task_id} Response Codes

HTTP Response Code | Unique Code | Description
200 | | The delete task status was retrieved.
404 | 1002 | The delete task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object, with the Location header set to the task status URL "/api/siem/offense_saved_search_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was last modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

Response Sample

{ "completed": 42, "created": 42, "created_by": "String", "id": 42, "message": "String", "modified": 42, "name": "String", "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

GET /siem/offense_saved_search_dependent_tasks/{task_id}

Retrieves the status of an offense saved search dependent task.

Table 19: GET /siem/offense_saved_search_dependent_tasks/{task_id} Resource Details

MIME Type | application/json

Table 20: GET /siem/offense_saved_search_dependent_tasks/{task_id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the dependent task.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; separate multiple fields in the same object with commas.

Table 21: GET /siem/offense_saved_search_dependent_tasks/{task_id} Response Codes

HTTP Response Code | Unique Code | Description
200 | | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the dependent task status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/siem/offense_saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • cancelled_by - String - The name of the user who requested to cancel the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was last modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

  • number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects checked for dependency.

  • task_components - Array - An array of task component objects. A task component object contains the following fields:

    • message - String - The localized sub-task status message.

    • status - String - The current state of the sub-task.

    • sub_task_type - String - The type of the sub-task.

    • maximum - Long - The maximum number of objects to check for dependency.

    • progress - Long - The number of objects that were checked for dependency.

    • created - Long - The time, in milliseconds since epoch, when the sub-task was created.

    • started - Long - The time, in milliseconds since epoch, when the sub-task was started.

    • modified - Long - The time, in milliseconds since epoch, when the sub-task was last modified.

    • completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>" } ] }

POST /siem/offense_saved_search_dependent_tasks/{task_id}

Cancels an offense saved search dependent task.

Table 22: POST /siem/offense_saved_search_dependent_tasks/{task_id} Resource Details

MIME Type | application/json

Table 23: POST /siem/offense_saved_search_dependent_tasks/{task_id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the dependent task to cancel.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; separate multiple fields in the same object with commas.

Table 24: POST /siem/offense_saved_search_dependent_tasks/{task_id} Request Body Details

Parameter | Data Type | MIME Type | Description | Sample
task | Object | application/json | Task status object carrying the status to set on the task (see the sample). | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 25: POST /siem/offense_saved_search_dependent_tasks/{task_id} Response Codes

HTTP Response Code | Unique Code | Description
200 | | The dependent task status was retrieved.
404 | 1002 | The dependent task status does not exist.
409 | 1004 | The task is in a completed state.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the dependent task status.

Response Description

A Dependent Task Status object, with the Location header set to the task status URL "/api/siem/offense_saved_search_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • cancelled_by - String - The name of the user who requested to cancel the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was last modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

  • number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects checked for dependency.

  • task_components - Array - An array of task component objects. A task component object contains the following fields:

    • message - String - The localized sub-task status message.

    • status - String - The current state of the sub-task.

    • sub_task_type - String - The type of the sub-task.

    • maximum - Long - The maximum number of objects to check for dependency.

    • progress - Long - The number of objects that were checked for dependency.

    • created - Long - The time, in milliseconds since epoch, when the sub-task was created.

    • started - Long - The time, in milliseconds since epoch, when the sub-task was started.

    • modified - Long - The time, in milliseconds since epoch, when the sub-task was last modified.

    • completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>" } ] }

GET /siem/offense_saved_search_dependent_tasks/{task_id}/results

Retrieves the results of an offense saved search dependent task.

Table 26: GET /siem/offense_saved_search_dependent_tasks/{task_id}/results Resource Details

MIME Type | application/json

Table 27: GET /siem/offense_saved_search_dependent_tasks/{task_id}/results Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the dependent task whose results are retrieved.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; separate multiple fields in the same object with commas.

Table 28: GET /siem/offense_saved_search_dependent_tasks/{task_id}/results Response Codes

HTTP Response Code | Unique Code | Description
200 | | The offense saved search dependents were retrieved.
404 | 1002 | The dependent task status does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the offense saved search dependents.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

  • dependent_id - String - The ID of the dependent resource.

  • dependent_name - String - The name of the dependent resource (default resources can have localized names).

  • dependent_owner - String - The owner of the dependent resource.

  • dependent_type - String - The type of the dependent resource.

  • dependent_database - String - The database of the dependent resource.

  • dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.

  • user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample

[ { "blocking": true, "dependent_database": "String <one of: EVENTS, FLOWS>", "dependent_group_ids": [ 42 ], "dependent_id": "String", "dependent_name": "String", "dependent_owner": "String", "dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE_TYPE>", "user_has_edit_permissions": true } ]
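The three dependent-task endpoints above (GET the status, POST to cancel, GET the results) are one workflow: poll until the task reaches a terminal status, give up and cancel if it runs too long, then read the dependents and find the ones the requesting user cannot edit, since those are the resources that need another owner to act before the saved search can go. The following Python routine, added here as an example and not IBM's own code, implements that loop; the same polling shape applies to GET /siem/offense_saved_search_delete_tasks/{task_id}, whose status enum is identical. Beyond the page it assumes the SEC and Version headers, that CANCELLED, COMPLETED, CONFLICT, EXCEPTION and INTERRUPTED are the terminal states of the documented enum, and that cancellation is requested by POSTing a body with status set to CANCEL_REQUESTED. It also handles the race the 409/1004 reply describes: the task finishes between the last poll and the cancel, so the routine reads the final state instead of failing. The transport is an in-memory stand-in that walks a scripted status sequence, with constructed results, so it runs offline.

```python
"""Wait on an offense saved search dependent task, cancel on deadline, collect results.

Added example, not IBM code. Assumptions beyond the page: SEC/Version headers; the set
of terminal states; cancellation via POST {"status": "CANCEL_REQUESTED"}.
"""
import json
from typing import Callable, Dict, List, Optional, Tuple

# send(method, path, headers, json_body_or_None) -> (http_status, body_bytes)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, bytes]]
BASE = "/api/siem/offense_saved_search_dependent_tasks"
TERMINAL = {"CANCELLED", "COMPLETED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}  # assumption


class TaskTimeout(Exception):
    """The task was still running at the deadline; cancellation has been requested."""

    def __init__(self, task: dict):
        super().__init__(f"task {task['id']} is {task['status']} after deadline; cancel requested")
        self.task = task


def _headers(token: str) -> Dict[str, str]:
    return {"SEC": token, "Version": "8.0", "Accept": "application/json"}  # assumed headers


def wait_for_dependent_task(send: Transport, token: str, task_id: int, max_polls: int,
                            sleep: Callable[[float], None] = lambda s: None, interval: float = 2.0) -> dict:
    """Poll GET .../{task_id} until a terminal status; after max_polls, request cancellation.

    A 409 on the cancel POST (documented as "the task is in a completed state") means the
    task finished between the last poll and the cancel: fetch and return the final state.
    """
    for _ in range(max_polls):
        status, body = send("GET", f"{BASE}/{task_id}", _headers(token), None)
        if status != 200:
            raise RuntimeError(f"GET task {task_id}: HTTP {status}")
        task = json.loads(body)
        if task["status"] in TERMINAL:
            return task
        sleep(interval)
    status, body = send("POST", f"{BASE}/{task_id}", _headers(token), {"status": "CANCEL_REQUESTED"})
    if status == 409:
        status, body = send("GET", f"{BASE}/{task_id}", _headers(token), None)
        return json.loads(body)
    if status != 200:
        raise RuntimeError(f"cancel task {task_id}: HTTP {status}")
    raise TaskTimeout(json.loads(body))


def blocking_dependents(send: Transport, token: str, task_id: int) -> Dict[str, List[str]]:
    """Names of dependents the task creator cannot edit, grouped by dependent_type."""
    status, body = send("GET", f"{BASE}/{task_id}/results", _headers(token), None)
    if status != 200:
        raise RuntimeError(f"GET results {task_id}: HTTP {status}")
    out: Dict[str, List[str]] = {}
    for dep in json.loads(body):
        if not dep["user_has_edit_permissions"]:
            out.setdefault(dep["dependent_type"], []).append(dep["dependent_name"])
    return out


# --- constructed offline stand-in for the appliance ---------------------------------
RESULTS = {1: [  # constructed dependents for task 1
    {"dependent_id": "101", "dependent_name": "Weekly offense summary", "dependent_owner": "analyst1",
     "dependent_type": "REPORT", "dependent_database": "EVENTS", "dependent_group_ids": [7],
     "user_has_edit_permissions": False},
    {"dependent_id": "55", "dependent_name": "SOC dashboard", "dependent_owner": "me",
     "dependent_type": "DASHBOARD", "dependent_database": "EVENTS", "dependent_group_ids": [],
     "user_has_edit_permissions": True},
    {"dependent_id": "102", "dependent_name": "Exec report", "dependent_owner": "analyst2",
     "dependent_type": "REPORT", "dependent_database": "EVENTS", "dependent_group_ids": [7],
     "user_has_edit_permissions": False},
]}


def fake_transport(script: Dict[int, List[str]], results: Dict[int, List[dict]]) -> Transport:
    """Each GET returns the next scripted status (the last one sticks); a cancel POST checks
    the task's real current state, so a task that finished since the last poll yields 409."""
    states = {tid: list(seq) for tid, seq in script.items()}
    polls: Dict[int, int] = {}
    cancel_log: List[int] = []

    def send(method: str, path: str, headers: Dict[str, str], payload: Optional[dict]) -> Tuple[int, bytes]:
        parts = path[len(BASE) + 1:].split("/")
        task_id = int(parts[0])
        if parts[-1] == "results":
            return 200, json.dumps(results[task_id]).encode()
        seq = states[task_id]
        current = seq[min(polls.get(task_id, 0), len(seq) - 1)]
        if method == "GET":
            polls[task_id] = polls.get(task_id, 0) + 1
            return 200, json.dumps({"id": task_id, "name": "constructed", "status": current}).encode()
        if current in TERMINAL:   # documented 409 / 1004
            return 409, json.dumps({"code": 1004, "message": "The task is in a completed state."}).encode()
        assert payload == {"status": "CANCEL_REQUESTED"}
        cancel_log.append(task_id)
        states[task_id], polls[task_id] = ["CANCEL_REQUESTED"], 0
        return 200, json.dumps({"id": task_id, "name": "constructed", "status": "CANCEL_REQUESTED"}).encode()

    send.cancel_log = cancel_log  # type: ignore[attr-defined]
    return send


if __name__ == "__main__":
    t = fake_transport({1: ["QUEUED", "PROCESSING", "COMPLETED"]}, RESULTS)
    print(wait_for_dependent_task(t, "token-redacted", 1, max_polls=5)["status"], blocking_dependents(t, "token-redacted", 1))
```

Pass a real time.sleep as sleep when talking to an appliance; the default no-op keeps the offline run instant. Treating PAUSED as non-terminal means a paused task is eventually cancelled rather than waited on forever, which is the safer default for unattended jobs.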

GET /siem/offense_saved_search_groups

Retrieves a list of offense saved search groups.

Table 29: GET /siem/offense_saved_search_groups Resource Details

MIME Type | application/json

Table 30: GET /siem/offense_saved_search_groups Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; separate multiple fields in the same object with commas.

Table 31: GET /siem/offense_saved_search_groups Response Codes

HTTP Response Code | Unique Code | Description
200 | | The offense saved search groups were returned.
500 | 1020 | An error occurred during the attempt to retrieve the offense saved search groups.

Response Description

A list of Group objects. A Group object contains the following fields:

  • id - Long - The ID of the group.

  • parent_id - Long - The ID of the parent group.

  • type - String - The type of the group.

  • level - Long - The depth of the group in the group hierarchy.

  • name - String - The name of the group (default resources can have localized names).

  • description - String - The description of the group (default resources can have localized names).

  • owner - String - The owner of the group.

  • modified_time - Long - The time, in milliseconds since epoch, when the group was last modified.

  • child_group_ids - Array of Longs - List of the child group IDs.

Response Sample

[ { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "modified_time": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" } ]

GET /siem/offense_saved_search_groups/{group_id}

Retrieves an offense saved search group.

Table 32: GET /siem/offense_saved_search_groups/{group_id} Resource Details

MIME Type | application/json

Table 33: GET /siem/offense_saved_search_groups/{group_id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | Required - The ID of the offense saved search group to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; separate multiple fields in the same object with commas.

Table 34: GET /siem/offense_saved_search_groups/{group_id} Response Codes

HTTP Response Code | Unique Code | Description
200 | | The offense saved search group was retrieved.
404 | 1002 | The offense saved search group does not exist.
500 | 1020 | An error occurred during the attempt to retrieve the offense saved search group.

Response Description

A single Group object. A Group object contains the following fields:

  • id - Long - The ID of the group.

  • parent_id - Long - The ID of the parent group.

  • type - String - The type of the group.

  • level - Long - The depth of the group in the group hierarchy.

  • name - String - The name of the group (default resources can have localized names).

  • description - String - The description of the group (default resources can have localized names).

  • owner - String - The owner of the group.

  • modified_time - Long - The time, in milliseconds since epoch, when the group was last modified.

  • child_group_ids - Array of Longs - List of the child group IDs.

Response Sample

{ "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "modified_time": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

POST /siem/offense_saved_search_groups/{group_id}

Updates the owner of an offense saved search group.

Table 35: POST /siem/offense_saved_search_groups/{group_id} Resource Details

MIME Type | application/json

Table 36: POST /siem/offense_saved_search_groups/{group_id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
group_id | path | Required | Number (Integer) | text/plain | Required - The ID of the offense saved search group to update.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; separate multiple fields in the same object with commas.

Table 37: POST /siem/offense_saved_search_groups/{group_id} Request Body Details

Parameter | Data Type | MIME Type | Description | Sample
group | Object | application/json | Required - Group object with the owner set to a valid deployed user. | { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 38: POST /siem/offense_saved_search_groups/{group_id} Response Codes

HTTP Response Code | Unique Code | Description
200 | | The offense saved search group was updated.
404 | 1002 | The offense saved search group does not exist.
409 | 1004 | The provided user does not have the required capabilities to own the offense saved search group.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred during the attempt to update the offense saved search group.

Response Description

The updated Group object. A Group object contains the following fields:

  • id - Long - The ID of the group.

  • parent_id - Long - The ID of the parent group (default resources can have localized names).

  • type - String - The type of the group.

  • level - Long - The depth of the group in the group hierarchy.

  • name - String - The name of the group (default resources can have localized names).

  • description - String - The description of the group (default resources can have localized names).

  • owner - String - The owner of the group.

  • modified_time - Long - The time in milliseconds since epoch since the group was last modified.

  • child_group_ids - Array of Longs - List of the child group IDs.

Response Sample

{ "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "modified_time": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

DELETE /siem/offense_saved_search_groups/{group_id}

Deletes an offense saved search group.

Table 39: DELETE /siem/offense_saved_search_groups/{group_id} Resource Details

MIME Type

text/plain

Table 40: DELETE /siem/offense_saved_search_groups/{group_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| group_id | path | Required | Number (Integer) | text/plain | null |

Table 41: DELETE /siem/offense_saved_search_groups/{group_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 204 | | The offense saved search group has been deleted. |
| 404 | 1002 | The offense saved search group does not exist. |
| 409 | 1004 | null |
| 500 | 1020 | An error occurred during the attempt to delete the offense saved search group. |

Response Description

Response Sample

GET /siem/offense_saved_searches

Retrieves a list of offense saved searches.

Table 42: GET /siem/offense_saved_searches Resource Details

MIME Type

application/json

Table 43: GET /siem/offense_saved_searches Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 44: GET /siem/offense_saved_searches Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The offense saved searches were retrieved. |
| 500 | 1020 | An error occurred during the attempt to retrieve the offense saved searches. |

Response Description

An array of offense saved search objects. An offense saved search object contains the following fields:

  • id - Long - The ID of the offense saved search.

  • name - String - The name of the offense saved search.

  • owner - String - The owner of the offense saved search.

Response Sample

[ { "id": 42, "name": "String", "owner": "String" } ]

GET /siem/offense_saved_searches/{id}

Retrieves an offense saved search.

Table 45: GET /siem/offense_saved_searches/{id} Resource Details

MIME Type

application/json

Table 46: GET /siem/offense_saved_searches/{id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| id | path | Required | Number (Integer) | text/plain | null |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 47: GET /siem/offense_saved_searches/{id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The offense saved search was retrieved. |
| 404 | 1002 | The offense saved search does not exist. |
| 500 | 1020 | An error occurred during the attempt to retrieve the offense saved search. |

Response Description

The offense saved search after it has been retrieved. An offense saved search object contains the following fields:

  • id - Long - The ID of the offense saved search.

  • name - String - The name of the offense saved search.

  • owner - String - The owner of the offense saved search.

Response Sample

{ "id": 42, "name": "String", "owner": "String" }

POST /siem/offense_saved_searches/{id}

Updates the offense saved search owner only.

Table 48: POST /siem/offense_saved_searches/{id} Resource Details

MIME Type

application/json

Table 49: POST /siem/offense_saved_searches/{id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| id | path | Required | Number (Integer) | text/plain | null |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| filter | header | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 50: POST /siem/offense_saved_searches/{id} Request Body Details

| Parameter | Data Type | MIME Type | Description |
|---|---|---|---|
| saved_search | Object | application/json | null |

Sample:

{ "id": "1", "name": "String", "is_shared": true, "owner": "String" }

Table 51: POST /siem/offense_saved_searches/{id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The offense saved search was updated. |
| 403 | 1009 | You do not have the required capabilities to update the offense saved search. |
| 404 | 1002 | The offense saved search does not exist. |
| 409 | 1004 | The provided user does not have the required capabilities to own the offense saved search. |
| 422 | 1005 | A request parameter is not valid. |
| 500 | 1020 | An error occurred during the attempt to update the offense saved search. |

Response Description

The offense saved search after it is updated. An offense saved search object contains the following fields:

  • id - Long - The ID of the offense saved search.

  • name - String - The name of the offense saved search.

  • owner - String - The owner of the offense saved search.

Response Sample

{ "id": 42, "name": "String", "owner": "String" }

DELETE /siem/offense_saved_searches/{id}

Deletes an offense saved search. To ensure safe deletion, a dependency check is carried out. This check might take some time, so an asynchronous task is started to perform it.

Table 52: DELETE /siem/offense_saved_searches/{id} Resource Details

MIME Type

application/json

Table 53: DELETE /siem/offense_saved_searches/{id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| id | path | Required | Number (Integer) | text/plain | null |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 54: DELETE /siem/offense_saved_searches/{id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 202 | | The offense saved search delete command was accepted and is in progress. |
| 403 | 1009 | You do not have the required capabilities to delete the offense saved search. |
| 404 | 1002 | The offense saved search does not exist. |
| 500 | 1020 | An error occurred during the attempt to delete the offense saved search. |

Response Description

A Delete Task Status object, with the Location header set to the task status URL "/api/siem/offense_saved_search_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • created - Long - The time in milliseconds since epoch since the task was created.

  • started - Long - The time in milliseconds since epoch since the task was started.

  • modified - Long - The time in milliseconds since epoch since the task was modified.

  • completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample

{ "completed": 42, "created": 42, "created_by": "String", "id": 42, "message": "String", "modified": 42, "name": "String", "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

GET /siem/offense_saved_searches/{id}/dependents

Retrieves the objects that depend on an offense saved search.

Table 55: GET /siem/offense_saved_searches/{id}/dependents Resource Details

MIME Type

application/json

Table 56: GET /siem/offense_saved_searches/{id}/dependents Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| id | path | Required | Number (Integer) | text/plain | null |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 57: GET /siem/offense_saved_searches/{id}/dependents Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 202 | | The offense saved search dependents retrieval was accepted and is in progress. |
| 404 | 1002 | The offense saved search does not exist. |
| 500 | 1020 | An error occurred during the attempt to initiate the offense saved search dependents retrieval task. |

Response Description

A Dependents Task Status object, with the Location header set to the task status URL "/api/siem/offense_saved_search_dependents_tasks/{task_id}". A Dependents Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • cancelled_by - String - The name of the user who requested to cancel the task.

  • created - Long - The time in milliseconds since epoch since the task was created.

  • started - Long - The time in milliseconds since epoch since the task was started.

  • modified - Long - The time in milliseconds since epoch since the task was modified.

  • completed - Long - The time in milliseconds since epoch since the task was completed.

  • number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects checked for dependency.

  • task_components - Array - An array of task component objects. A task component object contains the following fields:

    • message - String - The localized sub-task status message.

    • status - String - The current state of the sub-task.

    • sub_task_type - String - The type of the sub-task.

    • maximum - Long - The maximum number of objects to check for dependency.

    • progress - Long - The number of objects that were checked for dependency.

    • created - Long - The time in milliseconds since epoch since the sub-task was created.

    • started - Long - The time in milliseconds since epoch since the sub-task was started.

    • modified - Long - The time in milliseconds since epoch since the sub-task was modified.

    • completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>" } ] }
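Both DELETE /siem/offense_saved_searches/{id} and GET /siem/offense_saved_searches/{id}/dependents answer 202 with a task status object and a Location header, so a script has to poll that URL until the task reaches a terminal status. The following is an added example, not code from the IBM documentation: it checks the dependent count before deleting, treats the status values from the response samples as in-progress or terminal, and runs offline against a constructed fake console (the real transport, and the assumption that it returns status, headers and JSON body, are the example's own).

```python
"""Drive the asynchronous delete and dependents tasks of an offense saved search.

Added example, not code from the IBM documentation. The HTTP transport is a
callable (method, path) -> (http_status, headers, json_body) so the flow runs
offline against the constructed FakeQRadar below; against a real console you
would supply a function that sends the request with your SEC token.
"""
import time
from typing import Callable, Dict, Tuple

# Task states are those listed in the task status response samples above.
TERMINAL_OK = {"COMPLETED"}
TERMINAL_FAILED = {"CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}
IN_PROGRESS = {"CANCELING", "CANCEL_REQUESTED", "INITIALIZING", "PAUSED",
               "PROCESSING", "QUEUED", "RESUMING"}

Transport = Callable[[str, str], Tuple[int, Dict[str, str], dict]]


class TaskFailed(RuntimeError):
    """The task reached a terminal state other than COMPLETED."""


def _start_task(transport: Transport, method: str, path: str) -> str:
    """Send the request and return the task status URL from the Location header."""
    status, headers, body = transport(method, path)
    if status == 404:  # unique code 1002
        raise LookupError(f"{path}: the offense saved search does not exist")
    if status == 403:  # unique code 1009
        raise PermissionError(f"{path}: missing the required capability")
    if status != 202:
        raise RuntimeError(f"{path}: unexpected HTTP {status}: {body}")
    location = headers.get("Location")
    if not location:
        raise RuntimeError(f"{path}: 202 accepted but no Location header")
    return location


def wait_for_task(transport: Transport, task_url: str,
                  poll_interval: float = 1.0, max_polls: int = 120) -> dict:
    """Poll the task status URL until the task reaches a terminal state."""
    for _ in range(max_polls):
        status, _headers, task = transport("GET", task_url)
        if status != 200:
            raise RuntimeError(f"{task_url}: HTTP {status} while polling")
        state = task.get("status")
        if state in TERMINAL_OK:
            return task
        if state in TERMINAL_FAILED:
            raise TaskFailed(f"task {task.get('id')} ended {state}: {task.get('message')}")
        if state not in IN_PROGRESS:
            raise TaskFailed(f"task {task.get('id')} reported unknown state {state!r}")
        time.sleep(poll_interval)
    raise TimeoutError(f"{task_url}: not finished after {max_polls} polls")


def count_dependents(transport: Transport, saved_search_id: int, **poll) -> int:
    """GET .../dependents, wait for the task, return number_of_dependents."""
    url = _start_task(transport, "GET",
                      f"/api/siem/offense_saved_searches/{saved_search_id}/dependents")
    return int(wait_for_task(transport, url, **poll)["number_of_dependents"])


def delete_saved_search(transport: Transport, saved_search_id: int, **poll) -> dict:
    """DELETE the saved search and wait for the dependency-checked delete task."""
    url = _start_task(transport, "DELETE",
                      f"/api/siem/offense_saved_searches/{saved_search_id}")
    return wait_for_task(transport, url, **poll)


class FakeQRadar:
    """Constructed stand-in for the console: only saved search 12 exists and it
    has two dependents. Each task answers QUEUED, PROCESSING, then COMPLETED."""

    def __init__(self) -> None:
        self._polls: Dict[str, int] = {}

    def request(self, method: str, path: str):
        if method == "GET" and path == "/api/siem/offense_saved_searches/12/dependents":
            return 202, {"Location": "/api/siem/offense_saved_search_dependents_tasks/7"}, \
                {"id": 7, "status": "QUEUED"}
        if method == "DELETE" and path == "/api/siem/offense_saved_searches/12":
            return 202, {"Location": "/api/siem/offense_saved_search_delete_tasks/8"}, \
                {"id": 8, "status": "QUEUED"}
        if method == "GET" and path.startswith("/api/siem/offense_saved_search_"):
            n = self._polls[path] = self._polls.get(path, 0) + 1
            state = ("QUEUED", "PROCESSING", "COMPLETED")[min(n, 3) - 1]
            task = {"id": int(path.rsplit("/", 1)[1]), "status": state, "message": "constructed"}
            if "dependents" in path and state == "COMPLETED":
                task["number_of_dependents"] = 2
            return 200, {}, task
        return 404, {}, {"code": 1002, "message": "The offense saved search does not exist."}
```

A script that deletes only when count_dependents returns 0 avoids silently breaking rules, reports or dashboards that still reference the search.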

GET /siem/offenses

Retrieve a list of offenses currently in the system.

Table 58: GET /siem/offenses Resource Details

MIME Type

application/json

Table 59: GET /siem/offenses Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |

Table 60: GET /siem/offenses Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The offense list was retrieved. |
| 422 | 1005 | A request parameter is not valid. |
| 422 | 1010 | The filter parameter is not valid. |
| 500 | 1020 | An error occurred while the offense list was being retrieved. |

Response Description

An array of Offense objects. An Offense object contains the following fields:

  • id - Number - The ID of the offense.

  • description - String - The description of the offense. Filtering is not supported on this field.

  • assigned_to - String - The user the offense is assigned to.

  • categories - Array of strings - Event categories that are associated with the offense.

  • category_count - Number - The number of event categories that are associated with the offense.

  • policy_category_count - Number - The number of policy event categories that are associated with the offense.

  • security_category_count - Number - The number of security event categories that are associated with the offense.

  • close_time - Number - The number of milliseconds since epoch when the offense was closed.

  • closing_user - String - The user that closed the offense.

  • closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.

  • credibility - Number - The credibility of the offense.

  • relevance - Number - The relevance of the offense.

  • severity - Number - The severity of the offense.

  • magnitude - Number - The magnitude of the offense.

  • destination_networks - Array of strings - The destination networks that are associated with the offense.

  • source_network - String - The source network that is associated with the offense. Filtering is not supported on this field.

  • device_count - Number - The number of devices that are associated with the offense.

  • event_count - Number - The number of events that are associated with the offense.

  • flow_count - Number - The number of flows that are associated with the offense.

  • inactive - Boolean - True if the offense is inactive.

  • last_updated_time - Number - The number of milliseconds since epoch when the offense was last updated.

  • local_destination_count - Number - The number of local destinations that are associated with the offense.

  • offense_source - String - The source of the offense. Filtering is not supported on this field.

  • offense_type - Number - A number that represents the offense type. Use GET /siem/offense_types to retrieve the list.

  • protected - Boolean - True if the offense is protected.

  • follow_up - Boolean - True if the offense is marked for follow up.

  • remote_destination_count - Number - The number of remote destinations that are associated with the offense.

  • source_count - Number - The number of sources that are associated with the offense.

  • start_time - Number - The number of milliseconds since epoch when the offense was started.

  • status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". The following operators are not supported when you filter on this field: "<", ">", "<=", ">=", "BETWEEN".

  • username_count - Number - The number of usernames that are associated with the offense.

  • source_address_ids - Array of numbers - The source address IDs that are associated with the offense.

  • local_destination_address_ids - Array of numbers - The local destination address IDs that are associated with the offense.

  • domain_id - Number - Optional. ID of associated domain if the offense is associated with a single domain.

Response Sample

[{"credibility": 42, "source_address_ids": [42], "remote_destination_count": 42, "local_destination_address_ids": [42], "assigned_to": "String", "local_destination_count": 42, "source_count": 42, "start_time": 42, "id": 42, "destination_networks": ["String"], "inactive": true, "protected": true, "policy_category_count": 42, "description": "String", "category_count": 42, "domain_id": 42, "relevance": 42, "device_count": 42, "security_category_count": 42, "flow_count": 42, "event_count": 42, "offense_source": "String", "status": "String <one of: OPEN, HIDDEN, CLOSED>", "magnitude": 42, "severity": 42, "username_count": 42, "closing_user": "String", "follow_up": true, "closing_reason_id": 42, "close_time": 42, "source_network": "String", "last_updated_time": 42, "categories": ["String"], "offense_type": 42 }]

GET /siem/offenses/{offense_id}

Retrieve an offense structure that describes properties of an offense.

Table 61: GET /siem/offenses/{offense_id} Resource Details

MIME Type

application/json

Table 62: GET /siem/offenses/{offense_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| offense_id | path | Required | Number (Integer) | text/plain | Required - The offense ID. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 63: GET /siem/offenses/{offense_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The offense was retrieved. |
| 404 | 1002 | No offense was found for the provided offense_id. |
| 422 | 1005 | A request parameter is not valid. |
| 500 | 1020 | An error occurred while the offense was being retrieved. |

Response Description

An Offense object. An Offense object contains the following fields:

  • id - Number - The ID of the offense.

  • description - String - The description of the offense.

  • assigned_to - String - The user the offense is assigned to.

  • categories - Array of strings - Event categories that are associated with the offense.

  • category_count - Number - The number of event categories that are associated with the offense.

  • policy_category_count - Number - The number of policy event categories that are associated with the offense.

  • security_category_count - Number - The number of security event categories that are associated with the offense.

  • close_time - Number - The number of milliseconds since epoch when the offense was closed.

  • closing_user - String - The user that closed the offense.

  • closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.

  • credibility - Number - The credibility of the offense.

  • relevance - Number - The relevance of the offense.

  • severity - Number - The severity of the offense.

  • magnitude - Number - The magnitude of the offense.

  • destination_networks - Array of strings - The destination networks that are associated with the offense.

  • source_network - String - The source network that is associated with the offense.

  • device_count - Number - The number of devices that are associated with the offense.

  • event_count - Number - The number of events that are associated with the offense.

  • flow_count - Number - The number of flows that are associated with the offense.

  • inactive - Boolean - True if the offense is inactive.

  • last_updated_time - Number - The number of milliseconds since epoch when the offense was last updated.

  • local_destination_count - Number - The number of local destinations that are associated with the offense.

  • offense_source - String - The source of the offense.

  • offense_type - Number - A number that represents the offense type. Use GET /siem/offense_types to retrieve the list.

  • protected - Boolean - True if the offense is protected.

  • follow_up - Boolean - True if the offense is marked for follow up.

  • remote_destination_count - Number - The number of remote destinations that are associated with the offense.

  • source_count - Number - The number of sources that are associated with the offense.

  • start_time - Number - The number of milliseconds since epoch when the offense was started.

  • status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".

  • username_count - Number - The number of usernames that are associated with the offense.

  • source_address_ids - Array of numbers - The source address IDs that are associated with the offense.

  • local_destination_address_ids - Array of numbers - The local destination address IDs that are associated with the offense.

  • domain_id - Number - Optional. ID of associated domain if the offense is associated with a single domain.

Response Sample

{ "assigned_to": "String", "categories": [ "String" ], "category_count": 42, "close_time": 42, "closing_reason_id": 42, "closing_user": "String", "credibility": 42, "description": "String", "destination_networks": [ "String" ], "device_count": 42, "domain_id": 42, "event_count": 42, "flow_count": 42, "follow_up": true, "id": 42, "inactive": true, "last_updated_time": 42, "local_destination_address_ids": [ 42 ], "local_destination_count": 42, "magnitude": 42, "offense_source": "String", "offense_type": 42, "policy_category_count": 42, "protected": true, "relevance": 42, "remote_destination_count": 42, "security_category_count": 42, "severity": 42, "source_address_ids": [ 42 ], "source_count": 42, "source_network": "String", "start_time": 42, "status": "String <one of: OPEN, HIDDEN, CLOSED>", "username_count": 42 }

GET /siem/offenses/{offense_id}/notes

Retrieve a list of notes for an offense.

Table 64: GET /siem/offenses/{offense_id}/notes Resource Details

MIME Type

application/json

Table 65: GET /siem/offenses/{offense_id}/notes Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| offense_id | path | Required | Number (Integer) | text/plain | Required - The offense ID to retrieve the notes for. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |

Table 66: GET /siem/offenses/{offense_id}/notes Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The note list was retrieved. |
| 404 | 1002 | No offense was found for the provided offense_id. |
| 422 | 1005 | A request parameter is not valid. |
| 500 | 1020 | An error occurred while the note list was being retrieved. |

Response Description

An array of Note objects. A Note object contains the following fields:

  • id - Number - The ID of the note.

  • create_time - Number - The number of milliseconds since epoch when the note was created.

  • username - String - The user or authorized service that created the note.

  • note_text - String - The note text.

Response Sample

[ { "create_time": 42, "id": 42, "note_text": "String", "username": "String" } ]

GET /siem/offenses/{offense_id}/notes/{note_id}

Retrieve a note for an offense.

Table 67: GET /siem/offenses/{offense_id}/notes/{note_id} Resource Details

MIME Type

application/json

Table 68: GET /siem/offenses/{offense_id}/notes/{note_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| offense_id | path | Required | Number (Integer) | text/plain | Required - The offense ID to retrieve the note from. |
| note_id | path | Required | Number (Integer) | text/plain | Required - The note ID. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 69: GET /siem/offenses/{offense_id}/notes/{note_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The note was retrieved. |
| 404 | 1002 | No offense was found for the provided offense_id. |
| 404 | 1003 | No note was found for the provided note_id. |
| 422 | 1005 | A request parameter is not valid. |
| 500 | 1020 | An error occurred while attempting to retrieve the note. |

Response Description

The Note object for the note ID. A Note object contains the following fields:

  • id - Number - The ID of the note.

  • create_time - Number - The number of milliseconds since epoch when the note was created.

  • username - String - The user or authorized service that created the note.

  • note_text - String - The note text.

Response Sample

{ "create_time": 42, "id": 42, "note_text": "String", "username": "String" }

POST /siem/offenses/{offense_id}/notes

Create a note on an offense.

Table 70: POST /siem/offenses/{offense_id}/notes Resource Details

MIME Type

application/json

Table 71: POST /siem/offenses/{offense_id}/notes Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| offense_id | path | Required | Number (Integer) | text/plain | Required - The offense ID to add the note to. |
| note_text | query | Required | String | text/plain | Required - The note text. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 72: POST /siem/offenses/{offense_id}/notes Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 201 | | The note was created. |
| 404 | 1002 | No offense was found for the provided offense_id. |
| 422 | 1005 | A request parameter is not valid. |
| 500 | 1020 | An error occurred while attempting to create the note. |

Response Description

The Note object that was created. A Note object contains the following fields:

  • id - Number - The ID of the note.

  • create_time - Number - The number of milliseconds since epoch when the note was created.

  • username - String - The user or authorized service that created the note.

  • note_text - String - The note text.

Response Sample

{ "create_time": 42, "id": 42, "note_text": "String", "username": "String" }

POST /siem/offenses/{offense_id}

Update an offense.

Table 73: POST /siem/offenses/{offense_id} Resource Details

MIME Type

application/json

Table 74: POST /siem/offenses/{offense_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| offense_id | path | Required | Number (Integer) | text/plain | Required - The ID of the offense to update. |
| protected | query | Optional | Boolean | text/plain | Optional - Set to true to protect the offense. |
| follow_up | query | Optional | Boolean | text/plain | Optional - Set to true to set the follow up flag on the offense. |
| status | query | Optional | String | text/plain | Optional - The new status for the offense. Set to one of: OPEN, HIDDEN, CLOSED. When the status of an offense is being set to CLOSED, a valid closing_reason_id must be provided. To hide an offense, use the HIDDEN status. To show a previously hidden offense, use the OPEN status. |
| closing_reason_id | query | Optional | Number (Integer) | text/plain | Optional - The ID of a closing reason. You must provide a valid closing_reason_id when you close an offense. |
| assigned_to | query | Optional | String | text/plain | Optional - A user to assign the offense to. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 75: POST /siem/offenses/{offense_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The offense was updated. |
| 403 | 1009 | User does not have the required capability to assign an offense. |
| 404 | 1002 | No offense was found for the provided offense_id. |
| 409 | 1008 | Request cannot be completed due to the state of the offense. |
| 422 | 1005 | A request parameter is not valid. |
| 500 | 1020 | An error occurred while the offense was being updated. |
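The update call above carries its constraints in the query string: status must be OPEN, HIDDEN or CLOSED, and CLOSED is only accepted together with a valid closing_reason_id, otherwise the request fails with 422/1005. The following is an added example, not code from the IBM documentation: it validates those rules client-side before the request is sent and maps the documented response codes to an outcome a triage script can branch on (the case-folding of status, the outcome names, and the assumption that the error body carries the unique code in a "code" member are the example's own).

```python
"""Build and interpret a POST /siem/offenses/{offense_id} update.

Added example, not code from the IBM documentation. It encodes the rules from
the request parameter table (status is one of OPEN, HIDDEN, CLOSED; CLOSED
requires a closing_reason_id) and maps the documented response codes to an
outcome label. Case-folding the status value and the outcome names are this
example's own choices.
"""
from typing import Dict, Optional, Sequence, Tuple, Union
from urllib.parse import urlencode

VALID_STATUS = ("OPEN", "HIDDEN", "CLOSED")


class OffenseUpdateError(ValueError):
    """Raised client-side for a request the API would reject with 422/1005."""


def build_offense_update(offense_id: int, *, status: Optional[str] = None,
                         closing_reason_id: Optional[int] = None,
                         assigned_to: Optional[str] = None,
                         protected: Optional[bool] = None,
                         follow_up: Optional[bool] = None,
                         fields: Union[str, Sequence[str], None] = None
                         ) -> Tuple[str, Dict[str, str]]:
    """Return (path, query parameters) for the update, or raise OffenseUpdateError."""
    if not isinstance(offense_id, int) or isinstance(offense_id, bool) or offense_id < 0:
        raise OffenseUpdateError(f"offense_id must be a non-negative integer, got {offense_id!r}")
    params: Dict[str, str] = {}
    if status is not None:
        status = status.strip().upper()
        if status not in VALID_STATUS:
            raise OffenseUpdateError(f"status must be one of {', '.join(VALID_STATUS)}")
        if status == "CLOSED" and closing_reason_id is None:
            raise OffenseUpdateError("closing an offense requires a valid closing_reason_id")
        params["status"] = status
    if closing_reason_id is not None:
        if isinstance(closing_reason_id, bool) or int(closing_reason_id) < 0:
            raise OffenseUpdateError("closing_reason_id must be a non-negative integer")
        params["closing_reason_id"] = str(int(closing_reason_id))
    for name, flag in (("protected", protected), ("follow_up", follow_up)):
        if flag is not None:
            params[name] = "true" if flag else "false"
    if assigned_to:
        params["assigned_to"] = assigned_to
    if fields:
        params["fields"] = fields if isinstance(fields, str) else ",".join(fields)
    if not params:
        raise OffenseUpdateError("no change requested")
    return f"/api/siem/offenses/{offense_id}", params


def encode_url(path: str, params: Dict[str, str]) -> str:
    """Render the request as a URL with the parameters in the query string."""
    return f"{path}?{urlencode(params)}"


# Documented (HTTP code, unique code) pairs for this endpoint -> outcome label.
OUTCOMES = {
    (200, None): "updated",
    (403, 1009): "forbidden",          # caller may not assign offenses
    (404, 1002): "not_found",          # no offense for the given offense_id
    (409, 1008): "state_conflict",     # the offense's state does not allow the change
    (422, 1005): "invalid_parameter",
    (500, 1020): "server_error",
}


def classify_response(http_status: int, body: Optional[dict]) -> str:
    """Map a response to an outcome label; undocumented combinations become 'unexpected'.

    Assumes the error body carries the unique code in a "code" member.
    """
    if http_status == 200:
        return OUTCOMES[(200, None)]
    unique = (body or {}).get("code")
    return OUTCOMES.get((http_status, unique), "unexpected")
```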

Response Description

An updated Offense object. An Offense object contains the following fields:

  • id - Number - The ID of the offense.

  • description - String - The description of the offense.

  • assigned_to - String - The user the offense is assigned to.

  • categories - Array of strings - Event categories that are associated with the offense.

  • category_count - Number - The number of event categories that are associated with the offense.

  • policy_category_count - Number - The number of policy event categories that are associated with the offense.

  • security_category_count - Number - The number of security event categories that are associated with the offense.

  • close_time - Number - The number of milliseconds since epoch when the offense was closed.

  • closing_user - String - The user that closed the offense.

  • closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.

  • credibility - Number - The credibility of the offense.

  • relevance - Number - The relevance of the offense.

  • severity - Number - The severity of the offense.

  • magnitude - Number - The magnitude of the offense.

  • destination_networks - Array of strings - The destination networks that are associated with the offense.

  • source_network - String - The source network that is associated with the offense.

  • device_count - Number - The number of devices that are associated with the offense.

  • event_count - Number - The number of events that are associated with the offense.

  • flow_count - Number - The number of flows that are associated with the offense.

  • inactive - Boolean - True if the offense is inactive.

  • last_updated_time - Number - The number of milliseconds since epoch when the offense was last updated.

  • local_destination_count - Number - The number of local destinations that are associated with the offense.

  • offense_source - String - The source of the offense.

  • offense_type - Number - A number that represents the offense type. See the Offense Type Codes table for the code to offense type mapping.

  • protected - Boolean - True if the offense is protected.

  • follow_up - Boolean - True if the offense is marked for follow up.

  • remote_destination_count - Number - The number of remote destinations that are associated with the offense.

  • source_count - Number - The number of sources that are associated with the offense.

  • start_time - Number - The number of milliseconds since epoch when the offense was started.

  • status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".

  • username_count - The number of usernames that are associated with the offense.

  • source_address_ids - Array of numbers - The source address IDs that are associated with the offense.

  • local_destination_address_ids - Array of numbers - The local destination address IDs that are associated with the offense.

  • domain_id - Number - Optional. ID of associated domain if the offense is associated with a single domain.

Table 76: Offense Type Codes

Code | Offense Type
0 | Source IP
1 | Destination IP
2 | Event Name
3 | Username
4 | Source MAC Address
5 | Destination MAC Address
6 | Log Source
7 | Hostname
8 | Source Port
9 | Destination Port
10 | Source IPv6
11 | Destination IPv6
12 | Source ASN
13 | Destination ASN
14 | Rule
15 | App Id
18 | Scheduled Search

Response Sample

{
  "assigned_to": "String",
  "categories": [ "String" ],
  "category_count": 42,
  "close_time": 42,
  "closing_reason_id": 42,
  "closing_user": "String",
  "credibility": 42,
  "description": "String",
  "destination_networks": [ "String" ],
  "device_count": 42,
  "domain_id": 42,
  "event_count": 42,
  "flow_count": 42,
  "follow_up": true,
  "id": 42,
  "inactive": true,
  "last_updated_time": 42,
  "local_destination_address_ids": [ 42 ],
  "local_destination_count": 42,
  "magnitude": 42,
  "offense_source": "String",
  "offense_type": 42,
  "policy_category_count": 42,
  "protected": true,
  "relevance": 42,
  "remote_destination_count": 42,
  "security_category_count": 42,
  "severity": 42,
  "source_address_ids": [ 42 ],
  "source_count": 42,
  "source_network": "String",
  "start_time": 42,
  "status": "String <one of: OPEN, HIDDEN, CLOSED>",
  "username_count": 42
}
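A client-side wrapper for the POST /siem/offenses/{offense_id} parameters above, added here as an example and not part of the reference or the product: it enforces the rule from Table 74 that a CLOSED status needs a closing_reason_id before anything is sent, maps the error rows of Table 75 to their descriptions, and checks that the returned Offense object actually reflects the requested change. The base URL is a placeholder and no request is sent; the caller supplies the HTTP transport.

```python
import json
from urllib.parse import urlencode

# Placeholder host (assumption, not from the reference); point it at a real console.
BASE_URL = "https://qradar.example.invalid/api"
VALID_STATUSES = ("OPEN", "HIDDEN", "CLOSED")

# Error rows of Table 75, keyed by (HTTP response code, unique code).
ERROR_CODES = {
    (403, 1009): "User does not have the required capability to assign an offense.",
    (404, 1002): "No offense was found for the provided offense_id.",
    (409, 1008): "Request cannot be completed due to the state of the offense.",
    (422, 1005): "A request parameter is not valid.",
    (500, 1020): "An error occurred while the offense was being updated.",
}


def build_update_url(offense_id, status=None, closing_reason_id=None, assigned_to=None,
                     protected=None, follow_up=None, fields=None):
    """Validate the parameters of POST /siem/offenses/{offense_id} and return the request URL."""
    if not isinstance(offense_id, int) or offense_id < 0:
        raise ValueError("offense_id must be a non-negative integer")
    params = {}
    if status is not None:
        if status not in VALID_STATUSES:
            raise ValueError("status must be one of OPEN, HIDDEN, CLOSED")
        if status == "CLOSED" and closing_reason_id is None:
            # Table 74: closing an offense without a valid closing_reason_id is rejected.
            raise ValueError("closing_reason_id is required when status is CLOSED")
        params["status"] = status
    if closing_reason_id is not None:
        params["closing_reason_id"] = int(closing_reason_id)
    if assigned_to is not None:
        params["assigned_to"] = assigned_to
    for name, flag in (("protected", protected), ("follow_up", follow_up)):
        if flag is not None:           # Boolean query parameters travel as text/plain
            params[name] = "true" if flag else "false"
    if fields:
        params["fields"] = fields      # e.g. "id,status,closing_reason_id"
    return f"{BASE_URL}/siem/offenses/{offense_id}?{urlencode(params)}"


def explain_error(http_code, unique_code):
    """Map a non-200 result to its Table 75 description, or flag it as undocumented."""
    return ERROR_CODES.get((http_code, unique_code), f"undocumented result {http_code}/{unique_code}")


def verify_update(response_body, expected):
    """Compare the returned Offense object with the requested changes; return any mismatches."""
    offense = json.loads(response_body)
    return {k: offense.get(k) for k, v in expected.items() if offense.get(k) != v}
```

Send the URL with the console's usual authentication and pass the 200 body to verify_update with the same values you requested; a non-empty result means the change did not take effect as expected.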

GET /siem/offense_types

Retrieve all the Offense Types.

Table 77: GET /siem/offense_types Resource Details

MIME Type

application/json

Table 78: GET /siem/offense_types Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list.

Table 79: GET /siem/offense_types Response Codes

HTTP Response Code | Unique Code | Description
200 | | The requested offense types list has been retrieved.
422 | 1005 | A request parameter is not valid.
422 | 1012 | The selected field cannot be used for sorting or it does not exist.
500 | 1020 | An error occurred while attempting to retrieve the offense type list.

Response Description

The offense types that currently exist. Custom flow or event properties appear as offense types only if they have been selected as part of a rule action or rule response limiter.

  • id - Number - The ID of the offense type; this is the value presented in an offense's offense_type field.

  • property_name - String - The name of the event or flow property represented by this offense type, or, for custom flow or event properties, the unique identifier of the custom property.

  • name - String - The offense type's name.

  • database_type - String - The database where this type is present. Possible values are: EVENTS, FLOWS, or COMMON (if it belongs to both events and flows).

  • custom - Boolean - True if the offense type is based on a custom flow or event property.

The following field can be sorted on: id.

Response Sample

[ { "custom": true, "database_type": "String <one of: EVENTS, FLOWS, COMMON>", "id": 42, "name": "String", "property_name": "String" } ]

GET /siem/offense_types/{offense_type_id}

Retrieve an offense type structure that describes the properties of an offense type.

Table 80: GET /siem/offense_types/{offense_type_id} Resource Details

MIME Type

application/json

Table 81: GET /siem/offense_types/{offense_type_id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
offense_type_id | path | Required | Number (Integer) | text/plain | Required - The ID of the offense type.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 82: GET /siem/offense_types/{offense_type_id} Response Codes

HTTP Response Code | Unique Code | Description
200 | | The requested offense type has been retrieved.
404 | 1002 | The requested offense type cannot be found.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while attempting to retrieve the requested offense type.

Response Description

The offense type with the entered offense_type_id.

  • id - Number - The ID of the offense type; this is the value presented in an offense's offense_type field.

  • property_name - String - The name of the event or flow property represented by this offense type, or, for custom flow or event properties, the unique identifier of the custom property.

  • name - String - The offense type's name.

  • database_type - String - The database where this type is present. Possible values are: EVENTS, FLOWS, or COMMON (if it belongs to both events and flows).

  • custom - Boolean - True if the offense type is based on a custom flow or event property.

Response Sample

{ "custom": true, "database_type": "String <one of: EVENTS, FLOWS, COMMON>", "id": 42, "name": "String", "property_name": "String" }

GET /siem/source_addresses

Retrieve a list of the offense source addresses currently in the system.

Table 83: GET /siem/source_addresses Resource Details

MIME Type

application/json

Table 84: GET /siem/source_addresses Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 85: GET /siem/source_addresses Response Codes

HTTP Response Code | Unique Code | Description
200 | | The source address list was retrieved.
422 | 1005 | A request parameter is not valid.
422 | 1010 | The filter parameter is not valid.
500 | 1020 | An error occurred while the source address list was being retrieved.

Response Description

An array of source address objects. A source address object contains the following fields:

  • id - Number - The ID of the source.

  • source_ip - String - The IP address.

  • magnitude - Number - The magnitude of the source address.

  • network - String - The network of the source address.

  • offense_ids - Array of Numbers - List of offense IDs the source is part of.

  • local_destination_address_ids - Array of Numbers - List of local destination address IDs associated with the source address.

  • event_flow_count - Number - The number of events and flows that are associated with the source.

  • first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or flow was seen.

  • last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow was seen.

  • domain_id - Number - The ID of associated domain.

Response Sample

[ { "domain_id": 42, "event_flow_count": 42, "first_event_flow_seen": 42, "id": 42, "last_event_flow_seen": 42, "local_destination_address_ids": [ 42 ], "magnitude": 42, "network": "String", "offense_ids": [ 42 ], "source_ip": "String" } ]

GET /siem/source_addresses/{source_address_id}

Retrieve an offense source address.

Table 86: GET /siem/source_addresses/{source_address_id} Resource Details

MIME Type

application/json

Table 87: GET /siem/source_addresses/{source_address_id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
source_address_id | path | Required | Number (Integer) | text/plain | Required - The ID of the source address to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 88: GET /siem/source_addresses/{source_address_id} Response Codes

HTTP Response Code | Unique Code | Description
200 | | The source address was retrieved.
404 | 1002 | No source address was found for the provided source_address_id.
422 | 1005 | A request parameter is not valid.
500 | 1020 | An error occurred while the source address was being retrieved.

Response Description

A source address object. A source address object contains the following fields:

  • id - Number - The ID of the source.

  • source_ip - String - The IP address.

  • magnitude - Number - The magnitude of the source address.

  • network - String - The network of the source address.

  • offense_ids - Array of Numbers - List of offense IDs the source is part of.

  • local_destination_address_ids - Array of Numbers - List of local destination address IDs associated with the source address.

  • event_flow_count - Number - The number of events and flows that are associated with the source.

  • first_event_flow_seen - Number - The number of milliseconds since epoch when the first event or flow was seen.

  • last_event_flow_seen - Number - The number of milliseconds since epoch when the last event or flow was seen.

  • domain_id - Number - The ID of associated domain.

Response Sample

{ "domain_id": 42, "event_flow_count": 42, "first_event_flow_seen": 42, "id": 42, "last_event_flow_seen": 42, "local_destination_address_ids": [ 42 ], "magnitude": 42, "network": "String", "offense_ids": [ 42 ], "source_ip": "String" }