
Configuration Endpoints

 

Use the references for REST API V9.0 configuration endpoints.

GET /config/access/tenant_management/tenants

Retrieve the list of all tenants ordered by tenant ID.

Table 1: GET /config/access/tenant_management/tenants Resource Details

MIME Type

application/json

Table 2: GET /config/access/tenant_management/tenants Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |

Table 3: GET /config/access/tenant_management/tenants Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 | | The tenant list was successfully retrieved. |
| 500 | 1020 | An error occurred while the tenant list was being retrieved. |

Response Description

A list of all the tenants.

Response Sample

[ { "deleted": true, "description": "String", "event_rate_limit": 42, "flow_rate_limit": 42, "id": 42, "name": "String" } ]

POST /config/access/tenant_management/tenants

Create a new tenant.

Table 4: POST /config/access/tenant_management/tenants Resource Details

MIME Type

application/json

Table 5: POST /config/access/tenant_management/tenants Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 6: POST /config/access/tenant_management/tenants Request Body Details

| Parameter | Data Type | MIME Type | Description | Sample |
| --- | --- | --- | --- | --- |
| tenant | Object | application/json | Required - Tenant - includes name, event_rate_limit (unit eps), flow_rate_limit (unit fpm) and description | { "deleted": true, "description": "String", "event_rate_limit": 42, "flow_rate_limit": 42, "name": "String" } |

Table 7: POST /config/access/tenant_management/tenants Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 201 | | A new tenant was created successfully and the new tenant object was returned. |
| 409 | 1004 | A tenant with the given name already exists. |
| 422 | 1005 | A request parameter is invalid. |
| 500 | 1020 | Failed to create the tenant. |

Response Description

The created tenant object.

Response Sample

{ "deleted": true, "description": "String", "event_rate_limit": 42, "flow_rate_limit": 42, "id": 42, "name": "String" }

GET /config/access/tenant_management/tenants/{tenant_id}

Retrieve a tenant by tenant id.

Table 8: GET /config/access/tenant_management/tenants/{tenant_id} Resource Details

MIME Type

application/json

Table 9: GET /config/access/tenant_management/tenants/{tenant_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| tenant_id | path | Required | Number (Integer) | text/plain | null |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 10: GET /config/access/tenant_management/tenants/{tenant_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 | | The tenant was successfully retrieved. |
| 404 | 1002 | No tenant was found for the provided tenant id. |
| 500 | 1020 | An error occurred while the tenant was being retrieved. |

Response Description

The associated tenant object.

Response Sample

{ "deleted": true, "description": "String", "event_rate_limit": 42, "flow_rate_limit": 42, "id": 42, "name": "String" }

POST /config/access/tenant_management/tenants/{tenant_id}

Update a tenant.

Table 11: POST /config/access/tenant_management/tenants/{tenant_id} Resource Details

MIME Type

application/json

Table 12: POST /config/access/tenant_management/tenants/{tenant_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| tenant_id | path | Required | Number (Integer) | text/plain | Required - Integer - the tenant id to modify |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 13: POST /config/access/tenant_management/tenants/{tenant_id} Request Body Details

| Parameter | Data Type | MIME Type | Description | Sample |
| --- | --- | --- | --- | --- |
| tenant | Object | application/json | Required - Tenant - includes name, event_rate_limit (unit eps), flow_rate_limit (unit fpm) and description | { "deleted": true, "description": "String", "event_rate_limit": 42, "flow_rate_limit": 42, "name": "String" } |

Table 14: POST /config/access/tenant_management/tenants/{tenant_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 | | The tenant profile was updated successfully and the updated tenant object was returned. |
| 404 | 1002 | The tenant profile does not exist. |
| 409 | 1004 | A tenant with the given name already exists. |
| 422 | 1005 | A request parameter is invalid. |
| 500 | 1020 | Failed to retrieve/update the given tenant profile. |

Response Description

The updated tenant object.

Response Sample

{ "deleted": true, "description": "String", "event_rate_limit": 42, "flow_rate_limit": 42, "id": 42, "name": "String" }

DELETE /config/access/tenant_management/tenants/{tenant_id}

Deletes a tenant by tenant ID.

Table 15: DELETE /config/access/tenant_management/tenants/{tenant_id} Resource Details

MIME Type

application/json

Table 16: DELETE /config/access/tenant_management/tenants/{tenant_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| tenant_id | path | Required | Number (Integer) | text/plain | Required - String - id associated to a tenant |

Table 17: DELETE /config/access/tenant_management/tenants/{tenant_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 | | The tenant was deleted successfully (soft delete). |
| 404 | 1002 | The tenant does not exist. |
| 500 | 1020 | An error occurred while deleting the tenant. |

Response Description

The deleted tenant object with its deleted parameter set to true.

Response Sample

{ "deleted": true, "description": "String", "event_rate_limit": 42, "flow_rate_limit": 42, "id": 42, "name": "String" }

GET /config/access/user_dependent_tasks/{task_id}

Retrieves the dependent user task status.

Table 18: GET /config/access/user_dependent_tasks/{task_id} Resource Details

MIME Type

application/json

Table 19: GET /config/access/user_dependent_tasks/{task_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| task_id | path | Required | Number (Integer) | text/plain | null |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 20: GET /config/access/user_dependent_tasks/{task_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 | | The Delete Task Status was retrieved. |
| 404 | 1002 | The Delete Task Status does not exist. |
| 500 | 1020 | An error occurred during the attempt to retrieve the Delete Task Status. |

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/config/access/user_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • cancelled_by - String - The name of the user who requested to cancel the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

  • number_of_dependents - Long - The number of dependents found. Value is null until task completes.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects checked for dependency.

  • task_components - Array - An array of task component objects. A task component object contains the following fields:

    • message - String - The localized sub-task status message.

    • status - String - The current state the sub-task is in.

    • sub_task_type - String - The type of the sub-task.

    • maximum - Long - The maximum number of objects to check for dependency.

    • progress - Long - The number of objects checked for dependency.

    • created - Long - The time, in milliseconds since epoch, when the sub-task was created.

    • started - Long - The time, in milliseconds since epoch, when the sub-task was started.

    • modified - Long - The time, in milliseconds since epoch, when the sub-task was modified.

    • completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING>" } ] }

POST /config/access/user_dependent_tasks/{task_id}

Cancels a dependent user task.

Table 21: POST /config/access/user_dependent_tasks/{task_id} Resource Details

MIME Type

application/json

Table 22: POST /config/access/user_dependent_tasks/{task_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| task_id | path | Required | Number (Integer) | text/plain | null |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 23: POST /config/access/user_dependent_tasks/{task_id} Request Body Details

| Parameter | Data Type | MIME Type | Description | Sample |
| --- | --- | --- | --- | --- |
| task | Object | application/json | null | { "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" } |

Table 24: POST /config/access/user_dependent_tasks/{task_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 | | The Dependent Task Status was retrieved. |
| 404 | 1002 | The Dependent Task Status does not exist. |
| 409 | 1004 | The task is in a completed state. |
| 422 | 1005 | A request parameter is not valid. |
| 500 | 1020 | An error occurred during the attempt to update the Dependent Task Status. |

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/config/access/user_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state that the task is in.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • cancelled_by - String - The name of the user who requested to cancel the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

  • number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects checked for dependency.

  • task_components - Array - An array of task component objects. A task component object contains the following fields:

    • message - String - The localized sub-task status message.

    • status - String - The current state the sub-task is in.

    • sub_task_type - String - The type of the sub-task.

    • maximum - Long - The maximum number of objects to check for dependency.

    • progress - Long - The number of objects checked for dependency.

    • created - Long - The time, in milliseconds since epoch, when the sub-task was created.

    • started - Long - The time, in milliseconds since epoch, when the sub-task was started.

    • modified - Long - The time, in milliseconds since epoch, when the sub-task was modified.

    • completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING>" } ] }

GET /config/access/user_dependent_tasks/{task_id}/results

Retrieves the user dependent task results.

Table 25: GET /config/access/user_dependent_tasks/{task_id}/results Resource Details

MIME Type

application/json

Table 26: GET /config/access/user_dependent_tasks/{task_id}/results Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| task_id | path | Required | Number (Integer) | text/plain | null |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 27: GET /config/access/user_dependent_tasks/{task_id}/results Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 | | The User Dependents were retrieved. |
| 404 | 1002 | The Dependent Task Status does not exist. |
| 500 | 1020 | An error occurred during the attempt to retrieve the Users. |

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

  • dependent_id - String - The ID of the dependent resource.

  • dependent_name - String - The name of the dependent resource (default resources can have localized names).

  • dependent_owner - String - The owner of the dependent resource.

  • dependent_type - String - The type of the dependent resource.

  • dependent_database - String - The database of the dependent resource.

  • dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.

  • user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample

[ { "blocking": true, "dependent_database": "String <one of: EVENTS, FLOWS>", "dependent_group_ids": [ 42 ], "dependent_id": "String", "dependent_name": "String", "dependent_owner": "String", "dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_REGEX_PROPERTY_DEPENDENCY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_REGEX_PROPERTY_DEPENDENCY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE, EVENT_AQL_PROPERTY, FLOW_AQL_PROPERTY, OFFENSE_TYPE, SECURITY_PROFILE, ARIEL_INDEX>", "user_has_edit_permissions": true } ]

GET /config/access/users

Retrieves a list of deployed users.

Table 28: GET /config/access/users Resource Details

MIME Type

application/json

Table 29: GET /config/access/users Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |

Table 30: GET /config/access/users Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 | | The users were retrieved. |
| 500 | 1020 | An error occurred during the attempt to retrieve the Users. |

Response Description

An array of User objects. A User object contains the following fields:

  • id - Long - The ID of the user.

  • name - String - The name of the user.

Response Sample

[ { "id": 42, "username": "String" } ]

GET /config/access/users/{id}/dependents

Retrieves the objects that depend on the user.

Table 31: GET /config/access/users/{id}/dependents Resource Details

MIME Type

application/json

Table 32: GET /config/access/users/{id}/dependents Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| id | path | Required | Number (Integer) | text/plain | null |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 33: GET /config/access/users/{id}/dependents Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 202 | | The User dependents retrieval was accepted and is in progress. |
| 404 | 1002 | The User does not exist. |
| 500 | 1020 | An error occurred during the attempt to initiate the User dependents retrieval task. |

Response Description

A Dependents Task Status object and the location header set to the task status url "/api/config/access/user_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • cancelled_by - String - The name of the user who requested cancellation of the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

  • number_of_dependents - Long - The number of dependents found. Value is null until task completes.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects checked for dependency.

  • task_components - Array - An array of task component objects. A task component object contains the following fields:

    • message - String - The localized sub-task status message.

    • status - String - The current state of the sub-task.

    • sub_task_type - String - The type of the sub-task.

    • maximum - Long - The maximum number of objects to check for dependency.

    • progress - Long - The number of objects checked for dependency.

    • created - Long - The time, in milliseconds since epoch, when the sub-task was created.

    • started - Long - The time, in milliseconds since epoch, when the sub-task was started.

    • modified - Long - The time, in milliseconds since epoch, when the sub-task was modified.

    • completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING>" } ] }
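The dependents request, the task status endpoint and the results endpoint form one asynchronous workflow, which is useful when checking what a user owns before the account is removed. The following is an added example, not vendor code: the `transport` callable, the `FakeConsole` stand-in and its sample data are constructed for illustration, and the set of status values treated as failed is an assumption.

```python
import time
from collections import Counter

API = "/api/config/access"
# Assumption: the page lists the status values but not which ones are final.
FAILED_STATES = {"CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}


def find_user_dependents(transport, user_id, max_polls=30, interval=2.0,
                         sleep=time.sleep):
    """Start the dependents task for user_id, poll it, return the results list.

    transport(method, path) -> (http_status, json_body) is a hypothetical
    interface supplied by the caller; it owns TLS and authentication.
    """
    if not isinstance(user_id, int):
        raise ValueError("user id must be an integer")
    status, task = transport("GET", f"{API}/users/{user_id}/dependents")
    if status == 404:
        raise LookupError(f"user {user_id} does not exist")
    if status != 202:
        raise RuntimeError(f"unexpected HTTP {status} starting dependents task")

    task_path = f"{API}/user_dependent_tasks/{task['id']}"
    for _ in range(max_polls):
        status, task = transport("GET", task_path)
        if status != 200:
            raise RuntimeError(f"HTTP {status} polling {task_path}")
        if task["status"] == "COMPLETED":
            break
        if task["status"] in FAILED_STATES:
            raise RuntimeError(f"task ended in state {task['status']}")
        sleep(interval)
    else:
        raise TimeoutError(f"task {task['id']} not completed after {max_polls} polls")

    status, results = transport("GET", f"{task_path}/results")
    if status != 200:
        raise RuntimeError(f"HTTP {status} fetching results")
    return results


def summarize(dependents):
    """Group dependents so an operator can see what to reassign first."""
    return {
        "total": len(dependents),
        "by_type": dict(Counter(d["dependent_type"] for d in dependents)),
        # The task creator cannot edit these; someone with more rights must.
        "not_editable": [d["dependent_id"] for d in dependents
                         if not d.get("user_has_edit_permissions")],
        # "blocking" is in the response sample but not described on the page;
        # it is reported as-is without interpreting it.
        "blocking": [d["dependent_id"] for d in dependents if d.get("blocking")],
    }


# Constructed sample data, shaped like the Response Sample above.
SAMPLE_RESULTS = [
    {"dependent_id": "100201", "dependent_name": "Constructed rule",
     "dependent_owner": "jdoe", "dependent_type": "CRE_RULE",
     "dependent_database": "EVENTS", "dependent_group_ids": [4],
     "user_has_edit_permissions": True, "blocking": False},
    {"dependent_id": "2871", "dependent_name": "Constructed search",
     "dependent_owner": "jdoe", "dependent_type": "ARIEL_SAVED_SEARCH",
     "dependent_database": "FLOWS", "dependent_group_ids": [],
     "user_has_edit_permissions": True, "blocking": False},
    {"dependent_id": "12", "dependent_name": "Constructed token",
     "dependent_owner": "jdoe", "dependent_type": "AUTHORIZED_SERVICE",
     "dependent_database": None, "dependent_group_ids": [],
     "user_has_edit_permissions": False, "blocking": True},
]


class FakeConsole:
    """Constructed stand-in for the API so the example runs offline."""

    def __init__(self):
        self.polls = 0

    def __call__(self, method, path):
        if path == f"{API}/users/7/dependents":
            return 202, {"id": 91, "status": "QUEUED", "number_of_dependents": None}
        if path == f"{API}/user_dependent_tasks/91":
            self.polls += 1
            state = "COMPLETED" if self.polls >= 3 else "PROCESSING"
            return 200, {"id": 91, "status": state}
        if path == f"{API}/user_dependent_tasks/91/results":
            return 200, SAMPLE_RESULTS
        return 404, {}


if __name__ == "__main__":
    deps = find_user_dependents(FakeConsole(), 7, sleep=lambda s: None)
    print(summarize(deps))
```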

GET /config/access/users/{id}

Retrieves a deployed user.

Table 34: GET /config/access/users/{id} Resource Details

MIME Type

application/json

Table 35: GET /config/access/users/{id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| id | path | Required | Number (Integer) | text/plain | null |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 36: GET /config/access/users/{id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 | | The user was retrieved. |
| 404 | 1002 | The User does not exist. |
| 500 | 1020 | An error occurred while attempting to retrieve the User. |

Response Description

The User after it is retrieved. A User object contains the following fields:

  • id - Long - The ID of the user.

  • name - String - The name of the user.

Response Sample

{ "id": 42, "username": "String" }

GET /config/deployment/hosts

Retrieves a list of all deployed hosts.

Table 37: GET /config/deployment/hosts Resource Details

MIME Type

application/json

Table 38: GET /config/deployment/hosts Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |

Table 39: GET /config/deployment/hosts Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 | | The host list was successfully retrieved. |
| 500 | 1001 | An error occurred during the attempt to retrieve the host list. |

Response Description

A list of all the hosts. Each Host object has the following fields:

  • id - The ID of this managed host.

  • hostname - The host name of this managed host.

  • private_ip - The private IP of this managed host.

  • public_ip - The public IP of this managed host.

  • appliance - An object that represents the appliance type ID and description of this managed host.

  • version - The installed version on this managed host.

  • status - The status of this managed host.

  • eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware constraints for this managed host.

  • eps_allocation - The allocated eps rate of this managed host.

  • average_eps - The average eps rate of this managed host over the previous month.

  • peak_eps - The peak eps rate that was experienced by this managed host over the previous month.

  • fpm_rate_hardware_limit - The upper limit for fpm_allocation based on hardware constraints for this managed host.

  • fpm_allocation - The allocated fpm rate of this managed host.

  • average_fpm - The average fpm rate of this managed host over the previous month.

  • peak_fpm - The peak fpm rate that was experienced by this managed host over the previous month.

  • primary_server_id - The ID for the primary server host for this managed host.

  • secondary_server_id - If configured, the ID for the secondary server host for this managed host.

  • license_serial_number - The serial number that is associated with this managed host's license.

  • components - A list of components that are associated with this managed host.

  • compression_enabled - Whether or not compression is enabled for this managed host.

  • encryption_enabled - Whether or not encryption is enabled for this managed host.

Response Sample

[ { "appliance": { "id": "String", "type": "String" }, "average_eps": 42, "average_fpm": 42, "components": [ "String <one of: eventcollector, eventprocessor, dataNode, magistrate, ariel_query_server, ariel_proxy_server, vis, assetprofiler, qflow, hostcontext, tunnel, setuptunnel, ecs-ec, ecs-ep, resolveragent, resolver_manager, offsiteSource, offsiteTarget, accumulator, offline_forwarder, qvm, qvmprocessor, qvmscanner, qvmhostedscanner, qvmsiteprotector, arc_builder, tomcat-rm, ziptie-server, qrm, asset_change_publisher, forensicsnode, forensics_realtime, masterdaemon>" ], "compression_enabled": true, "encryption_enabled": true, "eps_allocation": 42, "eps_rate_hardware_limit": 42, "fpm_allocation": 42, "fpm_rate_hardware_limit": 42, "hostname": "String", "id": 42, "license_serial_number": "String", "peak_eps": 42, "peak_fpm": 42, "primary_server_id": 42, "private_ip": "String", "public_ip": "String", "secondary_server_id": 42, "status": "String <one of: Active, ADDING, Deleted, Deleting, ADD_FAILED, New, ADD_FAILED_VERSION_CHECK, ADD_FAILED_DEPLOY_IN_PROGRESS, ADD_FAILED_RETRY_CONNECTION, ADD_FAILED_HA, ADD_FAILED_CHECK_LOGS>", "version": "String" } ]
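The host fields above are enough for a deployment hygiene check: page through the list with `Range`, restrict the payload with `fields`, and flag hosts that are not Active, have encryption disabled, or are allocated beyond their hardware limit. This is an added example, not vendor code; the `fetch` callable and the sample hosts are constructed, and the `items=first-last` value syntax for `Range` is an assumption that the page does not state.

```python
HOSTS_PATH = "/api/config/deployment/hosts"
FIELDS = ("hostname,status,encryption_enabled,"
          "eps_allocation,eps_rate_hardware_limit,peak_eps,"
          "fpm_allocation,fpm_rate_hardware_limit,peak_fpm")


def list_hosts(fetch, page_size=50):
    """Page through the host list; fetch(path, headers) -> list is hypothetical."""
    hosts, first = [], 0
    while True:
        # Assumption: "items=first-last" (zero-indexed, inclusive) range syntax.
        headers = {"Range": f"items={first}-{first + page_size - 1}"}
        page = fetch(f"{HOSTS_PATH}?fields={FIELDS}", headers)
        hosts.extend(page)
        if len(page) < page_size:  # a short page means the list is exhausted
            return hosts
        first += page_size


def audit_hosts(hosts):
    """Return {hostname: [issues]} for hosts that need attention."""
    findings = {}
    for h in hosts:
        issues = []
        if h.get("status") != "Active":
            issues.append(f"status={h.get('status')}")
        if h.get("encryption_enabled") is not True:
            issues.append("encryption disabled")
        for unit in ("eps", "fpm"):
            alloc = h.get(f"{unit}_allocation")
            limit = h.get(f"{unit}_rate_hardware_limit")
            peak = h.get(f"peak_{unit}")
            # Values may be absent (for example on a host that failed to add).
            if alloc is not None and limit is not None and alloc > limit:
                issues.append(f"{unit} allocation {alloc} exceeds hardware limit {limit}")
            if alloc is not None and peak is not None and peak > alloc:
                issues.append(f"peak {unit} {peak} exceeded allocation {alloc}")
        if issues:
            findings[h["hostname"]] = issues
    return findings


# Constructed sample hosts using the field names documented above.
SAMPLE_HOSTS = [
    {"hostname": "console-01", "status": "Active", "encryption_enabled": True,
     "eps_allocation": 5000, "eps_rate_hardware_limit": 15000, "peak_eps": 4200,
     "fpm_allocation": 200000, "fpm_rate_hardware_limit": 600000, "peak_fpm": 100000},
    {"hostname": "ep-02", "status": "Active", "encryption_enabled": False,
     "eps_allocation": 20000, "eps_rate_hardware_limit": 15000, "peak_eps": 21000,
     "fpm_allocation": None, "fpm_rate_hardware_limit": None, "peak_fpm": None},
    {"hostname": "ec-03", "status": "ADD_FAILED_CHECK_LOGS", "encryption_enabled": True,
     "eps_allocation": None, "eps_rate_hardware_limit": None, "peak_eps": None,
     "fpm_allocation": None, "fpm_rate_hardware_limit": None, "peak_fpm": None},
]


def fake_fetch(path, headers):
    """Constructed stand-in that honours the Range header over SAMPLE_HOSTS."""
    first, last = map(int, headers["Range"].split("=")[1].split("-"))
    return SAMPLE_HOSTS[first:last + 1]


if __name__ == "__main__":
    for host, issues in audit_hosts(list_hosts(fake_fetch, page_size=2)).items():
        print(host, issues)
```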

GET /config/deployment/hosts/{id}

Retrieves a deployed host by ID.

Table 40: GET /config/deployment/hosts/{id} Resource Details

MIME Type

application/json

Table 41: GET /config/deployment/hosts/{id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| id | path | Required | Number (Integer) | text/plain | Required - The ID of the deployed host to be retrieved. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 42: GET /config/deployment/hosts/{id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 | | The host was successfully retrieved. |
| 404 | 1002 | No such host is deployed for the given ID. |
| 422 | 1003 | The provided ID was a negative number or zero. |
| 500 | 1004 | An error occurred during the retrieval of the host. |

Response Description

The associated deployed host object. The Host object has the following fields:

  • id - The ID of this managed host.

  • hostname - The host name of this managed host.

  • private_ip - The private IP of this managed host.

  • public_ip - The public IP of this managed host.

  • appliance - An object that represents the appliance type ID and description of this managed host.

  • version - The installed version on this managed host.

  • status - The status of this managed host.

  • eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware constraints for this managed host.

  • eps_allocation - The allocated eps rate of this managed host.

  • average_eps - The average eps rate of this managed host over the previous month.

  • peak_eps - The peak eps rate that was experienced by this managed host over the previous month.

  • fpm_rate_hardware_limit - The upper limit for fpm_allocation based on hardware constraints for this managed host.

  • fpm_allocation - The allocated fpm rate of this managed host.

  • average_fpm - The average fpm rate of this managed host over the previous month.

  • peak_fpm - The peak fpm rate that was experienced by this managed host over the previous month.

  • primary_server_id - The ID for the primary server host for this managed host.

  • secondary_server_id - If configured, the ID for the secondary server host for this managed host.

  • license_serial_number - The serial number that is associated with this managed host's license.

  • components - A list of components that are associated with this managed host.

  • compression_enabled - Whether or not compression is enabled for this managed host.

  • encryption_enabled - Whether or not encryption is enabled for this managed host.

Response Sample

[ { "appliance": { "id": "String", "type": "String" }, "average_eps": 42, "average_fpm": 42, "components": [ "String <one of: eventcollector, eventprocessor, dataNode, magistrate, ariel_query_server, ariel_proxy_server, vis, assetprofiler, qflow, hostcontext, tunnel, setuptunnel, ecs-ec, ecs-ep, resolveragent, resolver_manager, offsiteSource, offsiteTarget, accumulator, offline_forwarder, qvm, qvmprocessor, qvmscanner, qvmhostedscanner, qvmsiteprotector, arc_builder, tomcat-rm, ziptie-server, qrm, asset_change_publisher, forensicsnode, forensics_realtime, masterdaemon>" ], "compression_enabled": true, "encryption_enabled": true, "eps_allocation": 42, "eps_rate_hardware_limit": 42, "fpm_allocation": 42, "fpm_rate_hardware_limit": 42, "hostname": "String", "id": 42, "license_serial_number": "String", "peak_eps": 42, "peak_fpm": 42, "primary_server_id": 42, "private_ip": "String", "public_ip": "String", "secondary_server_id": 42, "status": "String <one of: Active, ADDING, Deleted, Deleting, ADD_FAILED, New, ADD_FAILED_VERSION_CHECK, ADD_FAILED_DEPLOY_IN_PROGRESS, ADD_FAILED_RETRY_CONNECTION, ADD_FAILED_HA, ADD_FAILED_CHECK_LOGS>", "version": "String" } ]

POST /config/deployment/hosts/{id}

Updates a host by ID and sends a JMS message to update the pipeline.

Table 43: POST /config/deployment/hosts/{id} Resource Details

MIME Type

application/json

Table 44: POST /config/deployment/hosts/{id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

id

path

Required

Number (Integer)

text/plain

Required - The ID of the staged host to be updated.

fields

header

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 45: POST /config/deployment/hosts/{id} Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

host

Object

application/json

Required - The host values to be updated. At the moment, the only writable properties are eps_allocation and fpm_allocation.

{ "appliance": { "id": "String", "type": "String" }, "average_eps": 42, "average_fpm": 42, "components": [ "String <one of: eventcollector, eventprocessor, dataNode, magistrate, ariel_query_server, ariel_proxy_server, vis, assetprofiler, qflow, hostcontext, tunnel, setuptunnel, ecs-ec, ecs-ep, resolveragent, resolver_manager, offsiteSource, offsiteTarget, accumulator, offline_forwarder, qvm, qvmprocessor, qvmscanner, qvmhostedscanner, qvmsiteprotector, arc_builder, tomcat-rm, ziptie-server, qrm, asset_change_publisher, forensicsnode, forensics_realtime, masterdaemon>" ], "compression_enabled": true, "encryption_enabled": true, "eps_allocation": 42, "eps_rate_hardware_limit": 42, "fpm_allocation": 42, "fpm_rate_hardware_limit": 42, "hostname": "String", "id": 42, "license_serial_number": "String", "peak_eps": 42, "peak_fpm": 42, "primary_server_id": 42, "private_ip": "String", "public_ip": "String", "secondary_server_id": 42, "status": "String <one of: Active, ADDING, Deleted, Deleting, ADD_FAILED, New, ADD_FAILED_VERSION_CHECK, ADD_FAILED_DEPLOY_IN_PROGRESS, ADD_FAILED_RETRY_CONNECTION, ADD_FAILED_HA, ADD_FAILED_CHECK_LOGS, ADD_FAILED_QVMPROCESSOR_ALREADY_EXISTS>", "version": "String" }

Table 46: POST /config/deployment/hosts/{id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The host was successfully updated.

404

1010

Could not find the host to update.

417

1011

EPS values are expected to be a multiple of the set EPS block. By default the block size is 500.

417

1012

FPM values are expected to be a multiple of the set FPM block. By default the block size is 10000.

417

1013

The EPS value given does not meet the minimum required EPS 200.

417

1014

The FPM value given does not meet the minimum required FPM 200.

417

1016

Can't change EPS/FPM values for a host with a serialized license.

417

1017

EPS value exceeds hardware limit.

417

1018

FPM value exceeds hardware limit.

417

1019

EPS value is greater than that available in the license pool.

417

1020

FPM value is greater than that available in the license pool.

422

1009

null

500

1021

null

Response Description

The updated host object. The host object has the following fields:

  • id - The ID of this managed host.

  • hostname - The host name of this managed host.

  • private_ip - The private IP of this managed host.

  • public_ip - The public IP of this managed host.

  • appliance - An object that represents the appliance type ID and description of this managed host.

  • version - The installed version on this managed host.

  • status - The status of this managed host.

  • eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware constraints for this managed host.

  • eps_allocation - The allocated eps rate of this managed host.

  • average_eps - The average eps rate of this managed host over the previous month.

  • peak_eps - The peak eps rate that was experienced by this managed host over the previous month.

  • fpm_rate_hardware_limit - The upper limit for fpm_allocation based on hardware constraints for this managed host.

  • fpm_allocation - The allocated fpm rate of this managed host.

  • average_fpm - The average fpm rate of this managed host over the previous month.

  • peak_fpm - The peak fpm rate that was experienced by this managed host over the previous month.

  • primary_server_id - The ID for the primary server host for this managed host.

  • secondary_server_id - If configured, the ID for the secondary server host for this managed host.

  • license_serial_number - The serial number associated with this managed host's license.

  • components - A list of components that are associated with this managed host.

  • compression_enabled - Whether or not compression is enabled for this managed host.

  • encryption_enabled - Whether or not encryption is enabled for this managed host.

ServerProcessingException - An unexpected exception occurred during the updating of the host.

Response Sample

[ { "appliance": { "id": "String", "type": "String" }, "average_eps": 42, "average_fpm": 42, "components": [ "String <one of: eventcollector, eventprocessor, dataNode, magistrate, ariel_query_server, ariel_proxy_server, vis, assetprofiler, qflow, hostcontext, tunnel, setuptunnel, ecs-ec, ecs-ep, resolveragent, resolver_manager, offsiteSource, offsiteTarget, accumulator, offline_forwarder, qvm, qvmprocessor, qvmscanner, qvmhostedscanner, qvmsiteprotector, arc_builder, tomcat-rm, ziptie-server, qrm, asset_change_publisher, forensicsnode, forensics_realtime, masterdaemon>" ], "compression_enabled": true, "encryption_enabled": true, "eps_allocation": 42, "eps_rate_hardware_limit": 42, "fpm_allocation": 42, "fpm_rate_hardware_limit": 42, "hostname": "String", "id": 42, "license_serial_number": "String", "peak_eps": 42, "peak_fpm": 42, "primary_server_id": 42, "private_ip": "String", "public_ip": "String", "secondary_server_id": 42, "status": "String <one of: Active, ADDING, Deleted, Deleting, ADD_FAILED, New, ADD_FAILED_VERSION_CHECK, ADD_FAILED_DEPLOY_IN_PROGRESS, ADD_FAILED_RETRY_CONNECTION, ADD_FAILED_HA, ADD_FAILED_CHECK_LOGS>", "version": "String" } ]

GET /config/deployment/license_pool

Retrieves the deployed license pool information.

Table 47: GET /config/deployment/license_pool Resource Details

MIME Type

application/json

Table 48: GET /config/deployment/license_pool Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 49: GET /config/deployment/license_pool Response Codes

HTTP Response Code

Unique Code

Description

200

 

The license pool was successfully retrieved.

500

1001

An error occurred during the retrieval of the license pool.

Response Description

The deployed license pool information.

  • eps(allocated) - The amount of EPS rate allocated from the pool.

  • eps(overallocated) - Whether EPS is overallocated or not in the pool.

  • eps(total) - The total EPS rate available in the pool.

  • fpm(allocated) - The amount of FPM rate allocated from the pool.

  • fpm(overallocated) - Whether FPM is overallocated or not in the pool.

  • fpm(total) - The total FPM rate available in the pool.

Response Sample

{ "eps": { "allocated": 42, "overallocated": true, "total": 42 }, "fpm": { "allocated": 42, "overallocated": true, "total": 42 } }
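The 417 conditions listed for POST /config/deployment/hosts/{id} can be checked on the client before the update is sent, using the host object and the license pool object described above. The following is an added example, not code from the product. It assumes that the pool's allocated figure already includes the host's current allocation and that a body carrying only the two writable properties is accepted; code 1016 is not checked because the page does not say how a serialized license is identified, and the SAMPLE_* values are constructed.

```python
# Added example: client-side pre-flight check for POST /config/deployment/hosts/{id}.
# Messages are copied from the response-code table; the rest is assumption.

# Defaults stated in the response-code table.
EPS_BLOCK, FPM_BLOCK = 500, 10000
EPS_MIN, FPM_MIN = 200, 200

MESSAGES = {
    1011: "EPS values are expected to be a multiple of the set EPS block.",
    1012: "FPM values are expected to be a multiple of the set FPM block.",
    1013: "The EPS value given does not meet the minimum required EPS 200.",
    1014: "The FPM value given does not meet the minimum required FPM 200.",
    1017: "EPS value exceeds hardware limit.",
    1018: "FPM value exceeds hardware limit.",
    1019: "EPS value is greater than that available in the license pool.",
    1020: "FPM value is greater than that available in the license pool.",
}

# Constructed sample objects, shaped like the response samples on this page.
SAMPLE_HOST = {
    "id": 53,
    "eps_allocation": 1000,
    "fpm_allocation": 20000,
    "eps_rate_hardware_limit": 5000,
    "fpm_rate_hardware_limit": 100000,
}
SAMPLE_POOL = {
    "eps": {"allocated": 4000, "overallocated": False, "total": 5000},
    "fpm": {"allocated": 20000, "overallocated": False, "total": 50000},
}


def _headroom(pool_entry, current):
    # Assumption: "allocated" already counts this host's current allocation,
    # so that amount becomes available again when the host is resized.
    return pool_entry["total"] - pool_entry["allocated"] + (current or 0)


def _over(value, limit):
    # A missing hardware limit is treated as "no limit known", not as zero.
    return limit is not None and value > limit


def check_allocation(host, pool, eps, fpm, eps_block=EPS_BLOCK, fpm_block=FPM_BLOCK):
    """Return every documented unique code the requested values would trip."""
    for value in (eps, fpm):
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError("eps and fpm must be integers")
    checks = [
        (1011, eps % eps_block != 0),
        (1012, fpm % fpm_block != 0),
        (1013, eps < EPS_MIN),
        (1014, fpm < FPM_MIN),
        (1017, _over(eps, host.get("eps_rate_hardware_limit"))),
        (1018, _over(fpm, host.get("fpm_rate_hardware_limit"))),
        (1019, eps > _headroom(pool["eps"], host.get("eps_allocation"))),
        (1020, fpm > _headroom(pool["fpm"], host.get("fpm_allocation"))),
    ]
    return [code for code, failed in checks if failed]


def plan_update(host, pool, eps, fpm):
    """Build the request path and body, plus any violations found."""
    host_id = host["id"]
    # The ID is interpolated into the URL path, so accept positive integers only.
    if isinstance(host_id, bool) or not isinstance(host_id, int) or host_id <= 0:
        raise ValueError("host id must be a positive integer")
    codes = check_allocation(host, pool, eps, fpm)
    return {
        "path": f"/config/deployment/hosts/{host_id}",
        # Only the two properties the page lists as writable are sent.
        "body": {"eps_allocation": eps, "fpm_allocation": fpm},
        "violations": {code: MESSAGES[code] for code in codes},
    }
```

An empty violations mapping means none of the checked conditions apply; the server remains the authority and can still reject the request.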

GET /config/domain_management/domains

Retrieves the list of domains. The list is ordered by domain ID. If domains were never configured, only the default domain is returned.

Table 50: GET /config/domain_management/domains Resource Details

MIME Type

application/json

Table 51: GET /config/domain_management/domains Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

Range

header

Optional

String

text/plain

Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

filter

query

Optional

String

text/plain

Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 52: GET /config/domain_management/domains Response Codes

HTTP Response Code

Unique Code

Description

200

 

The domain list has been successfully retrieved.

500

1020

An error occurred while the domain list was being retrieved.

Response Description

The list of domain objects.

Response Sample

[ { "asset_scanner_ids": [ 42 ], "custom_properties": [ { "capture_result": "String", "id": 42 } ], "deleted": true, "description": "String", "event_collector_ids": [ 42 ], "flow_collector_ids": [ 42 ], "flow_source_ids": [ 42 ], "id": 42, "log_source_group_ids": [ 42 ], "log_source_ids": [ 42 ], "name": "String", "qvm_scanner_ids": [ 42 ], "tenant_id": 42 } ]

POST /config/domain_management/domains

Creates a new domain.

Table 53: POST /config/domain_management/domains Resource Details

MIME Type

application/json

Table 54: POST /config/domain_management/domains Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

fields

header

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 55: POST /config/domain_management/domains Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

domain

Object

application/json

A domain JSON object (its id parameter is ignored).

{ "asset_scanner_ids": [42], "custom_properties": [{"capture_result": "String", "id": 42}], "deleted": true, "description": "String", "event_collector_ids": [42], "flow_collector_ids": [42], "flow_source_ids": [42], "log_source_group_ids": [42], "log_source_ids": [42], "name": "String", "qvm_scanner_ids": [42], "tenant_id": 42 }

Table 56: POST /config/domain_management/domains Response Codes

HTTP Response Code

Unique Code

Description

201

 

The domain has been successfully created.

409

1004

A domain object parameter already exists.

422

1005

A domain object parameter is invalid.

500

1020

An error occurred while the domain was being created.

Response Description

A created domain object.

Response Sample

{ "asset_scanner_ids": [ 42 ], "custom_properties": [ { "capture_result": "String", "id": 42 } ], "deleted": true, "description": "String", "event_collector_ids": [ 42 ], "flow_collector_ids": [ 42 ], "flow_source_ids": [ 42 ], "id": 42, "log_source_group_ids": [ 42 ], "log_source_ids": [ 42 ], "name": "String", "qvm_scanner_ids": [ 42 ], "tenant_id": 42 }

GET /config/domain_management/domains/{domain_id}

Retrieves a domain by domain ID.

Table 57: GET /config/domain_management/domains/{domain_id} Resource Details

MIME Type

application/json

Table 58: GET /config/domain_management/domains/{domain_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

domain_id

path

Required

Number (Integer)

text/plain

The ID of the domain object to retrieve.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 59: GET /config/domain_management/domains/{domain_id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The domain has been successfully retrieved.

404

1002

No domain was found for the provided domain id.

500

1020

An error occurred while the domain was being retrieved.

Response Description

A domain object.

Response Sample

{ "asset_scanner_ids": [ 42 ], "custom_properties": [ { "capture_result": "String", "id": 42 } ], "deleted": true, "description": "String", "event_collector_ids": [ 42 ], "flow_collector_ids": [ 42 ], "flow_source_ids": [ 42 ], "id": 42, "log_source_group_ids": [ 42 ], "log_source_ids": [ 42 ], "name": "String", "qvm_scanner_ids": [ 42 ], "tenant_id": 42 }

POST /config/domain_management/domains/{domain_id}

Updates an existing domain.

Table 60: POST /config/domain_management/domains/{domain_id} Resource Details

MIME Type

application/json

Table 61: POST /config/domain_management/domains/{domain_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

domain_id

path

Required

Number (Integer)

text/plain

The ID of the domain object to update.

fields

header

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 62: POST /config/domain_management/domains/{domain_id} Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

domain

Object

application/json

A domain JSON object.

{ "asset_scanner_ids": [42], "custom_properties": [{"capture_result": "String", "id": 42}], "deleted": true, "description": "String", "event_collector_ids": [42], "flow_collector_ids": [42], "flow_source_ids": [42], "log_source_group_ids": [42], "log_source_ids": [42], "name": "String", "qvm_scanner_ids": [42], "tenant_id": 42 }

Table 63: POST /config/domain_management/domains/{domain_id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The domain has been successfully updated.

404

1002

No domain was found for the provided domain id.

409

1004

A domain object parameter already exists.

422

1005

A domain object parameter is invalid.

500

1020

An error occurred while the domain was being updated.

Response Description

The updated domain object.

Response Sample

{ "asset_scanner_ids": [ 42 ], "custom_properties": [ { "capture_result": "String", "id": 42 } ], "deleted": true, "description": "String", "event_collector_ids": [ 42 ], "flow_collector_ids": [ 42 ], "flow_source_ids": [ 42 ], "id": 42, "log_source_group_ids": [ 42 ], "log_source_ids": [ 42 ], "name": "String", "qvm_scanner_ids": [ 42 ], "tenant_id": 42 }

DELETE /config/domain_management/domains/{domain_id}

Deletes a domain by domain ID.

Table 64: DELETE /config/domain_management/domains/{domain_id} Resource Details

MIME Type

application/json

Table 65: DELETE /config/domain_management/domains/{domain_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

domain_id

path

Required

Number (Integer)

text/plain

The ID of the domain object to delete.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 66: DELETE /config/domain_management/domains/{domain_id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The domain has been successfully deleted.

404

1002

No domain was found for the provided domain id.

422

1005

Default domain cannot be deleted.

500

1020

An error occurred while the domain was being deleted.

Response Description

The deleted domain object with its parameter deleted set to true.

Response Sample

{ "asset_scanner_ids": [ 42 ], "custom_properties": [ { "capture_result": "String", "id": 42 } ], "deleted": true, "description": "String", "event_collector_ids": [ 42 ], "flow_collector_ids": [ 42 ], "flow_source_ids": [ 42 ], "id": 42, "log_source_group_ids": [ 42 ], "log_source_ids": [ 42 ], "name": "String", "qvm_scanner_ids": [ 42 ], "tenant_id": 42 }

GET /config/event_retention_buckets

Retrieves a list of event retention buckets.

Table 67: GET /config/event_retention_buckets Resource Details

MIME Type

application/json

Table 68: GET /config/event_retention_buckets Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

Range

header

Optional

String

text/plain

Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

filter

query

Optional

String

text/plain

Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 69: GET /config/event_retention_buckets Response Codes

HTTP Response Code

Unique Code

Description

200

 

The event retention buckets were retrieved.

422

1010

A request parameter is not valid.

500

1020

An error occurred during the attempt to retrieve the event retention buckets.

Response Description

An array of Retention Bucket objects. A Retention Bucket object contains the following fields:

  • id - Integer - The ID of the retention bucket.

  • bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).

  • priority - Integer - The priority of the retention bucket (0 - 10).

  • name - String - The name of the retention bucket.

  • database - String - The database of the retention bucket, EVENTS or FLOWS.

  • description - String - The description of the retention bucket.

  • period - Integer - The retention period in hours.

  • delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.

  • created - Long - The time, in milliseconds since epoch, when the retention bucket was created.

  • modified - Long - The time, in milliseconds since epoch, when the retention bucket was last modified.

  • saved_search_id - String - The ID of the saved search that is used by the retention bucket.

  • enabled - Boolean - True if the retention bucket is enabled.

Response Sample

[ { "bucket_id": 42, "created": 42, "database": "String", "deletion": "String <one of: ON_DEMAND, IMMEDIATELY>", "description": "String", "enabled": true, "id": 42, "modified": 42, "name": "String", "period": 42, "priority": 42, "saved_search_id": "String" } ]

GET /config/event_retention_buckets/{id}

Retrieves an event retention bucket.

Table 70: GET /config/event_retention_buckets/{id} Resource Details

MIME Type

application/json

Table 71: GET /config/event_retention_buckets/{id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

id

path

Required

Number (Integer)

text/plain

null

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 72: GET /config/event_retention_buckets/{id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The event retention bucket was retrieved.

404

1002

The event retention bucket does not exist.

500

1020

An error occurred during the attempt to retrieve the event retention bucket.

Response Description

The retention bucket after it has been retrieved. A Retention Bucket object contains the following fields:

  • id - Integer - The ID of the retention bucket.

  • bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).

  • priority - Integer - The priority of the retention bucket (0 - 10).

  • name - String - The name of the retention bucket.

  • database - String - The database of the retention bucket, EVENTS or FLOWS.

  • description - String - The description of the retention bucket.

  • period - Integer - The retention period in hours.

  • delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.

  • created - Long - The time, in milliseconds since epoch, when the retention bucket was created.

  • modified - Long - The time, in milliseconds since epoch, when the retention bucket was last modified.

  • saved_search_id - String - The ID of the saved search that is used by the retention bucket.

  • enabled - Boolean - True if the retention bucket is enabled.

Response Sample

{ "bucket_id": 42, "created": 42, "database": "String", "deletion": "String <one of: ON_DEMAND, IMMEDIATELY>", "description": "String", "enabled": true, "id": 42, "modified": 42, "name": "String", "period": 42, "priority": 42, "saved_search_id": "String" }

POST /config/event_retention_buckets/{id}

Updates only the owner or the enabled/disabled state of an event retention bucket.

Table 73: POST /config/event_retention_buckets/{id} Resource Details

MIME Type

application/json

Table 74: POST /config/event_retention_buckets/{id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

id

path

Required

Number (Integer)

text/plain

null

fields

header

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 75: POST /config/event_retention_buckets/{id} Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

retention_bucket

Object

application/json

null

{ "id": 1, "name": "String", "description": "String", "priority": 1, "period": 1, "deletion": "String", "created": 123123, "modified": 123123, "saved_search_id": "String", "enabled": true }

Table 76: POST /config/event_retention_buckets/{id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The event retention bucket has been updated.

404

1002

The event retention bucket does not exist.

409

1004

The provided user does not have the required capabilities to own the event retention bucket.

422

1005

A request parameter is not valid.

500

1020

An error occurred during the attempt to update the event retention bucket.

Response Description

The Retention Bucket after it is updated. A Retention Bucket object contains the following fields:

  • id - Integer - The ID of the retention bucket.

  • bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).

  • priority - Integer - The priority of the retention bucket (0 - 10).

  • name - String - The name of the retention bucket.

  • database - String - The database of the retention bucket, EVENTS or FLOWS.

  • description - String - The description of the retention bucket.

  • period - Integer - The retention period in hours.

  • delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.

  • created - Long - The time, in milliseconds since epoch, when the retention bucket was created.

  • modified - Long - The time, in milliseconds since epoch, when the retention bucket was last modified.

  • saved_search_id - String - The ID of the saved search that is used by the retention bucket.

  • enabled - Boolean - True if the retention bucket is enabled.

Response Sample

{ "bucket_id": 42, "created": 42, "database": "String", "deletion": "String <one of: ON_DEMAND, IMMEDIATELY>", "description": "String", "enabled": true, "id": 42, "modified": 42, "name": "String", "period": 42, "priority": 42, "saved_search_id": "String" }

DELETE /config/event_retention_buckets/{id}

Deletes an event retention bucket.

Table 77: DELETE /config/event_retention_buckets/{id} Resource Details

MIME Type

text/plain

Table 78: DELETE /config/event_retention_buckets/{id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

id

path

Required

Number (Integer)

text/plain

null

Table 79: DELETE /config/event_retention_buckets/{id} Response Codes

HTTP Response Code

Unique Code

Description

204

 

The Event Retention Bucket was deleted.

403

1009

You do not have the proper capabilities to delete the event retention bucket.

404

1002

The Event Retention Bucket does not exist.

500

1020

An error occurred during the attempt to delete the event retention bucket.

Response Description

Response Sample

DELETE /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}

Deletes the event calculated property. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started to do this check.

Table 80: DELETE /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} Resource Details

MIME Type

application/json

Table 81: DELETE /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

calculated_property_id

path

Required

Number (Integer)

text/plain

Required - String - The ID of the event calculated property to delete.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 82: DELETE /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} Response Codes

HTTP Response Code

Unique Code

Description

202

 

The calculated event property deletion task was accepted and is in progress.

403

1009

The requested delete action is unauthorized.

404

1002

The requested calculated event property cannot be found.

422

1005

One or more parameters are invalid in the request.

500

1020

An error occurred during the attempt to delete a calculated event property.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/calculated_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

Response Sample

{ "completed": 42, "created": 42, "created_by": "String", "id": 42, "message": "String", "modified": 42, "name": "String", "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents

Retrieves the objects that depend on the event calculated property.

Table 83: GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents Resource Details

MIME Type

application/json

Table 84: GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

calculated_property_id

path

Required

Number (Integer)

text/plain

Required - The ID of the event calculated property to get the dependents for.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 85: GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents Response Codes

HTTP Response Code

Unique Code

Description

202

 

The calculated event property dependents retrieval was accepted and is in progress.

403

1009

The user does not have the required authorization to start the task for finding dependents of the calculated event property.

404

1002

The requested calculated event property cannot be found.

422

1005

One or more parameters are invalid in the request.

500

1020

An error occurred during the attempt to initiate the calculated event property dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/calculated_property_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • cancelled_by - String - The name of the user who requested to cancel the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

  • number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • task_components - Array - An array of task component objects. A task component object contains the following fields:

    • message - String - The localized sub-task status message.

    • status - String - The current state of the sub-task.

    • sub_task_type - String - The type of the sub-task.

    • maximum - Long - The maximum number of objects to check for dependency.

    • progress - Long - The number of objects that were checked for dependency.

    • created - Long - The time, in milliseconds since epoch, when the sub-task was created.

    • started - Long - The time, in milliseconds since epoch, when the sub-task was started.

    • modified - Long - The time, in milliseconds since epoch, when the sub-task was modified.

    • completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING>" } ] }

GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}

Retrieves a calculated event property based on the supplied calculated property ID.

Table 86: GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} Resource Details

MIME Type

application/json

Table 87: GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| calculated_property_id | path | Required | Number (Integer) | text/plain | Required - String - The ID of the calculated event property. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 88: GET /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The requested calculated event property was retrieved. |
| 404 | 1002 | The requested calculated event property cannot be found. |
| 422 | 1005 | One or more parameters are invalid in the request. |
| 500 | 1020 | An error occurred during the attempt to retrieve the requested calculated event property. |

Response Description

A calculated event property that contains the following fields:

  • id - Number - A sequence id for the calculated event property.

  • identifier - String - A string that uniquely identifies the calculated event property.

  • name - String - The name of the calculated event property.

  • description - String - The description of the calculated event property.

  • enabled - Boolean - Whether the calculated event property is enabled.

  • first_operand - String - An operand object describing the first operand in the expression.

  • second_operand - String - An operand object describing the second operand in the expression.

  • operator - String - A string that represents one of the basic arithmetic operations in the expression.

  • username - String - The username of the creator of the calculated event property.

  • creation_date - Number - The time stamp for when the calculated event property is created in milliseconds since epoch.

  • modification_date - Number - The time stamp for when the calculated event property is last modified in milliseconds since epoch.

An operand object contains the following fields:

  • type - String - can be "STATIC" (for numeric operand) or "PROPERTY" (for operand that is a property).

  • numeric_value - Number - when property_type is "STATIC", this is the value of the operand; otherwise, it is suppressed.

  • property_name - String - when property_type is "PROPERTY", this is the name of the property that is being used as the operand; otherwise, it is suppressed.

Response Sample

{ "creation_date": 42, "description": "String", "enabled": true, "first_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "id": 42, "identifier": "String", "modification_date": 42, "name": "String", "operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>", "second_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "username": "String" }

POST /config/event_sources/custom_properties/calculated_properties/{calculated_property_id}

Updates an existing calculated event property.

Table 89: POST /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} Resource Details

MIME Type

application/json

Table 90: POST /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| calculated_property_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated event property. |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 91: POST /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

data

Object

application/json

Required - A JSON structure that contains the field_name-value pairs of the calculated event property that is to be updated.

  • description - Optional - String - The description of the calculated event property. Defaults to an empty string.

  • enabled - Optional - Boolean - Whether the calculated event property is enabled. Defaults to true.

  • first_operand - Optional - Operand Object - An object describing the first operand in the expression.

  • second_operand - Optional - Operand Object - An object describing the second operand in the expression.

  • operator - Optional - String - A string that represents one of the basic arithmetic operations in the expression. Defaults to "ADD".

{ "description": "String", "enabled": true, "first_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "name": "String", "operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>", "second_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "username": "String" }

Table 92: POST /config/event_sources/custom_properties/calculated_properties/{calculated_property_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The calculated event property was updated. |
| 403 | 1009 | The requested update action is unauthorized. |
| 404 | 1002 | The requested calculated event property cannot be found. |
| 422 | 1005 | One or more parameters are invalid in the request. |
| 500 | 1020 | An error occurred during the attempt to update a calculated event property. |

Response Description

The updated calculated event property that contains the following fields:

  • id - Number - A sequence id for the calculated event property.

  • identifier - String - A string that uniquely identifies the calculated event property.

  • name - String - The name of the calculated event property.

  • description - String - The description of the calculated event property.

  • enabled - Boolean - Whether the calculated event property is enabled.

  • first_operand - String - An operand object describing the first operand in the expression.

  • second_operand - String - An operand object describing the second operand in the expression.

  • operator - String - A string that represents one of the basic arithmetic operations in the expression.

  • username - String - The username of the creator of the calculated event property.

  • creation_date - Number - The time stamp for when the calculated event property is created in milliseconds since epoch.

  • modification_date - Number - The time stamp for when the calculated event property is last modified in milliseconds since epoch.

An operand object contains the following fields:

  • type - String - can be "STATIC" (for numeric operand) or "PROPERTY" (for operand that is a property).

  • numeric_value - Number - when property_type is "STATIC", this is the value of the operand; otherwise, it is suppressed.

  • property_name - String - when property_type is "PROPERTY", this is the name of the property that is being used as the operand; otherwise, it is suppressed.

Response Sample

{ "creation_date": 42, "description": "String", "enabled": true, "first_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "id": 42, "identifier": "String", "modification_date": 42, "name": "String", "operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>", "second_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "username": "String" }

GET /config/event_sources/custom_properties/calculated_properties

Retrieves a list of calculated event properties.

Table 93: GET /config/event_sources/custom_properties/calculated_properties Resource Details

MIME Type

application/json

Table 94: GET /config/event_sources/custom_properties/calculated_properties Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |

Table 95: GET /config/event_sources/custom_properties/calculated_properties Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The requested list of calculated event properties was retrieved. |
| 500 | 1020 | An error occurred during the attempt to retrieve the list of calculated event properties. |

Response Description

A list of calculated event properties. Each calculated event property contains the following fields:

  • id - Number - A sequence id for the calculated event property.

  • identifier - String - A string that uniquely identifies the calculated event property.

  • name - String - The name of the calculated event property.

  • description - String - The description of the calculated event property.

  • enabled - Boolean - Whether the calculated event property is enabled.

  • first_operand - String - An operand object describing the first operand in the expression.

  • second_operand - String - An operand object describing the second operand in the expression.

  • operator - String - A string that represents one of the basic arithmetic operations in the expression.

  • username - String - The username of the creator of the calculated event property.

  • creation_date - Number - The time stamp for when the calculated event property is created in milliseconds since epoch.

  • modification_date - Number - The time stamp for when the calculated event property is last modified in milliseconds since epoch.

An operand object contains the following fields:

  • type - String - can be "STATIC" (for numeric operand) or "PROPERTY" (for operand that is a property).

  • numeric_value - Number - when property_type is "STATIC", this is the value of the operand; otherwise, it is suppressed.

  • property_name - String - when property_type is "PROPERTY", this is the name of the property that is being used as the operand; otherwise, it is suppressed.

Response Sample

[ { "creation_date": 42, "description": "String", "enabled": true, "first_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "id": 42, "identifier": "String", "modification_date": 42, "name": "String", "operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>", "second_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "username": "String" } ]

POST /config/event_sources/custom_properties/calculated_properties

Creates a new calculated event property.

Table 96: POST /config/event_sources/custom_properties/calculated_properties Resource Details

MIME Type

application/json

Table 97: POST /config/event_sources/custom_properties/calculated_properties Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 98: POST /config/event_sources/custom_properties/calculated_properties Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

data

Object

application/json

Required - A JSON structure that contains the field_name-value pairs of the calculated event property that is to be created.

  • name - Required - String - The name of the calculated event property.

  • description - Optional - String - The description of the calculated event property. Defaults to an empty string.

  • enabled - Optional - Boolean - Whether the calculated event property is enabled. Defaults to true.

  • first_operand - Required - Operand Object - An object describing the first operand in the expression.

  • second_operand - Required - Operand Object - An object describing the second operand in the expression.

  • operator - Optional - String - A string that represents one of the basic arithmetic operations in the expression. Defaults to "ADD".

{ "description": "String", "enabled": true, "first_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "name": "String", "operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>", "second_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "username": "String" }

Table 99: POST /config/event_sources/custom_properties/calculated_properties Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 201 |  | The new calculated event property was created. |
| 403 | 1009 | The requested create action is unauthorized. |
| 409 | 1004 | The name of the calculated property has been used. |
| 422 | 1005 | One or more parameters are invalid in the request. |
| 500 | 1020 | An error occurred during the attempt to create a new calculated event property. |

Response Description

The newly created calculated event property that contains the following fields:

  • id - Number - A sequence id for the calculated event property.

  • identifier - String - A string that uniquely identifies the calculated event property.

  • name - String - The name of the calculated event property.

  • description - String - The description of the calculated event property.

  • enabled - Boolean - Whether the calculated event property is enabled.

  • first_operand - String - An operand object describing the first operand in the expression.

  • second_operand - String - An operand object describing the second operand in the expression.

  • operator - String - A string that represents one of the basic arithmetic operations in the expression.

  • username - String - The username of the creator of the calculated event property.

  • creation_date - Number - The time stamp for when the calculated event property is created in milliseconds since epoch.

  • modification_date - Number - The time stamp for when the calculated event property is last modified in milliseconds since epoch.

An operand object contains the following fields:

  • type - String - can be "STATIC" (for numeric operand) or "PROPERTY" (for operand that is a property).

  • numeric_value - Number - when property_type is "STATIC", this is the value of the operand; otherwise, it is suppressed.

  • property_name - String - when property_type is "PROPERTY", this is the name of the property that is being used as the operand; otherwise, it is suppressed.

Response Sample

{ "creation_date": 42, "description": "String", "enabled": true, "first_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "id": 42, "identifier": "String", "modification_date": 42, "name": "String", "operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>", "second_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "username": "String" }
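
The request bodies for creating and updating a calculated event property can be checked on the client before they are sent, so that a malformed body is caught locally instead of coming back as a 422. The Python below is an added example, not vendor code: the function names are hypothetical, the unknown-key rule is an assumption drawn from the request body sample above, and the divide-by-zero check is an extra client-side check rather than a documented server rule.

```python
OPERATORS = ("ADD", "SUBTRACT", "MULTIPLY", "DIVIDE")
OPERAND_TYPES = ("STATIC", "PROPERTY")
# Keys that appear in the request body sample on this page (assumption: any
# other key, such as id or creation_date, is set by the server and not sent).
BODY_KEYS = {"name", "description", "enabled", "first_operand",
             "second_operand", "operator", "username"}


def is_number(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def check_operand(label, operand):
    """Return the problems found in one operand object (empty list if none)."""
    if not isinstance(operand, dict):
        return [f"{label}: must be an operand object"]
    kind = operand.get("type")
    if kind == "STATIC":
        if not is_number(operand.get("numeric_value")):
            return [f"{label}: STATIC operand needs a numeric numeric_value"]
    elif kind == "PROPERTY":
        name = operand.get("property_name")
        if not isinstance(name, str) or not name.strip():
            return [f"{label}: PROPERTY operand needs a property_name"]
    else:
        return [f"{label}: type must be one of {', '.join(OPERAND_TYPES)}"]
    return []


def validate_calculated_property(body, creating):
    """Check a request body; creating=True applies the create-only requirements."""
    if not isinstance(body, dict):
        return ["body: must be a JSON object"]
    errors = [f"{key}: not a request body field"
              for key in sorted(set(body) - BODY_KEYS)]
    # name and both operands are Required on create, Optional on update.
    required = ("name", "first_operand", "second_operand") if creating else ()
    errors += [f"{key}: required when creating"
               for key in required if key not in body]
    if "name" in body and (not isinstance(body["name"], str)
                           or not body["name"].strip()):
        errors.append("name: must be a non-empty string")
    if "description" in body and not isinstance(body["description"], str):
        errors.append("description: must be a string")
    if "enabled" in body and not isinstance(body["enabled"], bool):
        errors.append("enabled: must be true or false")
    operator = body.get("operator", "ADD")  # documented default
    if operator not in OPERATORS:
        errors.append(f"operator: must be one of {', '.join(OPERATORS)}")
    for label in ("first_operand", "second_operand"):
        if label in body:
            errors += check_operand(label, body[label])
    # Extra client-side check, not a documented server rule.
    second = body.get("second_operand")
    if (operator == "DIVIDE" and isinstance(second, dict)
            and second.get("type") == "STATIC"
            and is_number(second.get("numeric_value"))
            and second["numeric_value"] == 0):
        errors.append("second_operand: DIVIDE by a STATIC value of 0")
    return errors


# Constructed sample body; the property names are made up for illustration.
SAMPLE_CREATE = {
    "name": "Constructed KiB Sent",
    "operator": "DIVIDE",
    "first_operand": {"type": "PROPERTY", "property_name": "Constructed Bytes Sent"},
    "second_operand": {"type": "STATIC", "numeric_value": 1024},
}

if __name__ == "__main__":
    print(validate_calculated_property(SAMPLE_CREATE, creating=True))
    print(validate_calculated_property({"enabled": False}, creating=True))
```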

GET /config/event_sources/custom_properties/calculated_property_delete_tasks/{task_id}

Retrieves the status of the event calculated property delete task.

Table 100: GET /config/event_sources/custom_properties/calculated_property_delete_tasks/{task_id} Resource Details

MIME Type

application/json

Table 101: GET /config/event_sources/custom_properties/calculated_property_delete_tasks/{task_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated property delete task. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 102: GET /config/event_sources/custom_properties/calculated_property_delete_tasks/{task_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The status of the event calculated property delete task was retrieved. |
| 404 | 1002 | The requested task status cannot be found. |
| 422 | 1005 | One or more parameters are invalid in the request. |
| 500 | 1020 | An error occurred during the attempt to retrieve the status of the deletion task. |

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/calculated_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

Response Sample

{ "completed": 42, "created": 42, "created_by": "String", "id": 42, "message": "String", "modified": 42, "name": "String", "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}

Retrieves the status of the event calculated property dependents task.

Table 103: GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} Resource Details

MIME Type

application/json

Table 104: GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated property dependent task status to retrieve. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 105: GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The status of the find dependents task was retrieved. |
| 404 | 1002 | The requested task status cannot be found. |
| 422 | 1005 | One or more parameters are invalid in the request. |
| 500 | 1020 | An error occurred during the attempt to retrieve the details of a task status. |

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • cancelled_by - String - The name of the user who requested to cancel the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

  • number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • task_components - Array - An array of task component objects. A task component object contains the following fields:

    • message - String - The localized sub-task status message.

    • status - String - The current state of the sub-task.

    • sub_task_type - String - The type of the sub-task.

    • maximum - Long - The maximum number of objects to check for dependency.

    • progress - Long - The number of objects that were checked for dependency.

    • created - Long - The time, in milliseconds since epoch, when the sub-task was created.

    • started - Long - The time, in milliseconds since epoch, when the sub-task was started.

    • modified - Long - The time, in milliseconds since epoch, when the sub-task was modified.

    • completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING>" } ] }

POST /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}

Cancels the event calculated property dependent task.

Table 106: POST /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} Resource Details

MIME Type

application/json

Table 107: POST /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated property dependent task status to cancel. |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 108: POST /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

task

Object

application/json

Required - Dependent Task Status object with the status set to "CANCEL_REQUESTED" is the only acceptable input.

{ "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 109: POST /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The dependent task status was retrieved. |
| 404 | 1002 | The dependent task status does not exist. |
| 409 | 1004 | The task is in a completed state. |
| 422 | 1005 | A request parameter is not valid. |
| 500 | 1020 | An error occurred during the attempt to update the dependent task status. |

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • cancelled_by - String - The name of the user who requested to cancel the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

  • number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • task_components - Array - An array of task component objects. A task component object contains the following fields:

    • message - String - The localized sub-task status message.

    • status - String - The current state of the sub-task.

    • sub_task_type - String - The type of the sub-task.

    • maximum - Long - The maximum number of objects to check for dependency.

    • progress - Long - The number of objects that were checked for dependency.

    • created - Long - The time, in milliseconds since epoch, when the sub-task was created.

    • started - Long - The time, in milliseconds since epoch, when the sub-task was started.

    • modified - Long - The time, in milliseconds since epoch, when the sub-task was modified.

    • completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING>" } ] }
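
The find-dependents endpoints form one asynchronous procedure: GET .../calculated_properties/{calculated_property_id}/dependents answers 202 with a task, the task is polled at .../calculated_property_dependent_tasks/{task_id}, and the Dependent objects are read from .../results (documented in the next entry). The Python below is an added example, not vendor code; the http_get callable, the choice of final statuses, and the canned responses are assumptions constructed for illustration, and it shows what to review before a calculated property that rules or saved searches rely on is changed.

```python
import time

BASE = "/config/event_sources/custom_properties"
# Assumption: statuses after which the task stops changing. The page lists the
# status values but does not say which of them are final.
FINAL_STATUSES = {"COMPLETED", "CANCELLED", "EXCEPTION", "CONFLICT", "INTERRUPTED"}


class DependentsError(Exception):
    """The find-dependents task could not be started, finished or read."""


def find_dependents(http_get, calculated_property_id, max_polls=30, delay=1.0,
                    sleep=time.sleep):
    """Start the task, poll it until it is final, return the Dependent objects.

    http_get is a caller-supplied function (hypothetical, not a vendor API) that
    takes an API path and returns (http_status, decoded_json_body).
    """
    prop_id = int(calculated_property_id)  # path parameter is Number (Integer)
    code, task = http_get(f"{BASE}/calculated_properties/{prop_id}/dependents")
    if code != 202:
        raise DependentsError(f"task not accepted: HTTP {code}")
    task_url = f"{BASE}/calculated_property_dependent_tasks/{int(task['id'])}"

    for _ in range(max_polls):
        code, task = http_get(task_url)
        if code != 200:
            raise DependentsError(f"task status unavailable: HTTP {code}")
        if task["status"] in FINAL_STATUSES:
            break
        sleep(delay)
    else:
        raise DependentsError(
            f"task still {task.get('status')} after {max_polls} polls")

    if task["status"] != "COMPLETED":
        raise DependentsError(
            f"task ended as {task['status']}: {task.get('message')}")
    code, dependents = http_get(f"{task_url}/results")
    if code != 200:
        raise DependentsError(f"results unavailable: HTTP {code}")
    return dependents


def summarize(dependents):
    """Group dependent names by type; list those the task's creator cannot edit."""
    by_type, locked = {}, []
    for dep in dependents:
        by_type.setdefault(dep["dependent_type"], []).append(dep["dependent_name"])
        if not dep.get("user_has_edit_permissions", False):
            locked.append(dep["dependent_name"])
    return by_type, locked


def make_fake_http_get():
    """Constructed responses standing in for the server, so this runs offline."""
    polls = {"count": 0}
    results = [  # constructed sample data; the dependent_type values are made up
        {"dependent_id": "100", "dependent_name": "Constructed rule A",
         "dependent_type": "RULE", "user_has_edit_permissions": True},
        {"dependent_id": "200", "dependent_name": "Constructed search B",
         "dependent_type": "ARIEL_SAVED_SEARCH", "user_has_edit_permissions": False},
    ]

    def http_get(path):
        if path == f"{BASE}/calculated_properties/7/dependents":
            return 202, {"id": 55, "status": "QUEUED"}
        if path == f"{BASE}/calculated_property_dependent_tasks/55":
            polls["count"] += 1
            done = polls["count"] >= 3  # the third poll reports completion
            return 200, {"id": 55,
                         "status": "COMPLETED" if done else "PROCESSING",
                         "number_of_dependents": 2 if done else None}
        if path == f"{BASE}/calculated_property_dependent_tasks/55/results":
            return 200, results
        return 404, {}

    return http_get


if __name__ == "__main__":
    found = find_dependents(make_fake_http_get(), 7, sleep=lambda s: None)
    print(summarize(found))
```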

GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results

Retrieves the calculated property dependent task results.

Table 110: GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results Resource Details

MIME Type

application/json

Table 111: GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| task_id | path | Required | Number (Integer) | text/plain | Required - The ID of the calculated property dependent task to retrieve results for. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 112: GET /config/event_sources/custom_properties/calculated_property_dependent_tasks/{task_id}/results Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The result of the find dependents task was retrieved. |
| 404 | 1002 | The result of the task cannot be found. |
| 500 | 1020 | An error occurred during the attempt to retrieve the result of a task. |

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

  • dependent_id - String - The ID of the dependent resource.

  • dependent_name - String - The name of the dependent resource (default resources can have localized names).

  • dependent_owner - String - The owner of the dependent resource.

  • dependent_type - String - The type of the dependent resource.

  • dependent_database - String - The database of the dependent resource.

  • dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.

  • user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample

[ { "blocking": true, "dependent_database": "String <one of: EVENTS, FLOWS>", "dependent_group_ids": [ 42 ], "dependent_id": "String", "dependent_name": "String", "dependent_owner": "String", "dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_REGEX_PROPERTY_DEPENDENCY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_REGEX_PROPERTY_DEPENDENCY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE, EVENT_AQL_PROPERTY, FLOW_AQL_PROPERTY, OFFENSE_TYPE, SECURITY_PROFILE, ARIEL_INDEX>", "user_has_edit_permissions": true } ]
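The following added example (not part of the original reference) triages a results list before a custom property is changed or removed, using the fields documented above. The sample data is constructed, the function names are hypothetical, and two readings are assumptions: that only a task in status COMPLETED has a full result set, and that `blocking` marks a dependent that prevents the change.

```python
import json
from collections import Counter

# Constructed sample data, shaped like the task-status and results samples above.
SAMPLE_TASK = json.loads("""
{"id": 7, "status": "COMPLETED", "maximum": 40, "progress": 40,
 "number_of_dependents": 3}
""")

SAMPLE_RESULTS = json.loads("""
[
 {"blocking": true, "dependent_database": "EVENTS", "dependent_group_ids": [12],
  "dependent_id": "101", "dependent_name": "Constructed rule",
  "dependent_owner": "admin", "dependent_type": "CRE_RULE",
  "user_has_edit_permissions": false},
 {"blocking": false, "dependent_database": "EVENTS", "dependent_group_ids": [],
  "dependent_id": "202", "dependent_name": "Constructed report",
  "dependent_owner": "analyst1", "dependent_type": "REPORT",
  "user_has_edit_permissions": true},
 {"blocking": false, "dependent_database": "FLOWS", "dependent_group_ids": [3],
  "dependent_id": "303", "dependent_name": "Constructed search",
  "dependent_owner": "analyst2", "dependent_type": "ARIEL_SAVED_SEARCH",
  "user_has_edit_permissions": false}
]
""")


def task_progress(task):
    """Return (done, percent) from a task-status object.

    Assumption: COMPLETED is the only status with a full result set.
    """
    maximum = task.get("maximum") or 0
    progress = task.get("progress") or 0
    percent = round(100.0 * progress / maximum, 1) if maximum else 0.0
    return task.get("status") == "COMPLETED", percent


def triage_dependents(results):
    """Group dependents by type and list the ones that need attention.

    A field missing from an entry (for example because the `fields`
    parameter excluded it) is treated as the unsafe value.
    """
    by_type = Counter(d.get("dependent_type", "UNKNOWN") for d in results)
    blocking = [d["dependent_id"] for d in results if d.get("blocking", True)]
    not_editable = [d for d in results
                    if not d.get("user_has_edit_permissions", False)]
    return {
        "by_type": dict(by_type),
        "blocking": blocking,
        "not_editable": [d["dependent_id"] for d in not_editable],
        "owners_to_contact": sorted({d.get("dependent_owner", "unknown")
                                     for d in not_editable}),
    }


def safe_to_change(task, results):
    """True only if the task finished and no dependent blocks the change
    or is outside the requesting user's edit permissions."""
    done, _ = task_progress(task)
    triage = triage_dependents(results)
    return done and not triage["blocking"] and not triage["not_editable"]


if __name__ == "__main__":
    print(task_progress(SAMPLE_TASK))
    print(json.dumps(triage_dependents(SAMPLE_RESULTS), indent=2))
    print("safe to change:", safe_to_change(SAMPLE_TASK, SAMPLE_RESULTS))
```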

GET /config/event_sources/custom_properties/calculated_property_operands

Retrieves the list of available options for calculated event property operand.

Table 113: GET /config/event_sources/custom_properties/calculated_property_operands Resource Details

MIME Type

application/json

Table 114: GET /config/event_sources/custom_properties/calculated_property_operands Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |

Table 115: GET /config/event_sources/custom_properties/calculated_property_operands Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The list of available options for calculated event property operand was retrieved. |
| 500 | 1020 | An error occurred during the attempt to retrieve the available options for calculated event property operand. |

Response Description

An array that contains the available options for calculated event property operand.

Response Sample

[ "String" ]

GET /config/event_sources/custom_properties/property_expressions

Retrieves a list of event regex property expressions.

Table 116: GET /config/event_sources/custom_properties/property_expressions Resource Details

MIME Type

application/json

Table 117: GET /config/event_sources/custom_properties/property_expressions Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |

Table 118: GET /config/event_sources/custom_properties/property_expressions Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The requested list of event regex property expressions was retrieved. |
| 422 | 1010 | An error occurred while building the filter. |
| 500 | 1020 | An error occurred during the attempt to retrieve the list of event regex property expressions. |

Response Description

A list of event regex property expressions. Each regex property expression contains the following fields:

  • id - Integer - The sequence ID of the event regex property expression.

  • identifier - String - The ID of the event regex property expression.

  • regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.

  • enabled - Boolean - Flag that indicates whether this expression is enabled.

  • regex - String - The regex to extract the property from the payload.

  • capture_group - Integer - The capture group to capture.

  • payload - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.

  • log_source_type_id - Integer - The expression is only applied to events for this log source type.

  • log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).

  • qid - Integer - The expression is only applied to events associated with this QID record.

  • low_level_category_id - Integer - The expression is only applied to events with this low level category.

  • username - String - The owner of the event regex property expression.

Response Sample

[ { "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" } ]

POST /config/event_sources/custom_properties/property_expressions

Creates a new event regex property expression.

Table 119: POST /config/event_sources/custom_properties/property_expressions Resource Details

MIME Type

application/json

Table 120: POST /config/event_sources/custom_properties/property_expressions Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 121: POST /config/event_sources/custom_properties/property_expressions Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

data

Object

application/json

Required - A JSON representation of the regex property expression object

  • regex_property_identifier - Required - String - The identifier of the event regex property that this expression belongs to.

  • enabled - Optional - Boolean - Flag that indicates whether this expression is enabled. It defaults to true if not provided.

  • regex - Required - String - The regex to extract the property from the payload.

  • capture_group - Optional - Integer - The capture group to capture. It defaults to 1 if not provided.

  • payload - Optional - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.

  • log_source_type_id - Required - Integer - The expression is only applied to events for this log source type.

  • log_source_id - Optional - Integer - The expression is only applied to events for this log source (more specific than type alone).

  • qid - Optional - Integer - The expression is only applied to events associated with this QID record.

  • low_level_category_id - Optional - Integer - The expression is only applied to events with this low level category.

{ "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }

Table 122: POST /config/event_sources/custom_properties/property_expressions Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 201 |  | A new event regex property expression was created. |
| 422 | 1005 | One or more request parameters are invalid in the request. |
| 500 | 1020 | An error occurred during the attempt to create a new event regex property expression. |

Response Description

The newly created event regex property expression that contains the following fields:

  • id - Integer - The sequence ID of the event regex property expression.

  • identifier - String - The ID of the event regex property expression.

  • regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.

  • enabled - Boolean - Flag that indicates whether this expression is enabled.

  • regex - String - The regex to extract the property from the payload.

  • capture_group - Integer - The capture group to capture.

  • payload - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.

  • log_source_type_id - Integer - The expression is only applied to events for this log source type.

  • log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).

  • qid - Integer - The expression is only applied to events associated with this QID record.

  • low_level_category_id - Integer - The expression is only applied to events with this low level category.

  • username - String - The owner of the event regex property expression.

Response Sample

{ "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }
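The following added example (not part of the original reference) pre-checks a create request body against the field list above before it is sent: required fields, the documented defaults, integer types, and whether `capture_group` exists in the regex. The function names and sample values are hypothetical and constructed, and Python's `re` module stands in for the server's regex engine, which is an assumption: syntax accepted here may differ on the server.

```python
import re

# Fields documented for the create request body above.
ALLOWED = ("regex_property_identifier", "enabled", "regex", "capture_group",
           "payload", "log_source_type_id", "log_source_id", "qid",
           "low_level_category_id")
REQUIRED = ("regex_property_identifier", "regex", "log_source_type_id")
INT_FIELDS = ("capture_group", "log_source_type_id", "log_source_id", "qid",
              "low_level_category_id")

# Constructed sample input; the identifier is a placeholder, not a real ID.
SAMPLE_FIELDS = {
    "regex_property_identifier": "PLACEHOLDER-PROPERTY-ID",
    "regex": r"user=(\w+)\s+src=(\d{1,3}(?:\.\d{1,3}){3})",
    "capture_group": 2,
    "payload": "<13>Jan 01 00:00:00 host app: user=alice src=192.0.2.10 action=login",
    "log_source_type_id": 42,
}


def is_int(value):
    """True for integers; bool is excluded because it subclasses int."""
    return isinstance(value, int) and not isinstance(value, bool)


def build_expression_body(fields):
    """Return (body, errors) for a create request.

    Applies the documented defaults (enabled=true, capture_group=1) and
    reports every problem found instead of stopping at the first one.
    """
    errors = []
    for name in sorted(set(fields) - set(ALLOWED)):
        errors.append(f"{name}: not a documented create field")
    body = {name: fields[name] for name in ALLOWED if name in fields}
    body.setdefault("enabled", True)
    body.setdefault("capture_group", 1)

    for name in REQUIRED:
        if body.get(name) in (None, ""):
            errors.append(f"{name}: required")
    for name in INT_FIELDS:
        if name in body and not is_int(body[name]):
            errors.append(f"{name}: must be an integer")
    if not isinstance(body["enabled"], bool):
        errors.append("enabled: must be a boolean")

    regex = body.get("regex")
    if isinstance(regex, str) and regex:
        try:
            compiled = re.compile(regex)
        except re.error as exc:
            errors.append(f"regex: does not compile ({exc})")
        else:
            group = body["capture_group"]
            if is_int(group) and not 0 <= group <= compiled.groups:
                errors.append(f"capture_group: {group} is outside the "
                              f"{compiled.groups} group(s) the regex defines")
    elif regex not in (None, ""):
        errors.append("regex: must be a string")
    return body, errors


def extract_from_payload(body):
    """Run the regex over the test payload and return the captured value.

    Local approximation of the payload check; call it only on a body that
    build_expression_body() returned without errors.
    """
    payload = body.get("payload")
    if not isinstance(payload, str) or not payload:
        return None
    match = re.search(body["regex"], payload)
    return match.group(body["capture_group"]) if match else None


if __name__ == "__main__":
    body, errors = build_expression_body(SAMPLE_FIELDS)
    print(errors or "body is valid")
    print("captured:", extract_from_payload(body))
```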

GET /config/event_sources/custom_properties/property_expressions/{expression_id}

Retrieves an event regex property expression based on the supplied expression ID.

Table 123: GET /config/event_sources/custom_properties/property_expressions/{expression_id} Resource Details

MIME Type

application/json

Table 124: GET /config/event_sources/custom_properties/property_expressions/{expression_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| expression_id | path | Required | Number (Integer) | text/plain | Required - The Guid ID of the event_regex_property_expression. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 125: GET /config/event_sources/custom_properties/property_expressions/{expression_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The requested event regex property expression was successfully retrieved. |
| 404 | 1002 | The requested event regex property expression cannot be found. |
| 500 | 1020 | An error occurred during the attempt to retrieve the requested event regex property expression. |

Response Description

An event regex property expression that contains the following fields:

  • id - Integer - The sequence ID of the event regex property expression.

  • identifier - String - The ID of the event regex property expression.

  • regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.

  • enabled - Boolean - Flag that indicates whether this expression is enabled.

  • regex - String - The regex to extract the property from the payload.

  • capture_group - Integer - The capture group to capture.

  • payload - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.

  • log_source_type_id - Integer - The expression is only applied to events for this log source type.

  • log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).

  • qid - Integer - The expression is only applied to events associated with this QID record.

  • low_level_category_id - Integer - The expression is only applied to events with this low level category.

  • username - String - The owner of the event regex property expression.

Response Sample

{ "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }

POST /config/event_sources/custom_properties/property_expressions/{expression_id}

Updates an existing event regex property expression.

Table 126: POST /config/event_sources/custom_properties/property_expressions/{expression_id} Resource Details

MIME Type

application/json

Table 127: POST /config/event_sources/custom_properties/property_expressions/{expression_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| expression_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the event regex property expression. |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 128: POST /config/event_sources/custom_properties/property_expressions/{expression_id} Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

data

Object

application/json

Required - A JSON representation of the event regex property expression object.

  • regex_property_identifier - Optional - String - The identifier of the event regex property that this expression belongs to.

  • enabled - Optional - Boolean - Flag that indicates whether this expression is enabled.

  • regex - Optional - String - The regex to extract the property from the payload.

  • capture_group - Optional - Integer - The capture group to capture.

  • payload - Optional - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.

  • log_source_type_id - Optional - Integer - The expression is only applied to events for this log source type.

  • log_source_id - Optional - Integer - The expression is only applied to events for this log source (more specific than type alone).

  • qid - Optional - Integer - The expression is only applied to events associated with this QID record.

  • low_level_category_id - Optional - Integer - The expression is only applied to events with this low level category.

  • username - Optional - String - The owner of the event regex property expression. If the input username is an authorized service, the prefix "API_token: " is required.

{ "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }

Table 129: POST /config/event_sources/custom_properties/property_expressions/{expression_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The event regex property expression was updated. |
| 403 | 1009 | The user cannot update the resource because it can only be updated by the owner or an admin user. |
| 404 | 1002 | The requested event regex property expression cannot be found. |
| 422 | 1005 | One or more parameters are invalid in the request. |
| 500 | 1020 | An error occurred during the attempt to update an event regex property expression. |

Response Description

The updated event regex property expression object contains the following fields:

  • id - Integer - The sequence ID of the event regex property expression.

  • identifier - String - The ID of the event regex property expression.

  • regex_property_identifier - String - The ID of the event regex property that this expression belongs to.

  • enabled - Boolean - Flag that indicates whether this expression is enabled.

  • regex - String - The regex to extract the property from the payload.

  • capture_group - Integer - The capture group to capture.

  • payload - String - Test payload. This parameter is only used in the UI so that the user can verify their regex matches the expected payload.

  • log_source_type_id - Integer - The expression is only applied to events for this log source type.

  • log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).

  • qid - Integer - The expression is only applied to events associated with this QID record.

  • low_level_category_id - Integer - The expression is only applied to events with this low level category.

  • username - String - The owner of the event regex property expression.

Response Sample

{ "capture_group": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex": "String", "regex_property_identifier": "String", "username": "String" }

DELETE /config/event_sources/custom_properties/property_expressions/{expression_id}

Deletes an event regex property expression based on the supplied expression ID.

Table 130: DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} Resource Details

MIME Type

text/plain

Table 131: DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| expression_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the event_regex_property_expression. |

Table 132: DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 204 |  | The requested event regex property expression was successfully deleted. |
| 403 | 1009 | The user cannot delete the resource because it can only be deleted by the owner or an admin user. |
| 404 | 1002 | The requested event regex property expression cannot be found. |
| 500 | 1020 | An error occurred during the attempt to delete the requested event regex property expression. |

DELETE /config/event_sources/custom_properties/property_json_expressions/{expression_id}

Deletes an Ariel property JSON expression based on the supplied expression ID.

Table 133: DELETE /config/event_sources/custom_properties/property_json_expressions/{expression_id} Resource Details

MIME Type

text/plain

Table 134: DELETE /config/event_sources/custom_properties/property_json_expressions/{expression_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| expression_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the event_regex_property_expression. |

Table 135: DELETE /config/event_sources/custom_properties/property_json_expressions/{expression_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 204 |  | The requested Ariel property JSON expression was successfully deleted. |
| 403 | 1009 | The user cannot delete the resource because it can only be deleted by the owner or an admin user. |
| 404 | 1002 | The requested Ariel property JSON expression cannot be found. |
| 500 | 1020 | An error occurred during the attempt to delete the requested Ariel property JSON expression. |

GET /config/event_sources/custom_properties/property_json_expressions/{expression_id}

Retrieves an Ariel property JSON expression based on the supplied expression ID.

Table 136: GET /config/event_sources/custom_properties/property_json_expressions/{expression_id} Resource Details

MIME Type

application/json

Table 137: GET /config/event_sources/custom_properties/property_json_expressions/{expression_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| expression_id | path | Required | Number (Integer) | text/plain | Required - The Sequence ID of the Ariel_property_JSON_expression. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 138: GET /config/event_sources/custom_properties/property_json_expressions/{expression_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The requested Ariel property JSON expression was successfully retrieved. |
| 404 | 1002 | The requested Ariel property JSON expression cannot be found. |
| 500 | 1020 | An error occurred during the attempt to retrieve the requested Ariel property JSON expression. |

Response Description

An Ariel property JSON expression that contains the following fields:

  • id - Integer - The sequence ID of the Ariel property JSON expression.

  • identifier - String - The ID of the Ariel property JSON expression.

  • regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.

  • enabled - Boolean - Flag that indicates whether this expression is enabled.

  • expression - String - The JSON expression path to find the property value from the JSON payload.

  • payload - String - Test payload. This parameter is only used in the UI so that you can verify your expression matches the expected payload.

  • log_source_type_id - Integer - The expression is only applied to events for this log source type.

  • log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).

  • qid - Integer - The expression is only applied to events associated with this QID record.

  • low_level_category_id - Integer - The expression is only applied to events with this low level category.

  • username - String - The owner of the Ariel property JSON expression.

Response Sample

{ "creation_date": 42, "enabled": true, "expression": "String", "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex_property_identifier": "String", "username": "String" }

POST /config/event_sources/custom_properties/property_json_expressions/{expression_id}

Updates an existing Ariel property JSON expression.

Table 139: POST /config/event_sources/custom_properties/property_json_expressions/{expression_id} Resource Details

MIME Type

application/json

Table 140: POST /config/event_sources/custom_properties/property_json_expressions/{expression_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| expression_id | path | Required | Number (Integer) | text/plain | Required - The sequence ID of the Ariel property JSON expression. |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 141: POST /config/event_sources/custom_properties/property_json_expressions/{expression_id} Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

data

Object

application/json

Required - A JSON representation of the Ariel property JSON expression object.

  • regex_property_identifier - Optional - String - The identifier of the event regex property that this expression belongs to.

  • enabled - Optional - Boolean - Flag that indicates whether this expression is enabled.

  • expression - Optional - String - The JSON expression path to find the property value from the JSON payload.

  • payload - Optional - String - Test payload. This parameter is only used in the UI so that you can verify your expression matches the expected payload.

  • log_source_type_id - Optional - Integer - The expression is only applied to events for this log source type.

  • log_source_id - Optional - Integer - The expression is only applied to events for this log source (more specific than type alone).

  • qid - Optional - Integer - The expression is only applied to events associated with this QID record.

  • low_level_category_id - Optional - Integer - The expression is only applied to events with this low level category.

  • username - Optional - String - The owner of the Ariel property JSON expression. If the input username is an authorized service, the prefix "API_token: " is required.

{ "creation_date": 42, "enabled": true, "expression": "String", "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex_property_identifier": "String", "username": "String" }

Table 142: POST /config/event_sources/custom_properties/property_json_expressions/{expression_id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The Ariel property JSON expression was updated. |
| 403 | 1009 | The user cannot update the resource because it can only be updated by the owner or an admin user. |
| 404 | 1002 | The requested Ariel property JSON expression cannot be found. |
| 422 | 1005 | One or more parameters are invalid in the request. |
| 500 | 1020 | An error occurred during the attempt to update an Ariel property JSON expression. |

Response Description

The updated Ariel property JSON expression object contains the following fields:

  • id - Integer - The sequence ID of the Ariel property JSON expression.

  • identifier - String - The ID of the Ariel property JSON expression.

  • regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.

  • enabled - Boolean - Flag that indicates whether this expression is enabled.

  • expression - String - The JSON expression path to find the property value from the JSON payload.

  • payload - String - Test payload. This parameter is only used in the UI so that you can verify your expression matches the expected payload.

  • log_source_type_id - Integer - The expression is only applied to events for this log source type.

  • log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).

  • qid - Integer - The expression is only applied to events associated with this QID record.

  • low_level_category_id - Integer - The expression is only applied to events with this low level category.

  • username - String - The owner of the Ariel property JSON expression.

Response Sample

{ "creation_date": 42, "enabled": true, "expression": "String", "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex_property_identifier": "String", "username": "String" }

GET /config/event_sources/custom_properties/property_json_expressions

Retrieves a list of Ariel property JSON expressions.

Table 143: GET /config/event_sources/custom_properties/property_json_expressions Resource Details

MIME Type

application/json

Table 144: GET /config/event_sources/custom_properties/property_json_expressions Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |

Table 145: GET /config/event_sources/custom_properties/property_json_expressions Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 |  | The requested list of Ariel property JSON expressions was retrieved. |
| 422 | 1010 | An error occurred while building the filter. |
| 500 | 1020 | An error occurred during the attempt to retrieve the list of Ariel property JSON expressions. |

Response Description

A list of Ariel property JSON expressions. Each Ariel property JSON expression contains the following fields:

  • id - Integer - The sequence ID of the Ariel property JSON expression.

  • identifier - String - The ID of the Ariel property JSON expression.

  • regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.

  • enabled - Boolean - Flag that indicates whether this expression is enabled.

  • expression - String - The JSON expression path to find the property value from the JSON payload.

  • payload - String - Test payload. This parameter is only used in the UI so that you can verify your expression matches the expected payload.

  • log_source_type_id - Integer - The expression is only applied to events for this log source type.

  • log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).

  • qid - Integer - The expression is only applied to events associated with this QID record.

  • low_level_category_id - Integer - The expression is only applied to events with this low level category.

  • username - String - The owner of the Ariel property JSON expression.

Response Sample

[ { "creation_date": 42, "enabled": true, "expression": "String", "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex_property_identifier": "String", "username": "String" } ]

POST /config/event_sources/custom_properties/property_json_expressions

Creates a new Ariel property JSON expression.

Table 146: POST /config/event_sources/custom_properties/property_json_expressions Resource Details

MIME Type

application/json

Table 147: POST /config/event_sources/custom_properties/property_json_expressions Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

fields

header

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 148: POST /config/event_sources/custom_properties/property_json_expressions Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

data

Object

application/json

Required - A JSON representation of the Ariel property JSON expression object.

  • regex_property_identifier - Required - String - The identifier of the event regex property that this expression belongs to.

  • enabled - Optional - Boolean - Flag that indicates whether this expression is enabled. It defaults to true if not provided.

  • expression - Required - String - The JSON expression path to find the property value from the JSON payload.

  • payload - Optional - String - Test payload. This parameter is only used in the UI so that you can verify your expression matches the expected payload.

  • log_source_type_id - Required - Integer - The expression is only applied to events for this log source type.

  • log_source_id - Optional - Integer - The expression is only applied to events for this log source (more specific than type alone).

  • qid - Optional - Integer - The expression is only applied to events associated with this QID record.

  • low_level_category_id - Optional - Integer - The expression is only applied to events with this low level category.

{ "creation_date": 42, "enabled": true, "expression": "String", "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex_property_identifier": "String", "username": "String" }

Table 149: POST /config/event_sources/custom_properties/property_json_expressions Response Codes

HTTP Response Code

Unique Code

Description

201

 

A new Ariel property JSON expression was created.

422

1005

One or more request parameters are invalid in the request.

500

1020

An error occurred during the attempt to create a new Ariel property JSON expression.

Response Description

The newly created Ariel property JSON expression that contains the following fields:

  • id - Integer - The sequence ID of the Ariel property JSON expression.

  • identifier - String - The ID of the Ariel property JSON expression.

  • regex_property_identifier - String - The identifier of the event regex property that this expression belongs to.

  • enabled - Boolean - Flag that indicates whether this expression is enabled.

  • expression - String - The JSON expression path to find the property value from the JSON payload.

  • payload - String - Test payload. This parameter is only used in the UI so that you can verify your expression matches the expected payload.

  • log_source_type_id - Integer - The expression is only applied to events for this log source type.

  • log_source_id - Integer - The expression is only applied to events for this log source (more specific than type alone).

  • qid - Integer - The expression is only applied to events associated with this QID record.

  • low_level_category_id - Integer - The expression is only applied to events with this low level category.

  • username - String - The owner of the Ariel property JSON expression.

Response Sample

{ "creation_date": 42, "enabled": true, "expression": "String", "id": 42, "identifier": "String", "log_source_id": 42, "log_source_type_id": 42, "low_level_category_id": 42, "modification_date": 42, "payload": "String", "qid": 42, "regex_property_identifier": "String", "username": "String" }

GET /config/event_sources/custom_properties/regex_properties

Retrieves a list of event regex properties.

Table 150: GET /config/event_sources/custom_properties/regex_properties Resource Details

MIME Type

application/json

Table 151: GET /config/event_sources/custom_properties/regex_properties Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

filter

query

Optional

String

text/plain

Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Range

header

Optional

String

text/plain

Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 152: GET /config/event_sources/custom_properties/regex_properties Response Codes

HTTP Response Code

Unique Code

Description

200

 

The requested list of event regex properties was retrieved.

422

1010

An error occurred while building the filter.

500

1020

An error occurred during the attempt to retrieve the list of event regex properties.

Response Description

A list of event regex properties. Each regex property contains the following fields:

  • id - Integer - The sequence ID of the event regex property.

  • identifier - String - The ID of the event regex property.

  • name - String - The name of the event regex property.

  • username - String - The owner of the event regex property.

  • description - String - The description of the event regex property.

  • property_type - String - The property type (STRING, NUMERIC, IP, PORT, TIME) of the event regex property.

  • use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.

  • datetime_format - String - The date/time pattern that the event regex property matches.

  • locale - String - The language tag of the locale that the property matches.

  • auto_discovered - Boolean - The flag to indicate if the event regex property is generated by the custom properties discovery engine.

Response Sample

[ { "auto_discovered": true, "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" } ]

POST /config/event_sources/custom_properties/regex_properties

Creates a new event regex property.

Table 153: POST /config/event_sources/custom_properties/regex_properties Resource Details

MIME Type

application/json

Table 154: POST /config/event_sources/custom_properties/regex_properties Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

fields

header

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 155: POST /config/event_sources/custom_properties/regex_properties Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

data

Object

application/json

Required - A JSON representation of the event regex property object.

  • name - Required - String - The name of the event regex property.

  • description - Optional - String - The description of the event regex property.

  • property_type - Required - String - The property type (string, numeric, ip, port, time) of the event regex property.

  • use_for_rule_engine - Optional - Boolean - The flag to indicate if the event regex property is parsed when the event is received. It is false if no value is supplied.

  • datetime_format - Optional - String - The date/time pattern that the event regex property matches. It is required when property type is TIME.

  • locale - Optional - String - The language tag of the locale that the property matches. The locale is required when the property type is TIME.

{ "auto_discovered": true, "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

Table 156: POST /config/event_sources/custom_properties/regex_properties Response Codes

HTTP Response Code

Unique Code

Description

201

 

A new event regex property was created.

422

1005

One or more request parameters are invalid in the request.

500

1020

An error occurred during the attempt to create a new event regex property.

Response Description

The newly created event regex property that contains the following fields:

  • id - Integer - The sequence ID of the event regex property.

  • identifier - String - The ID of the event regex property.

  • name - String - The name of the event regex property.

  • username - String - The owner of the event regex property.

  • description - String - The description of the event regex property.

  • property_type - String - The property type (string, numeric, ip, port, time) of the event regex property.

  • use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.

  • datetime_format - String - The date/time pattern that the event regex property matches.

  • locale - String - The language tag of the locale that the property matches.

  • auto_discovered - Boolean - The flag to indicate if the event regex property is generated by the custom properties discovery engine.

Response Sample

{ "auto_discovered": true, "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}

Retrieves an event regex property based on the supplied regex property ID.

Table 157: GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} Resource Details

MIME Type

application/json

Table 158: GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

regex_property_id

path

Required

Number (Integer)

text/plain

Required - The sequence ID of the event regex property.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 159: GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The requested event regex property was successfully retrieved.

404

1002

The requested event regex property cannot be found.

500

1020

An error occurred during the attempt to retrieve the requested event regex property.

Response Description

An event regex property that contains the following fields:

  • id - Integer - The sequence ID of the event regex property.

  • identifier - String - The ID of the event regex property.

  • name - String - The name of the event regex property.

  • username - String - The owner of the event regex property.

  • description - String - The description of the event regex property.

  • property_type - String - The property type (string, numeric, ip, port, time) of the event regex property.

  • use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.

  • datetime_format - String - The date/time pattern that the event regex property matches.

  • locale - String - The language tag of the locale that the property matches.

  • auto_discovered - Boolean - The flag to indicate if the event regex property is generated by the custom properties discovery engine.

Response Sample

{ "auto_discovered": true, "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

POST /config/event_sources/custom_properties/regex_properties/{regex_property_id}

Updates an existing event regex property.

Table 160: POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} Resource Details

MIME Type

application/json

Table 161: POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

regex_property_id

path

Required

Number (Integer)

text/plain

Required - The sequence ID of the event regex property.

fields

header

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 162: POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

data

Object

application/json

Required - A JSON representation of the event regex property object.

  • description - Optional - String - The description of the event regex property.

  • property_type - Optional - String - The property type (string, numeric, ip, port, time) of the event regex property.

  • use_for_rule_engine - Optional - Boolean - The flag to indicate if the event regex property is parsed when the event is received.

  • datetime_format - Optional - String - The date/time pattern that the event regex property matches. It is required when property type is TIME.

  • locale - Optional - String - The language tag of the locale that the property matches. The locale is required when the property type is TIME.

  • username - Optional - String - The owner of the event regex property. If the input username is an authorized service, the prefix "API_token: " is required.

{ "auto_discovered": true, "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

Table 163: POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The event regex property was updated.

403

1009

The user cannot update the resource because it can be updated only by the owner or an admin user.

404

1002

The requested event regex property cannot be found.

422

1005

One or more parameters are invalid in the request.

500

1020

An error occurred during the attempt to update an event regex property.

Response Description

The updated event regex property object contains the following fields:

  • id - Integer - The sequence ID of the event regex property.

  • identifier - String - The ID of the event regex property.

  • name - String - The name of the event regex property.

  • username - String - The owner of the event regex property.

  • description - String - The description of the event regex property.

  • property_type - String - The property type (string, numeric, ip, port, time) of the event regex property.

  • use_for_rule_engine - Boolean - The flag to indicate if the event regex property is parsed when the event is received.

  • datetime_format - String - The date/time pattern that the event regex property matches.

  • locale - String - The language tag of the locale that the property matches.

  • auto_discovered - Boolean - The flag to indicate if the event regex property is generated by the custom properties discovery engine.

Response Sample

{ "auto_discovered": true, "creation_date": 42, "datetime_format": "String", "description": "String", "id": 42, "identifier": "String", "locale": "String", "modification_date": 42, "name": "String", "property_type": "String <one of: string, numeric, ip, port, time>", "use_for_rule_engine": true, "username": "String" }

DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id}

Deletes an event regex property. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task is started to do this check.

Table 164: DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} Resource Details

MIME Type

application/json

Table 165: DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

regex_property_id

path

Required

Number (Integer)

text/plain

null

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 166: DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} Response Codes

HTTP Response Code

Unique Code

Description

202

 

The event regex property delete request was accepted and is in progress.

403

1009

The user cannot delete the regex_property because it can be deleted only by the owner or an admin user.

404

1002

The requested event regex property cannot be found.

500

1020

An error occurred while attempting to delete the event regex property.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

Response Sample

{ "completed": 42, "created": 42, "created_by": "String", "id": 42, "message": "String", "modified": 42, "name": "String", "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents

Retrieves the objects that depend on the event regex property.

Table 167: GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents Resource Details

MIME Type

application/json

Table 168: GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

regex_property_id

path

Required

Number (Integer)

text/plain

null

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 169: GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents Response Codes

HTTP Response Code

Unique Code

Description

202

 

The event regex property dependents retrieval was accepted and is in progress.

404

1002

The event regex property does not exist.

500

1020

An error occurred while attempting to initiate the event regex property dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • cancelled_by - String - The name of the user who requested to cancel the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

  • number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • task_components - Array - An array of task component objects. A task component object contains the following fields:

    • message - String - The localized sub-task status message.

    • status - String - The current state of the sub-task.

    • sub_task_type - String - The type of the sub-task.

    • maximum - Long - The maximum number of objects to check for dependency.

    • progress - Long - The number of objects that were checked for dependency.

    • created - Long - The time, in milliseconds since epoch, when the sub-task was created.

    • started - Long - The time, in milliseconds since epoch, when the sub-task was started.

    • modified - Long - The time, in milliseconds since epoch, when the sub-task was modified.

    • completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>" } ] }

GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id}

Retrieves the event regex property delete task status.

Table 170: GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} Resource Details

MIME Type

application/json

Table 171: GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

task_id

path

Required

Number (Integer)

text/plain

null

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 172: GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The delete task status was retrieved.

404

1002

The requested delete task status cannot be found.

422

1005

The task ID is invalid in the request.

500

1020

An error occurred during the attempt to retrieve the delete task status.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

Response Sample

{ "completed": 42, "created": 42, "created_by": "String", "id": 42, "message": "String", "modified": 42, "name": "String", "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}

Retrieves the event regex property dependent task status.

Table 173: GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} Resource Details

MIME Type

application/json

Table 174: GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

task_id

path

Required

Number (Integer)

text/plain

null

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 175: GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The dependent task status was retrieved.

404

1002

The requested dependent task status cannot be found.

422

1005

The task ID is invalid in the request.

500

1020

An error occurred during the attempt to retrieve the task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • cancelled_by - String - The name of the user who requested to cancel the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

  • number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • task_components - Array - An array of task component objects. A task component object contains the following fields:

    • message - String - The localized sub-task status message.

    • status - String - The current state of the sub-task.

    • sub_task_type - String - The type of the sub-task.

    • maximum - Long - The maximum number of objects to check for dependency.

    • progress - Long - The number of objects that were checked for dependency.

    • created - Long - The time, in milliseconds since epoch, when the sub-task was created.

    • started - Long - The time, in milliseconds since epoch, when the sub-task was started.

    • modified - Long - The time, in milliseconds since epoch, when the sub-task was modified.

    • completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>" } ] }
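The DELETE and dependents endpoints above both answer 202 and hand back a task status URL in the Location header, which is then polled until the task reaches a final state. The following Python code is an added example, not part of the original reference: it runs the dependents check first and issues the DELETE only when the check reports zero dependents, so a property that rules or saved searches still use is not removed. The `transport` callable, the `FakeServer` stand-in, its error body and the set of terminal states are assumptions made for illustration.

```python
import re
import time
from urllib.parse import urlparse

BASE = "/config/event_sources/custom_properties"
# Assumption (not stated on the page): a task in one of these states makes no further progress.
TERMINAL = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}


class ApiError(Exception):
    """Any response code other than the documented success code for the call."""

    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body}")
        self.status, self.body = status, body


def run_task(transport, method, path, interval=2.0, max_polls=30, sleep=time.sleep):
    """Start an asynchronous task (expects 202) and poll its status URL until it is terminal.

    transport(method, path) -> (http_status, headers, json_body) is a hypothetical callable
    that wraps whatever HTTP client and authentication the deployment uses.
    """
    status, headers, body = transport(method, path)
    if status != 202:
        raise ApiError(status, body)
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if not location:
        raise ApiError(status, "202 response carried no Location header")
    # Follow the Location header rather than rebuilding the task URL by hand. It is
    # documented with an /api prefix, while endpoint paths are written relative to it.
    task_path = re.sub(r"^/api(?=/)", "", urlparse(location).path)
    for _ in range(max_polls):
        status, _headers, task = transport("GET", task_path)
        if status != 200:
            raise ApiError(status, task)
        if task.get("status") in TERMINAL:
            return task
        sleep(interval)
    raise TimeoutError(f"{task_path} did not finish after {max_polls} polls")


def delete_if_unused(transport, regex_property_id, **poll_options):
    """Delete an event regex property only when the dependents task reports zero dependents."""
    prop = f"{BASE}/regex_properties/{int(regex_property_id)}"  # int() keeps the path segment numeric
    check = run_task(transport, "GET", prop + "/dependents", **poll_options)
    count = check.get("number_of_dependents")  # documented as null until the task completes
    if check["status"] != "COMPLETED" or count is None:
        return {"deleted": False, "reason": f"dependency check ended as {check['status']}", "blocking": {}}
    if count > 0:
        # The field list calls this key sub_task_type, the response sample task_sub_type; accept both.
        blocking = {c.get("task_sub_type") or c.get("sub_task_type"): c["number_of_dependents"]
                    for c in check.get("task_components", []) if c.get("number_of_dependents")}
        return {"deleted": False, "reason": f"{count} dependent object(s)", "blocking": blocking}
    task = run_task(transport, "DELETE", prop, **poll_options)
    return {"deleted": task["status"] == "COMPLETED", "reason": task["status"], "blocking": {}}


class FakeServer:
    """Constructed in-memory stand-in for the API so the example runs offline."""

    def __init__(self, dependents):
        self.dependents = dict(dependents)  # property id -> {sub-task type: dependents found}
        self.tasks = {}                     # task path -> queued task status bodies
        self.calls = []                     # (method, path) audit trail

    def __call__(self, method, path):
        self.calls.append((method, path))
        if method == "GET" and path in self.tasks:
            queue = self.tasks[path]
            body = queue.pop(0) if len(queue) > 1 else queue[0]
            return 200, {}, body
        m = re.fullmatch(re.escape(BASE) + r"/regex_properties/(\d+)(/dependents)?", path)
        wanted = "GET" if m and m.group(2) else "DELETE"
        if not m or method != wanted or int(m.group(1)) not in self.dependents:
            return 404, {}, {"code": 1002}  # constructed body carrying the documented unique code
        prop_id, kind = int(m.group(1)), "dependent" if m.group(2) else "delete"
        done = {"status": "COMPLETED"}
        if kind == "dependent":
            found = self.dependents[prop_id]
            done["number_of_dependents"] = sum(found.values())
            done["task_components"] = [{"task_sub_type": t, "number_of_dependents": n}
                                       for t, n in found.items()]
        else:
            del self.dependents[prop_id]
        task_path = f"{BASE}/regex_property_{kind}_tasks/{len(self.tasks) + 1}"
        self.tasks[task_path] = [{"status": "PROCESSING", "number_of_dependents": None}, done]
        return 202, {"Location": "/api" + task_path}, {"status": "QUEUED"}


if __name__ == "__main__":
    # Constructed data: property 7 is used by two rules, property 8 by nothing.
    server = FakeServer({7: {"FIND_DEPENDENT_RULES": 2}, 8: {}})
    for prop_id in (7, 8):
        print(prop_id, delete_if_unused(server, prop_id, sleep=lambda _s: None))
```

Against a live system, `transport` would send the request with the deployment's credentials and return the status code, response headers and decoded JSON body.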

POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}

Cancels the regex property dependent task.

Table 176: POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} Resource Details

MIME Type

application/json

Table 177: POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

task_id

path

Required

Number (Integer)

text/plain

null

fields

header

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 178: POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

task

Object

application/json

null

{ "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

Table 179: POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The dependent task was cancelled.

404

1002

The dependent task status does not exist.

409

1004

The task is in a completed state.

422

1005

A request parameter is not valid.

500

1020

An error occurred while attempting to update the dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL "/api/config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • cancelled_by - String - The name of the user who requested to cancel the task.

  • created - Long - The time, in milliseconds since epoch, when the task was created.

  • started - Long - The time, in milliseconds since epoch, when the task was started.

  • modified - Long - The time, in milliseconds since epoch, when the task was modified.

  • completed - Long - The time, in milliseconds since epoch, when the task was completed.

  • number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • task_components - Array - An array of task component objects. A task component object contains the following fields:

    • message - String - The localized sub-task status message.

    • status - String - The current state of the sub-task.

    • sub_task_type - String - The type of the sub-task.

    • maximum - Long - The maximum number of objects to check for dependency.

    • progress - Long - The number of objects that were checked for dependency.

    • created - Long - The time, in milliseconds since epoch, when the sub-task was created.

    • started - Long - The time, in milliseconds since epoch, when the sub-task was started.

    • modified - Long - The time, in milliseconds since epoch, when the sub-task was modified.

    • completed - Long - The time, in milliseconds since epoch, when the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>" } ] }

GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results

Retrieves the regex property dependent task results.

Table 180: GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results Resource Details

MIME Type

application/json

Table 181: GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

task_id

path

Required

Number (Integer)

text/plain

null

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 182: GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results Response Codes

HTTP Response Code

Unique Code

Description

200

 

The regex property dependents were retrieved.

404

1002

The requested task status cannot be found.

500

1020

An error occurred during the attempt to retrieve the task results.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

  • dependent_id - String - The ID of the dependent resource.

  • dependent_name - String - The name of the dependent resource (default resources can have localized names).

  • dependent_owner - String - The owner of the dependent resource.

  • dependent_type - String - The type of the dependent resource.

  • dependent_database - String - The database of the dependent resource.

  • dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.

  • user_has_edit_permissions - Boolean - True if the user who created the task has permission to edit this dependent resource.

Response Sample

[ { "blocking": true, "dependent_database": "String <one of: EVENTS, FLOWS>", "dependent_group_ids": [ 42 ], "dependent_id": "String", "dependent_name": "String", "dependent_owner": "String", "dependent_type": "String <one of: ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE_TYPE>", "user_has_edit_permissions": true } ]
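The following Python sketch is an added example, not part of the original reference: it reads a Dependent Task Status object and the /results list described above and reports progress and which dependents need follow-up before a regex property is changed. The function names and all sample values are constructed for illustration, and the `blocking` flag is reported as-is because the field list above does not describe it.

```python
import json
from collections import Counter

# Constructed Dependent Task Status object; every value is made up.
SAMPLE_TASK = json.loads("""
{"id": 7, "name": "Find dependents", "status": "PROCESSING",
 "created_by": "admin", "cancelled_by": null,
 "number_of_dependents": null, "maximum": 200, "progress": 50,
 "task_components": [
   {"task_sub_type": "FIND_DEPENDENT_RULES", "status": "COMPLETED",
    "maximum": 50, "progress": 50, "number_of_dependents": 2},
   {"task_sub_type": "FIND_DEPENDENT_REPORTS", "status": "QUEUED",
    "maximum": 0, "progress": 0, "number_of_dependents": null},
   {"task_sub_type": "FIND_DEPENDENT_ARIEL_SAVED_SEARCHES",
    "status": "PROCESSING", "maximum": 150, "progress": 0,
    "number_of_dependents": null}]}
""")

# Constructed /results payload; names, owners and IDs are made up.
SAMPLE_RESULTS = json.loads("""
[{"blocking": true, "dependent_database": "EVENTS", "dependent_group_ids": [3],
  "dependent_id": "1001", "dependent_name": "Example rule A",
  "dependent_owner": "admin", "dependent_type": "CRE_RULE",
  "user_has_edit_permissions": true},
 {"blocking": true, "dependent_database": "EVENTS", "dependent_group_ids": [],
  "dependent_id": "1002", "dependent_name": "Example search B",
  "dependent_owner": "analyst1", "dependent_type": "ARIEL_SAVED_SEARCH",
  "user_has_edit_permissions": false},
 {"blocking": false, "dependent_database": "FLOWS", "dependent_group_ids": [5],
  "dependent_id": "1003", "dependent_name": "Example report C",
  "dependent_owner": "analyst2", "dependent_type": "REPORT",
  "user_has_edit_permissions": false},
 {"blocking": false, "dependent_database": "EVENTS", "dependent_group_ids": [3],
  "dependent_id": "1004", "dependent_name": "Example rule D",
  "dependent_owner": "admin", "dependent_type": "CRE_RULE",
  "user_has_edit_permissions": true}]
""")


def percent(progress, maximum):
    """Whole-number percentage, or None when there is nothing to check yet."""
    if not maximum:  # maximum of 0 or null: avoid dividing by zero
        return None
    return min(100, (progress or 0) * 100 // maximum)


def summarize_task(task):
    """Condense a Dependent Task Status object into what a poller needs."""
    components = task.get("task_components") or []
    return {
        "status": task["status"],
        "percent": percent(task.get("progress"), task.get("maximum")),
        # number_of_dependents is null until the task completes, so require
        # both the COMPLETED status and a non-null count before reading results.
        "results_ready": task["status"] == "COMPLETED"
        and task.get("number_of_dependents") is not None,
        "unfinished": sorted(
            c["task_sub_type"] for c in components if c["status"] != "COMPLETED"
        ),
    }


def triage_dependents(dependents):
    """Group the /results list and pick out dependents that need follow-up."""
    blocking = [d for d in dependents if d.get("blocking")]
    # Dependents the task creator cannot edit have to be handled by their owner.
    locked = [d for d in dependents if not d.get("user_has_edit_permissions")]
    return {
        "by_type": dict(Counter(d["dependent_type"] for d in dependents)),
        "by_database": dict(Counter(d["dependent_database"] for d in dependents)),
        "blocking": sorted(d["dependent_name"] for d in blocking),
        "owners_to_contact": sorted({d["dependent_owner"] for d in locked}),
    }


if __name__ == "__main__":
    print(summarize_task(SAMPLE_TASK))
    print(triage_dependents(SAMPLE_RESULTS))
```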

GET /config/event_sources/event_collectors

Retrieves the list of event collectors.

Table 183: GET /config/event_sources/event_collectors Resource Details

MIME Type

application/json

Table 184: GET /config/event_sources/event_collectors Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

filter

query

Optional

String

text/plain

Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Range

header

Optional

String

text/plain

Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 185: GET /config/event_sources/event_collectors Response Codes

HTTP Response Code

Unique Code

Description

200

 

The event collectors were retrieved successfully.

500

1020

An error occurred during the attempt to retrieve the event collectors.

Response Description

The list of all event collectors. An event collector contains the following fields:

  • id - Long - The ID of the event collector.

  • name - String - The display name of the event collector entity. Not localized because it is derived from a process/component name and the hostname of the managed host it runs on.

  • component_name - String - The name of the component backing this event collector process. Also contained in the 'name' field.

  • host_id - Long - The ID of the host on which this event collector process runs. See Hosts API.

Response Sample

[ { "component_name": "String", "host_id": 42, "id": 42, "name": "String" } ]

GET /config/event_sources/event_collectors/{id}

Retrieves an individual event collector by ID.

Table 186: GET /config/event_sources/event_collectors/{id} Resource Details

MIME Type

application/json

Table 187: GET /config/event_sources/event_collectors/{id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

id

path

Required

Number (Integer)

text/plain

The ID of the event collector to retrieve.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 188: GET /config/event_sources/event_collectors/{id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The event collector was retrieved successfully.

404

1002

The requested event collector cannot be found.

500

1020

An error occurred during the attempt to retrieve the event collector.

Response Description

The event collector after it is retrieved. An event collector contains the following fields:

  • id - Long - The ID of the event collector.

  • name - String - The display name of the event collector entity. Not localized because it is derived from a process/component name and the hostname of the managed host it runs on, neither of which is translatable.

  • component_name - String - The name of the component backing this event collector process. Also contained in the 'name' field.

  • host_id - Long - The ID of the host on which this event collector process runs. See Hosts API.

Response Sample

{ "component_name": "String", "host_id": 42, "id": 42, "name": "String" }

GET /config/event_sources/log_source_management/autodetection/config_records/{config_id}

Retrieves an Autodetection Config Record.

Table 189: GET /config/event_sources/log_source_management/autodetection/config_records/{config_id} Resource Details

MIME Type

application/json

Table 190: GET /config/event_sources/log_source_management/autodetection/config_records/{config_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

config_id

path

Required

Number (Integer)

text/plain

Required. The ID of the Autodetection Config Record to retrieve.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 191: GET /config/event_sources/log_source_management/autodetection/config_records/{config_id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The Autodetection Config Record was retrieved.

404

1002

The Autodetection Config Record does not exist.

500

1020

An error occurred during the attempt to retrieve the Autodetection Config Record.

Response Description

The Autodetection Config Record containing the following fields:

  • id - Number - The ID of the Autodetection Config Record.

  • log_source_type_id - Number - The ID of the Log Source Type corresponding to the Autodetection Config Record.

  • enabled - Boolean - Returns true if Traffic Analysis is enabled for the given log source type.

Response Sample

{ "enabled": true, "id": 42, "log_source_type_id": 42 }

POST /config/event_sources/log_source_management/autodetection/config_records/{config_id}

Updates only the enabled/disabled state of the Autodetection Config Record.

Table 192: POST /config/event_sources/log_source_management/autodetection/config_records/{config_id} Resource Details

MIME Type

application/json

Table 193: POST /config/event_sources/log_source_management/autodetection/config_records/{config_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

config_id

path

Required

Number (Integer)

text/plain

Required. The ID of the Autodetection Config Record to update.

fields

header

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 194: POST /config/event_sources/log_source_management/autodetection/config_records/{config_id} Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

config_record

Object

application/json

Required. A single Autodetection Config Record object has the following modifiable fields:

  • enabled - Boolean - Returns true if Traffic Analysis is enabled for the given log source type.

Any other set fields will be ignored.

{ "enabled": true, "id": 42, "log_source_type_id": 42 }

Table 195: POST /config/event_sources/log_source_management/autodetection/config_records/{config_id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The Autodetection Config Record was updated.

404

1002

The Autodetection Config Record does not exist.

422

1005

A request parameter is not valid.

500

1020

An error occurred during the attempt to update the Autodetection Config Record.

Response Description

The updated Autodetection Config Record containing the following fields:

  • id - Number - The ID of the Autodetection Config Record.

  • log_source_type_id - Number - The ID of the Log Source Type corresponding to the Autodetection Config Record.

  • enabled - Boolean - Returns true if Traffic Analysis is enabled for the given log source type.

Response Sample

{ "enabled": true, "id": 42, "log_source_type_id": 42 }

GET /config/event_sources/log_source_management/autodetection/config_records

Retrieves the list of Autodetection Config Records.

Table 196: GET /config/event_sources/log_source_management/autodetection/config_records Resource Details

MIME Type

application/json

Table 197: GET /config/event_sources/log_source_management/autodetection/config_records Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

Range

header

Optional

String

text/plain

Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

filter

query

Optional

String

text/plain

Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Table 198: GET /config/event_sources/log_source_management/autodetection/config_records Response Codes

HTTP Response Code

Unique Code

Description

200

 

The Autodetection Config Records were retrieved.

422

1010

A request parameter is not valid.

500

1020

An error occurred during the attempt to retrieve the Autodetection Config Records.

Response Description

An array of Autodetection Config Record objects. An Autodetection Config Record object contains the following fields:

  • id - Number - The ID of the Autodetection Config Record.

  • log_source_type_id - Number - The ID of the Log Source Type corresponding to the Autodetection Config Record.

  • enabled - Boolean - Returns true if Autodetection is enabled for the given log source type.

Response Sample

[ { "enabled": true, "id": 42, "log_source_type_id": 42 } ]

GET /config/event_sources/log_source_management/log_source_extensions

Retrieves the list of log source extensions.

Table 199: GET /config/event_sources/log_source_management/log_source_extensions Resource Details

MIME Type

application/json

Table 200: GET /config/event_sources/log_source_management/log_source_extensions Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

filter

query

Optional

String

text/plain

Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Range

header

Optional

String

text/plain

Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 201: GET /config/event_sources/log_source_management/log_source_extensions Response Codes

HTTP Response Code

Unique Code

Description

200

 

The log source extensions were retrieved successfully.

500

1020

An error occurred during the attempt to retrieve the log source extensions.

Response Description

The list of all log source extensions. A log source extension contains the following fields:

  • id - Long - The ID of the extension.

  • name - String - The name of the log source extension. Not localized, because it's user-provided.

  • description - String - The description of the extension. Not localized, because it's user-provided.

Response Sample

[ { "description": "String", "id": 42, "name": "String" } ]

GET /config/event_sources/log_source_management/log_source_extensions/{id}

Retrieves a log source extension by ID.

Table 202: GET /config/event_sources/log_source_management/log_source_extensions/{id} Resource Details

MIME Type

application/json

Table 203: GET /config/event_sources/log_source_management/log_source_extensions/{id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

id

path

Required

Number (Integer)

text/plain

The ID of the log source extension to retrieve.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 204: GET /config/event_sources/log_source_management/log_source_extensions/{id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The log source extension was retrieved successfully.

404

1002

The requested log source extension cannot be found.

500

1020

An error occurred during the attempt to retrieve the log source extension.

Response Description

The log source extension after it is retrieved. A log source extension contains the following fields:

  • id - Long - The ID of the extension.

  • name - String - The name of the log source extension. Not localized, because it's user-provided.

  • description - String - The description of the extension. Not localized, because it's user-provided.

Response Sample

{ "description": "String", "id": 42, "name": "String" }

GET /config/event_sources/log_source_management/log_source_groups

Retrieves the list of log source groups.

Table 205: GET /config/event_sources/log_source_management/log_source_groups Resource Details

MIME Type

application/json

Table 206: GET /config/event_sources/log_source_management/log_source_groups Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

filter

query

Optional

String

text/plain

Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Range

header

Optional

String

text/plain

Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 207: GET /config/event_sources/log_source_management/log_source_groups Response Codes

HTTP Response Code

Unique Code

Description

200

 

The log source groups were retrieved successfully.

500

1020

An error occurred during the attempt to retrieve the log source groups.

Response Description

The list of all log source groups. A log source group contains the following fields:

  • id - Long - The ID of the group.

  • name - String - The name of the group.

  • description - String - The description of the group.

  • parent_id - Long - The ID of the group's parent. Note that the root group node will have a null parent_id.

  • owner - String - The name of the user who owns the group.

  • modification_date - Long - The date and time (expressed as milliseconds since epoch) that the group was last modified.

  • assignable - Boolean - True if log sources can be assigned to this group, false if they cannot. Log sources cannot be assigned directly to the Other group or to the root log source group node.

  • child_groups - Array<Long> - The list of IDs of any child log source groups of which this group is a parent.

Response Sample

[ { "assignable": true, "child_group_ids": [ 42 ], "description": "String", "id": 42, "modification_date": 42, "name": "String", "owner": "String", "parent_id": 42 } ]

GET /config/event_sources/log_source_management/log_source_groups/{id}

Retrieves a log source group by ID.

Table 208: GET /config/event_sources/log_source_management/log_source_groups/{id} Resource Details

MIME Type

application/json

Table 209: GET /config/event_sources/log_source_management/log_source_groups/{id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

id

path

Required

Number (Integer)

text/plain

The ID of the log source group to retrieve.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 210: GET /config/event_sources/log_source_management/log_source_groups/{id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The log source group was retrieved successfully.

404

1002

The requested log source group cannot be found.

500

1020

An error occurred during the attempt to retrieve the log source group.

Response Description

The log source group after it is retrieved. A log source group contains the following fields:

  • id - Long - The ID of the group.

  • name - String - The name of the group.

  • description - String - The description of the group.

  • parent_id - Long - The ID of the group's parent. Note that the root group node will have a null parent_id.

  • owner - String - The name of the user who owns the group.

  • modification_date - Long - The date and time (expressed as milliseconds since epoch) that the group was last modified.

  • assignable - Boolean - True if log sources can be assigned to this group, false if they cannot. Log sources cannot be assigned directly to the Other group or to the root log source group node.

  • child_groups - Array<Long> - The list of IDs of any child log source groups of which this group is a parent.

Response Sample

{ "assignable": true, "child_group_ids": [ 42 ], "description": "String", "id": 42, "modification_date": 42, "name": "String", "owner": "String", "parent_id": 42 }

GET /config/event_sources/log_source_management/log_source_languages

Retrieves the list of log source languages.

Table 211: GET /config/event_sources/log_source_management/log_source_languages Resource Details

MIME Type

application/json

Table 212: GET /config/event_sources/log_source_management/log_source_languages Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

filter

query

Optional

String

text/plain

Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Range

header

Optional

String

text/plain

Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 213: GET /config/event_sources/log_source_management/log_source_languages Response Codes

HTTP Response Code

Unique Code

Description

200

 

The log source languages were retrieved successfully.

500

1020

An error occurred during the attempt to retrieve the log source languages.

Response Description

The list of all log source languages. A log source language contains the following fields:

  • id - Integer - The ID of the language. This ID does not change across deployments.

  • name - String - The display name of the language. Should be localized.

Response Sample

[ { "id": 42, "name": "String" } ]

GET /config/event_sources/log_source_management/log_source_languages/{id}

Retrieves a log source language by ID.

Table 214: GET /config/event_sources/log_source_management/log_source_languages/{id} Resource Details

MIME Type

application/json

Table 215: GET /config/event_sources/log_source_management/log_source_languages/{id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

id

path

Required

Number (Integer)

text/plain

The ID of the log source language to retrieve.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 216: GET /config/event_sources/log_source_management/log_source_languages/{id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The log source language was retrieved successfully.

404

1002

The requested log source language cannot be found.

500

1020

An error occurred during the attempt to retrieve the log source language.

Response Description

The log source language after it is retrieved. A log source language contains the following fields:

  • id - Integer - The ID of the language. This ID does not change across deployments.

  • name - String - The display name of the language. Should be localized.

Response Sample

{ "id": 42, "name": "String" }

GET /config/event_sources/log_source_management/log_source_types

Retrieves the list of log source types.

Table 217: GET /config/event_sources/log_source_management/log_source_types Resource Details

MIME Type

application/json

Table 218: GET /config/event_sources/log_source_management/log_source_types Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

filter

query

Optional

String

text/plain

Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

Range

header

Optional

String

text/plain

Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 219: GET /config/event_sources/log_source_management/log_source_types Response Codes

HTTP Response Code

Unique Code

Description

200

 

The log source types were retrieved successfully.

500

1020

An error occurred during the attempt to retrieve the log source types.

Response Description

The list of all log source types. A log source type contains the following fields:

  • id - Integer - The ID of the log source type.

  • name - String - The name of the log source type.

  • internal - Boolean - Indicates whether the log source type is an internal one (e.g. System Notification, SIM Audit, Asset Profiler, etc) for which log sources cannot be created, edited or deleted.

  • custom - Boolean - Indicates whether the log source type is a custom one.

  • protocol_types - Array - The type of protocols available for the log source type.

  • default_protocol_id - Long - The protocol option that should be the default solution for this log source type.

  • log_source_extension_id - Long - The optional log source extension that is associated with the log source type.

  • supported_language_ids - Array - The supported languages for the log source type.

Response Sample

[ { "custom": true, "default_protocol_id": 42, "id": 42, "internal": true, "log_source_extension_id": 42, "name": "String", "protocol_types": [ { "documented": true, "protocol_id": 42 } ], "supported_language_ids": [ 42 ] } ]
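The following Python sketch is an added example, not part of the original reference: it joins the Autodetection Config Record list with the log source type list to show which log source types have autodetection enabled, and prepares the POST bodies that would disable any type missing from an approved baseline. The function names, the baseline set and all sample records are constructed for illustration; only the field names and the endpoint path come from this page.

```python
# Path of the update endpoint documented above; only "enabled" is modifiable.
CONFIG_PATH = ("/config/event_sources/log_source_management/"
               "autodetection/config_records/{config_id}")

# Constructed responses from the two list endpoints; all values are made up.
SAMPLE_CONFIG_RECORDS = [
    {"id": 1, "log_source_type_id": 11, "enabled": True},
    {"id": 2, "log_source_type_id": 12, "enabled": False},
    {"id": 3, "log_source_type_id": 4001, "enabled": True},
    {"id": 4, "log_source_type_id": 999, "enabled": True},  # no matching type
]
SAMPLE_LOG_SOURCE_TYPES = [
    {"id": 11, "name": "Example Firewall", "custom": False, "internal": False},
    {"id": 12, "name": "Example Proxy", "custom": False, "internal": False},
    {"id": 4001, "name": "Example Custom App", "custom": True, "internal": False},
    {"id": 13, "name": "Example Internal Source", "custom": False, "internal": True},
]


def audit_autodetection(config_records, log_source_types):
    """Join config records to log source types on log_source_type_id."""
    types_by_id = {t["id"]: t for t in log_source_types}
    report = {"enabled": [], "disabled": [], "orphaned_config_ids": []}
    for rec in sorted(config_records, key=lambda r: r["id"]):
        lst = types_by_id.get(rec["log_source_type_id"])
        if lst is None:
            # A record that points at a type the type list did not return.
            report["orphaned_config_ids"].append(rec["id"])
            continue
        row = {
            "config_id": rec["id"],
            "type_id": lst["id"],
            "name": lst["name"],
            "custom": bool(lst.get("custom")),
            "internal": bool(lst.get("internal")),
        }
        report["enabled" if rec["enabled"] else "disabled"].append(row)
    covered = {r["log_source_type_id"] for r in config_records}
    report["types_without_record"] = sorted(
        t["name"] for t in log_source_types if t["id"] not in covered
    )
    return report


def plan_disable(report, approved_type_ids):
    """Return (path, body) pairs that disable autodetection outside the baseline.

    approved_type_ids is a hypothetical allow-list kept by the operator.
    Nothing is sent; the caller reviews the plan and issues the POSTs.
    """
    plan = []
    for row in report["enabled"]:
        if row["type_id"] not in approved_type_ids:
            path = CONFIG_PATH.format(config_id=row["config_id"])
            # Other fields in the body are ignored, so send only "enabled".
            plan.append((path, {"enabled": False}))
    return plan


if __name__ == "__main__":
    rep = audit_autodetection(SAMPLE_CONFIG_RECORDS, SAMPLE_LOG_SOURCE_TYPES)
    for row in rep["enabled"]:
        print("enabled:", row["name"], "(custom)" if row["custom"] else "")
    print("orphaned config records:", rep["orphaned_config_ids"])
    for path, body in plan_disable(rep, approved_type_ids={11}):
        print("POST", path, body)
```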

DELETE /config/event_sources/log_source_management/log_source_types/{id}

Delete a custom log source type by ID. This is only permitted for custom log source types.

Table 220: DELETE /config/event_sources/log_source_management/log_source_types/{id} Resource Details

MIME Type

text/plain

Table 221: DELETE /config/event_sources/log_source_management/log_source_types/{id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

id

path

Required

Number (Integer)

text/plain

The ID of the custom log source type to delete.

Table 222: DELETE /config/event_sources/log_source_management/log_source_types/{id} Response Codes

HTTP Response Code

Unique Code

Description

204

 

The log source type was deleted successfully.

404

1010

The requested log source type cannot be found.

409

1015

The requested log source type is not a custom type and thus cannot be deleted.

500

1020

An error occurred while attempting to delete the log source.

Response Description

Response Sample

GET /config/event_sources/log_source_management/log_source_types/{id}

Retrieves a log source type by ID.

Table 223: GET /config/event_sources/log_source_management/log_source_types/{id} Resource Details

MIME Type

application/json

Table 224: GET /config/event_sources/log_source_management/log_source_types/{id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | The ID of the log source type to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 225: GET /config/event_sources/log_source_management/log_source_types/{id} Response Codes

HTTP Response Code | Unique Code | Description
200 | | The log source type was retrieved successfully.
404 | 1002 | The requested log source type cannot be found.
500 | 1020 | An error occurred during the attempt to retrieve the log source type.

Response Description

The log source type after it is retrieved. A log source type contains the following fields:

  • id - Integer - The ID of the log source type.

  • name - String - The name of the log source type.

  • internal - Boolean - Indicates whether the log source type is an internal one (e.g. System Notification, SIM Audit, Asset Profiler, etc) for which log sources cannot be created, edited or deleted.

  • custom - Boolean - Indicates whether the log source type is a custom one.

  • protocol_types - Array - The type of protocols available for the log source type.

  • default_protocol_id - Long - The protocol option that should be the default solution for this log source type.

  • log_source_extension_id - Long - The optional log source extension that is associated with the log source type.

  • supported_language_ids - Array - The supported languages for the log source type.

Response Sample

{ "custom": true, "default_protocol_id": 42, "id": 42, "internal": true, "log_source_extension_id": 42, "name": "String", "protocol_types": [ { "documented": true, "protocol_id": 42 } ], "supported_language_ids": [ 42 ] }

POST /config/event_sources/log_source_management/log_source_types/{id}

Update a log source type.

The following fields can be provided in the body of this request; all other log source type fields are ignored:

  • name - String - The name of the log source type. Cannot be empty. Must be 241 characters or less. Must not have been used before. This is only editable for custom log source types.

  • protocol_types - Array - The protocols that can be used for the log source type. All protocol ids must exist, list cannot be empty. This is only editable for custom log source types.

  • default_protocol_id - Long - The protocol option that should be the default solution for this log source type.

  • log_source_extension_id - Long - The log source extension that is associated with the log source type. If specified, this must correspond to an existing log source extension. This field can have a value of 'null', which will remove the extension on this log source type.

Table 226: POST /config/event_sources/log_source_management/log_source_types/{id} Resource Details

MIME Type

application/json

Table 227: POST /config/event_sources/log_source_management/log_source_types/{id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | The ID of the log source to be updated.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 228: POST /config/event_sources/log_source_management/log_source_types/{id} Request Body Details

Parameter | Data Type | MIME Type | Description | Sample
log_source_type_data | Object | application/json | The updated log source type data. Any field not provided will be ignored. | { "default_protocol_id": 42, "log_source_extension_id": 42, "name": "String", "protocol_types": [ { "protocol_id": 42 } ] }

Table 229: POST /config/event_sources/log_source_management/log_source_types/{id} Response Codes

HTTP Response Code | Unique Code | Description
200 | | The log source type was updated successfully.
404 | 1010 | The requested log source type cannot be found.
422 | 1001 | The provided name is already in use.
422 | 1002 | The provided name is empty.
422 | 1003 | The provided name exceeds 241 characters.
422 | 1004 | The provided protocol_types array is empty.
422 | 1005 | The provided protocol_types array contains one or more ProtocolMappings whose protocol_ids do not correspond to an existing protocol type.
422 | 1006 | The provided log_source_extension_id does not correspond to an existing log source extension.
500 | 1020 | An error occurred while attempting to update the log source.

Response Description

The updated log source type which will have the following fields:

  • id - Integer - The ID of the log source type.

  • name - String - The name of the log source type.

  • internal - Boolean - Indicates whether the log source type is an internal one.

  • custom - Boolean - Indicates whether the log source type is a custom one.

  • protocol_types - Array - The type of protocols available for the log source type.

  • default_protocol_id - Long - The protocol option that should be the default solution for this log source type.

  • log_source_extension_id - Long - The optional log source extension that is associated with the log source type.

  • supported_language_ids - Array - The supported languages for the log source type.

Response Sample

{ "custom": true, "default_protocol_id": 42, "id": 42, "internal": true, "log_source_extension_id": 42, "name": "String", "protocol_types": [ { "documented": true, "protocol_id": 42 } ], "supported_language_ids": [ 42 ] }

POST /config/event_sources/log_source_management/log_source_types

Create a new custom log source type.

Log source types do not need to be deployed. The following fields can be provided in the body of this request; all other log source type fields are ignored:

  • name - String - The name of the log source type. Cannot be empty. Must be 241 characters or less. Must not have been used before.

  • protocol_types - Array - The optional protocols that can be used for the log source type. All protocol ids must exist, list cannot be empty. If this field is not provided, all protocols will be available for this log source type.

  • default_protocol_id - Long - The protocol option that should be the default solution for this log source type.

  • log_source_extension_id - Long - The optional log source extension that is associated with the log source type. If specified, this must correspond to an existing log source extension.

Table 230: POST /config/event_sources/log_source_management/log_source_types Resource Details

MIME Type

application/json

Table 231: POST /config/event_sources/log_source_management/log_source_types Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 232: POST /config/event_sources/log_source_management/log_source_types Request Body Details

Parameter | Data Type | MIME Type | Description | Sample
log_source_data | Object | application/json | The new log source type data. | { "default_protocol_id": 42, "log_source_extension_id": 42, "name": "String", "protocol_types": [ { "protocol_id": 42 } ] }

Table 233: POST /config/event_sources/log_source_management/log_source_types Response Codes

HTTP Response Code | Unique Code | Description
201 | | The log source type was created successfully.
422 | 1001 | The provided name is already in use.
422 | 1002 | The provided name is empty.
422 | 1003 | The provided name exceeds 241 characters.
422 | 1004 | The provided protocol_types array is empty.
422 | 1005 | The provided protocol_types array contains one or more ProtocolMappings whose protocol_ids do not correspond to an existing protocol type.
422 | 1006 | The provided log_source_extension_id does not correspond to an existing log source extension.
500 | 1100 | An error occurred while attempting to create the log source.

Response Description

The newly created log source type which will have the following fields:

  • id - Integer - The ID of the log source type.

  • name - String - The name of the log source type.

  • internal - Boolean - Indicates whether the log source type is an internal one. This will be set to false for custom log source types.

  • custom - Boolean - Indicates whether the log source type is a custom one. This will always be set to true for custom log source types.

  • protocol_types - Array - The type of protocols available for the log source type.

  • default_protocol_id - Long - The protocol option that should be the default solution for this log source type.

  • log_source_extension_id - Long - The optional log source extension that is associated with the log source type.

  • supported_language_ids - Array - The supported languages for the log source type. This will always be empty for custom log source types.

Response Sample

{ "custom": true, "default_protocol_id": 42, "id": 42, "internal": true, "log_source_extension_id": 42, "name": "String", "protocol_types": [ { "documented": true, "protocol_id": 42 } ], "supported_language_ids": [ 42 ] }
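The constraints listed for this endpoint line up with its 422 unique codes, so a request body can be checked before it is sent. The following Python check is an added example, not part of the product documentation; the function name, the three lookup sets (which a caller would fill from the corresponding list endpoints) and the exact-match name comparison are assumptions.

```python
"""Pre-flight check for a 'create custom log source type' body (added example)."""

# The only body fields the endpoint description says are honoured on create.
ALLOWED_FIELDS = {
    "name", "protocol_types", "default_protocol_id", "log_source_extension_id",
}
MAX_NAME_LEN = 241  # limit stated in the endpoint description


def check_new_log_source_type(body, used_names, known_protocol_ids,
                              known_extension_ids):
    """Return (errors, ignored_fields).

    errors is a list of (unique_code, message) pairs that mirror the
    documented 422 responses. ignored_fields lists body keys the server
    would silently drop, which usually signals a caller mistake.
    """
    errors = []

    name = body.get("name")
    if not name:                       # assumption: a missing name counts as empty
        errors.append((1002, "name is empty"))
    elif len(name) > MAX_NAME_LEN:
        errors.append((1003, "name exceeds 241 characters"))
    elif name in used_names:           # assumption: exact, case-sensitive match
        errors.append((1001, "name is already in use"))

    # protocol_types is optional, but if present it must be non-empty
    # and every protocol_id must exist.
    if "protocol_types" in body:
        mappings = body["protocol_types"]
        if not mappings:
            errors.append((1004, "protocol_types array is empty"))
        else:
            unknown = [m.get("protocol_id") for m in mappings
                       if m.get("protocol_id") not in known_protocol_ids]
            if unknown:
                errors.append((1005, f"unknown protocol_ids: {unknown}"))

    # The extension is optional; when given it must refer to an existing one.
    ext = body.get("log_source_extension_id")
    if ext is not None and ext not in known_extension_ids:
        errors.append((1006, f"unknown log_source_extension_id: {ext}"))

    ignored = sorted(set(body) - ALLOWED_FIELDS)
    return errors, ignored


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    body = {"name": "Custom App", "protocol_types": [{"protocol_id": 7}],
            "internal": False}
    print(check_new_log_source_type(body, {"Custom App"}, {1, 2}, {10}))
```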

GET /config/event_sources/log_source_management/log_sources

Retrieves the list of log sources.

Table 234: GET /config/event_sources/log_source_management/log_sources Resource Details

MIME Type

application/json

Table 235: GET /config/event_sources/log_source_management/log_sources Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.
filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.
sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list.
Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Table 236: GET /config/event_sources/log_source_management/log_sources Response Codes

HTTP Response Code | Unique Code | Description
200 | | The log sources were retrieved successfully.
422 | 1000 | Sorting not supported on the provided field.
422 | 1001 | An invalid filter criteria was specified.
500 | 1020 | An error occurred during the attempt to retrieve the log sources.

Response Description

The list of all log sources. A log source contains the following fields:

  • id - Number - The ID of the log source.

  • name - String - The name of the log source.

  • description - String - The description of the log source.

  • type_id - Number - The type of the log source.

  • protocol_type_id - Number - The type of protocol used by the log source.

  • protocol_parameters - Array - The protocol parameters. This is a collection of ProtocolParameter. The content is defined by Protocol Type used by the log source (see Protocol Type API endpoints).

  • enabled - Boolean - Indicates whether the log source is enabled.

  • gateway - Boolean - Indicates whether the log source is configured as a gateway. A gateway log source is essentially a standalone protocol configuration. The log source receives no events itself; instead, it serves only as a host for a protocol configuration which retrieves event data to feed other log sources. It serves as a "gateway" for events from multiple systems to enter the event pipeline.

  • internal - Boolean - Indicates whether the log source is internal (i.e. has an internal log source type).

  • credibility - Short - The credibility of the log source.

  • target_event_collector_id - Number - The id of the event collector where the log source will send its data.

  • coalesce_events - Boolean - Indicates whether the log source will coalesce events.

  • store_event_payloads - Boolean - Indicates whether to store event payloads for this log source.

  • log_source_extension_id - Long - The log source extension (if any) associated with the log source.

  • language_id - Integer - The language of the events being processed by this log source.

  • group_ids - Array - The set of log source group ids this log source is a member of. Could be an empty list.

  • requires_deploy - Boolean - Indicates if a deploy action is required to enable the log source for use.

  • status - Object - The status of the log source. This is a LogSourceStatus structure.

  • auto_discovered - Boolean - Indicates whether this log source was auto-discovered.

  • average_eps - Number - The average EPS of the log source (over the last 60 seconds).

  • creation_date - Number - The creation date of the log source. The value represents the number of milliseconds since epoch (Jan 1, 1970).

  • modified_date - Number - The last modified date of the log source. The value represents the number of milliseconds since epoch (Jan 1, 1970).

  • last_event_time - Number - The time of the last event received by the log source. The value represents the number of milliseconds since epoch (Jan 1, 1970).

  • wincollect_internal_destination_id - Long - The internal WinCollect destination for this log source, if applicable.

  • wincollect_external_destination_ids - Array<Long> - If provided, must be a list of valid WinCollect destination IDs, where each corresponding WinCollect Destination resource has internal=false.

  • legacy_bulk_group_name - Array<Long> - The name of the legacy bulk group that the log source belongs to.

Response Sample

[{"internal": true, "legacy_bulk_group_name": "String", "protocol_parameters": [{"name": "String", "id": 42, "value": "String"}], "description": "String", "coalesce_events": true, "enabled": true, "group_ids": [42], "average_eps": 42, "credibility": 42, "id": 42, "store_event_payload": true, "target_event_collector_id": 42, "protocol_type_id": 42, "language_id": 42, "creation_date": 42, "log_source_extension_id": 42, "wincollect_external_destination_ids": [42], "name": "String", "auto_discovered": true, "modified_date": 42, "type_id": 42, "last_event_time": 42, "requires_deploy": true, "gateway": true, "wincollect_internal_destination_id": 42, "status": {"last_updated": 42, "messages": [{"severity": "String", "text": "String"}], "status": "String"}}]
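The fields returned by this endpoint are enough to audit collection coverage: which sources are disabled, silent, awaiting a deploy, or not retaining payloads. The following Python audit is an added example, not part of the product documentation; the function names, the 24-hour silence threshold, the finding labels and the sample records are constructed for illustration, and a last_event_time of 0 is assumed to mean that no event was ever received.

```python
"""Audit a GET .../log_source_management/log_sources response (added example)."""
from datetime import datetime, timedelta, timezone

# Assumption: an enabled source that has been quiet this long deserves a look.
SILENCE_THRESHOLD = timedelta(hours=24)


def to_ms(dt):
    """Datetime -> milliseconds since epoch, the unit the API uses for dates."""
    return int(dt.timestamp() * 1000)


def from_ms(ms):
    """Milliseconds since epoch -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def audit_log_sources(log_sources, now, silence=SILENCE_THRESHOLD):
    """Return a list of (id, name, finding) tuples for sources needing review."""
    findings = []
    for src in log_sources:
        ident = (src.get("id"), src.get("name"))

        if not src.get("enabled", False):
            findings.append((*ident, "disabled"))
            continue  # nothing else is meaningful for a disabled source

        if src.get("requires_deploy"):
            findings.append((*ident, "pending_deploy"))

        # The field list spells this store_event_payloads while the response
        # sample shows store_event_payload, so accept either. None means the
        # field was not returned (for example excluded via 'fields').
        stores = src.get("store_event_payloads", src.get("store_event_payload"))
        if stores is False:
            findings.append((*ident, "payloads_not_stored"))

        # A gateway source receives no events itself, so silence is expected.
        if not src.get("gateway"):
            last = src.get("last_event_time") or 0
            if last == 0:
                findings.append((*ident, "never_received"))
            elif now - from_ms(last) > silence:
                findings.append((*ident, "silent"))
    return findings


# Constructed sample records: only the fields the audit reads are included.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG_SOURCES = [
    {"id": 101, "name": "fw-edge", "enabled": True, "gateway": False,
     "requires_deploy": False, "store_event_payloads": True,
     "last_event_time": to_ms(NOW - timedelta(minutes=10))},
    {"id": 102, "name": "dc-security", "enabled": True, "gateway": False,
     "requires_deploy": False, "store_event_payloads": True,
     "last_event_time": to_ms(NOW - timedelta(days=3))},
    {"id": 103, "name": "vpn", "enabled": False, "gateway": False,
     "requires_deploy": False, "store_event_payloads": True,
     "last_event_time": to_ms(NOW - timedelta(days=30))},
    {"id": 104, "name": "cloud-gateway", "enabled": True, "gateway": True,
     "requires_deploy": True, "store_event_payloads": True,
     "last_event_time": 0},
    {"id": 105, "name": "proxy", "enabled": True, "gateway": False,
     "requires_deploy": False, "store_event_payload": False,
     "last_event_time": to_ms(NOW - timedelta(minutes=1))},
]

if __name__ == "__main__":
    for finding in audit_log_sources(SAMPLE_LOG_SOURCES, NOW):
        print(finding)
```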

DELETE /config/event_sources/log_source_management/log_sources/{id}

Removes the specified log source from the system.

Table 237: DELETE /config/event_sources/log_source_management/log_sources/{id} Resource Details

MIME Type

text/plain

Table 238: DELETE /config/event_sources/log_source_management/log_sources/{id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | The ID of the log source to delete.

Table 239: DELETE /config/event_sources/log_source_management/log_sources/{id} Response Codes

HTTP Response Code | Unique Code | Description
204 | | The log source was deleted successfully.
403 | 1000 | The endpoint cannot be used by users associated with a tenant.
404 | 1010 | The requested log source cannot be found.
422 | 1001 | The requested log source cannot be deleted because its type_id corresponds to an internal log source type.
422 | 1002 | This method is not supported for this log source because it is part of a bulk group.
500 | 1020 | An error occurred while attempting to delete the log source.

Response Description

Response Sample

GET /config/event_sources/log_source_management/log_sources/{id}

Retrieves a log source by ID.

Table 240: GET /config/event_sources/log_source_management/log_sources/{id} Resource Details

MIME Type

application/json

Table 241: GET /config/event_sources/log_source_management/log_sources/{id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | The ID of the log source to retrieve.
fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 242: GET /config/event_sources/log_source_management/log_sources/{id} Response Codes

HTTP Response Code | Unique Code | Description
200 | | The log source was retrieved successfully.
404 | 1002 | The requested log source cannot be found.
500 | 1020 | An error occurred during the attempt to retrieve the log source.

Response Description

The retrieved log source. A log source contains the following fields:

  • id - Number - The ID of the log source.

  • name - String - The name of the log source.

  • description - String - The description of the log source.

  • type_id - Number - The type of the log source.

  • protocol_type_id - Number - The type of protocol used by the log source.

  • protocol_parameters - Array - The protocol parameters. This is a collection of ProtocolParameter. The content is defined by Protocol Type used by the log source (see Protocol Type API endpoints).

  • enabled - Boolean - Indicates whether the log source is enabled.

  • gateway - Boolean - Indicates whether the log source is configured as a gateway. A gateway log source is essentially a standalone protocol configuration. The log source receives no events itself; instead, it serves only as a host for a protocol configuration which retrieves event data to feed other log sources. It serves as a "gateway" for events from multiple systems to enter the event pipeline.

  • internal - Boolean - Indicates whether the log source is internal (i.e. has an internal log source type).

  • credibility - Short - The credibility of the log source.

  • target_event_collector_id - Number - The id of the event collector where the log source will send its data.

  • coalesce_events - Boolean - Indicates whether the log source will coalesce events.

  • store_event_payloads - Boolean - Indicates whether to store event payloads for this log source.

  • log_source_extension_id - Long - The log source extension (if any) associated with the log source.

  • language_id - Integer - The language of the events being processed by this log source.

  • group_ids - Array - The set of log source group ids this log source is a member of. Could be an empty list.

  • requires_deploy - Boolean - Indicates if a deploy action is required to enable the log source for use.

  • status - Object - The status of the log source. This is a LogSourceStatus structure.

  • auto_discovered - Boolean - Indicates whether this log source was auto-discovered.

  • average_eps - Number - The average EPS of the log source (over the last 60 seconds).

  • creation_date - Number - The creation date of the log source. The value represents the number of milliseconds since epoch (Jan 1, 1970).

  • modified_date - Number - The last modified date of the log source. The value represents the number of milliseconds since epoch (Jan 1, 1970).

  • last_event_time - Number - The time of the last event received by the log source. The value represents the number of milliseconds since epoch (Jan 1, 1970).

  • wincollect_internal_destination_id - Long - The internal WinCollect destination for this log source, if applicable.

  • wincollect_external_destination_ids - Array<Long> - If provided, must be a list of valid WinCollect destination IDs, where each corresponding WinCollect Destination resource has internal=false.

  • legacy_bulk_group_name - Array<Long> - The name of the legacy bulk group that the log source belongs to.

Response Sample

{ "auto_discovered": true, "average_eps": 42, "coalesce_events": true, "creation_date": 42, "credibility": 42, "description": "String", "enabled": true, "gateway": true, "group_ids": [ 42 ], "id": 42, "internal": true, "language_id": 42, "last_event_time": 42, "legacy_bulk_group_name": "String", "log_source_extension_id": 42, "modified_date": 42, "name": "String", "protocol_parameters": [ { "id": 42, "name": "String", "value": "String" } ], "protocol_type_id": 42, "requires_deploy": true, "status": { "last_updated": 42, "messages": [ { "severity": "String", "text": "String" } ], "status": "String" }, "store_event_payload": true, "target_event_collector_id": 42, "type_id": 42, "wincollect_external_destination_ids": [ 42 ], "wincollect_internal_destination_id": 42 }

POST /config/event_sources/log_source_management/log_sources/{id}

Updates a log source.

Table 243: POST /config/event_sources/log_source_management/log_sources/{id} Resource Details

MIME Type

application/json

Table 244: POST /config/event_sources/log_source_management/log_sources/{id} Request Parameter Details

Parameter | Type | Optionality | Data Type | MIME Type | Description
id | path | Required | Number (Integer) | text/plain | The ID of the log source to update.
fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 245: POST /config/event_sources/log_source_management/log_sources/{id} Request Body Details

Parameter | Data Type | MIME Type | Description | Sample
log_source_data | Object | application/json | The updated log source data. Any field not provided will be ignored. | { "coalesce_events": true, "credibility": 42, "description": "String", "enabled": true, "gateway": true, "group_ids": [ 42 ], "id": 42, "language_id": 42, "legacy_bulk_group_name": "String", "log_source_extension_id": 42, "name": "String", "protocol_parameters": [ { "id": 42, "name": "String", "value": "String" } ], "protocol_type_id": 42, "store_event_payload": true, "target_event_collector_id": 42, "type_id": 42, "wincollect_external_destination_ids": [ 42 ], "wincollect_internal_destination_id": 42 }

Table 246: POST /config/event_sources/log_source_management/log_sources/{id} Response Codes

HTTP Response Code | Unique Code | Description
200 | | The log source was updated successfully.
403 | 1000 | The endpoint cannot be used by users associated with a tenant.
404 | 1050 | The requested log source cannot be found.
409 | 1001 | The 'name' parameter must be unique.
409 | 1002 | The combination of 'type_id', 'protocol_type_id' and 'identifier' (from 'protocol_parameters') must be unique.
422 | 1004 | The 'name' parameter is required.
422 | 1005 | The 'name' parameter must not exceed 255 characters.
422 | 1006 | The 'description' parameter must not exceed 255 characters.
422 | 1007 | The 'type_id' parameter does not match any of the available log source types.
422 | 1008 | The 'type_id' parameter cannot correspond to an internal log source type.
422 | 1009 | The 'protocol_type_id' parameter does not match any of the available protocol types.
422 | 1010 | The combination of 'type_id' and 'protocol_type_id' is not supported.
422 | 1011 | The requested log source cannot be updated because its type_id corresponds to an internal log source type.
422 | 1012 | The protocol parameter is invalid.
422 | 1013 | The protocol parameter id or name is invalid.
422 | 1014 | The protocol parameter value format is incorrect.
422 | 1015 | The protocol parameter is required but the value is missing.
422 | 1016 | The protocol parameter value does not match one of the allowed values.
422 | 1017 | The protocol parameter value is too short.
422 | 1018 | The protocol parameter value is too long.
422 | 1019 | The protocol parameter value is too big.
422 | 1020 | The protocol parameter value is too small.
422 | 1021 | The protocol parameter value does not match the allowed pattern.
422 | 1022 | The protocol parameter is not a supported encoding.
422 | 1023 | At least one protocol parameter from the group must be set.
422 | 1024 | The 'credibility' parameter must be a value between 0 and 10 inclusive.
422 | 1025 | The 'target_event_collector_id' parameter does not match any of the available event collectors.
422 | 1026 | The 'log_source_extension_id' parameter does not match any of the available log source extensions.
422 | 1027 | The 'language_id' parameter does not match any of the available log source languages.
422 | 1028 | The 'language_id' parameter does not match a supported language for the selected log source type.
422 | 1029 | The 'group_ids' parameter contains one or more group IDs that cannot be found.
422 | 1030 | The 'group_ids' parameter contains unassignable groups (IDs 0 or 1).
422 | 1031 | The 'wincollect_internal_destination_id' parameter does not match any available internal WinCollect destination.
422 | 1032 | The 'wincollect_external_destination_ids' parameter contains one or more IDs that do not match an available external WinCollect destination.
422 | 1033 | For log sources associated with a WinCollect agent, at least one internal or external WinCollect destination must be provided.
422 | 1034 | This method is not supported for this log source because it is part of a bulk group.
422 | 1035 | This legacy_bulk_group_name field can only be set to null.
422 | 1036 | A log source using this protocol cannot be used as a gateway.
500 | 1100 | An error occurred during the attempt to create the log source.

Response Description

The updated log source identified by the id specified in the request. A log source contains the following fields:

  • id - Number - The ID of the log source.

  • name - String - The name of the log source.

  • description - String - The description of the log source.

  • type_id - Number - The type of the log source.

  • protocol_type_id - Number - The type of protocol used by the log source.

  • protocol_parameters - Array - The protocol parameters. This is a collection of ProtocolParameter. The content is defined by Protocol Type used by the log source (see Protocol Type API endpoints).

  • enabled - Boolean - Indicates whether the log source is enabled.

  • gateway - Boolean - Indicates whether the log source is configured as a gateway. A gateway log source is essentially a standalone protocol configuration. The log source receives no events itself; instead, it serves only as a host for a protocol configuration which retrieves event data to feed other log sources. It serves as a "gateway" for events from multiple systems to enter the event pipeline.

  • internal - Boolean - Indicates whether the log source is internal (i.e. has an internal log source type).

  • credibility - Short - The credibility of the log source.

  • target_event_collector_id - Number - The id of the event collector where the log source will send its data.

  • coalesce_events - Boolean - Indicates whether the log source will coalesce events.

  • store_event_payloads - Boolean - Indicates whether to store event payloads for this log source.

  • log_source_extension_id - Long - The log source extension (if any) associated with the log source.

  • language_id - Integer - The language of the events being processed by this log source.

  • group_ids - Array - The set of log source group ids this log source is a member of. Could be an empty list.

  • requires_deploy - Boolean - Indicates if a deploy action is required to enable the log source for use.

  • status - Object - The status of the log source. This is a LogSourceStatus structure.

  • auto_discovered - Boolean - Indicates whether this log source was auto-discovered.

  • average_eps - Number - The average EPS of the log source (over the last 60 seconds).

  • creation_date - Number - The creation date of the log source. The value represents the number of milliseconds since epoch (Jan 1, 1970).

  • modified_date - Number - The last modified date of the log source. The value represents the number of milliseconds since epoch (Jan 1, 1970).

  • last_event_time - Number - The time of the last event received by the log source. The value represents the number of milliseconds since epoch (Jan 1, 1970).

  • wincollect_internal_destination_id - Long - The internal WinCollect destination for this log source, if applicable.

  • wincollect_external_destination_ids - Array<Long> - If provided, must be a list of valid WinCollect destination IDs, where each corresponding WinCollect Destination resource has internal=false.

  • legacy_bulk_group_name - Array<Long> - The name of the legacy bulk group that the log source belongs to.

Response Sample

{ "auto_discovered": true, "average_eps": 42, "coalesce_events": true, "creation_date": 42, "credibility": 42, "description": "String", "enabled": true, "gateway": true, "group_ids": [ 42 ], "id": 42, "internal": true, "language_id": 42, "last_event_time": 42, "legacy_bulk_group_name": "String", "log_source_extension_id": 42, "modified_date": 42, "name": "String", "protocol_parameters": [ { "id": 42, "name": "String", "value": "String" } ], "protocol_type_id": 42, "requires_deploy": true, "status": { "last_updated": 42, "messages": [ { "severity": "String", "text": "String" } ], "status": "String" }, "store_event_payload": true, "target_event_collector_id": 42, "type_id": 42, "wincollect_external_destination_ids": [ 42 ], "wincollect_internal_destination_id": 42 }

POST /config/event_sources/log_source_management/log_sources

Creates a new log source.

A log source contains the following fields:

  • id - Number - The ID of the log source.

  • name - String - The name of the log source.

  • description - String - The description of the log source.

  • type_id - Number - The type of the log source.

  • protocol_type_id - Number - The type of protocol used by the log source.

  • protocol_parameters - Array - The protocol parameters. This is a collection of ProtocolParameter. The content is defined by Protocol Type used by the log source (see Protocol Type API endpoints).

  • enabled - Boolean - Indicates whether the log source is enabled.

  • gateway - Boolean - Indicates whether the log source is configured as a gateway. A gateway log source is essentially a standalone protocol configuration. The log source receives no events itself; instead, it serves only as a host for a protocol configuration which retrieves event data to feed other log sources. It serves as a "gateway" for events from multiple systems to enter the event pipeline.

  • internal - Boolean - Indicates whether the log source is internal (i.e. has an internal log source type).

  • credibility - Short - The credibility of the log source.

  • target_event_collector_id - Number - The id of the event collector where the log source will send its data.

  • coalesce_events - Boolean - Indicates whether the log source will coalesce events.

  • store_event_payloads - Boolean - Indicates whether to store event payloads for this log source.

  • log_source_extension_id - Long - The log source extension (if any) associated with the log source.

  • language_id - Integer - The language of the events being processed by this log source.

  • group_ids - Array - The set of log source group ids this log source is a member of. Could be an empty list.

  • requires_deploy - Boolean - Indicates if a deploy action is required to enable the log source for use.

  • status - Object - The status of the log source. This is a LogSourceStatus structure.

  • auto_discovered - Boolean - Indicates whether this log source was auto-discovered.

  • average_eps - Number - The average EPS of the log source (over the last 60 seconds).

  • creation_date - Number - The creation date of the log source. The value represents the number of milliseconds since epoch (Jan 1, 1970).

  • modified_date - Number - The last modified date of the log source. The value represents the number of milliseconds since epoch (Jan 1, 1970).

  • last_event_time - Number - The time of the last event received by the log source. The value represents the number of milliseconds since epoch (Jan 1, 1970).

  • wincollect_internal_destination_id - Long - The internal WinCollect destination for this log source, if applicable.

  • wincollect_external_destination_ids - Array<Long> - If provided, must be a list of valid WinCollect destination IDs, where each corresponding WinCollect Destination resource has internal=false.

  • legacy_bulk_group_name - Array<Long> - The name of the legacy bulk group that the log source belongs to.

A protocol parameter contains the following fields:

  • id - Number - The id of the parameter. The id matches one of the ProtocolParameterType defined by the Protocol Type used by the log source (see Protocol Type API endpoints).

  • name - String - The ID of the log source.

  • value - String - The ID of the log source.

Table 247: POST /config/event_sources/log_source_management/log_sources Resource Details

MIME Type

application/json

Table 248: POST /config/event_sources/log_source_management/log_sources Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 249: POST /config/event_sources/log_source_management/log_sources Request Body Details

| Parameter | Data Type | MIME Type | Description | Sample |
| --- | --- | --- | --- | --- |
| log_source_data | Object | application/json | The new log source data. | { "coalesce_events": true, "credibility": 42, "description": "String", "enabled": true, "gateway": true, "group_ids": [ 42 ], "id": 42, "language_id": 42, "legacy_bulk_group_name": "String", "log_source_extension_id": 42, "name": "String", "protocol_parameters": [ { "id": 42, "name": "String", "value": "String" } ], "protocol_type_id": 42, "store_event_payload": true, "target_event_collector_id": 42, "type_id": 42, "wincollect_external_destination_ids": [ 42 ], "wincollect_internal_destination_id": 42 } |

Table 250: POST /config/event_sources/log_source_management/log_sources Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 201 | | The log source was created successfully. |
| 403 | 1000 | The endpoint cannot be used by users associated with a tenant. |
| 409 | 1001 | The 'name' parameter must be unique. |
| 409 | 1002 | The combination of 'type_id', 'protocol_type_id' and 'identifier' (from 'protocol_parameters') must be unique. |
| 422 | 1003 | The 'name' parameter is required. |
| 422 | 1004 | The 'name' parameter must not exceed 255 characters. |
| 422 | 1005 | The 'description' parameter must not exceed 255 characters. |
| 422 | 1006 | null |
| 422 | 1007 | The 'type_id' parameter does not match any of the available log source types. |
| 422 | 1008 | The 'type_id' parameter cannot correspond to an internal log source type. |
| 422 | 1009 | null |
| 422 | 1010 | The 'protocol_type_id' parameter does not match any of the available protocol types. |
| 422 | 1011 | The combination of 'type_id' and 'protocol_type_id' is not supported. |
| 422 | 1012 | The protocol parameter is invalid. |
| 422 | 1013 | The protocol parameter id or name is invalid. |
| 422 | 1014 | The protocol parameter value format is incorrect. |
| 422 | 1015 | The protocol parameter is required but the value is missing. |
| 422 | 1016 | The protocol parameter value does not match one of the allowed values. |
| 422 | 1017 | The protocol parameter value is too short. |
| 422 | 1018 | The protocol parameter value is too long. |
| 422 | 1019 | The protocol parameter value is too big. |
| 422 | 1020 | The protocol parameter value is too small. |
| 422 | 1021 | The protocol parameter value does not match the allowed pattern. |
| 422 | 1022 | The protocol parameter is not a supported encoding. |
| 422 | 1023 | At least one protocol parameter from the group must be set. |
| 422 | 1024 | The 'credibility' parameter must be a value between 0 and 10 inclusive. |
| 422 | 1025 | The 'target_event_collector_id' parameter does not match any of the available event collectors. |
| 422 | 1026 | The 'log_source_extension_id' parameter does not match any of the available log source extensions. |
| 422 | 1027 | The 'language_id' parameter does not match any of the available log source languages. |
| 422 | 1028 | The 'language_id' parameter does not match a supported language for the selected log source type. |
| 422 | 1029 | The 'group_ids' parameter contains one or more group IDs that cannot be found. |
| 422 | 1031 | The 'group_ids' parameter contains unassignable groups (IDs 0 or 1). |
| 422 | 1032 | The 'wincollect_internal_destination_id' parameter does not match any available internal WinCollect destination. |
| 422 | 1033 | The 'wincollect_external_destination_ids' parameter contains one or more IDs that do not match an available external WinCollect destination. |
| 422 | 1034 | For log sources associated with a WinCollect agent, at least one internal or external WinCollect destination must be provided. |
| 422 | 1035 | This method is not supported for this log source because it is part of a bulk group. |
| 422 | 1036 | This 'legacy_bulk_group_name' parameter can only be set to null. |
| 422 | 1037 | A log source using this protocol cannot be used as a gateway. |
| 500 | 1100 | An error occurred during the attempt to create the log source. |

Response Description

The newly created log source.

Response Sample

{ "auto_discovered": true, "average_eps": 42, "coalesce_events": true, "creation_date": 42, "credibility": 42, "description": "String", "enabled": true, "gateway": true, "group_ids": [ 42 ], "id": 42, "internal": true, "language_id": 42, "last_event_time": 42, "legacy_bulk_group_name": "String", "log_source_extension_id": 42, "modified_date": 42, "name": "String", "protocol_parameters": [ { "id": 42, "name": "String", "value": "String" } ], "protocol_type_id": 42, "requires_deploy": true, "status": { "last_updated": 42, "messages": [ { "severity": "String", "text": "String" } ], "status": "String" }, "store_event_payload": true, "target_event_collector_id": 42, "type_id": 42, "wincollect_external_destination_ids": [ 42 ], "wincollect_internal_destination_id": 42 }

GET /config/event_sources/log_source_management/protocol_types

Retrieves the list of protocol types.

Table 251: GET /config/event_sources/log_source_management/protocol_types Resource Details

MIME Type

application/json

Table 252: GET /config/event_sources/log_source_management/protocol_types Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |

Table 253: GET /config/event_sources/log_source_management/protocol_types Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 | | The protocol types were retrieved successfully. |
| 500 | 1020 | An error occurred during the attempt to retrieve the protocols. |

Response Description

The list of all protocol types. A protocol type contains the following fields:

  • id - Long - The ID of the protocol type.

  • name - String - The name of the protocol type.

  • version - String - The version of the protocol component.

  • gateway_supported - Boolean - Indicates whether this protocol can be configured for a gateway log source. A gateway log source is essentially a standalone protocol configuration. The log source receives no events itself, instead it serves only as a host for a protocol configuration which retrieves event data to feed other log sources. It serves as a "gateway" for events from multiple systems to enter the event pipeline. Not all protocol types can support collecting event data from multiple sources, thus not all protocol types can be used for a gateway.

  • parameters - Array - The parameters of this protocol type.

  • parameter_groups - Array - The parameter groups of this protocol type.

A parameter contains the following fields:

  • id - Long - The ID of the parameter.

  • name - String - The internal name of the parameter.

  • label - String - The display name of the parameter.

  • description - String - The display description of the parameter.

  • type - Enumeration - The type of the parameter. Possible values are: STRING, TEXT, INTEGER, REAL, BOOLEAN, DATE, TIME, DATETIME, INTERVAL, HOST, PASSWORD, REGEX

  • group_id - Number - The optional id of the group that this parameter belongs to. This is a reference to one of the groups listed in the protocol type's parameter_groups field.

  • required - Boolean - Indicates whether the parameter is mandatory.

  • min_length - Integer - The optional minimum length of the parameter value. This is only applicable when 'type' is STRING, TEXT, HOST, PASSWORD, REGEX.

  • max_length - Integer - The optional maximum length of the parameter value. This is only applicable when 'type' is STRING, TEXT, HOST, PASSWORD, REGEX.

  • min_value - String - The optional minimum of the parameter value. This is only applicable when 'type' is INTEGER, REAL, DATE, TIME, DATETIME, INTERVAL.

  • max_value - String - The optional maximum of the parameter value. This is only applicable when 'type' is INTEGER, REAL, DATE, TIME, DATETIME, INTERVAL.

  • default_value - String - The optional default parameter value.

  • pattern - String - An optional Java regex pattern restriction on the parameter value. This is only applicable when 'type' is STRING, TEXT, HOST, PASSWORD.

  • pattern_error_message - String - An optional message to show when the 'pattern' restriction fails.

  • allowed_values - Array - An optional restrictive list of allowed parameter values. This is used to implement an enumeration parameter.

  • rules - Array - The parameter rules. This is used to manage parameter rules (e.g. Option A is only available when Option B is set to True, Option C is required whenever Option A is set to False, etc.). This is a list of ProtocolParameterRule structures.

A parameter allowed value contains the following fields:

  • name - String - The user-friendly name of the value.

  • value - String - The value.

A parameter rule contains the following fields:

  • parameter_id - String - The parameter affected by the rule.

  • trigger_parameter_id - Long - The ID of the trigger parameter.

  • trigger_pattern - String - The pattern that will trigger the rule. If the value of trigger_parameter_id matches the regular expression of this field, the rule will trigger.

  • affected_property - String - The affected property. Possible values are:

    • AVAILABLE: Indicates that the parameter's availability will be affected by this rule

    • REQUIRED: Indicates that the required state of the parameter will be affected by this rule

    • DEFAULT: Indicates that the default value of the parameter will be affected by this rule.

  • affected_property_value - String - The value to be applied to the affected parameter when the rule is triggered. Here is how this field is interpreted based on the affected property:

    • AVAILABLE: This will be a boolean value indicating whether the affected parameter should be available. Since all fields are always available by default, setting this to 'true' does not make much sense.

    • REQUIRED: This will be a boolean value indicating whether the affected parameter should be required.

    • DEFAULT: This will be the default value to be used by the affected parameter.

A parameter group contains the following fields:

  • id - Long - The id of the group.

  • name - String - The name of the group.

  • required - Boolean - This indicates whether at least one of the fields in this group is required.

Response Sample

[ { "gateway_supported": true, "id": 42, "name": "String", "parameter_groups": [ { "id": 42, "name": "String", "required": true } ], "parameters": [ { "allowed_values": [ { "name": "String", "value": "String" } ], "default_value": "String", "description": "String", "group_id": 42, "id": 42, "label": "String", "max_length": 42, "max_value": "String", "min_length": 42, "min_value": "String", "name": "String", "pattern": "String", "pattern_description": "String", "required": true, "rules": [ { "affected_property": "String", "affected_property_value": "String", "parameter_id": 42, "trigger_parameter_id": 42, "trigger_pattern": "String" } ], "type": "String" } ], "version": "String" } ]
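As an added example (not code from the product or its documentation), the Python sketch below pre-validates a log source's protocol_parameters against a protocol type definition of the shape returned by this endpoint, and reports the unique codes that POST /config/event_sources/log_source_management/log_sources lists for each kind of failure. The mapping of checks to codes is inferred from the code descriptions, the protocol type and payloads are constructed, and Python's re module stands in for the Java regex engine.

```python
import re

LENGTH_TYPES = {"STRING", "TEXT", "HOST", "PASSWORD", "REGEX"}
PATTERN_TYPES = {"STRING", "TEXT", "HOST", "PASSWORD"}
NUMERIC_TYPES = {"INTEGER", "REAL"}  # DATE/TIME/DATETIME/INTERVAL bounds are not checked here


def rule_state(definition, values):
    """Return (available, required) after applying the parameter's rules.

    Assumption: trigger_pattern must match the whole trigger value."""
    available, required = True, bool(definition.get("required"))
    for rule in definition.get("rules") or []:
        trigger = values.get(rule["trigger_parameter_id"])
        if trigger is None or not re.fullmatch(rule["trigger_pattern"], trigger):
            continue
        flag = str(rule["affected_property_value"]).lower() == "true"
        if rule["affected_property"] == "AVAILABLE":
            available = flag
        elif rule["affected_property"] == "REQUIRED":
            required = flag
    return available, required


def validate_protocol_parameters(protocol_type, protocol_parameters):
    """Return [(unique_code, name)] for every constraint the payload breaks."""
    findings = []
    defs = {p["id"]: p for p in protocol_type.get("parameters", [])}
    values = {}
    for supplied in protocol_parameters:
        definition = defs.get(supplied.get("id"))
        if definition is None or supplied.get("name") not in (None, definition["name"]):
            findings.append((1013, str(supplied.get("name"))))  # id or name invalid
            continue
        values[definition["id"]] = supplied.get("value")

    for pid, d in defs.items():
        name, value, ptype = d["name"], values.get(pid), d.get("type")
        available, required = rule_state(d, values)
        if value in (None, ""):
            if available and required:
                findings.append((1015, name))  # required but missing
            continue
        allowed = {a["value"] for a in d.get("allowed_values") or []}
        if allowed and value not in allowed:
            findings.append((1016, name))
        if ptype in LENGTH_TYPES:
            if d.get("min_length") is not None and len(value) < d["min_length"]:
                findings.append((1017, name))
            if d.get("max_length") is not None and len(value) > d["max_length"]:
                findings.append((1018, name))
        if ptype in NUMERIC_TYPES:
            try:
                number = float(value)
            except ValueError:
                findings.append((1014, name))  # value format incorrect
                continue
            if d.get("max_value") is not None and number > float(d["max_value"]):
                findings.append((1019, name))
            if d.get("min_value") is not None and number < float(d["min_value"]):
                findings.append((1020, name))
        if ptype in PATTERN_TYPES and d.get("pattern") and not re.fullmatch(d["pattern"], value):
            findings.append((1021, name))

    for group in protocol_type.get("parameter_groups") or []:
        members = [p["id"] for p in defs.values() if p.get("group_id") == group["id"]]
        if group.get("required") and not any(values.get(m) for m in members):
            findings.append((1023, group["name"]))  # nothing set in a required group
    return findings


# Constructed protocol type in the shape of the response sample (not a real JSA protocol).
EXAMPLE_PROTOCOL_TYPE = {
    "id": 9001, "name": "ExampleReceiver", "gateway_supported": False,
    "parameter_groups": [{"id": 1, "name": "auth", "required": True}],
    "parameters": [
        {"id": 1, "name": "identifier", "type": "HOST", "required": True,
         "min_length": 1, "max_length": 10, "pattern": "[a-z0-9.-]+"},
        {"id": 2, "name": "port", "type": "INTEGER", "required": True,
         "min_value": "1", "max_value": "65535"},
        {"id": 3, "name": "useTls", "type": "BOOLEAN", "required": False,
         "allowed_values": [{"name": "Yes", "value": "true"}, {"name": "No", "value": "false"}]},
        {"id": 4, "name": "keystorePath", "type": "STRING", "required": False,
         "rules": [{"parameter_id": 4, "trigger_parameter_id": 3, "trigger_pattern": "true",
                    "affected_property": "REQUIRED", "affected_property_value": "true"}]},
        {"id": 5, "name": "apiKeyAlias", "type": "STRING", "group_id": 1, "required": False},
    ],
}

# Constructed payloads: one that passes, one that breaks several constraints at once.
GOOD = [{"id": 1, "name": "identifier", "value": "fw01.lab"},
        {"id": 2, "name": "port", "value": "8443"},
        {"id": 3, "name": "useTls", "value": "false"},
        {"id": 5, "name": "apiKeyAlias", "value": "siem-ingest"}]
BAD = [{"id": 99, "name": "bogus", "value": "x"},
       {"id": 1, "name": "identifier", "value": "FW01.example.internal"},
       {"id": 2, "name": "port", "value": "70000"},
       {"id": 3, "name": "useTls", "value": "true"}]
```

Running such a check before the POST catches a log source that would be rejected with a 422, which otherwise shows up only later as a device that never started reporting.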

GET /config/event_sources/log_source_management/protocol_types/{id}

Retrieves a protocol type by ID.

Table 254: GET /config/event_sources/log_source_management/protocol_types/{id} Resource Details

MIME Type

application/json

Table 255: GET /config/event_sources/log_source_management/protocol_types/{id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| id | path | Required | Number (Integer) | text/plain | The ID of the protocol type to retrieve. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 256: GET /config/event_sources/log_source_management/protocol_types/{id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 200 | | The protocol type was retrieved successfully. |
| 404 | 1002 | A protocol type with the specified ID could not be found. |
| 500 | 1020 | An error occurred during the attempt to retrieve the protocol. |

Response Description

The protocol type after it is retrieved. A protocol type contains the following fields:

  • id - Long - The ID of the protocol type.

  • name - String - The name of the protocol type.

  • version - String - The version of the protocol component.

  • gateway_supported - Boolean - Indicates whether this protocol can be configured for a gateway log source. A gateway log source is essentially a standalone protocol configuration. The log source receives no events itself, instead it serves only as a host for a protocol configuration which retrieves event data to feed other log sources. It serves as a "gateway" for events from multiple systems to enter the event pipeline. Not all protocol types can support collecting event data from multiple sources, thus not all protocol types can be used for a gateway.

  • parameters - Array - The parameters of this protocol type.

  • parameter_groups - Array - The parameter groups of this protocol type.

A parameter contains the following fields:

  • id - Long - The ID of the parameter.

  • name - String - The internal name of the parameter.

  • label - String - The display name of the parameter.

  • description - String - The display description of the parameter.

  • type - Enumeration - The type of the parameter. Possible values are: STRING, TEXT, INTEGER, REAL, BOOLEAN, DATE, TIME, DATETIME, INTERVAL, HOST, PASSWORD, REGEX

  • group_id - Number - The optional id of the group that this parameter belongs to. This is a reference to one of the groups listed in the protocol type's parameter_groups field.

  • required - Boolean - Indicates whether the parameter is mandatory.

  • min_length - Integer - The optional minimum length of the parameter value. This is only applicable when 'type' is STRING, TEXT, HOST, PASSWORD, REGEX.

  • max_length - Integer - The optional maximum length of the parameter value. This is only applicable when 'type' is STRING, TEXT, HOST, PASSWORD, REGEX.

  • min_value - String - The optional minimum of the parameter value. This is only applicable when 'type' is INTEGER, REAL, DATE, TIME, DATETIME, INTERVAL.

  • max_value - String - The optional maximum of the parameter value. This is only applicable when 'type' is INTEGER, REAL, DATE, TIME, DATETIME, INTERVAL.

  • default_value - String - The optional default parameter value.

  • pattern - String - An optional Java regex pattern restriction on the parameter value. This is only applicable when 'type' is STRING, TEXT, HOST, PASSWORD.

  • pattern_error_message - String - An optional message to show when the 'pattern' restriction fails.

  • allowed_values - Array - An optional restrictive list of allowed parameter values. This is used to implement an enumeration parameter.

  • rules - Array - The parameter rules. This is used to manage parameter rules (e.g. Option A is only available when Option B is set to True, Option C is required whenever Option A is set to False, etc.). This is a list of ProtocolParameterRule structures.

A parameter allowed value contains the following fields:

  • name - String - The user-friendly name of the value.

  • value - String - The value.

A parameter rule contains the following fields:

  • parameter_id - String - The parameter affected by the rule.

  • trigger_parameter_id - Long - The ID of the trigger parameter.

  • trigger_pattern - String - The pattern that will trigger the rule. If the value of trigger_parameter_id matches the regular expression of this field, the rule will trigger.

  • affected_property - String - The affected property. Possible values are:

    • AVAILABLE: Indicates that the parameter's availability will be affected by this rule

    • REQUIRED: Indicates that the required state of the parameter will be affected by this rule

    • DEFAULT: Indicates that the default value of the parameter will be affected by this rule.

  • affected_property_value - String - The value to be applied to the affected parameter when the rule is triggered. Here is how this field is interpreted based on the affected property:

    • AVAILABLE: This will be a boolean value indicating whether the affected parameter should be available. Since all fields are always available by default, setting this to 'true' does not make much sense.

    • REQUIRED: This will be a boolean value indicating whether the affected parameter should be required.

    • DEFAULT: This will be the default value to be used by the affected parameter.

A parameter group contains the following fields:

  • id - Long - The id of the group.

  • name - String - The name of the group.

  • required - Boolean - This indicates whether at least one of the fields in this group is required.

Response Sample

{ "gateway_supported": true, "id": 42, "name": "String", "parameter_groups": [ { "id": 42, "name": "String", "required": true } ], "parameters": [ { "allowed_values": [ { "name": "String", "value": "String" } ], "default_value": "String", "description": "String", "group_id": 42, "id": 42, "label": "String", "max_length": 42, "max_value": "String", "min_length": 42, "min_value": "String", "name": "String", "pattern": "String", "pattern_description": "String", "required": true, "rules": [ { "affected_property": "String", "affected_property_value": "String", "parameter_id": 42, "trigger_parameter_id": 42, "trigger_pattern": "String" } ], "type": "String" } ], "version": "String" }

GET /config/event_sources/property_discovery_profiles

Gets all PropertyDiscoveryProfiles currently in the system.

Table 257: GET /config/event_sources/property_discovery_profiles Resource Details

MIME Type

application/json

Table 258: GET /config/event_sources/property_discovery_profiles Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |

Table 259: GET /config/event_sources/property_discovery_profiles Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 500 | 1020 | An internal server error has occurred. |

Response Description

A List of PropertyDiscoveryProfiles currently in the system.

  • id - Integer - The ID of the property discovery profile.

  • property_discovery_type - String - The type of property discovery for this profile (JSON or NONE).

  • optimized - Boolean - Indicates whether this profile creates custom properties as optimized.

  • active - Boolean - Indicates whether this profile is enabled and actively being used.

  • threshold - Integer - The number of events that can be handled without creating any custom properties before this profile becomes inactive.

  • log_source_type_id - Integer - The ID of a log-source-type that this profile corresponds to (This is the basic filter property, it must be set for the profile to be used).

  • create_for_normalized - Boolean - If false, the property-discovery-engine will NOT create custom properties for any fields that match the name of a normalized system property. If true, it creates the properties, but with an identifying tag on the name; for example, a field that is called 'username' creates a custom-property that is named 'username_custom'.

Response Sample

[ { "active": true, "create_for_normalized": true, "id": 42, "log_source_type_id": 42, "property_discovery_type": "String", "threshold": 42, "use_for_rule_engine": true } ]

DELETE /config/event_sources/property_discovery_profiles/{id}

Deletes the specified PropertyDiscoveryProfile.

Table 260: DELETE /config/event_sources/property_discovery_profiles/{id} Resource Details

MIME Type

text/plain

Table 261: DELETE /config/event_sources/property_discovery_profiles/{id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| id | path | Required | Number (Integer) | text/plain | The ID of the PropertyDiscoveryProfile to be deleted. |

Table 262: DELETE /config/event_sources/property_discovery_profiles/{id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 404 | 1002 | If the supplied id does not correlate to an existing PropertyDiscoveryProfile. |
| 500 | 1020 | An internal server error has occurred. |

Response Description

Response Sample

GET /config/event_sources/property_discovery_profiles/{id}

Gets a PropertyDiscoveryProfile based on the information supplied by the property_discovery_profile corresponding to the supplied ID.

Table 263: GET /config/event_sources/property_discovery_profiles/{id} Resource Details

MIME Type

application/json

Table 264: GET /config/event_sources/property_discovery_profiles/{id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| id | path | Required | Number (Integer) | text/plain | The ID of the PropertyDiscoveryProfile. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 265: GET /config/event_sources/property_discovery_profiles/{id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 404 | 1002 | If the supplied id does not correlate to an existing PropertyDiscoveryProfile. |
| 500 | 1020 | An internal server error has occurred. |

Response Description

A PropertyDiscoveryProfile corresponding to the supplied ID.

  • id - Integer - The ID of the property discovery profile.

  • property_discovery_type - String - The type of property discovery for this profile (JSON or NONE).

  • optimized - Boolean - Indicates whether this profile creates custom properties as optimized.

  • active - Boolean - Indicates whether this profile is enabled and actively being used.

  • threshold - Integer - The number of events that can be handled without creating any custom properties before this profile becomes inactive.

  • log_source_type_id - Integer - The ID of a log-source-type that this profile corresponds to (This is the basic filter property, it must be set for the profile to be used).

  • create_for_normalized - Boolean - If false, the property-discovery-engine will NOT create custom properties for any fields that match the name of a normalized system property. If true, it creates the properties, but with an identifying tag on the name; for example, a field that is called 'username' creates a custom-property that is named 'username_custom'.

Response Sample

{ "active": true, "create_for_normalized": true, "id": 42, "log_source_type_id": 42, "property_discovery_type": "String", "threshold": 42, "use_for_rule_engine": true }

POST /config/event_sources/property_discovery_profiles/{id}

Updates a PropertyDiscoveryProfile based on the information supplied via the property_discovery_profile JSON object.

Table 266: POST /config/event_sources/property_discovery_profiles/{id} Resource Details

MIME Type

application/json

Table 267: POST /config/event_sources/property_discovery_profiles/{id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| id | path | Required | Number (Integer) | text/plain | The ID of the PropertyDiscoveryProfile to be updated. |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 268: POST /config/event_sources/property_discovery_profiles/{id} Request Body Details

| Parameter | Data Type | MIME Type | Description | Sample |
| --- | --- | --- | --- | --- |
| data | Object | application/json | A PropertyDiscoveryProfileDTO instance that describes the profile to be updated. | { "active": true, "create_for_normalized": true, "log_source_type_id": 42, "property_discovery_type": "String", "threshold": 42, "use_for_rule_engine": true } |

Table 269: POST /config/event_sources/property_discovery_profiles/{id} Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 404 | 1002 | If one or more of the parameters cannot be correlated to an existing system entity. |
| 409 | 1004 | Log source type id is already in use by another property discovery profile. |
| 422 | 1010 | If one or more of the parameters cannot be validated correctly. |
| 500 | 1020 | An internal server error has occurred. |

Response Description

A PropertyDiscoveryProfile as updated within the system.

  • id - Integer - The ID of the property discovery profile.

  • property_discovery_type - String - The type of property discovery for this profile (JSON or NONE).

  • optimized - Boolean - Indicates whether this profile creates custom properties as optimized.

  • active - Boolean - Indicates whether this profile is enabled and actively being used.

  • threshold - Integer - The number of events that can be handled without creating any custom properties before this profile becomes inactive.

  • log_source_type_id - Integer - The ID of a log-source-type that this profile corresponds to (This is the basic filter property, it must be set for the profile to be used).

  • create_for_normalized - Boolean - If false, the property-discovery-engine will NOT create custom properties for any fields that match the name of a normalized system property. If true, it creates the properties, but with an identifying tag on the name; for example, a field that is called 'username' creates a custom-property that is named 'username_custom'.

Response Sample

{ "active": true, "create_for_normalized": true, "id": 42, "log_source_type_id": 42, "property_discovery_type": "String", "threshold": 42, "use_for_rule_engine": true }

POST /config/event_sources/property_discovery_profiles

Creates a PropertyDiscoveryProfile based on the information supplied by the property_discovery_profile JSON object.

Table 270: POST /config/event_sources/property_discovery_profiles Resource Details

MIME Type

application/json

Table 271: POST /config/event_sources/property_discovery_profiles Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 272: POST /config/event_sources/property_discovery_profiles Request Body Details

| Parameter | Data Type | MIME Type | Description | Sample |
| --- | --- | --- | --- | --- |
| data | Object | application/json | A PropertyDiscoveryProfileCreatorDTO instance that describes the profile. | { "active": true, "create_for_normalized": true, "log_source_type_id": 42, "property_discovery_type": "String", "threshold": 42, "use_for_rule_engine": true } |

Table 273: POST /config/event_sources/property_discovery_profiles Response Codes

| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 409 | 1004 | Log source type id is already in use by another property discovery profile. |
| 422 | 1010 | If one or more of the parameters cannot be validated correctly. |
| 500 | 1020 | An internal server error has occurred. |

Response Description

A PropertyDiscoveryProfile as created within the system.

  • id - Integer - The ID of the property discovery profile.

  • property_discovery_type - String - The type of property discovery for this profile (JSON or NONE).

  • optimized - Boolean - Indicates whether this profile creates custom properties as optimized.

  • active - Boolean - Indicates whether this profile is enabled and actively being used.

  • threshold - Integer - The number of events that can be handled without creating any custom properties before this profile becomes inactive.

  • log_source_type_id - Integer - The ID of a log-source-type that this profile corresponds to (This is the basic filter property, it must be set for the profile to be used).

  • create_for_normalized - Boolean - If false, the property-discovery-engine will NOT create custom properties for any fields that match the name of a normalized system property. If true, it creates the properties, but with an identifying tag on the name; for example, a field that is called 'username' creates a custom-property that is named 'username_custom'.

Response Sample

{ "active": true, "create_for_normalized": true, "id": 42, "log_source_type_id": 42, "property_discovery_type": "String", "threshold": 42, "use_for_rule_engine": true }

GET /config/event_sources/wincollect/wincollect_agents

Gets a list of WinCollectAgentDTO based on the rows in the ale_client table.

Table 274: GET /config/event_sources/wincollect/wincollect_agents Resource Details

MIME Type

application/json

Table 275: GET /config/event_sources/wincollect/wincollect_agents Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |

Table 276: GET /config/event_sources/wincollect/wincollect_agents Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 422 | 1010 | The supplied filter is invalid. |
| 500 | 1020 | An internal server error has occurred. |

Response Description

A List of WinCollectAgentDTOs

  • id - Integer - The id of the WinCollect Agent.

  • name - String - Name of the WinCollect agent.

  • description - String - Description of the WinCollect agent.

  • host - String - IP address or hostname of WinCollect agent.

  • version - String - Version of WinCollect agent.

  • os_version - String - Operating system version of the host the agent is running on.

  • status - Enumeration - Status of the agent, from the perspective of JSA.

  • enabled - Boolean - True if the agent is enabled/running, false if it's been deliberately disabled/turned off.

  • autoupdates_enabled - Boolean - True if the agent is allowed to autonomously request configuration and software updates from JSA, false if it is not allowed to receive updates.

  • autodiscovered - Boolean - True if the agent entity was created as the result of an agent registering itself with JSA, false if a user manually created the agent entity before the agent initiated communication.

  • last_heartbeat_time - Long - The date/time (expressed as milliseconds since epoch) that a heartbeat signal from the agent was last received.

  • last_config_generation_time - Long - The date/time (expressed as milliseconds since epoch) that the agent's configuration file was last generated on JSA.

Response Sample

[ { "autodiscovered": true, "autoupdates_enabled": true, "description": "String", "enabled": true, "host": "String", "id": 42, "last_config_generation_time": 42, "last_heartbeat_time": 42, "name": "String", "os_version": "String", "status": "String <one of: NO_COMMUNICATION_FROM_AGENT, RUNNING, STOPPED, UNAVAILABLE, UNKNOWN>", "version": "String" } ]

GET /config/event_sources/wincollect/wincollect_agents/{id}

Gets a WinCollectAgentDTO based on the information supplied via the ale_client corresponding to the supplied id.

Table 277: GET /config/event_sources/wincollect/wincollect_agents/{id} Resource Details

MIME Type

application/json

Table 278: GET /config/event_sources/wincollect/wincollect_agents/{id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| id | path | Required | Number (Integer) | text/plain | The id of the WinCollect Agent to retrieve |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 279: GET /config/event_sources/wincollect/wincollect_agents/{id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 404 | 1010 | The requested WinCollect Agent cannot be found. |
| 500 | 1020 | An internal server error has occurred. |

Response Description

A WinCollectAgentDTO that represents the WinCollect Agent associated with the supplied id.

  • id - Integer - The id of the WinCollect Agent.

  • name - String - Name of the WinCollect agent.

  • description - String - Description of the WinCollect agent.

  • host - String - IP address or hostname of WinCollect agent.

  • version - String - Version of WinCollect agent.

  • os_version - String - Operating system version of the host the agent is running on.

  • status - Enumeration - Status of the agent, from the perspective of JSA.

  • enabled - Boolean - True if the agent is enabled/running, false if it's been deliberately disabled/turned off.

  • autoupdates_enabled - Boolean - True if the agent is allowed to autonomously request configuration and software updates from JSA, false if it is not allowed to receive updates.

  • autodiscovered - Boolean - True if the agent entity was created as the result of an agent registering itself with JSA, false if a user manually created the agent entity before the agent initiated communication.

  • last_heartbeat_time - Long - The date/time (expressed as milliseconds since epoch) that a heartbeat signal from the agent was last received.

  • last_config_generation_time - Long - The date/time (expressed as milliseconds since epoch) that the agent's configuration file was last generated on JSA.

Response Sample

{ "autodiscovered": true, "autoupdates_enabled": true, "description": "String", "enabled": true, "host": "String", "id": 42, "last_config_generation_time": 42, "last_heartbeat_time": 42, "name": "String", "os_version": "String", "status": "String <one of: NO_COMMUNICATION_FROM_AGENT, RUNNING, STOPPED, UNAVAILABLE, UNKNOWN>", "version": "String" }

GET /config/event_sources/wincollect/wincollect_destinations

Gets a list of WinCollectDestinationDTO based on the rows in the ale_destination table.

Table 280: GET /config/event_sources/wincollect/wincollect_destinations Resource Details

MIME Type

application/json

Table 281: GET /config/event_sources/wincollect/wincollect_destinations Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |

Table 282: GET /config/event_sources/wincollect/wincollect_destinations Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 500 | 1020 | An internal server error has occurred. |

Response Description

A list of WinCollectDestinationDTOs

  • id - Integer - The id of the WinCollect destination.

  • name - String - Name of the WinCollect destination.

  • host - String - IP address or hostname of WinCollect destination.

  • port - Integer - Listen port on the WinCollect destination.

  • transport_protocol - Enumeration - The protocol over which event data should be sent to this WinCollect destination.

  • event_rate_throttle - Integer - Event-per-second rate at which to throttle the event flow to this destination.

  • internal - Boolean - True if the destination corresponds to a JSA event collector process from this deployment, false if it is any other host.

Response Sample

[ { "event_rate_throttle": 42, "host": "String", "id": 42, "internal": true, "name": "String", "port": 42, "tls_certificate": "String", "transport_protocol": "String <one of: UDP, TCP, TLS, UNKNOWN>" } ]

GET /config/event_sources/wincollect/wincollect_destinations/{id}

Gets a WinCollectDestinationDTO based on the information supplied via the ale_destination corresponding to the supplied id.

Table 283: GET /config/event_sources/wincollect/wincollect_destinations/{id} Resource Details

MIME Type

application/json

Table 284: GET /config/event_sources/wincollect/wincollect_destinations/{id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| id | path | Required | Number (Integer) | text/plain | The id of the WinCollect Destination to retrieve |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 285: GET /config/event_sources/wincollect/wincollect_destinations/{id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 404 | 1010 | The requested WinCollect Destination cannot be found. |
| 500 | 1020 | An internal server error has occurred. |

Response Description

A WinCollectDestinationDTO

  • id - Integer - The id of the WinCollect destination.

  • name - String - Name of the WinCollect destination.

  • host - String - IP address or hostname of WinCollect destination.

  • port - Integer - Listen port on the WinCollect destination.

  • transport_protocol - Enumeration - The protocol over which event data should be sent to this WinCollect destination.

  • event_rate_throttle - Integer - Event-per-second rate at which to throttle the event flow to this destination.

  • internal - Boolean - True if the destination corresponds to a JSA event collector process from this deployment, false if it is any other host.

Response Sample

{ "event_rate_throttle": 42, "host": "String", "id": 42, "internal": true, "name": "String", "port": 42, "tls_certificate": "String", "transport_protocol": "String <one of: UDP, TCP, TLS, UNKNOWN>" }
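Added example (not part of the JSA API reference): a Python audit over the agent and destination lists returned by the two WinCollect list endpoints above, flagging agents that have gone quiet or registered themselves unexpectedly, and destinations that receive events over a non-TLS transport or outside the deployment. The sample records, the 15-minute staleness threshold, the expected-host inventory and the finding labels are constructed assumptions; only the field names and enumeration values come from this page.

```python
import json

NOW_MS = 1_700_000_000_000        # constructed "current time", ms since epoch
STALE_AFTER_MS = 15 * 60 * 1000   # assumption: 15 minutes without a heartbeat is stale
EXPECTED_HOSTS = {"192.0.2.10", "192.0.2.20"}  # constructed asset inventory

# Constructed records using the field names of the WinCollectAgentDTO above.
AGENTS = json.loads("""
[
 {"id": 1, "name": "dc01", "host": "192.0.2.10", "status": "RUNNING",
  "enabled": true, "autoupdates_enabled": true, "autodiscovered": false,
  "last_heartbeat_time": 1699999940000},
 {"id": 2, "name": "ws-unknown", "host": "192.0.2.77",
  "status": "NO_COMMUNICATION_FROM_AGENT", "enabled": true,
  "autoupdates_enabled": true, "autodiscovered": true,
  "last_heartbeat_time": 1699740800000},
 {"id": 3, "name": "fs02", "host": "192.0.2.20", "status": "STOPPED",
  "enabled": false, "autoupdates_enabled": false, "autodiscovered": false,
  "last_heartbeat_time": 1699000000000}
]
""")

# Constructed records using the field names of the WinCollectDestinationDTO above.
DESTINATIONS = json.loads("""
[
 {"id": 10, "name": "ec-local", "host": "192.0.2.5", "port": 6514,
  "transport_protocol": "TLS", "internal": true, "event_rate_throttle": 5000},
 {"id": 11, "name": "ec-legacy", "host": "192.0.2.6", "port": 514,
  "transport_protocol": "UDP", "internal": true, "event_rate_throttle": 5000},
 {"id": 12, "name": "copy-out", "host": "198.51.100.9", "port": 514,
  "transport_protocol": "TCP", "internal": false, "event_rate_throttle": 1000}
]
""")


def audit_agents(agents, now_ms, expected_hosts, stale_after_ms=STALE_AFTER_MS):
    """Return (agent_id, finding) tuples for agents that need attention."""
    findings = []
    for agent in agents:
        agent_id = agent["id"]
        # A self-registered agent on a host nobody expected should be reconciled.
        if agent.get("autodiscovered") and agent.get("host") not in expected_hosts:
            findings.append((agent_id, "unexpected_self_registered"))
        # Deliberately disabled agents are reported once; status and heartbeat
        # checks would only add noise for them.
        if not agent.get("enabled"):
            findings.append((agent_id, "disabled"))
            continue
        status = agent.get("status", "UNKNOWN")
        if status != "RUNNING":
            findings.append((agent_id, "not_running:" + status))
        heartbeat = agent.get("last_heartbeat_time")
        if heartbeat is None or now_ms - heartbeat > stale_after_ms:
            findings.append((agent_id, "stale_heartbeat"))
    return findings


def audit_destinations(destinations):
    """Return (destination_id, finding) tuples for risky event destinations."""
    findings = []
    for dest in destinations:
        protocol = dest.get("transport_protocol", "UNKNOWN")
        if protocol != "TLS":
            findings.append((dest["id"], "non_tls_transport:" + protocol))
        # internal == false means the events go to a host that is not an
        # event collector of this deployment.
        if not dest.get("internal"):
            findings.append((dest["id"], "external_destination"))
    return findings


if __name__ == "__main__":
    for item in audit_agents(AGENTS, NOW_MS, EXPECTED_HOSTS):
        print("agent", *item)
    for item in audit_destinations(DESTINATIONS):
        print("destination", *item)
```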

GET /config/extension_management/extensions

Retrieve a list of extensions.

Table 286: GET /config/extension_management/extensions Resource Details

MIME Type

application/json

Table 287: GET /config/extension_management/extensions Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |

Table 288: GET /config/extension_management/extensions Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 |  | The requested list of extensions has been retrieved. |
| 422 | 22608 | The supplied filter is invalid. |
| 422 | 22615 | Unknown status used in filter. |
| 422 | 22610 | The selected field cannot be utilized for sorting. |
| 422 | 22609 | Only top-level-elements of the root entity can be sorted on. |
| 500 | 22602 | An error has occurred while trying to retrieve the list of extensions. |

Response Description

A list of extensions. Each extension contains the following fields:

  • id - Number - Unique ID of this extension within the JSA deployment.

  • name - String - The name of the extension.

  • description - String - The description of the extension.

  • author - String - The author of the extension (the person who generated it).

  • authored_by_email - String - The email of the author.

  • version - String - The version of the extension.

  • supported_languages - Array of strings - The language tags supported by this extension.

  • exported_jsa_version - String - The version of the JSA deployment this extension was exported from.

  • min_jsa_version - String - The minimum JSA version required for the extension to function properly.

  • file_location - String - The location of the extension file on disk.

  • size - Number - The size in bytes of the extension file.

  • signed - String - The state of the extension's signature.

  • beta - Boolean - True if the extension is considered to be beta or experimental.

  • added_by - String - The user or authorized service that added the extension to JSA.

  • installed_by - String - The user or authorized service that installed the extension.

  • add_time - Number - The date/time at which the extension was added to JSA, represented as number of milliseconds since Unix epoch.

  • install_time - Number - The date/time at which the extension was installed, represented as number of milliseconds since Unix epoch.

  • full_uninstall - Boolean - True if the extension and all of its contents can be fully uninstalled.

  • status - String - The tag corresponding to the current status of the extension. Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING, INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED, NOT_INSTALLED, PREVIEWING, NONE.

  • contents - Array of objects representing an item contained within the extension. Each object has the following fields:

    • content_type_id - Number - The ID of the content type.

    • content_type_name - String - The name of the content type.

    • identifier - String - The descriptive name/identifier of the item.

Response Sample

[ { "file_location": "/store/cmt/exports/custom_rule.zip", "supported_languages": [ "en_US" ], "contents": [ { "content_type_id": 3, "identifier": "No Description Supplied", "content_type_name": "custom_rule" }, { "content_type_id": 28, "identifier": "Asset Reconciliation IPv4 Blacklist", "content_type_name": "reference_data" }, { "content_type_id": 28, "identifier": "Asset Reconciliation IPv4 Whitelist", "content_type_name": "reference_data" }, { "content_type_id": 32, "identifier": "No Description Supplied", "content_type_name": "reference_data_rules" } ], "status": "INSTALLED", "signed": "NOT_SIGNED", "full_uninstall": false, "min_qradar_version": null, "beta": false, "version": "7.2.6.20150825133843", "size": 8575, "id": 59, "author": "admin", "authored_by_email": "account@company.com", "description": null, "exported_qradar_version": null, "name": "custom_rule.xml", "install_time": 1440788704856, "installed_by": "admin", "added_by": "admin", "add_time": 1440693660702 }, { "file_location": "/store/cmt/exports/qidmap.xml", "supported_languages": [ "en_US" ], "contents": [ { "content_type_id": 27, "identifier": "", "content_type_name": "qidmap" } ], "status": "INSTALLED", "signed": "NOT_SIGNED", "full_uninstall": false, "min_qradar_version": null, "beta": false, "version": "7.2.6.20150821144442", "size": 675, "id": 2, "author": "admin", "authored_by_email": "account@company.com", "description": null, "exported_qradar_version": null, "name": "qidmap.xml", "install_time": 1440612194941, "installed_by": "admin", "added_by": "admin", "add_time": 1440555001236 } ]

POST /config/extension_management/extensions

Uploads the supplied extension file to the JSA system.

Table 289: POST /config/extension_management/extensions Resource Details

MIME Type

application/json

Table 290: POST /config/extension_management/extensions Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 291: POST /config/extension_management/extensions Request Body Details

| Parameter | Data Type | MIME Type | Description | Sample |
|---|---|---|---|---|
| file | File | application/x-gzip | Required - The Extension file. Must be a properly-formed JSA extension/content export, either an XML file or an XML within a ZIP or TAR.GZ archive. Must be provided with MIME type application/xml, application/zip, application/x-gzip or multipart/form-data. | File |

Table 292: POST /config/extension_management/extensions Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 201 |  | The supplied extension file has been uploaded. |
| 409 | 22613 | The supplied extension file cannot be uploaded because it shares the same hub_id and version as one of the extensions in the system. |
| 412 | 22619 | null |
| 422 | 22607 | The supplied extension could not be validated successfully. |
| 422 | 22616 | The supplied manifest for the extension is invalid. |
| 500 | 22602 | An error has occurred while trying to upload the extension file. |

Response Description

An extension containing the following fields:

  • id - Number - Unique ID of this extension within the JSA deployment.

  • name - String - The name of the extension.

  • description - String - The description of the extension.

  • author - String - The author of the extension (the person who generated it).

  • authored_by_email - String - The email of the author.

  • version - String - The version of the extension.

  • supported_languages - Array of strings - The language tags supported by this extension.

  • exported_jsa_version - String - The version of the JSA deployment this extension was exported from.

  • min_jsa_version - String - The minimum JSA version required for the extension to function properly.

  • file_location - String - The location of the extension file on disk.

  • size - Number - The size in bytes of the extension file.

  • signed - String - The state of the extension's signature.

  • beta - Boolean - True if the extension is considered to be beta or experimental.

  • added_by - String - The user or authorized service that added the extension to JSA.

  • installed_by - String - The user or authorized service that installed the extension.

  • add_time - Number - The date/time at which the extension was added to JSA, represented as number of milliseconds since Unix epoch.

  • install_time - Number - The date/time at which the extension was installed, represented as number of milliseconds since Unix epoch.

  • full_uninstall - Boolean - True if the extension and all of its contents can be fully uninstalled.

  • status - String - The tag corresponding to the current status of the extension. Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING, INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED, NOT_INSTALLED, PREVIEWING, NONE.

  • contents - Array of objects representing an item contained within the extension. Each object has the following fields:

    • content_type_id - Number - The ID of the content type.

    • content_type_name - String - The name of the content type.

    • identifier - String - The descriptive name/identifier of the item.

Response Sample

{ "file_location": "/store/cmt/exports/qidmaps.xml", "supported_languages": [ "en_US" ], "contents": [ { "content_type_id": 27, "identifier": "", "content_type_name": "qidmap" } ], "status": "INSTALLED", "signed": "NOT_SIGNED", "full_uninstall": false, "min_qradar_version": null, "beta": false, "version": "7.2.6.20150821144442", "size": 675, "id": 2, "author": "admin", "authored_by_email": "account@company.com", "description": null, "exported_qradar_version": null, "name": "qidmaps.xml", "install_time": 1440612194941, "installed_by": "admin", "added_by": "admin", "add_time": 1440555001236 }

GET /config/extension_management/extensions/{extension_id}

Retrieves an extension based on the supplied extension_id.

Table 293: GET /config/extension_management/extensions/{extension_id} Resource Details

MIME Type

application/json

Table 294: GET /config/extension_management/extensions/{extension_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| extension_id | path | Required | Number (Integer) | text/plain | Required - The id of the extension. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 295: GET /config/extension_management/extensions/{extension_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 |  | The requested extension has been retrieved. |
| 404 | 22603 | The requested extension cannot be found. |
| 422 | 22606 | A supplied numeric parameter was not positive. |
| 500 | 22602 | An error has occurred while trying to retrieve the requested extension. |

Response Description

An extension containing the following fields:

  • id - Number - Unique ID of this extension within the JSA deployment.

  • name - String - The name of the extension.

  • description - String - The description of the extension.

  • author - String - The author of the extension (the person who generated it).

  • authored_by_email - String - The email of the author.

  • version - String - The version of the extension.

  • supported_languages - Array of strings - The language tags supported by this extension.

  • exported_jsa_version - String - The version of the JSA deployment this extension was exported from.

  • min_jsa_version - String - The minimum JSA version required for the extension to function properly.

  • file_location - String - The location of the extension file on disk.

  • size - Number - The size in bytes of the extension file.

  • signed - String - The state of the extension's signature.

  • beta - Boolean - True if the extension is considered to be beta or experimental.

  • added_by - String - The user or authorized service that added the extension to JSA.

  • installed_by - String - The user or authorized service that installed the extension.

  • add_time - Number - The date/time at which the extension was added to JSA, represented as number of milliseconds since Unix epoch.

  • install_time - Number - The date/time at which the extension was installed, represented as number of milliseconds since Unix epoch.

  • full_uninstall - Boolean - True if the extension and all of its contents can be fully uninstalled.

  • status - String - The tag corresponding to the current status of the extension. Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING, INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED, NOT_INSTALLED, PREVIEWING, NONE.

  • contents - Array of objects representing an item contained within the extension. Each object has the following fields:

    • content_type_id - Number - The ID of the content type.

    • content_type_name - String - The name of the content type.

    • identifier - String - The descriptive name/identifier of the item.

Response Sample

{ "file_location": "/store/cmt/exports/qidmaps.xml", "supported_languages": [ "en_US" ], "contents": [ { "content_type_id": 27, "identifier": "", "content_type_name": "qidmap" } ], "status": "INSTALLED", "signed": "NOT_SIGNED", "full_uninstall": false, "min_qradar_version": null, "beta": false, "version": "7.2.6.20150821144442", "size": 675, "id": 2, "author": "admin", "authored_by_email": "account@company.com", "description": null, "exported_qradar_version": null, "name": "qidmaps.xml", "install_time": 1440612194941, "installed_by": "admin", "added_by": "admin", "add_time": 1440555001236 }

POST /config/extension_management/extensions/{extension_id}/metadata

Adds metadata to the Extension corresponding to the supplied extension_id.

Table 296: POST /config/extension_management/extensions/{extension_id}/metadata Resource Details

MIME Type

application/json

Table 297: POST /config/extension_management/extensions/{extension_id}/metadata Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| extension_id | path | Required | Number (Integer) | text/plain | Required - The id of the extension. |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 298: POST /config/extension_management/extensions/{extension_id}/metadata Request Body Details

| Parameter | Data Type | MIME Type | Description | Sample |
|---|---|---|---|---|
| metadata | Object | application/json | Required - Metadata to be added to the extension. | { "app_oauth_users": [ {"app_name": "TestApp1", "user_id": 5} ] } |

Table 299: POST /config/extension_management/extensions/{extension_id}/metadata Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 404 | 22603 | The requested extension cannot be found. |
| 422 | 22606 | A supplied numeric parameter was not positive. |
| 500 | 22602 | An error occurred while trying to add the metadata. |

Response Description

The metadata that was added.

Response Sample

{ "app_oauth_users": [ {"app_name": "TestApp1", "user_id": 5} ] }

POST /config/extension_management/extensions/{extension_id}

Installs the Extension corresponding to the supplied extension_id. Alternatively, this endpoint can be used to preview an Extension, showing what values would be applied if the Extension were installed.

Table 300: POST /config/extension_management/extensions/{extension_id} Resource Details

MIME Type

application/json

Table 301: POST /config/extension_management/extensions/{extension_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| extension_id | path | Required | Number (Integer) | text/plain | Required - The id of the extension. |
| action_type | query | Required | String | text/plain | Required - The desired action to take on the Extension (INSTALL or PREVIEW). |
| overwrite | query | Optional | Boolean | text/plain | Optional - If true, any existing items on the importing system will be overwritten if the extension contains the same items. If false, existing items will be preserved, and the corresponding items in the extension will be skipped. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 302: POST /config/extension_management/extensions/{extension_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 202 |  | The requested install or preview task has been started. |
| 404 | 22603 | The requested extension cannot be found. |
| 404 | 22604 | The task status for status_id cannot be found. |
| 409 | 22612 | The supplied extension cannot be installed/previewed because it is already installed. |
| 409 | 22611 | The supplied extension cannot be installed/previewed because it is already in the process of being installed/previewed. |
| 409 | 22618 | The requested task cannot be initiated because another preview/install task is already in progress. |
| 422 | 22605 | The supplied action type is invalid. |
| 422 | 22606 | A supplied numeric parameter was not positive. |
| 500 | 22602 | An error has occurred while trying to install or preview the requested extension. |

Response Description

A JSON string depicting the accepted task for previewing/installing an extension:

  • status_id - Number - id of the task status.

  • message - String - description of the accepted task.

  • status_location - String - the url of the task status.

Response Sample

{ "status_id": 25, "message": "Installing an extension", "status_location": "https://10.10.10.10/console/restapi/api/config/extension_management/extensions_task_status/25" }

DELETE /config/extension_management/extensions/{extension_id}

Uninstall an extension based on the supplied extension ID. This is an asynchronous action.

Table 303: DELETE /config/extension_management/extensions/{extension_id} Resource Details

MIME Type

application/json

Table 304: DELETE /config/extension_management/extensions/{extension_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| extension_id | path | Required | Number (Integer) | text/plain | Required - The id of the extension to be uninstalled. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 305: DELETE /config/extension_management/extensions/{extension_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 202 |  | The requested uninstall task has been started. |
| 404 | 22603 | The requested extension cannot be found. |
| 404 | 22604 | The task status for status_id cannot be found. |
| 409 | 22611 | The supplied extension cannot be uninstalled because it is already in the process of being uninstalled. |
| 409 | 22617 | The extension cannot be uninstalled because it is already in the process of being previewed/installed. |
| 422 | 22606 | A supplied numeric parameter was not positive. |
| 500 | 22602 | An error has occurred while trying to uninstall an extension. |

Response Description

A JSON string depicting the accepted task for uninstalling an extension:

  • message - String - description of the accepted task.

  • status_location - String - the url of the task status.

  • current_status - String - a JSON object depicting the current status of the task.

Response Sample

{ "message": "Uninstalling an extension", "status_location": "https://1.1.1.1/console/restapi/api/config/extension_management/extensions_task_status/101", "current_status": { "progress": 0, "result_url": null, "cancelled_by": null, "status": "QUEUED", "task_components": null, "modified": 1440891410849, "id": 101, "message": "Queued Extension uninstallation task for extension id 2", "created_by": "admin", "created": 1440891410629, "maximum": 0, "cancel_requested": false, "name": "Extension uninstallation task", "child_tasks": null, "started": 1440891410847, "completed": null } }

GET /config/extension_management/extensions_task_status/{status_id}

Retrieves the task status based on the status_id.

Table 306: GET /config/extension_management/extensions_task_status/{status_id} Resource Details

MIME Type

application/json

Table 307: GET /config/extension_management/extensions_task_status/{status_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| status_id | path | Required | Number (Integer) | text/plain | Required - the id of the task status. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 308: GET /config/extension_management/extensions_task_status/{status_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 |  | The requested task status has been retrieved. |
| 404 | 22604 | The task status for status_id cannot be found. |
| 422 | 22606 | A supplied numeric parameter was not positive. |
| 500 | 22602 | An error has occurred while trying to retrieve the task status. |

Response Description

A task status containing the following fields:

  • id - Number - The ID of the task status.

  • name - String - The name of the task status.

  • status - String - A string that represents the current state of the task status.

  • message - String - A message regarding the current state of the task.

  • progress - Number - The current progress of the task.

  • minimum - Number - The minimum progress of the task.

  • maximum - Number - The maximum progress of the task.

  • created_by - String - The username of the user who created the task.

  • cancelled_by - String - The username of the user who cancelled the task.

  • created - Number - The date/time at which this task was created, represented as number of milliseconds since Unix epoch.

  • started - Number - The date/time at which this task was started, represented as number of milliseconds since Unix epoch.

  • modified - Number - The date/time at which this task was last modified, represented as number of milliseconds since Unix epoch.

  • completed - Number - The date/time at which this task was completed, represented as number of milliseconds since Unix epoch.

  • result_url - String - The url where the result can be viewed.

  • cancel_requested - Boolean - True if cancel has been requested.

  • child_tasks - Array - Array of child task IDs that are executed asynchronously from this task.

  • task_components - Array - Array of task components that are executed sequentially.

Response Sample

{ "progress": 0, "result_url": "", "cancelled_by": "", "status": "COMPLETED", "task_components": null, "modified": 1440891517961, "id": 102, "message": "Completed Extension uninstallation task for extension id 56", "created_by": "admin", "created": 1440891514006, "maximum": 0, "cancel_requested": false, "name": "Extension uninstallation task", "child_tasks": null, "started": 1440891514041, "completed": 1440891515224 }

GET /config/extension_management/extensions_task_status/{status_id}/results

Retrieves the task status results based on the status ID.

Table 309: GET /config/extension_management/extensions_task_status/{status_id}/results Resource Details

MIME Type

application/json

Table 310: GET /config/extension_management/extensions_task_status/{status_id}/results Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

status_id

path

Required

Number (Integer)

text/plain

Required - The id of the task status.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 311: GET /config/extension_management/extensions_task_status/{status_id}/results Response Codes

HTTP Response Code

Unique Code

Description

200

 

The requested results of the task status have been retrieved.

404

22604

The task status for status_id cannot be found.

404

22614

The task results are not available.

422

22606

A supplied numeric parameter was not positive.

500

22602

An error has occurred while trying to retrieve the results of a task status.

Response Description

A JSON object representing the result of an Extension preview, install or uninstall task. It contains the following fields:

  • id - Number - The ID of the extension.

  • task_type - String - The type of task that was issued against the Extension.

  • content - Array - An array of JSON objects representing the contents of the extension and what action is associated with each content item for the task that was executed. Each content item contains the following fields:

    • name - String - The name of the content item.

    • content_type_id - Number - The ID of the type of the content item.

    • content_type_name - String - The name of the type of the content item.

    • action - String - The action taken for the content item.

Response Sample

{ "id": 56, "task_type": "UNINSTALL", "content": [ { "content_type_id": 3, "name": "SYSTEM-1607", "action": "SKIP", "content_type_name": "custom_rule" }, { "content_type_id": 28, "name": "Asset Reconciliation IPv4 Whitelist", "action": "SKIP", "content_type_name": "reference_data" } ] }

GET /config/flow_retention_buckets

Retrieves a list of flow retention buckets.

Table 312: GET /config/flow_retention_buckets Resource Details

MIME Type

application/json

Table 313: GET /config/flow_retention_buckets Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

Range

header

Optional

String

text/plain

Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

filter

query

Optional

String

text/plain

Optional - This parameter is used to restrict the elements in a list based on the contents of various fields.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Response Description

An array of Retention Bucket objects. A Retention Bucket object contains the following fields:

  • id - Integer - The ID of the retention bucket.

  • bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 )

  • priority - Integer - The priority of the retention bucket. ( 0 - 10 ).

  • name - String - The name of the retention bucket.

  • database - String - The database of the retention bucket, EVENTS or FLOWS.

  • description - String - The description of the retention bucket.

  • period - Integer - The retention period in hours.

  • delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.

  • created - Long - The time in milliseconds since epoch since the retention bucket was created.

  • modified - Long - The time in milliseconds since epoch since the retention bucket was last modified.

  • saved_search_id - String - The ID of the saved search used by the retention bucket.

  • enabled - Boolean - True if the retention bucket is enabled.

Response Sample

[ { "bucket_id": 42, "created": 42, "database": "String", "deletion": "String <one of: ON_DEMAND, IMMEDIATELY>", "description": "String", "enabled": true, "id": 42, "modified": 42, "name": "String", "period": 42, "priority": 42, "saved_search_id": "String" } ]
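An added example, not part of the original reference: a Python audit over the list this endpoint returns, flagging buckets that are disabled, keep flows for fewer hours than a required minimum, or use the IMMEDIATELY delete protocol. The sample body, the 90-day minimum and the finding names are constructed assumptions; the code reads the delete protocol from either `deletion` (the key in the response sample) or `delete` (the key in the field list).

```python
import json

# Constructed sample body for GET /config/flow_retention_buckets (not real data).
SAMPLE_BODY = """
[
  {"id": 11, "bucket_id": 0, "priority": 0, "name": "Default", "database": "FLOWS",
   "period": 720, "deletion": "ON_DEMAND", "enabled": true, "modified": 1440891517961},
  {"id": 12, "bucket_id": 3, "priority": 5, "name": "DMZ flows", "database": "FLOWS",
   "period": 4380, "deletion": "IMMEDIATELY", "enabled": true, "modified": 1440891517961},
  {"id": 13, "bucket_id": 4, "priority": 6, "name": "PCI segment", "database": "FLOWS",
   "period": 8760, "delete": "ON_DEMAND", "enabled": false, "modified": 1440891517961}
]
"""

MIN_RETENTION_HOURS = 90 * 24  # assumed policy: keep flows for at least 90 days


def deletion_policy(bucket):
    """Return the delete protocol from whichever of the two documented keys is present."""
    return bucket.get("deletion") or bucket.get("delete")


def audit_bucket(bucket, min_hours=MIN_RETENTION_HOURS):
    """Return the list of finding codes for one Retention Bucket object."""
    findings = []
    period = bucket.get("period")  # retention period in hours
    if not isinstance(period, int) or isinstance(period, bool) or period < min_hours:
        findings.append("SHORT_RETENTION")
    policy = deletion_policy(bucket)
    if policy == "IMMEDIATELY":
        findings.append("IMMEDIATE_DELETE")  # assumed policy: flag for review
    elif policy != "ON_DEMAND":
        findings.append("UNKNOWN_DELETE_POLICY")  # missing or undocumented value
    if bucket.get("enabled") is not True:
        findings.append("DISABLED")
    return findings


def audit_buckets(body, min_hours=MIN_RETENTION_HOURS):
    """Parse a response body and map bucket_id -> findings for buckets that have any."""
    buckets = json.loads(body)
    if not isinstance(buckets, list):
        raise ValueError("expected a JSON array of Retention Bucket objects")
    report = {}
    for bucket in buckets:
        findings = audit_bucket(bucket, min_hours)
        if findings:
            report[bucket.get("bucket_id")] = findings
    return report


if __name__ == "__main__":
    for bucket_id, findings in audit_buckets(SAMPLE_BODY).items():
        print(bucket_id, ", ".join(findings))
```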

DELETE /config/flow_retention_buckets/{id}

Deletes a flow retention bucket.

Table 314: DELETE /config/flow_retention_buckets/{id} Resource Details

MIME Type

text/plain

Table 315: DELETE /config/flow_retention_buckets/{id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

id

path

Required

Number (Integer)

text/plain

null

Table 316: DELETE /config/flow_retention_buckets/{id} Response Codes

HTTP Response Code

Unique Code

Description

204

 

The flow retention bucket was deleted.

403

1009

You do not have the proper capabilities to delete the flow retention bucket.

404

1002

The flow retention bucket does not exist.

500

1020

An error occurred during the attempt to delete the flow retention bucket.

Response Description

Response Sample

GET /config/flow_retention_buckets/{id}

Retrieves a flow retention bucket.

Table 317: GET /config/flow_retention_buckets/{id} Resource Details

MIME Type

application/json

Table 318: GET /config/flow_retention_buckets/{id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

id

path

Required

Number (Integer)

text/plain

null

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 319: GET /config/flow_retention_buckets/{id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The flow retention bucket was retrieved.

404

1002

The flow retention bucket does not exist.

500

1020

An error occurred during the attempt to retrieve the flow retention bucket.

Response Description

The retention bucket after it is retrieved. A Retention Bucket object contains the following fields:

  • id - Integer - The ID of the retention bucket.

  • bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 )

  • priority - Integer - The priority of the retention bucket. ( 0 - 10 ).

  • name - String - The name of the retention bucket.

  • database - String - The database of the retention bucket, EVENTS or FLOWS.

  • description - String - The description of the retention bucket.

  • period - Integer - The retention period in hours.

  • delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.

  • created - Long - The time in milliseconds since epoch since the retention bucket was created.

  • modified - Long - The time in milliseconds since epoch since the retention bucket was last modified.

  • saved_search_id - String - The ID of the saved search that is used by the retention bucket.

  • enabled - Boolean - True if the retention bucket is enabled.

Response Sample

{ "bucket_id": 42, "created": 42, "database": "String", "deletion": "String <one of: ON_DEMAND, IMMEDIATELY>", "description": "String", "enabled": true, "id": 42, "modified": 42, "name": "String", "period": 42, "priority": 42, "saved_search_id": "String" }

POST /config/flow_retention_buckets/{id}

Updates only the owner or the enabled/disabled state of the flow retention bucket.

Table 320: POST /config/flow_retention_buckets/{id} Resource Details

MIME Type

application/json

Table 321: POST /config/flow_retention_buckets/{id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

id

path

Required

Number (Integer)

text/plain

null

fields

header

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 322: POST /config/flow_retention_buckets/{id} Request Body Details

Parameter

Data Type

MIME Type

Description

Sample

retention_bucket

Object

application/json

null

{ "bucket_id": 42, "database": "String", "description": "String", "enabled": true, "id": 42, "name": "String", "period": 42, "priority": 42, "saved_search_id": "String" }

Table 323: POST /config/flow_retention_buckets/{id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The flow retention bucket was updated.

404

1002

The Flow Retention Bucket does not exist.

409

1004

The provided user does not have the required capabilities to own the flow retention bucket.

422

1005

A request parameter is not valid.

500

1020

An error occurred during the attempt to update the flow retention bucket.

Response Description

The Retention Bucket after it is updated. A Retention Bucket object contains the following fields:

  • id - Integer - The ID of the retention bucket.

  • bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 ).

  • priority - Integer - The priority of the retention bucket ( 0 - 10 ).

  • name - String - The name of the retention bucket.

  • database - String - The database of the retention bucket, EVENTS or FLOWS.

  • description - String - The description of the retention bucket.

  • period - Integer - The retention period in hours.

  • delete - String - The delete protocol of the retention bucket, IMMEDIATELY or ON_DEMAND.

  • created - Long - The time in milliseconds since epoch since the retention bucket was created.

  • modified - Long - The time in milliseconds since epoch since the retention bucket was last modified.

  • saved_search_id - String - The ID of the saved search used by the retention bucket.

  • enabled - Boolean - True if the retention bucket is enabled.

Response Sample

{ "bucket_id": 42, "created": 42, "database": "String", "deletion": "String <one of: ON_DEMAND, IMMEDIATELY>", "description": "String", "enabled": true, "id": 42, "modified": 42, "name": "String", "period": 42, "priority": 42, "saved_search_id": "String" }

DELETE /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}

Deletes the flow calculated property. To ensure safe deletion, a dependency check is carried out. This check might take some time, so an asynchronous task is started to perform it.

Table 324: DELETE /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} Resource Details

MIME Type

application/json

Table 325: DELETE /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

calculated_property_id

path

Required

Number (Integer)

text/plain

Required - String - The ID of the flow calculated property to delete.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 326: DELETE /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} Response Codes

HTTP Response Code

Unique Code

Description

202

 

The calculated flow property deletion task was accepted and is in progress.

403

1009

The requested delete action is unauthorized.

404

1002

The requested calculated flow property cannot be found.

422

1005

One or more parameters are invalid in the request.

500

1020

An error occurred during the attempt to delete a calculated flow property.

Response Description

A Delete Task Status object and the location header set to the task status URL "/api/config/flow_sources/custom_properties/calculated_property_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • created - Long - The time in milliseconds since epoch since the task was created.

  • started - Long - The time in milliseconds since epoch since the task was started.

  • modified - Long - The time in milliseconds since epoch since the task was modified.

  • completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample

{ "completed": 42, "created": 42, "created_by": "String", "id": 42, "message": "String", "modified": 42, "name": "String", "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents

Retrieves the objects that depend on the flow calculated property.

Table 327: GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents Resource Details

MIME Type

application/json

Table 328: GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

calculated_property_id

path

Required

Number (Integer)

text/plain

Required - The ID of the flow calculated property to get the dependents for.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 329: GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}/dependents Response Codes

HTTP Response Code

Unique Code

Description

202

 

The calculated flow property dependents retrieval was accepted and is in progress.

403

1009

The user does not have the required authorization to start the task for finding dependents of the calculated flow property.

404

1002

The requested calculated flow property cannot be found.

422

1005

One or more parameters are invalid in the request.

500

1020

An error occurred during the attempt to initiate the calculated flow property dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status URL "/api/config/flow_sources/custom_properties/calculated_property_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:

  • id - Long - The ID of the task.

  • message - String - The localized task message.

  • status - String - The current state of the task.

  • name - String - The name of the task.

  • created_by - String - The name of the user who started the task.

  • cancelled_by - String - The name of the user who requested to cancel the task.

  • created - Long - The time in milliseconds since epoch since the task was created.

  • started - Long - The time in milliseconds since epoch since the task was started.

  • modified - Long - The time in milliseconds since epoch since the task was modified.

  • completed - Long - The time in milliseconds since epoch since the task was completed.

  • number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • task_components - Array - An array of task component objects. A task component object contains the following fields:

    • message - String - The localized sub-task status message.

    • status - String - The current state of the sub-task.

    • sub_task_type - String - The type of the sub-task.

    • maximum - Long - The maximum number of objects to check for dependency.

    • progress - Long - The number of objects that were checked for dependency.

    • created - Long - The time in milliseconds since epoch since the sub-task was created.

    • started - Long - The time in milliseconds since epoch since the sub-task was started.

    • modified - Long - The time in milliseconds since epoch since the sub-task was modified.

    • completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING>" } ] }
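Both the DELETE call above and this dependents call answer 202 with a task status object and a Location header, so a client has to poll the task before acting on it. The following Python is an added example, not part of the original reference: it polls through a caller-supplied `fetch_status` function (hypothetical, standing in for an authenticated GET on the Location URL) and approves deletion only when a completed task reports zero dependents. Treating `COMPLETED`, `CANCELLED`, `CONFLICT`, `EXCEPTION` and `INTERRUPTED` as final states is an assumption, since the page lists the states but not which are final; the poll sequence is constructed.

```python
import time

# Status values from the response sample. Which ones are final is an assumption.
TERMINAL = {"COMPLETED", "CANCELLED", "CONFLICT", "EXCEPTION", "INTERRUPTED"}
KNOWN = TERMINAL | {"CANCELING", "CANCEL_REQUESTED", "INITIALIZING", "PAUSED",
                    "PROCESSING", "QUEUED", "RESUMING"}

# Constructed sequence of task status bodies, as successive polls might return them.
SAMPLE_POLLS = [
    {"id": 42, "status": "QUEUED", "number_of_dependents": None, "progress": 0, "maximum": 21},
    {"id": 42, "status": "PROCESSING", "number_of_dependents": None, "progress": 9, "maximum": 21},
    {"id": 42, "status": "COMPLETED", "number_of_dependents": 2, "progress": 21, "maximum": 21},
]


class TaskFailed(Exception):
    """The task reached a final state other than COMPLETED, or an unknown state."""


def wait_for_task(fetch_status, location, max_polls=30, delay=2.0, sleep=time.sleep):
    """Poll the task status URL taken from the Location header until a final state."""
    for _ in range(max_polls):
        task = fetch_status(location)
        status = task.get("status")
        if status not in KNOWN:
            raise TaskFailed(f"unexpected status {status!r}")
        if status in TERMINAL:
            if status != "COMPLETED":
                raise TaskFailed(
                    f"task {task.get('id')} ended as {status}: {task.get('message')}")
            return task
        sleep(delay)
    raise TimeoutError(f"task at {location} not finished after {max_polls} polls")


def safe_to_delete(task):
    """True only when a completed dependents task reports zero dependents."""
    count = task.get("number_of_dependents")
    # The value is null until the task completes: null means unknown, not zero.
    return task.get("status") == "COMPLETED" and count is not None and count == 0


def make_fake_fetch(responses):
    """Offline stand-in for the HTTP GET: returns the next constructed body per call."""
    remaining = iter(responses)
    return lambda location: next(remaining)


if __name__ == "__main__":
    url = ("/api/config/flow_sources/custom_properties/"
           "calculated_property_dependents_tasks/42")  # 42 is a constructed task id
    finished = wait_for_task(make_fake_fetch(SAMPLE_POLLS), url, delay=0)
    print("dependents:", finished["number_of_dependents"],
          "safe to delete:", safe_to_delete(finished))
```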

GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}

Retrieves a calculated flow property based on the supplied calculated property ID.

Table 330: GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} Resource Details

MIME Type

application/json

Table 331: GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

calculated_property_id

path

Required

Number (Integer)

text/plain

Required - String - The ID of the calculated flow property.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 332: GET /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The requested calculated flow property was retrieved.

404

1002

The requested calculated flow property cannot be found.

422

1005

One or more parameters are invalid in the request.

500

1020

An error occurred during the attempt to retrieve the requested calculated flow property.

Response Description

A calculated flow property that contains the following fields:

  • id - Number - A sequence id for the calculated flow property.

  • identifier - String - A string that uniquely identifies the calculated flow property.

  • name - String - The name of the calculated flow property.

  • description - String - The description of the calculated flow property.

  • enabled - Boolean - Whether the calculated flow property is enabled.

  • first_operand - String - An operand object describing the first operand in the expression.

  • second_operand - String - An operand object describing the second operand in the expression.

  • operator - String - A string that represents one of the basic arithmetic operations in the expression.

  • username - String - The username of the creator of the calculated flow property.

  • creation_date - Number - The time stamp for when the calculated flow property is created in milliseconds since epoch.

  • modification_date - Number - The time stamp for when the calculated flow property is last modified in milliseconds since epoch.

An operand object contains the following fields:

  • type - String - can be "STATIC" (for numeric operand) or "PROPERTY" (for operand that is a property).

  • numeric_value - Number - when property_type is "STATIC", this is the value of the operand; otherwise, it is suppressed.

  • property_name - String - when property_type is "PROPERTY", this is the name of the property that is being used as the operand; otherwise, it is suppressed.

Response Sample

{ "creation_date": 42, "description": "String", "enabled": true, "first_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "id": 42, "identifier": "String", "modification_date": 42, "name": "String", "operator": "String <one of: ADD, SUBTRACT, MULTIPLY, DIVIDE>", "second_operand": { "numeric_value": 42.5, "property_name": "String", "type": "String <one of: STATIC, PROPERTY>" }, "username": "String" }

POST /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id}

Updates an existing calculated flow property.

Table 333: POST /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} Resource Details

MIME Type

application/json

Table 334: POST /config/flow_sources/custom_properties/calculated_properties/{calculated_property_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

calculated_property_id

path

Required