Data Classification Endpoints

 

Use the references for REST API V9.0 data classification endpoints.

GET /data_classification/dsm_event_mappings

Retrieve a list of DSM event mappings.

Table 1: GET /data_classification/dsm_event_mappings Resource Details

MIME Type

application/json

Table 2: GET /data_classification/dsm_event_mappings Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |

Table 3: GET /data_classification/dsm_event_mappings Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The requested list of DSM event mappings was retrieved. |
| 500 | 1020 | An error occurred during the attempt to retrieve the list of DSM event mappings. |

Response Description

A list of DSM event mappings. A DSM event mapping contains the following fields:

  • id - Number - The ID of the DSM event mapping.

  • log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.

  • log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.

  • log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.

  • custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).

  • qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample

[ { "custom_event": true, "id": 42, "log_source_event_category": "String", "log_source_event_id": "String", "log_source_type_id": 42, "qid_record_id": 42 } ]

POST /data_classification/dsm_event_mappings

Creates a new custom DSM event mapping.

Table 4: POST /data_classification/dsm_event_mappings Resource Details

MIME Type

application/json

Table 5: POST /data_classification/dsm_event_mappings Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 6: POST /data_classification/dsm_event_mappings Request Body Details

| Parameter | Data Type | MIME Type |
|---|---|---|
| data | Object | application/json |

Description

Required - A DSM event mapping that contains the following fields:

  • log_source_type_id - Required - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.

  • log_source_event_id - Required - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.

  • log_source_event_category - Required - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.

  • qid_record_id - Required - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Sample

{ "log_source_event_category": "String", "log_source_event_id": "String", "log_source_type_id": 42, "qid_record_id": 42 }

Table 7: POST /data_classification/dsm_event_mappings Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 201 | | The new custom DSM event mapping was created. |
| 409 | 1008 | There is an existing custom DSM event mapping with the same log_source_type_id, log_source_event_id and log_source_event_category combination. Cannot create duplicate DSM event mapping. |
| 422 | 1005 | Invalid parameter value provided for the new DSM event mapping. |
| 500 | 1020 | An error occurred during the attempt to create a new custom DSM event mapping. |

Response Description

The newly created DSM event mapping that contains the following fields:

  • id - Number - The ID of the DSM event mapping.

  • log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.

  • log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.

  • log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.

  • custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).

  • qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample

{ "custom_event": true, "id": 42, "log_source_event_category": "String", "log_source_event_id": "String", "log_source_type_id": 42, "qid_record_id": 42 }

GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id}

Retrieves a DSM event mapping based on the supplied DSM event mapping ID.

Table 8: GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Resource Details

MIME Type

application/json

Table 9: GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| dsm_event_mapping_id | path | Required | Number (Integer) | text/plain | Required - The ID of the DSM event mapping. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 10: GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The requested DSM event mapping was retrieved. |
| 404 | 1002 | The requested DSM event mapping was not found. |
| 500 | 1020 | An error occurred during the attempt to retrieve the DSM event mapping. |

Response Description

A DSM event mapping that contains the following fields:

  • id - Number - The ID of the DSM event mapping.

  • log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.

  • log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.

  • log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.

  • custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).

  • qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample

{ "custom_event": true, "id": 42, "log_source_event_category": "String", "log_source_event_id": "String", "log_source_type_id": 42, "qid_record_id": 42 }

POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id}

Updates an existing custom DSM event mapping.

Table 11: POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Resource Details

MIME Type

application/json

Table 12: POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| dsm_event_mapping_id | path | Required | Number (Integer) | text/plain | Required - The ID of the DSM event mapping. |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 13: POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Request Body Details

| Parameter | Data Type | MIME Type |
|---|---|---|
| data | Object | application/json |

Description

Required - The DSM event mapping to be updated that might contain the following field:

  • qid_record_id - Number - Required - The ID of the QID record to which this DSM event mapping provides a mapping.

Sample

{ "qid_record_id": 42 }

Table 14: POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The DSM event mapping was updated. |
| 404 | 1002 | The requested DSM event mapping was not found. |
| 422 | 1005 | Invalid parameter provided while updating the DSM event mapping. |
| 500 | 1020 | An error occurred during the attempt to update a DSM event mapping. |

Response Description

The updated DSM event mapping that contains the following fields:

  • id - Number - The ID of the DSM event mapping.

  • log_source_type_id - Number - The ID of the Log Source Type this DSM event mapping resource is associated with.

  • log_source_event_id - String - The primary identifying value parsed from an event to be used to look up the corresponding QID record.

  • log_source_event_category - String - The secondary identifying value parsed from an event to be used to look up the corresponding QID record.

  • custom_event - Boolean - Flag to identify if the DSM event mapping is system provided (custom_event=false) or user-provided (custom_event=true).

  • qid_record_id - Number - The ID of the QID record to which this DSM event mapping provides a mapping.

Response Sample

{ "custom_event": true, "id": 42, "log_source_event_category": "String", "log_source_event_id": "String", "log_source_type_id": 42, "qid_record_id": 42 }
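The create, list and update endpoints above combine into an idempotent "create or repoint" workflow driven by the documented response codes. This is an added example, not code from the original reference; the `send` transport signature, the `FakeApi` stand-in, the error body shape and the sample values are assumptions made for illustration.

```python
BASE = "/data_classification/dsm_event_mappings"
KEY = ("log_source_type_id", "log_source_event_id", "log_source_event_category")


class ApiError(Exception):
    """Raised for any response code the workflow does not handle."""


def upsert_mapping(send, type_id, event_id, category, qid_record_id):
    """Create the mapping; on 409 find the existing one and repoint its QID.

    `send(method, path, body)` is a caller-supplied transport (hypothetical
    signature) that returns (http_status, parsed_json).
    """
    wanted = {"log_source_type_id": type_id, "log_source_event_id": event_id,
              "log_source_event_category": category}
    status, data = send("POST", BASE, {**wanted, "qid_record_id": qid_record_id})
    if status == 201:
        return "created", data
    if status != 409:                      # 422 invalid value, 500 server error
        raise ApiError(f"create failed: HTTP {status} {data}")

    # 409: a custom mapping with the same three-part key already exists.
    # A production client would narrow this list with the filter/Range parameters.
    status, mappings = send("GET", BASE, None)
    if status != 200:
        raise ApiError(f"list failed: HTTP {status} {mappings}")
    existing = next((m for m in mappings if m["custom_event"]
                     and all(m[k] == wanted[k] for k in KEY)), None)
    if existing is None:
        raise ApiError("409 returned but no matching custom mapping listed")
    if existing["qid_record_id"] == qid_record_id:
        return "unchanged", existing

    # The update body carries only qid_record_id.
    status, data = send("POST", f"{BASE}/{existing['id']}",
                        {"qid_record_id": qid_record_id})
    if status != 200:                      # 404 not found, 422 invalid, 500
        raise ApiError(f"update failed: HTTP {status} {data}")
    return "updated", data


class FakeApi:
    """Constructed in-memory stand-in that mimics the documented status codes."""

    def __init__(self):
        self.rows, self.next_id = [], 1

    def __call__(self, method, path, body):
        if method == "GET" and path == BASE:
            return 200, [dict(r) for r in self.rows]
        if method == "POST" and path == BASE:
            if not isinstance(body.get("qid_record_id"), int) or \
                    not all(k in body for k in KEY):
                return 422, {"code": 1005}     # constructed error body
            if any(all(r[k] == body[k] for k in KEY) for r in self.rows):
                return 409, {"code": 1008}
            row = {**body, "id": self.next_id, "custom_event": True}
            self.next_id += 1
            self.rows.append(row)
            return 201, dict(row)
        if method == "POST" and path.startswith(BASE + "/"):
            row = next((r for r in self.rows
                        if r["id"] == int(path.rsplit("/", 1)[1])), None)
            if row is None:
                return 404, {"code": 1002}
            row["qid_record_id"] = body["qid_record_id"]
            return 200, dict(row)
        return 500, {"code": 1020}


def demo():
    api = FakeApi()
    args = (199, "portscan", "spp_portscan")       # constructed sample key
    return [upsert_mapping(api, *args, 63998)[0],  # first call creates
            upsert_mapping(api, *args, 63998)[0],  # same QID: nothing to do
            upsert_mapping(api, *args, 64280)[0]]  # new QID: update in place
```

Repointing a mapping changes how every matching event is categorized, so record each "updated" result for later review.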

GET /data_classification/high_level_categories

Retrieves a list of high level categories.

Table 15: GET /data_classification/high_level_categories Resource Details

MIME Type

application/json

Table 16: GET /data_classification/high_level_categories Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |

Table 17: GET /data_classification/high_level_categories Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The requested list of high level categories was retrieved. |
| 422 | 23003 | Sorting is only supported for fields "id" or "name". |
| 422 | 23004 | The sort field that was provided does not exist. |
| 422 | 23005 | Sorting on multiple fields is not supported. |
| 500 | 1020 | An error occurred during the attempt to retrieve the list of high level categories. |

Response Description

A list of high level categories. A high level category contains the following fields:

  • id - Number - The ID of the high level category.

  • name - String - The name of the high level category.

  • description - String - The description of the high level category.

Response Sample

[ { "id": 19000, "name": "Audit", "description": "Audit" }, { "id": 20000, "name": "Risk", "description": "Risk" } ]

GET /data_classification/high_level_categories/{high_level_category_id}

Retrieves a high level category based on the supplied high level category ID.

Table 18: GET /data_classification/high_level_categories/{high_level_category_id} Resource Details

MIME Type

application/json

Table 19: GET /data_classification/high_level_categories/{high_level_category_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| high_level_category_id | path | Required | Number (Integer) | text/plain | Required - The ID of the high level category. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 20: GET /data_classification/high_level_categories/{high_level_category_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The requested high level category was retrieved. |
| 404 | 1002 | The requested high level category was not found. |
| 422 | 1005 | High level category ID must be a positive integer. |
| 500 | 1020 | An error occurred during the attempt to retrieve the high level category. |

Response Description

A high level category that contains the following fields:

  • id - Number - The ID of the high level category.

  • name - String - The name of the high level category.

  • description - String - The description of the high level category.

Response Sample

{ "id": 19000, "name": "Audit", "description": "Audit" }

GET /data_classification/low_level_categories

Retrieves a list of low level categories.

Table 21: GET /data_classification/low_level_categories Resource Details

MIME Type

application/json

Table 22: GET /data_classification/low_level_categories Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| sort | query | Optional | String | text/plain | Optional - This parameter is used to sort the elements in a list. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |

Table 23: GET /data_classification/low_level_categories Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The requested list of low level categories was retrieved. |
| 422 | 23053 | Sorting is only supported for fields "id" or "name". |
| 422 | 23054 | The sort field that was provided does not exist. |
| 422 | 23055 | Sorting on multiple fields is not supported. |
| 500 | 1020 | An error occurred during the attempt to retrieve the list of low level categories. |

Response Description

A list of low level category objects. A low level category contains the following fields:

  • id - Number - The ID of the low level category.

  • name - String - The name of the low level category.

  • description - String - The description of the low level category.

  • severity - Number - The severity of the low level category.

  • high_level_category_id - Number - The ID of the parent high level category.

Response Sample

[ { "id": 19001, "name": "General Audit Event", "description": "General Audit Event", "high_level_category_id": 19000, "severity" : 0 }, { "id": 19002, "name": "Built-in Execution", "description": " Built-in Execution", "high_level_category_id": 19000, "severity" : 0 } ]

GET /data_classification/low_level_categories/{low_level_category_id}

Retrieves a low level category based on the supplied low level category ID.

Table 24: GET /data_classification/low_level_categories/{low_level_category_id} Resource Details

MIME Type

application/json

Table 25: GET /data_classification/low_level_categories/{low_level_category_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| low_level_category_id | path | Required | Number (Integer) | text/plain | Required - The ID of the low level category. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 26: GET /data_classification/low_level_categories/{low_level_category_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The requested low level category was retrieved. |
| 404 | 1002 | The requested low level category was not found. |
| 422 | 1005 | Low level category ID must be a positive integer. |
| 500 | 1020 | An error occurred during the attempt to retrieve the low level category. |

Response Description

A low level category that contains the following fields:

  • id - Number - The ID of the low level category.

  • name - String - The name of the low level category.

  • description - String - The description of the low level category.

  • severity - Number - The severity of the low level category.

  • high_level_category_id - Number - The ID of the parent high level category.

Response Sample

{ "id": 19001, "name": "General Audit Event", "description": "General Audit Event", "high_level_category_id": 19000, "severity" : 0 }

GET /data_classification/qid_records

Retrieves a list of QID records.

Table 27: GET /data_classification/qid_records Resource Details

MIME Type

application/json

Table 28: GET /data_classification/qid_records Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |
| Range | header | Optional | String | text/plain | Optional - Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |
| filter | query | Optional | String | text/plain | Optional - This parameter is used to restrict the elements in a list based on the contents of various fields. |

Table 29: GET /data_classification/qid_records Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The requested list of QID records was retrieved. |
| 500 | 1020 | An error occurred during the attempt to retrieve the list of QID records. |

Response Description

A list of QID records. A QID record contains the following fields:

  • id - Number - The ID of the QID record.

  • qid - Number - The QID of the QID record.

  • name - String - The name of the QID record.

  • description - String - The description of the QID record.

  • severity - Number - The severity of the QID record.

  • low_level_category_id - Number - The low level category ID of the QID record.

  • log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample

[ { "id": 64280, "qid": 2500283, "name": "DELETED WEB-MISC O'Reilly args.bat access", "description": "DELETED WEB-MISC O'Reilly args.bat access", "severity": 2, "low_level_category_id": 1011, "log_source_type_id": null }, { "id": 64297, "qid": 2500300, "name": "DELETED WEB-MISC Cisco Web DOS attempt", "description": "DELETED WEB-MISC Cisco Web DOS attempt", "severity": 8, "low_level_category_id": 2009, "log_source_type_id": null } ]

POST /data_classification/qid_records

Creates a new QID record.

Table 30: POST /data_classification/qid_records Resource Details

MIME Type

application/json

Table 31: POST /data_classification/qid_records Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 32: POST /data_classification/qid_records Request Body Details

| Parameter | Data Type | MIME Type |
|---|---|---|
| data | Object | application/json |

Description

Required - A QID record containing the following fields:

  • log_source_type_id - Required - Number - The ID of the log source type which the QID record is created for.

  • name - Required - String - The name of the QID record.

  • description - Optional - String - The description of the QID record.

  • severity - Optional - Number - The severity of the QID record. If not provided, the severity of the corresponding low level category is used as the default value.

  • low_level_category_id - Required - Number - The low level category ID of the QID record.

Sample

{ "log_source_type_id": 199, "name": "spp_portscan: Portscan Detected", "description": "spp_portscan: Portscan Detected", "severity": 4, "low_level_category_id": 1008 }

Table 33: POST /data_classification/qid_records Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 201 | | The new QID record was created. |
| 422 | 1005 | Invalid parameter value provided for the new QID record. |
| 500 | 1020 | An error occurred during the attempt to create a new QID record. |

Response Description

The newly created QID record containing the following fields:

  • id - Number - The ID of the QID record.

  • qid - Number - The QID of the QID record.

  • name - String - The name of the QID record.

  • description - String - The description of the QID record.

  • severity - Number - The severity of the QID record.

  • low_level_category_id - Number - The low level category ID of the QID record.

  • log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample

{ "id": 63998, "qid": 2500001, "name": "spp_portscan: Portscan Detected", "description": "spp_portscan: Portscan Detected", "severity": 4, "low_level_category_id": 1008, "log_source_type_id": null }

GET /data_classification/qid_records/{qid_record_id}

Retrieves a QID record that is based on the supplied qid_record_id.

Table 34: GET /data_classification/qid_records/{qid_record_id} Resource Details

MIME Type

application/json

Table 35: GET /data_classification/qid_records/{qid_record_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| qid_record_id | path | Required | Number (Integer) | text/plain | Required - The ID of the QID record. |
| fields | query | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 36: GET /data_classification/qid_records/{qid_record_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The requested QID record was retrieved. |
| 404 | 1002 | The requested QID record was not found. |
| 422 | 1005 | qid_record_id must be a positive integer. |
| 500 | 1020 | An error occurred during the attempt to retrieve the QID record. |

Response Description

A QID record containing the following fields:

  • id - Number - The ID of the QID record.

  • qid - Number - The QID of the QID record.

  • name - String - The name of the QID record.

  • description - String - The description of the QID record.

  • severity - Number - The severity of the QID record.

  • low_level_category_id - Number - The low level category ID of the QID record.

  • log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample

{ "id": 63998, "qid": 2500001, "name": "spp_portscan: Portscan Detected", "description": "spp_portscan: Portscan Detected", "severity": 4, "low_level_category_id": 1008, "log_source_type_id": null }

POST /data_classification/qid_records/{qid_record_id}

Updates an existing QID record.

Table 37: POST /data_classification/qid_records/{qid_record_id} Resource Details

MIME Type

application/json

Table 38: POST /data_classification/qid_records/{qid_record_id} Request Parameter Details

| Parameter | Type | Optionality | Data Type | MIME Type | Description |
|---|---|---|---|---|---|
| qid_record_id | path | Required | Number (Integer) | text/plain | Required - The ID of the QID record. |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 39: POST /data_classification/qid_records/{qid_record_id} Request Body Details

| Parameter | Data Type | MIME Type |
|---|---|---|
| qid_record | Object | application/json |

Description

Required - The QID record to be updated, which may contain the following fields:

  • name - Optional - String - The name of the QID record.

  • description - Optional - String - The description of the QID record.

  • severity - Optional - Number - The severity of the QID record.

  • low_level_category_id - Optional - Number - The low level category ID of the QID record.

Sample

{ "name": "spp_portscan: Portscan Detected", "description": "spp_portscan: Portscan Detected", "severity": 4, "low_level_category_id": 1008 }

Table 40: POST /data_classification/qid_records/{qid_record_id} Response Codes

| HTTP Response Code | Unique Code | Description |
|---|---|---|
| 200 | | The QID record was updated. |
| 404 | 1002 | The requested QID record was not found. |
| 409 | 1008 | The QID record that was provided cannot be updated because it is a system-provided QID. |
| 422 | 1005 | Invalid parameter was provided during the update to the QID record. |
| 500 | 1020 | An error occurred during the attempt to update a QID record. |

Response Description

The updated QID record containing the following fields:

  • id - Number - The ID of the QID record.

  • qid - Number - The QID of the QID record.

  • name - String - The name of the QID record.

  • description - String - The description of the QID record.

  • severity - Number - The severity of the QID record.

  • low_level_category_id - Number - The low level category ID of the QID record.

  • log_source_type_id - Number - A placeholder with null value to ensure data structure consistency among endpoints.

Response Sample

{ "id": 63998, "qid": 2500001, "name": "spp_portscan: Portscan Detected", "description": "spp_portscan: Portscan Detected", "severity": 4, "low_level_category_id": 1008, "log_source_type_id": null }