REST API V11.0 References

Each API reference provides information about the parameters, mime type, stability, and responses for each endpoint.

Access Endpoints

Use the references for REST API V11.0 access endpoints.

GET /access/login_attempts

Gets the list of login attempts.

For SAAS and single signon authentication modules, failed login attempts will not be tracked. The successful login attempts will be created when the JSA session is created, not necessarily when the user entered their credentials on the single sign on login page. Any users or authorized service can call this endpoint. If the caller has the ADMIN capability, login attempts for all users will be returned. For all other callers, only login attempts for the current caller will be returned.

Response Description

An array of login attempts. The attempt_time is used as the default sort input in descending order.

• attempt_time - Long - The time the login attempt happens. This time is in milliseconds since epoch.

• user_id - Long - ID of user who tried login attempt. Users are accessible through the /api/config/access/users APIs.

• remote_ip - String - The remote IP address that made the login attempt.

• attempt_result - Enum - The result of login attempt.

• attempt_method - Enum - The method of the login attempt. HTTP_BASIC is for API based HTTP basic, and LOGIN_PAGE is for UI login attempt.

Response Sample

[{"attempt_result": "String <one of: SUCCESS, FAILURE>", "attempt_time": 42, "remote_ip": "String", "user_id": 42, "attempt_method": "String <one of: LOGIN_PAGE, HTTP_BASIC>"}]

Analytics Endpoints

Use the references for REST API V11.0 analytics endpoints.

GET /analytics/ade_rules

Retrieves a list of ADE rules.

Response Description

An array of ADE Rule objects. An ADE Rule object contains the following fields:

• id - Long - The sequence ID of the ADE rule.

• name - String - The name of the ADE rule.

• ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL, THRESHOLD.

• enabled - Boolean - True if the ADE rule is enabled.

• owner - String - The owner of the ADE rule.

• identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules.

• linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:

  • SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been overridden, the value will be null.

  • OVERRIDE - The identifier value of the system rule being overridden.

  • USER - The value will be null.

• creation_date - Long - The number of milliseconds since epoch when the rule was created.

• modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample

[ { "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "linked_rule_identifier": "String", "modification_date": 42, "name": "String", "owner": "String", "type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>" } ]

GET /analytics/ade_rules/{id}

Retrieves an ADE rule.

Response Description

The ADE rule after it is retrieved. An ADE Rule object contains the following fields:

• id - Long - The sequence ID of the ADE rule.

• name - String - The name of the ADE rule.

• ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL, THRESHOLD.

• enabled - Boolean - True if the ADE rule is enabled.

• owner - String - The owner of the ADE rule.

• identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules.

• linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:

  • SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been overridden, the value will be null.

  • OVERRIDE - The identifier value of the system rule being overridden.

  • USER - The value will be null.

• creation_date - Long - The number of milliseconds since epoch when the rule was created.

• modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample

{ "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "linked_rule_identifier": "String", "modification_date": 42, "name": "String", "owner": "String", "type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>" }

POST /analytics/ade_rules/{id}

Updates the ADE rule owner or enabled/disabled only.

Response Description

The ADE rule after it is updated. An ADE Rule object contains the following fields:

• id - Long - The sequence ID of the ADE rule.

• name - String - The name of the ADE rule.

• ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL, THRESHOLD.

• enabled - Boolean - True if the ADE rule is enabled.

• owner - String - The owner of the ADE rule.

• identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules.

• linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:

  • SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been overridden, the value will be null.

  • OVERRIDE - The identifier value of the system rule being overridden.

  • USER - The value will be null.

• creation_date - Long - The number of milliseconds since epoch when the rule was created.

• modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample

{ "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "linked_rule_identifier": "String", "modification_date": 42, "name": "String", "owner": "String", "type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>" }

DELETE /analytics/ade_rules/{id}

Deletes an ADE rule. To ensure safe deletion, a dependency check is carried out. The check might take some time. An asynchronous task is started to do this check.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state that the task is in.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample

{ "completed": 42, "created": 42, "created_by": "String", "id": 42, "message": "String", "modified": 42, "name": "String", "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

GET /analytics/ade_rules/{id}/dependents

Retrieves the objects that depend on the ADE rule.

Response Description

A Dependents Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• cancelled_by - String - The name of the user who requested to cancel the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

• number_of_dependents - Long - The number of dependents found. the value is null until the task completes.

• maximum - Long - The maximum number of objects to check for dependency.

• progress - Long - The number of objects that were checked for dependency.

• task_components - Array - An array of task component objects. A task component object contains the following fields

  • message - String - The localized sub-task status message.

  • status - String - The current state of the sub-task.

  • sub_task_type - String - The type of the sub-task.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • created - Long - The time in milliseconds since epoch since the sub-task was created.

  • started - Long - The time in milliseconds since epoch since the sub-task was started.

  • modified - Long - The time in milliseconds since epoch since the sub-task was modified.

  • completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING, FIND_DEPENDENT_DOMAIN, FIND_DEPENDENT_NAMED_SERVICES, FIND_DEPENDENT_FORWARDING_PROFILE>" } ] }

GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id}

Retrieves the delete the ADE rule task status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample

{ "completed": 42, "created": 42, "created_by": "String", "id": 42, "message": "String", "modified": 42, "name": "String", "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}

Retrieves the dependent the ADE rule task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• cancelled_by - String - The name of the user who requested to cancel the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

• number_of_dependents - Long - The number of dependents found. The value is null until task completes.

• maximum - Long - The maximum number of objects to check for dependency.

• progress - Long - The number of objects tha were checked for dependency.

• task_components - Array - An array of task component objects. A task component object contains the following fields

  • message - String - The localized sub-task status message.

  • status - String - The current state of the sub-task.

  • sub_task_type - String - The type of the sub-task.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects checked for dependency.

  • created - Long - The time in milliseconds since epoch since the sub-task was created.

  • started - Long - The time in milliseconds since epoch since the sub-task was started.

  • modified - Long - The time in milliseconds since epoch since the sub-task was modified.

  • completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING, FIND_DEPENDENT_DOMAIN, FIND_DEPENDENT_NAMED_SERVICES, FIND_DEPENDENT_FORWARDING_PROFILE>" } ] }

POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}

Cancels a dependent the ADE rule task.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/ade_rules/ade_rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• cancelled_by - String - The name of the user who requested to cancel the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

• maximum - Long - The maximum number of objects to check for dependency.

• progress - Long - The number of objects that were checked for dependency.

• task_components - Array - An array of task component objects. A task component object contains the following fields:

  • message - String - The localized sub-task status message.

  • status - String - The current state of the sub-task.

  • sub_task_type - String - The type of the sub-task.

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • created - Long - The time in milliseconds since epoch since the sub-task was created.

  • started - Long - The time in milliseconds since epoch since the sub-task was started.

  • modified - Long - The time in milliseconds since epoch since the sub-task was modified.

  • completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING, FIND_DEPENDENT_DOMAIN, FIND_DEPENDENT_NAMED_SERVICES, FIND_DEPENDENT_FORWARDING_PROFILE>" } ] }

GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results

Retrieves the ADE rule dependent task results.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

• dependent_id - String - The ID of the dependent resource.

• dependent_name - String - The name of the dependent resource (default resources can have localized names).

• dependent_owner - String - The owner of the dependent resource

• dependent_type - String - The type of the dependent resource

• dependent_database - String - The database of the dependent resource.

• dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.

• user_has_edit_permissions - Boolean - The true if the user who created the task has permission to edit this dependent resource.

Response Sample

[ { "blocking": true, "dependent_database": "String <one of: EVENTS, FLOWS>", "dependent_group_ids": [ 42 ], "dependent_id": "String", "dependent_name": "String", "dependent_owner": "String", "dependent_type": "String <one of: APP, NAMED_SERVICE, ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_REGEX_PROPERTY_DEPENDENCY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_REGEX_PROPERTY_DEPENDENCY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE, EVENT_AQL_PROPERTY, FLOW_AQL_PROPERTY, OFFENSE_TYPE, SECURITY_PROFILE, ARIEL_INDEX, DOMAIN_MAPPING, FORWARDING_PROFILE, REGEX_EXPRESSION, JSON_EXPRESSION, LEEF_EXPRESSION, CEF_EXPRESSION>", "user_has_edit_permissions": true } ]

GET /analytics/building_blocks

Retrieves a list of building block rules.

Response Description

An array of Building Block Rule objects. An Building Block Rule object contains the following fields:

• id - Long - The sequence ID of the building block rule.

• name - String - The name of the building block rule.

• building_block_type - String - The type of building block rule: EVENT, FLOW, COMMON, USER.

• enabled - Boolean - True if the building block rule is enabled.

• owner - String - The owner of the building block rule.

• origin - String - The origin of the building block rule: SYSTEM, OVERRIDE, USER.

• base_capacity - Long - The base capacity of the building block rule in events per second.

• base_host_id - Long - The ID of the host from which the building block rule's base capacity was determined

• average_capacity - Long - The moving average capacity, in EPS, of the building block rule across all hosts.

• capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the building block's capacity values were last updated.

• identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules.

• linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:

  • SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been overridden, the value will be null.

  • OVERRIDE - The identifier value of the system rule being overridden.

  • USER - The value will be null.

• creation_date - Long - The number of milliseconds since epoch when the rule was created.

• modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample

[ { "average_capacity": 42, "base_capacity": 42, "base_host_id": 42, "capacity_timestamp": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "linked_rule_identifier": "String", "modification_date": 42, "name": "String", "origin": "String <one of: SYSTEM, OVERRIDE, USER>", "owner": "String", "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>" } ]

GET /analytics/building_blocks/building_block_delete_tasks/{task_id}

Retrieves the delete the building block rule task status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/building_blocks/building_block_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample

{ "completed": 42, "created": 42, "created_by": "String", "id": 42, "message": "String", "modified": 42, "name": "String", "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}

Retrieves the dependent the building block rule task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/building_blocks/building_block_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• cancelled_by - String - The name of the user who requested to cancel the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

• maximum - Long - The maximum number of objects to check for dependency.

• progress - Long - The number of objects that were checked for dependency.

• task_components - Array - An array of task component objects. A task component object contains the following fields

  • message - String - The localized sub-task status message.

  • status - String - The current state of the sub-task.

  • sub_task_type - String - The type of the sub-task

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • created - Long - The time in milliseconds since epoch since the sub-task was created.

  • started - Long - The time in milliseconds since epoch since the sub-task was started.

  • modified - Long - The time in milliseconds since epoch since the sub-task was modified.

  • completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING, FIND_DEPENDENT_DOMAIN, FIND_DEPENDENT_NAMED_SERVICES, FIND_DEPENDENT_FORWARDING_PROFILE>" } ] }

POST /analytics/building_blocks/building_block_dependent_tasks/{task_id}

Cancels the dependent the building block rule task.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/building_blocks/building_block_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• cancelled_by - String - The name of the user who requested the cancellation of the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

• maximum - Long - The maximum number of objects to check for dependency.

• progress - Long - The number of objects that were checked for dependency.

• task_components - Array - An array of task component objects. A task component object contains the following fields

  • message - String - The localized sub-task status message.

  • status - String - The current state of the the sub-task.

  • sub_task_type - String - The type of the sub-task

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • created - Long - The time in milliseconds since epoch since the sub-task was created.

  • started - Long - The time in milliseconds since epoch since the sub-task was started.

  • modified - Long - The time in milliseconds since epoch since the sub-task was modified.

  • completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING, FIND_DEPENDENT_DOMAIN, FIND_DEPENDENT_NAMED_SERVICES, FIND_DEPENDENT_FORWARDING_PROFILE>" } ] }

GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results

Retrieves the building block rule dependent task results.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

• dependent_id - String - The ID of the dependent resource.

• dependent_name - String - The name of the dependent resource (default resources can have localized names).

• dependent_owner - String - The owner of the dependent resource.

• dependent_type - String - The type of the dependent resource.

• dependent_database - String - The database of the dependent resource.

• dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.

• user_has_edit_permissions - Boolean - The true if the user who created the task has permission to edit this dependent resource.

Response Sample

[ { "blocking": true, "dependent_database": "String <one of: EVENTS, FLOWS>", "dependent_group_ids": [ 42 ], "dependent_id": "String", "dependent_name": "String", "dependent_owner": "String", "dependent_type": "String <one of: APP, NAMED_SERVICE, ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_REGEX_PROPERTY_DEPENDENCY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_REGEX_PROPERTY_DEPENDENCY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE, EVENT_AQL_PROPERTY, FLOW_AQL_PROPERTY, OFFENSE_TYPE, SECURITY_PROFILE, ARIEL_INDEX, DOMAIN_MAPPING, FORWARDING_PROFILE, REGEX_EXPRESSION, JSON_EXPRESSION, LEEF_EXPRESSION, CEF_EXPRESSION>", "user_has_edit_permissions": true } ]

GET /analytics/building_blocks/{id}

Retrieves a building block rule.

Response Description

The building block rule after it is retrieved. An Building Block Rule object contains the following fields:

• id - Long - The sequence ID of the building block rule.

• name - String - The name of the building block rule.

• building_block_type - String - The type of building block rule: EVENT, FLOW, COMMON, USER.

• enabled - Boolean - True if the building block rule is enabled.

• owner - String - The owner of the building block rule.

• origin - String - The origin of the building block rule: SYSTEM, OVERRIDE, USER.

• base_capacity - Long - The base capacity of the building block rule in events per second.

• base_host_id - Long - The ID of the host from which the building block rule's base capacity was determined

• average_capacity - Long - The moving average capacity, in EPS, of the building block rule across all hosts.

• capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the building block's capacity values were last updated.

• identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules.

• linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:

  • SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been overridden, the value will be null.

  • OVERRIDE - The identifier value of the system rule being overridden.

  • USER - The value will be null.

• creation_date - Long - The number of milliseconds since epoch when the rule was created.

• modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample

{ "average_capacity": 42, "base_capacity": 42, "base_host_id": 42, "capacity_timestamp": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "linked_rule_identifier": "String", "modification_date": 42, "name": "String", "origin": "String <one of: SYSTEM, OVERRIDE, USER>", "owner": "String", "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>" }

POST /analytics/building_blocks/{id}

Updates the building block rule owner or enabled/disabled only.

Response Description

The building block rule after it is updated. A building block rule object contains the following fields:

• id - Long - The sequence ID of the building block rule.

• name - String - The name of the building block rule.

• building_block_type - String - The type of building block rule: EVENT, FLOW, COMMON, USER.

• enabled - Boolean - True if the building block rule is enabled.

• owner - String - The owner of the building block rule.

• origin - String - The origin of the building block rule: SYSTEM, OVERRIDE, USER.

• base_capacity - Long - The base capacity of the building block rule in events per second.

• base_host_id - Long - The ID of the host from which the building block rule's base capacity was determined

• average_capacity - Long - The moving average capacity, in EPS, of the building block rule across all hosts.

• capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the building block's capacity values were last updated.

• identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules.

• linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:

  • SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been overridden, the value will be null.

  • OVERRIDE - The identifier value of the system rule being overridden.

  • USER - The value will be null.

• creation_date - Long - The number of milliseconds since epoch when the rule was created.

• modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample

{ "average_capacity": 42, "base_capacity": 42, "base_host_id": 42, "capacity_timestamp": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "linked_rule_identifier": "String", "modification_date": 42, "name": "String", "origin": "String <one of: SYSTEM, OVERRIDE, USER>", "owner": "String", "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>" }

DELETE /analytics/building_blocks/{id}

Deletes the building block rule. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task to do is started for this check.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/building_blocks/building_block_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state that the task is in.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample

{ "completed": 42, "created": 42, "created_by": "String", "id": 42, "message": "String", "modified": 42, "name": "String", "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

GET /analytics/building_blocks/{id}/dependents

Retrieves the objects that depend on the building block rule.

Response Description

A Dependents Task Status object and the location header set to the task status url "/api/analytics/building_blocks/building_block_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• cancelled_by - String - The name of the user who requested to cancel the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

• number_of_dependents - Long - The number of dependents found. the value is null until the task completes.

• maximum - Long - The maximum number of objects to check for dependency.

• progress - Long - The number of objects that were checked for dependency.

• task_components - Array - An array of task component objects. A task component object contains the following fields

  • message - String - The localized sub-task status message.

  • status - String - The current state of the sub-task.

  • sub_task_type - String - The type of the sub-task

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • created - Long - The time in milliseconds since epoch since the sub-task was created.

  • started - Long - The time in milliseconds since epoch since the sub-task was started.

  • modified - Long - The time in milliseconds since epoch since the sub-task was modified.

  • completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING, FIND_DEPENDENT_DOMAIN, FIND_DEPENDENT_NAMED_SERVICES, FIND_DEPENDENT_FORWARDING_PROFILE>" } ] }

GET /analytics/custom_actions/actions

Retrieves a list of available custom actions.

Response Description

Array of available custom actions which in turn contain the following fields:

• id - Number - Unique ID of the custom action within the JSA deployment.

• name - String - Unique name of the custom action within the JSA deployment.

• description - String - Optional description attached to the custom action.

• interpreter - Number - Unique ID of the custom action interpreter used by the custom action.

• script - Number - Unique ID of the custom action script used by the custom action.

• parameters - Array - Array of custom action parameters contained within the custom action. Each Custom action parameter has the following fields:

  • name - String - Name of the custom action parameter. Unique in the context of the parent custom action.

  • parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.

  • encrypted - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state.True if encrypted, false otherwise.

  • value - String - Value of the custom action parameter.

Response Sample

[ { "description": "String", "id": 42, "interpreter": 42, "name": "String", "parameters": [ { "encrypted": true, "name": "String", "parameter_type": "String", "value": "String" } ], "script": 42 } ]

POST /analytics/custom_actions/actions

Creates a new custom action with the supplied fields.

The custom action must contain the following fields:

• name - Required - String - Unique name of the custom action within the JSA deployment.

• description - Optional - String - Description of the custom action.

• interpreter - Required - Number - Unique ID of the custom action interpreter used by the custom action.

• script - Required - Number - Unique ID of the custom action script used by the custom action.

• parameters - Required - Array - Array of custom action parameters contained within the custom action. Each Custom action parameter must have the following fields:

  • name - Required - String - Name of the custom action parameter. Unique in the context of the parent custom action.

  • parameter_type - Required - String - Custom action parameter type. Can be either fixed or dynamic.

  • encrypted - Required - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state.True if encrypted, false otherwise.

  • value - Required - String - Value of the custom action parameter. Custom action parameters with parameter_type fixed can have any value. Custom action parameters with parameter_type dynamic must have values corresponding to column names in an Ariel database, for example sourceip. Ariel database column names are available through the /api/ariel/databases/{database_name} endpoint.

Response Description

The newly created custom action with the following fields:

• id - Number - Unique ID of the custom action within the JSA deployment.

• name - String - Unique name of the custom action within the JSA deployment.

• description - String - Optional description attached to the custom action.

• interpreter - Number - Unique ID of the custom action interpreter used by the custom action.

• script - Number - Unique ID of the custom action script used by the custom action.

• parameters - Array - Array of custom action parameters contained within the custom action. Each Custom action parameter has the following fields:

  • name - String - Name of the custom action parameter. Unique in the context of the parent custom action.

  • parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.

  • encrypted - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state.True if encrypted, false otherwise.

  • value - String - Value of the custom action parameter.

Response Sample

{ "description": "String", "id": 42, "interpreter": 42, "name": "String", "parameters": [ { "encrypted": true, "name": "String", "parameter_type": "String", "value": "String" } ], "script": 42 }

GET /analytics/custom_actions/actions/{action_id}

Retrieves a custom action based on the supplied action_id.

Response Description

A custom action with containing following fields:

• id - Number - Unique ID of the custom action within the JSA deployment.

• name - String - Unique name of the custom action within the JSA deployment.

• description - String - Optional description attached to the custom action.

• interpreter - Number - Unique ID of the custom action interpreter used by the custom action.

• script - Number - Unique ID of the custom action script used by the custom action.

• parameters - Array - Array of custom action parameters contained within the custom action. Each Custom action parameter has the following fields:

  • name - String - Name of the custom action parameter. Unique in the context of the parent custom action.

  • parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.

  • encrypted - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state.True if encrypted, false otherwise.

  • value - String - Value of the custom action parameter.

Response Sample

{ "description": "String", "id": 42, "interpreter": 42, "name": "String", "parameters": [ { "encrypted": true, "name": "String", "parameter_type": "String", "value": "String" } ], "script": 42 }

POST /analytics/custom_actions/actions/{action_id}

Updates an existing custom action.

The custom action should contain the following fields:

• id - Required - Number - Unique ID of the custom action within the JSA deployment.

• name - Optional - String - Unique name of the custom action within the JSA deployment.

• description - Optional - String - Description of the custom action.

• interpreter - Required - Number - Unique ID of the custom action interpreter used by the custom action.

• script - Required - Number - Unique ID of the custom action script used by the custom action.

• parameters - Required - Array - Array of custom action parameters contained within the custom action. Each Custom action parameter must have the following fields:

  • name - Required - String - Name of the custom action parameter. Unique in the context of the parent custom action.

  • parameter_type - Optional - String - Custom action parameter type. Can be either fixed or dynamic.

  • encrypted - Optional - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state.True if encrypted, false otherwise.

  • value - Optional - String - Value of the custom action parameter. Custom action parameters with parameter_type fixed can have any value. Custom action parameters with parameter_type dynamic must have values corresponding to column names in an Ariel database, for example sourceip. Ariel database column names are available through the /api/ariel/databases/{database_name} endpoint.

Response Description

The updated custom action with the following fields:

• id - Number - Unique ID of the custom action within the JSA deployment.

• name - String - Unique name of the custom action within the JSA deployment.

• description - String - Optional description attached to the custom action.

• interpreter - Number - Unique ID of the custom action interpreter used by the custom action.

• script - Number - Unique ID of the custom action script used by the custom action.

• parameters - Array - Array of custom action parameters contained within the custom action. Each Custom action parameter has the following fields:

  • name - String - Name of the custom action parameter. Unique in the context of the parent custom action.

  • parameter_type - String - Custom action parameter type. Can be either fixed or dynamic.

  • encrypted - Boolean - Designates whether the custom action parameter value field is stored in an encrypted state.True if encrypted, false otherwise.

  • value - String - Value of the custom action parameter.

Response Sample

{ "description": "String", "id": 42, "interpreter": 42, "name": "String", "parameters": [ { "encrypted": true, "name": "String", "parameter_type": "String", "value": "String" } ], "script": 42 }

DELETE /analytics/custom_actions/actions/{action_id}

Deletes an existing custom action.

Response Description

Empty response with 204 successful response code.

Response Sample

GET /analytics/custom_actions/interpreters

Retrieves a list of available custom action interpreters.

Response Description

Array of available custom action interpreters, each with the following fields:

• id - Number - Unique ID of the custom action interpreter within the JSA deployment.

• name - String - Name of the custom action interpreter.

Response Sample

[ { "id": 42, "name": "String" } ]

GET /analytics/custom_actions/interpreters/{interpreter_id}

Retrieves a custom action interpreter based on supplied interpreter_id.

Response Description

A custom action interpreter with the following fields:

• id - Number - Unique ID of the custom action interpreter within the JSA deployment.

• name - String - Name of the custom action interpreter.

Response Sample

{ "id": 42, "name": "String" }

GET /analytics/custom_actions/scripts

Retrieves a list of meta-data for available custom action script files.

Response Description

Array of available custom action script file meta-data, each with the following fields:

• id - Number - Unique ID of the custom action script file within the JSA deployment.

• name - String - Name of the custom action script file.

Response Sample

[ { "file_name": "String", "id": 42 } ]

POST /analytics/custom_actions/scripts

Creates a new custom action script file. Newly created custom action script files require a deployment before using.

Users can include an optional HTTP header file_name containing the custom action script file name. If not specified this is defaulted to the script id of the uploaded file.

Response Description

Custom action script file meta-data with the following fields:

• id - Number - Unique ID of the custom action script within the JSA deployment.

• name - String - Name of the custom action script.

Response Sample

{ "file_name": "String", "id": 42 }

GET /analytics/custom_actions/scripts/{script_id}

Retrieves meta-data of a custom action script file based on supplied script_id.

Response Description

Custom action script file meta-data with the following fields:

• id - Number - Unique ID of the custom action script file within the JSA deployment.

• name - String - Name of the custom action script file.

Response Sample

{ "file_name": "String", "id": 42 }

POST /analytics/custom_actions/scripts/{script_id}

Updates an existing custom action script file. Updated custom action script files require a deployment before using.

Users can include an optional HTTP header file_name containing the custom action script file name. If not specified this is defaulted to the script id of the uploaded file.

Response Description

Custom action script file meta-data with the following fields:

• id - Number - Unique ID of the custom action script file within the JSA deployment.

• name - String - Name of the custom action script file.

Response Sample

{ "file_name": "String", "id": 42 }

DELETE /analytics/custom_actions/scripts/{script_id}

Deletes an existing custom action script file.

Response Description

Empty response with a 204 successful response code.

Response Sample

GET /analytics/rule_groups

Retrieves a list of the rule groups.

Response Description

List of the Group objects. A Group object contains the following fields:

• id - Long - The ID of the group.

• parent_id - Long - The ID of the parent group (default resources can have localized names).

• type - String - The type of the group.

• level - Long - The depth of the group in the group hierarchy.

• name - String - The name of the group (default resources can have localized names).

• description - String - The description of the group (default resources can have localized names).

• owner - String - The owner of the group.

• modified_time - Long - The time in milliseconds since epoch since the group was last modified.

• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample

[ { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "modified_time": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" } ]

GET /analytics/rule_groups/{group_id}

Retrieves a rule group.

Response Description

A single Group object. A Group object contains the following fields:

• id - Long - The ID of the group.

• parent_id - Long - The ID of the parent group (default resources can have localized names).

• type - String - The type of the group.

• level - Long - The depth of the group in the group hierarchy.

• name - String - The name of the group (default resources can have localized names).

• description - String - The description of the group (default resources can have localized names).

• owner - String - The owner of the group.

• modified_time - Long - The time in milliseconds since epoch since the group was last modified.

• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample

{ "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "modified_time": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

POST /analytics/rule_groups/{group_id}

Updates the owner of a rule group.

Response Description

The updated Group object. A Group object contains the following fields:

• id - Long - The ID of the group.

• parent_id - Long - The ID of the parent group (default resources can have localized names).

• type - String - The type of the group.

• level - Long - The depth of the group in the group hierarchy.

• name - String - The name of the group (default resources can have localized names).

• description - String - The description of the group (default resources can have localized names).

• owner - String - The owner of the group.

• modified_time - Long - The time in milliseconds since epoch since the group was last modified.

• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample

{ "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "modified_time": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

DELETE /analytics/rule_groups/{group_id}

Deletes a rule. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task to do is started for this check.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample

GET /analytics/rules

Retrieves a list of rules.

Response Description

An array of rule objects. A rule object contains the following fields:

• id - Long - The sequence ID of the rule.

• name - String - The name of the rule.

• type - String - The type of rule: EVENT, FLOW, COMMON, USER.

• enabled - Boolean - True if the rule is enabled.

• owner - String - The owner of the rule.

• origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.

• base_capacity - Long - The base capacity of the rule in events per second.

• base_host_id - Long - The ID of the host from which the rule's base capacity was determined

• average_capacity - Long - The moving average capacity, in EPS, of the rule across all hosts.

• capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the rule's capacity values were last updated.

• identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules.

• linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:

  • SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been overridden, the value will be null.

  • OVERRIDE - The identifier value of the system rule being overridden.

  • USER - The value will be null.

• creation_date - Long - The number of milliseconds since epoch when the rule was created.

• modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample

[ { "average_capacity": 42, "base_capacity": 42, "base_host_id": 42, "capacity_timestamp": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "linked_rule_identifier": "String", "modification_date": 42, "name": "String", "origin": "String <one of: SYSTEM, OVERRIDE, USER>", "owner": "String", "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>" } ]

GET /analytics/rules/rule_delete_tasks/{task_id}

Retrieves the delete the rule task status.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample

{ "completed": 42, "created": 42, "created_by": "String", "id": 42, "message": "String", "modified": 42, "name": "String", "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

GET /analytics/rules/rule_dependent_tasks/{task_id}

Retrieves the dependent rule task status.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/rules/rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• cancelled_by - String - The name of the user who requested the cancellation of the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

• number_of_dependents - Long - The number of dependents found. the value is null until the task completes.

• maximum - Long - The maximum number of objects to check for dependency.

• progress - Long - The number of objects that were checked for dependency.

• task_components - Array - An array of task component objects. A task component object contains the following fields:

  • message - String - The localized sub-task status message.

  • status - String - The current state of the sub-task.

  • sub_task_type - String - The type of the sub-task

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • created - Long - The time in milliseconds since epoch since the sub-task was created.

  • started - Long - The time in milliseconds since epoch since the sub-task was started.

  • modified - Long - The time in milliseconds since epoch since the sub-task was modified.

  • completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING, FIND_DEPENDENT_DOMAIN, FIND_DEPENDENT_NAMED_SERVICES, FIND_DEPENDENT_FORWARDING_PROFILE>" } ] }

POST /analytics/rules/rule_dependent_tasks/{task_id}

Cancels the dependent the rule task.

Response Description

A Dependent Task Status object and the location header set to the task status url "/api/analytics/rules/rule_dependent_tasks/{task_id}". A Dependent Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• cancelled_by - String - The name of the user who requested cancellation of the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

• number_of_dependents - Long - The number of dependents found. The value is null until the task completes.

• maximum - Long - The maximum number of objects to check for dependency.

• progress - Long - The number of objects that were checked for dependency.

• task_components - Array - An array of task component objects. A task component object contains the following fields:

  • message - String - The localized sub-task status message.

  • status - String - The current state of the sub-task.

  • sub_task_type - String - The type of the sub-task

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • created - Long - The time in milliseconds since epoch since the sub-task was created.

  • started - Long - The time in milliseconds since epoch since the sub-task was started.

  • modified - Long - The time in milliseconds since epoch since the sub-task was modified.

  • completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING, FIND_DEPENDENT_DOMAIN, FIND_DEPENDENT_NAMED_SERVICES, FIND_DEPENDENT_FORWARDING_PROFILE>" } ] }

GET /analytics/rules/rule_dependent_tasks/{task_id}/results

Retrieves the rule dependent task results.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

• dependent_id - String - The ID of the dependent resource.

• dependent_name - String - The name of the dependent resource (default resources can have localized names).

• dependent_owner - String - The owner of the dependent resource.

• dependent_type - String - The type of the dependent resource.

• dependent_database - String - The database of the dependent resource.

• dependent_group_ids - Array of Longs - List of groups that the dependent resource belongs to.

• user_has_edit_permissions - Boolean - The true if the user who created the task has permission to edit this dependent resource.

Response Sample

[ { "blocking": true, "dependent_database": "String <one of: EVENTS, FLOWS>", "dependent_group_ids": [ 42 ], "dependent_id": "String", "dependent_name": "String", "dependent_owner": "String", "dependent_type": "String <one of: APP, NAMED_SERVICE, ARIEL_SAVED_SEARCH, ASSET_SAVED_SEARCH, OFFENSE_SAVED_SEARCH, VULNERABILITY_SAVED_SEARCH, QRM_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, CUSTOM_RULE_GROUP, EVENT_ARIEL_SAVED_SEARCH_GROUP, FLOW_ARIEL_SAVED_SEARCH_GROUP, LOG_SOURCE_GROUP, MODEL_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QUESTION_GROUP, REPORT_GROUP, SIMULATION_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP, ASSIGNED_OFFENSE, ASSIGNED_VULNERABILITY, AUTHORIZED_SERVICE, BUILDING_BLOCK, CRE_RULE, CRE_ADE_RULE, EVENT_REGEX_PROPERTY, EVENT_REGEX_PROPERTY_DEPENDENCY, EVENT_CALCULATED_PROPERTY, FLOW_REGEX_PROPERTY, FLOW_REGEX_PROPERTY_DEPENDENCY, FLOW_CALCULATED_PROPERTY, DASHBOARD, GV_REFERENCE, REPORT, REFERENCE_DATA, REFERENCE_DATA_MAP_OF_SETS, REFERENCE_DATA_MAPS, REFERENCE_DATA_SETS, REFERENCE_DATA_TABLES, REFERENCE_DATA_RESPONSE, REFERENCE_SET_RESPONSE, EVENT_RETENTION_BUCKET, FLOW_RETENTION_BUCKET, ROUTING_RULE, STORE_AND_FORWARD_POLICY, USER, HISTORICAL_PROFILE, OFFENSE, EVENT_AQL_PROPERTY, FLOW_AQL_PROPERTY, OFFENSE_TYPE, SECURITY_PROFILE, ARIEL_INDEX, DOMAIN_MAPPING, FORWARDING_PROFILE, REGEX_EXPRESSION, JSON_EXPRESSION, LEEF_EXPRESSION, CEF_EXPRESSION>", "user_has_edit_permissions": true } ]

GET /analytics/rules/{id}

Retrieves a rule.

Response Description

The rule after it is retrieved. A rule object contains the following fields:

• id - Long - The sequence ID of the rule.

• name - String - The name of the rule.

• type - String - The type of rule: EVENT, FLOW, COMMON, USER.

• enabled - Boolean - True if the rule is enabled.

• owner - String - The owner of the rule.

• origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.

• base_capacity - Long - The base capacity of the rule in events per second.

• base_host_id - Long - The ID of the host from which the rule's base capacity was determined

• average_capacity - Long - The moving average capacity, in EPS, of the rule across all hosts.

• capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the rule's capacity values were last updated.

• identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules.

• linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:

  • SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been overridden, the value will be null.

  • OVERRIDE - The identifier value of the system rule being overridden.

  • USER - The value will be null.

• creation_date - Long - The number of milliseconds since epoch when the rule was created.

• modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample

{ "average_capacity": 42, "base_capacity": 42, "base_host_id": 42, "capacity_timestamp": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "linked_rule_identifier": "String", "modification_date": 42, "name": "String", "origin": "String <one of: SYSTEM, OVERRIDE, USER>", "owner": "String", "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>" }

POST /analytics/rules/{id}

Updates the rule owner or enabled/disabled only.

Response Description

The rule after it is updated. An Rule object contains the following fields:

• id - Long - The sequence ID of the rule.

• name - String - The name of the rule.

• type - String - The type of rule: EVENT, FLOW, COMMON, USER.

• enabled - Boolean - True if the rule is enabled.

• owner - String - The owner of the rule.

• origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.

• base_capacity - Long - The base capacity of the rule in events per second.

• base_host_id - Long - The ID of the host from which the rule's base capacity was determined

• average_capacity - Long - The moving average capacity, in EPS, of the rule across all hosts.

• capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the rule's capacity values were last updated.

• identifier - String - The unique ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules.

• linked_rule_identifier - String - The linked ID of the rule. This value is typically in the form of a UUID, with the exception of legacy system rules, and varies depending on the rule's origin as follows:

  • SYSTEM - The identifier value of the override rule, if one exists. If the system rule has not been overridden, the value will be null.

  • OVERRIDE - The identifier value of the system rule being overridden.

  • USER - The value will be null.

• creation_date - Long - The number of milliseconds since epoch when the rule was created.

• modification_date - Long - The number of milliseconds since epoch when the rule was last modified.

Response Sample

{ "average_capacity": 42, "base_capacity": 42, "base_host_id": 42, "capacity_timestamp": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "String", "linked_rule_identifier": "String", "modification_date": 42, "name": "String", "origin": "String <one of: SYSTEM, OVERRIDE, USER>", "owner": "String", "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>" }

DELETE /analytics/rules/{id}

Delete the rule. To ensure safe deletion, a dependency check is carried out. This check might take some time. An asynchronous task to do is started for this check.

Response Description

A Delete Task Status object and the location header set to the task status url "/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

Response Sample

{ "completed": 42, "created": 42, "created_by": "String", "id": 42, "message": "String", "modified": 42, "name": "String", "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>" }

GET /analytics/rules/{id}/dependents

Retrieves the objects that depend on the rule.

Response Description

A Dependents Task Status object and the location header set to the task status url "/api/analytics/rules/rule_dependents_tasks/{task_id}". A Dependent Task Status object contains the following fields:

• id - Long - The ID of the task.

• message - String - The localized task message.

• status - String - The current state of the task.

• name - String - The name of the task.

• created_by - String - The name of the user who started the task.

• cancelled_by - String - The name of the user who requested the cancellation of the task.

• created - Long - The time in milliseconds since epoch since the task was created.

• started - Long - The time in milliseconds since epoch since the task was started.

• modified - Long - The time in milliseconds since epoch since the task was modified.

• completed - Long - The time in milliseconds since epoch since the task was completed.

• number_of_dependents - Long - The number of dependents found. the value is null until the task completes.

• maximum - Long - The maximum number of objects to check for dependency.

• progress - Long - The number of objects that were checked for dependency.

• task_components - Array - An array of Task Component objects. A Task Component object contains the following fields:

  • message - String - The localized sub-task status message.

  • status - String - The current state of the sub-task.

  • sub_task_type - String - The type of the sub-task

  • maximum - Long - The maximum number of objects to check for dependency.

  • progress - Long - The number of objects that were checked for dependency.

  • created - Long - The time in milliseconds since epoch since the sub-task was created.

  • started - Long - The time in milliseconds since epoch since the sub-task was started.

  • modified - Long - The time in milliseconds since epoch since the sub-task was modified.

  • completed - Long - The time in milliseconds since epoch since the sub-task was completed.

Response Sample

{ "cancelled_by": "String", "completed": 42, "created": 42, "created_by": "String", "id": 42, "maximum": 42, "message": "String", "modified": 42, "name": "String", "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_components": [ { "completed": 42, "created": 42, "maximum": 42, "message": "String", "modified": 42, "number_of_dependents": 42, "progress": 42, "started": 42, "status": "String <one of: CANCELLED, CANCELING, CANCEL_REQUESTED, COMPLETED, CONFLICT, EXCEPTION, INITIALIZING, INTERRUPTED, PAUSED, PROCESSING, QUEUED, RESUMING>", "task_sub_type": "String <one of: FIND_DEPENDENT_ARIEL_SAVED_SEARCHES, FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES, FIND_DEPENDENT_ASSET_SAVED_SEARCHES, FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES, FIND_DEPENDENT_ADE_RULES, FIND_DEPENDENT_RULES, FIND_DEPENDENT_CALCULATED_PROPERTIES, FIND_DEPENDENT_AQL_PROPERTIES, FIND_DEPENDENT_LOG_SOURCE_GROUPS, FIND_DEPENDENT_CUSTOM_PROPERTIES, FIND_DEPENDENT_REPORTS, FIND_DEPENDENT_DASHBOARDS, FIND_DEPENDENT_STORE_AND_FORWARD_POLOCIES, FIND_DEPENDENT_AUTHORIZED_SERVICES, FIND_DEPENDENT_OFFENSE_TYPES, FIND_DEPENDENT_ASSIGNED_OFFENSES, FIND_DEPENDENT_VULNERABILITIES, FIND_DEPENDENT_GROUPS, FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES, FIND_DEPENDENT_SECURITY_PROFILES, FIND_DEPENDENT_ARIEL_INDEXING, FIND_DEPENDENT_DOMAIN, FIND_DEPENDENT_NAMED_SERVICES, FIND_DEPENDENT_FORWARDING_PROFILE>" } ] }

Ariel Endpoints

Use the references for REST API V11.0 Ariel endpoints.

GET /ariel/databases

Retrieves a list of available Ariel database names

Response Description

The names of the available Ariel databases.

Response Sample

[ "String" ]

GET /ariel/databases/{database_name}

Retrieve the columns that are defined for a specific Ariel database.

This is the set of columns that can be explicitly named in the column list of a SELECT query.

Response Description

A list of columns that are defined for the specified database. Multiple properties of each column are returned. For example, the column name or an indication that the column is indexable.

Response Sample

{ "columns": [ { "argument_type": "String", "indexable": true, "name": "String", "nullable": true, "object_value_type": "String <one of: NULL, STRUCT, Byte, Short, Integer, Long, UnsignedByte, UnsignedShort, UnsignedInt, UnsignedLong, BigInteger, Double, Float, Port, Host, HostV4V6, HostV6, MACAddress, String, ByteArray, UnsignedIntHex, Boolean, Binary>", "provider_name": "String" } ] }

GET /ariel/event_saved_search_groups

Retrieves a list the event Ariel saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:

• id - Long - The ID of the group.

• parent_id - Long - The ID of the parent group (default resources can have localized names).

• type - String - The type of the group.

• level - Long - The depth of the group in the group hierarchy.

• name - String - The name of the group (default groups can have localized names).

• description - String - The description of the group (default groups can have localized names).

• owner - String - The owner of the group.

• modified_time - Long - The time in milliseconds since epoch since the group was last modified.

• child_group_ids - Array of Longs - List of the child group ids.

Response Sample

[ { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "modified_time": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" } ]

GET /ariel/event_saved_search_groups/{group_id}

Retrieves an event Ariel saved search group.

Response Description

A single Group object. A Group object contains the following fields:

• id - Long - The ID of the group.

• parent_id - Long - The ID of the parent group (default resources can have localized names).

• type - String - The type of the group.

• level - Long - The depth of the group in the group hierarchy.

• name - String - The name of the group (default resources can have localized names).

• description - String - The description of the group (default resources can have localized names).

• owner - String - The owner of the group.

• modified_time - Long - The time in milliseconds since epoch since the group was last modified.

• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample

{ "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "modified_time": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

POST /ariel/event_saved_search_groups/{group_id}

Updates the owner of an event Ariel saved search group.

Response Description

The updated Group object. A Group object contains the following fields:

• id - Long - The ID of the group.

• parent_id - Long - The id of the parent group (default resources can have localized names).

• type - String - The type of the group.

• level - Long - The depth of the group in the group hierarchy.

• name - String - The name of the group (default resources can have localized names).

• description - String - The description of the group (default resources can have localized names).

• owner - String - The owner of the group.

• modified_time - Long - The time in milliseconds since epoch since the group was last modified.

• child_group_ids - Array of Longs - List of the child group ids.

Response Sample

{ "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "modified_time": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" }

DELETE /ariel/event_saved_search_groups/{group_id}

Deletes an event Ariel saved search group.

Response Description

Response Sample

GET /ariel/flow_saved_search_groups

Retrieves a list of flow Ariel saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:

• id - Long - The ID of the group.

• parent_id - Long - The ID of the parent group (default resources can have localized names).

• type - String - The type of the group.

• level - Long - The depth of the group in the group hierarchy.

• name - String - The name of the group (default resources can have localized names).

• description - String - The description of the group (default resources can have localized names).

• owner - String - The owner of the group.

• modified_time - Long - The time in milliseconds since epoch since the group was last modified.

• child_group_ids - Array of Longs - List of the child group IDs.

Response Sample

[ { "child_groups": [ 42 ], "child_items": [ "String" ], "description": "String", "id": 42, "level": 42, "modified_time": 42, "name": "String", "owner": "String", "parent_id": 42, "type": "String <one of: LOG_SOURCE_GROUP, REPORT_GROUP, RULE_GROUP, EVENT_SAVED_SEARCH_GROUP, FLOW_SAVED_SEARCH_GROUP, OFFENSE_SAVED_SEARCH_GROUP, QRM_SAVED_SEARCH_GROUP, MODEL_SAVED_SEARCH_GROUP, QUESTION_SAVED_SEARCH_GROUP, SIMULATION_SAVED_SEARCH_GROUP, TOPOLOGY_SAVED_SEARCH_GROUP, ASSET_SAVED_SEARCH_GROUP, VULNERABILITY_SAVED_SEARCH_GROUP>" } ]

GET /ariel/flow_saved_search_groups/{group_id}

Retrieves a flow Ariel saved search group.