Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

POST /siem/offenses/{offense_id}

Update an offense.

Update an offense.

Table 1: POST /siem/offenses/{offense_id} Resource Details

MIME Type

application/json

Table 2: POST /siem/offenses/{offense_id} Request Parameter Details

Parameter

Type

Optionality

Data Type

MIME Type

Description

offense_id

path

Required

Number (Integer)

text/plain

Required - The ID of the offense to update.

protected

query

Optional

Boolean

text/plain

Optional - Set to true to protect the offense.

follow_up

query

Optional

Boolean

text/plain

Optional - Set to true to set the follow up flag on the offense.

status

query

Optional

String

text/plain

Optional - The new status for the offense. Set to one of: OPEN, HIDDEN, CLOSED. When the status of an offense is being set to CLOSED, a valid closing_reason_id must be provided. To hide an offense, use the HIDDEN status. To show a previously hidden offense, use the OPEN status.

closing_

reason_id

query

Optional

Number (Integer)

text/plain

Optional - The ID of a closing reason. You must provide a valid closing_reason_id when you close an offense.

assigned_to

query

Optional

String

text/plain

Optional - A user to assign the offense to.

fields

query

Optional

String

text/plain

Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas.

Table 3: POST /siem/offenses/{offense_id} Response Codes

HTTP Response Code

Unique Code

Description

200

 

The offense was updated.

403

1009

User does not have the required capability to perform the action.

404

1002

No offense was found for the provided offense_id.

409

1008

Request cannot be completed due to the state of the offense.

422

1005

A request parameter is not valid.

500

1020

An error occurred while the offense was being updated.

Response Description

An updated Offense object. An Offense object contains the following fields:

  • id - Number - The ID of the offense.

  • description - String - The description of the offense.

  • assigned_to - String - The user the offense is assigned to.

  • categories - Array of strings - Event categories that are associated with the offense.

  • category_count - Number - The number of event categories that are associated with the offense.

  • policy_category_count - Number - The number of policy event categories that are associated with the offense.

  • security_category_count - Number - The number of security event categories that are associated with the offense.

  • close_time - Number - The number of milliseconds since epoch when the offense was closed.

  • closing_user - String - The user that closed the offense.

  • closing_reason_id - Number - The ID of the offense closing reason. The reason the offense was closed.

  • credibility - Number - The credibility of the offense.

  • relevance - Number - The relevance of the offense.

  • severity - Number - The severity of the offense.

  • magnitude - Number - The magnitude of the offense.

  • destination_networks - Array of strings - The destination networks that are associated with the offense.

  • source_network - String - The source network that is associated with the offense.

  • device_count - Number - The number of devices that are associated with the offense.

  • event_count - Number - The number of events that are associated with the offense.

  • flow_count - Number - The number of flows that are associated with the offense.

  • inactive - Boolean - True if the offense is inactive.

  • last_updated_time - Number - The number of milliseconds since epoch when the last event contributing to the offense was seen.

  • local_destination_count - Number - The number of local destinations that are associated with the offense.

  • offense_source - String - The source of the offense.

  • offense_type - Number - A number that represents the offense type. Use GET /siem/offense_types to retrieve the list.

  • protected - Boolean - True if the offense is protected.

  • follow_up - Boolean - True if the offense is marked for follow up.

  • remote_destination_count - Number - The number of remote destinations that are associated wit the offense.

  • source_count - Number - The number of sources that are associated with the offense.

  • start_time - Number - The number of milliseconds since epoch when the offense was started.

  • status - String - The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".

  • username_count - The number of usernames that are associated with the offense.

  • source_address_ids - Array of numbers -The source address IDs that are associated with the offense.

  • local_destination_address_ids - Array of numbers - The local destination address IDs that are associated with the offense.

  • domain_id - Number - Optional. ID of associated domain if the offense is associated with a single domain.

  • last_persisted_time - Number - The number of milliseconds since epoch when an offense field was last updated.

  • first_persisted_time - Number - The number of milliseconds since epoch at the time when the offense was created.

  • rules - Array - An array of rules that contributed to the offense:

    • id - Long - The id of the rule.

    • type - String - The type of rule. One of "ADE_RULE", "BUILDING_BLOCK_RULE", or "CRE_RULE".

Response Sample