List Alerts
List all the EDR alerts for a given connection.
curl --request GET \
  --url https://api.leen.dev/v1/edr/alerts \
  --header 'X-API-KEY: <api-key>' \
  --header 'X-CONNECTION-ID: <connection-id>'
{
  "count": 123,
  "total": 123,
  "items": [
    {
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "vendor_id": "<string>",
      "title": "<string>",
      "description": "<string>",
      "assigned_user": "<string>",
      "severity": "none",
      "vendor_severity": "<string>",
      "status": "unknown",
      "vendor_status": "<string>",
      "first_event_time": "2023-11-07T05:31:56Z",
      "last_event_time": "2023-11-07T05:31:56Z",
      "resolved_time": "2023-11-07T05:31:56Z",
      "vendor": "crowdstrike",
      "pid": "<string>",
      "process_created_at": "2023-11-07T05:31:56Z",
      "process_filename": "<string>",
      "process_command_line": "<string>",
      "process_filepath": "<string>",
      "process_sha1": "<string>",
      "process_sha256": "<string>",
      "process_md5": "<string>",
      "parent_pid": "<string>",
      "user_name": "<string>",
      "windows_sid": "<string>",
      "active_directory_user_id": "<string>",
      "active_directory_domain": "<string>",
      "device": {
        "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "status": "active",
        "platform": "mac",
        "hostnames": [
          "<string>"
        ],
        "os_version": "<string>",
        "os_major_version": "<string>",
        "os_minor_version": "<string>",
        "fqdns": [
          "<string>"
        ],
        "ipv4s": [
          "<string>"
        ],
        "ipv6s": [
          "<string>"
        ],
        "mac_addresses": [
          "<string>"
        ],
        "last_seen": "2023-11-07T05:31:56Z",
        "first_seen": "2023-11-07T05:31:56Z",
        "source_vendors": [
          {
            "vendor": "<string>",
            "vendor_id": "<string>",
            "agent_info": {
              "agent_version": "<string>",
              "signature_version": "<string>",
              "policies": [
                {}
              ]
            }
          }
        ],
        "installed_software": [
          "<string>"
        ],
        "ad_info": {
          "org_unit": "<string>",
          "site_name": "<string>",
          "domain": "<string>",
          "device_id": "<string>"
        },
        "cloud_metadata": {
          "cloud_provider": "aws",
          "account_id": "<string>",
          "region": "<string>",
          "availability_zone": "<string>",
          "instance_id": "<string>",
          "instance_type": "<string>",
          "image_id": "<string>",
          "kernel_id": "<string>",
          "vpc_id": "<string>",
          "subnet_id": "<string>"
        },
        "tags": [
          {
            "key": "<string>",
            "value": "<string>",
            "source": "aws"
          }
        ],
        "identities": [
          {
            "username": "<string>",
            "user_sid": "<string>"
          }
        ],
        "vendor_data": {}
      },
      "mitre": [
        {
          "tactic_name": "<string>",
          "tactic_id": "<string>",
          "tactic_source": "<string>",
          "techniques": [
            {
              "technique_name": "<string>",
              "technique_id": "<string>",
              "technique_link": "<string>"
            }
          ]
        }
      ],
      "observables": [
        {
          "name": "<string>",
          "type_id": 0,
          "type": "UNKNOWN",
          "value": "<string>"
        }
      ]
    }
  ]
}
Query Parameters
Sort by field
Enable cursor based pagination instead of default offset-based pagination
Datetime filter, only return items updated since this datetime. Example format: 2021-01-01T00:00:00+00:00
Limit size (page size). Constraint: x > 0
Offset index (starting index of the page). Constraint: x > 0
Skips returning the total row count; total is set to null when true
Include device groups in the devices attached to the vulnerability
Include observable data in the response
Response
Number of items returned in the response
List of items returned in the response
Vendor's ID of the alert
Title of the alert, provided by the upstream vendor
Description of alert, provided by the upstream vendor
Assigned user
Vendor's severity
Vendor's status
First event time
Last event time
Resolved time
Source vendor. Available options: crowdstrike, ms_defender_endpoint, sentinelone
Process ID
Process created at
Process filename
Process command line
Process filepath
Process SHA1
Process SHA256
Process MD5
Parent process ID
User name
Windows SID
Active Directory user ID
Active Directory domain
Device attached to the alert; include device groups with the includeDeviceGroups query parameter
Device status. Available options: active, offline, quarantined
Device platform. Available options: mac, windows, linux, unknown
CloudMetadata, currently only AWS is supported. Available options: aws
Vendor specific pass through data, values can vary based on vendor
MITRE Tactics associated with the alert
Tactic name
Tactic ID
Tactic source
Alert severity. Available options: none, low, medium, high, critical, info
Alert status. Available options: unknown, new, in_progress, unresolved, resolved
Observable data associated with the alert
The full name of the observable attribute
The observable value type identifier. Available options: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 99
The observable data type string representation. Available options: UNKNOWN, HOSTNAME, IP_ADDRESS, MAC_ADDRESS, USER_NAME, EMAIL_ADDRESS, URL_STRING, FILE_NAME, HASH, PROCESS_NAME, RESOURCE_UID, PORT, SUBNET, COMMAND_LINE, COUNTRY, PROCESS_ID, HTTP_USER_AGENT, CWE_UID, CVE_UID, USER_CREDENTIAL_ID, ENDPOINT, USER, EMAIL, URL, FILE, PROCESS, GEO_LOCATION, CONTAINER, REGISTRY_KEY, REGISTRY_VALUE, FINGERPRINT, OTHER
The value associated with the observable attribute. The meaning of the value depends on the observable type
Total number of items that can be returned
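The following is an added example of consuming this endpoint from the defender's side; it is not Leen's own client code. It builds the request with the two headers shown above, walks offset-based pages using the count and items fields (stopping on a short page so it also works when totals are skipped and total is null), validates the severity, status and observable type enums documented above, and collects the file hashes and MITRE technique IDs a responder would pivot on. The page documents limit and offset parameters but does not show their names, so the query keys limit and offset are assumptions; the sample pages and the placeholder credentials are constructed, and a fake transport is used so the example runs offline.

```python
"""Consume the Leen EDR alerts endpoint: request construction, offset pagination,
schema validation and triage. Added example, not Leen's own client."""
import json
from collections import defaultdict
from typing import Iterator
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

BASE_URL = "https://api.leen.dev/v1/edr/alerts"  # endpoint from the page
# Enumerations as documented on the page.
SEVERITIES = {"none", "low", "medium", "high", "critical", "info"}
STATUSES = {"unknown", "new", "in_progress", "unresolved", "resolved"}
OBSERVABLE_TYPES = {
    "UNKNOWN", "HOSTNAME", "IP_ADDRESS", "MAC_ADDRESS", "USER_NAME", "EMAIL_ADDRESS",
    "URL_STRING", "FILE_NAME", "HASH", "PROCESS_NAME", "RESOURCE_UID", "PORT", "SUBNET",
    "COMMAND_LINE", "COUNTRY", "PROCESS_ID", "HTTP_USER_AGENT", "CWE_UID", "CVE_UID",
    "USER_CREDENTIAL_ID", "ENDPOINT", "USER", "EMAIL", "URL", "FILE", "PROCESS",
    "GEO_LOCATION", "CONTAINER", "REGISTRY_KEY", "REGISTRY_VALUE", "FINGERPRINT", "OTHER",
}
# ASSUMPTION: the page documents a limit and an offset parameter but not their names.
LIMIT_PARAM, OFFSET_PARAM = "limit", "offset"


def build_request(api_key: str, connection_id: str, **params) -> Request:
    """X-API-KEY authenticates; X-CONNECTION-ID selects which EDR connection to read."""
    url = BASE_URL + ("?" + urlencode(params) if params else "")
    return Request(url, headers={"X-API-KEY": api_key, "X-CONNECTION-ID": connection_id})


def http_get(req: Request) -> dict:
    """Real transport: perform the GET and decode the JSON body."""
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_alerts(api_key: str, connection_id: str, page_size: int = 100,
                transport=http_get) -> Iterator[dict]:
    """Walk offset-based pages. A short (or empty) page ends the walk, so this does
    not depend on `total`, which the API sets to null when totals are skipped."""
    offset = 0
    while True:
        page = transport(build_request(api_key, connection_id,
                                       **{LIMIT_PARAM: page_size, OFFSET_PARAM: offset}))
        items = page.get("items") or []
        yield from items
        if len(items) < page_size:
            return
        offset += len(items)


def validate_alert(alert: dict) -> list:
    """Return the enum violations an ingestion pipeline should flag before mapping."""
    problems = []
    if alert.get("severity") not in SEVERITIES:
        problems.append(f"severity={alert.get('severity')!r}")
    if alert.get("status") not in STATUSES:
        problems.append(f"status={alert.get('status')!r}")
    for obs in alert.get("observables") or []:
        if obs.get("type") not in OBSERVABLE_TYPES:
            problems.append(f"observable type={obs.get('type')!r}")
    return problems


def triage(alerts) -> dict:
    """Group unresolved alerts by severity; gather process hashes, HASH observables
    and MITRE technique IDs for enrichment and hunting."""
    by_sev, hashes, techniques = defaultdict(list), set(), set()
    for a in alerts:
        if a.get("status") == "resolved":
            continue
        by_sev[a["severity"]].append(a["id"])
        for key in ("process_sha256", "process_sha1", "process_md5"):
            if a.get(key):
                hashes.add(a[key])
        for obs in a.get("observables") or []:
            if obs.get("type") == "HASH" and obs.get("value"):
                hashes.add(obs["value"])
        for tactic in a.get("mitre") or []:
            for t in tactic.get("techniques") or []:
                if t.get("technique_id"):
                    techniques.add(t["technique_id"])
    return {"open_by_severity": dict(by_sev), "hashes": hashes, "technique_ids": techniques}


# Constructed sample pages (not real Leen data), keyed by offset, page size 2.
SAMPLE_PAGES = {
    0: {"count": 2, "total": 3, "items": [
        {"id": "a1", "severity": "high", "status": "new", "vendor": "crowdstrike",
         "process_sha256": "0" * 64,
         "mitre": [{"tactic_id": "TA0002", "techniques": [{"technique_id": "T1059"}]}],
         "observables": [{"name": "file.hash", "type_id": 8, "type": "HASH", "value": "1" * 64}]},
        {"id": "a2", "severity": "low", "status": "resolved", "vendor": "sentinelone",
         "observables": []}]},
    2: {"count": 1, "total": 3, "items": [
        {"id": "a3", "severity": "critical", "status": "in_progress",
         "vendor": "ms_defender_endpoint", "process_md5": "2" * 32, "observables": []}]},
}


def fake_transport(req: Request) -> dict:
    """Offline stand-in for http_get: serve SAMPLE_PAGES by the offset in the URL."""
    offset = int(parse_qs(urlparse(req.full_url).query)[OFFSET_PARAM][0])
    return SAMPLE_PAGES.get(offset, {"count": 0, "total": None, "items": []})


def demo() -> dict:
    alerts = list(iter_alerts("API_KEY_PLACEHOLDER", "CONNECTION_ID_PLACEHOLDER",
                              page_size=2, transport=fake_transport))
    return triage(alerts)


if __name__ == "__main__":
    print(demo())
```

Swap fake_transport for the default http_get and real credentials to run it against the API; the enum sets double as a contract check, so a new vendor value shows up as a validation problem instead of silently breaking downstream severity mapping.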