List all the EDR alerts for a given connection.

```bash
curl --request GET \
  --url https://api.leen.dev/v1/edr/alerts \
  --header 'X-API-KEY: <api-key>' \
  --header 'X-CONNECTION-ID: <connection-id>'
```

Example response:

```json
{
  "count": 123,
  "items": [
    {
      "vendor_id": "<string>",
      "title": "<string>",
      "description": "<string>",
      "assigned_user": "<string>",
      "vendor_severity": "<string>",
      "vendor_status": "<string>",
      "first_event_time": "2023-11-07T05:31:56Z",
      "last_event_time": "2023-11-07T05:31:56Z",
      "resolved_time": "2023-11-07T05:31:56Z",
      "vendor": "crowdstrike",
      "verdict": "FALSE_POSITIVE",
      "pid": "<string>",
      "process_created_at": "2023-11-07T05:31:56Z",
      "process_filename": "<string>",
      "process_command_line": "<string>",
      "process_filepath": "<string>",
      "process_sha1": "<string>",
      "process_sha256": "<string>",
      "process_md5": "<string>",
      "parent_pid": "<string>",
      "user_name": "<string>",
      "windows_sid": "<string>",
      "active_directory_user_id": "<string>",
      "active_directory_domain": "<string>",
      "device": {
        "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "status": "active",
        "last_seen": "2023-11-07T05:31:56Z",
        "first_seen": "2023-11-07T05:31:56Z",
        "source_vendors": [
          {
            "vendor": "<string>",
            "vendor_id": "<string>",
            "agent_info": {
              "agent_version": "<string>",
              "signature_version": "<string>",
              "policies": [
                {}
              ]
            }
          }
        ],
        "installed_software": [
          "<string>"
        ],
        "ad_info": {
          "org_unit": "<string>",
          "site_name": "<string>",
          "domain": "<string>",
          "device_id": "<string>"
        },
        "platform": "mac",
        "hostnames": [
          "<string>"
        ],
        "os_version": "<string>",
        "os_major_version": "<string>",
        "os_minor_version": "<string>",
        "fqdns": [
          "<string>"
        ],
        "ipv4s": [
          "<string>"
        ],
        "ipv6s": [
          "<string>"
        ],
        "mac_addresses": [
          "<string>"
        ],
        "cloud_metadata": {
          "cloud_provider": "aws",
          "account_id": "<string>",
          "region": "<string>",
          "availability_zone": "<string>",
          "instance_id": "<string>",
          "instance_type": "<string>",
          "image_id": "<string>",
          "kernel_id": "<string>",
          "vpc_id": "<string>",
          "subnet_id": "<string>"
        },
        "tags": [
          {
            "key": "<string>",
            "value": "<string>",
            "source": "aws"
          }
        ],
        "identities": [
          {
            "username": "<string>",
            "user_sid": "<string>"
          }
        ],
        "vendor_data": {}
      },
      "mitre": [
        {
          "techniques": [
            {
              "technique_name": "<string>",
              "technique_id": "<string>",
              "technique_link": "<string>"
            }
          ],
          "tactic_name": "<string>",
          "tactic_id": "<string>",
          "tactic_source": "<string>"
        }
      ],
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "severity": "none",
      "status": "unknown",
      "observables": [
        {
          "name": "<string>",
          "type_id": 0,
          "type": "UNKNOWN",
          "value": "<string>"
        }
      ],
      "vendor_data": {
        "aggregate_id": "<string>",
        "vendor": "CROWDSTRIKE",
        "falcon_host_link": "<string>"
      }
    }
  ],
  "total": 123
}
```
Query parameters:

- Sort by field
- Enable cursor based pagination instead of default offset-based pagination
- Datetime filter, only return items updated since this datetime. Example format: 2021-01-01T00:00:00+00:00
- Limit size (page size). Constraint: x >= 0
- Offset index (starting index of page). Constraint: x >= 0
- Skips returning the total rows; total is set to null when true
- Skip token to continue from the last item in the previous page
- Include device groups in the devices attached to the vulnerability
- Include observable data in the response
Successful Response

- count: Number of items returned in the response
- items: List of items returned in the response. Each item carries:
  - vendor_id: Vendor's ID of the alert
  - title: Title of the alert, provided by the upstream vendor
  - description: Description of the alert, provided by the upstream vendor
  - assigned_user: Assigned user
  - vendor_severity: Vendor's severity
  - vendor_status: Vendor's status
  - first_event_time: First event time
  - last_event_time: Last event time
  - resolved_time: Resolved time
  - vendor: Source vendor. One of: crowdstrike, ms_defender_endpoint, sentinelone
  - verdict: Analyst verdict. One of: FALSE_POSITIVE, TRUE_POSITIVE, SUSPICIOUS, IGNORED, UNKNOWN
  - pid: Process ID
  - process_created_at: Process created at
  - process_filename: Process filename
  - process_command_line: Process command line
  - process_filepath: Process filepath
  - process_sha1: Process SHA1
  - process_sha256: Process SHA256
  - process_md5: Process MD5
  - parent_pid: Parent process ID
  - user_name: User name
  - windows_sid: Windows SID
  - active_directory_user_id: Active Directory user ID
  - active_directory_domain: Active Directory domain
  - device: Device attached to the alert; include device groups with the includeDeviceGroups query parameter
    - status: One of: active, offline, quarantined, unknown, deleted
    - platform: One of: mac, windows, linux, unknown
    - cloud_metadata: CloudMetadata, currently only AWS is supported
      - cloud_provider: aws
    - vendor_data: Vendor specific pass through data, values can vary based on vendor
  - mitre: MITRE Tactics associated with the alert
    - techniques
    - tactic_name: Tactic name
    - tactic_id: Tactic ID
    - tactic_source: Tactic source
  - id
  - severity: Alert severity. One of: none, low, medium, high, critical, info
  - status: Alert status. One of: unknown, new, in_progress, unresolved, resolved
  - observables: Observable data associated with the alert
    - name: The full name of the observable attribute
    - type_id: The observable value type identifier. One of: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 99
    - type: The observable data type string representation. One of: UNKNOWN, HOSTNAME, IP_ADDRESS, MAC_ADDRESS, USER_NAME, EMAIL_ADDRESS, URL_STRING, FILE_NAME, HASH, PROCESS_NAME, RESOURCE_UID, PORT, SUBNET, COMMAND_LINE, COUNTRY, PROCESS_ID, HTTP_USER_AGENT, CWE_UID, CVE_UID, USER_CREDENTIAL_ID, ENDPOINT, USER, EMAIL, URL, FILE, PROCESS, GEO_LOCATION, CONTAINER, REGISTRY_KEY, REGISTRY_VALUE, FINGERPRINT, OTHER
    - value: The value associated with the observable attribute. The meaning of the value depends on the observable type
  - vendor_data: Vendor specific pass through data, values can vary based on vendor
- total: Total number of items that can be returned
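The following is an added example, not Leen's own client code or SDK. It shows how a consumer would walk the offset-based pages of this endpoint using the `count`/`items`/`total` envelope above (including the case where `total` is null because totals were skipped) and then reduce each alert to the fields an analyst pivots on: host, process hashes, `HASH` and `IP_ADDRESS` observables, ATT&CK technique IDs, severity, status and verdict. The `X-API-KEY` and `X-CONNECTION-ID` headers and the URL are from this page; the query parameter names `offset` and `limit` used in `live_page_fetcher` are assumptions, and everything in `SAMPLE_ALERTS` is constructed so the example runs offline. The triage ordering (drop resolved alerts and FALSE_POSITIVE/IGNORED verdicts, sort by severity) is this example's own policy, not something the API does for you.

```python
"""Page through /v1/edr/alerts and build a triage queue from the documented fields."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator

SEVERITY_RANK = {"critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1, "none": 0}
CLOSED_STATUSES = {"resolved"}                  # alert status values needing no analyst action
NOISE_VERDICTS = {"FALSE_POSITIVE", "IGNORED"}   # analyst verdicts that dismiss an alert


def live_page_fetcher(api_key: str, connection_id: str) -> Callable[[int, int], dict]:
    """Return fetch_page(offset, limit) that calls the real endpoint.
    Header names come from the page; the `offset`/`limit` query names are assumed."""
    def fetch_page(offset: int, limit: int) -> dict:
        query = urllib.parse.urlencode({"offset": offset, "limit": limit})
        req = urllib.request.Request(
            f"https://api.leen.dev/v1/edr/alerts?{query}",
            headers={"X-API-KEY": api_key, "X-CONNECTION-ID": connection_id},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_page


def iter_alerts(fetch_page: Callable[[int, int], dict], page_size: int = 100) -> Iterator[dict]:
    """Walk offset-based pages until exhausted. Stops on a short page, so it also
    terminates when `total` is null (the page says totals can be skipped)."""
    offset = 0
    while True:
        page = fetch_page(offset, page_size)
        items = page.get("items") or []
        yield from items
        count = page.get("count", len(items))
        offset += count
        if count == 0 or count < page_size:
            return
        total = page.get("total")
        if total is not None and offset >= total:
            return


def summarise(alert: dict) -> dict:
    """Reduce one alert to host, file hashes, IPs and ATT&CK technique IDs."""
    observables = alert.get("observables") or []
    hashes = {alert[k] for k in ("process_sha256", "process_sha1", "process_md5") if alert.get(k)}
    hashes |= {o["value"] for o in observables if o.get("type") == "HASH"}
    ips = {o["value"] for o in observables if o.get("type") == "IP_ADDRESS"}
    techniques = {t["technique_id"]
                  for tactic in alert.get("mitre") or []
                  for t in tactic.get("techniques") or []}
    device = alert.get("device") or {}
    return {
        "id": alert["id"],
        "vendor": alert.get("vendor"),
        "severity": alert.get("severity", "none"),
        "status": alert.get("status", "unknown"),
        "verdict": alert.get("verdict", "UNKNOWN"),
        "host": (device.get("hostnames") or ["<unknown>"])[0],
        "hashes": sorted(hashes),
        "ips": sorted(ips),
        "techniques": sorted(techniques),
    }


def triage_queue(alerts) -> list:
    """Open, non-dismissed alerts ordered by severity (then id, for a stable order)."""
    open_alerts = [s for s in map(summarise, alerts)
                   if s["status"] not in CLOSED_STATUSES and s["verdict"] not in NOISE_VERDICTS]
    return sorted(open_alerts, key=lambda s: (-SEVERITY_RANK.get(s["severity"], 0), s["id"]))


# ---- constructed sample data standing in for the live API -------------------
def _alert(aid, severity, status, verdict, sha256, host, techniques, observables):
    """One alert in the page's schema, limited to the fields this example reads."""
    return {
        "id": aid, "vendor": "crowdstrike", "severity": severity, "status": status,
        "verdict": verdict, "process_sha256": sha256,
        "device": {"id": f"dev-{aid}", "hostnames": [host], "platform": "windows"},
        "mitre": [{"tactic_id": "TA0002", "tactic_name": "Execution", "tactic_source": "vendor",
                   "techniques": [{"technique_id": t, "technique_name": t, "technique_link": ""}
                                  for t in techniques]}],
        "observables": [{"name": n, "type": t, "type_id": i, "value": v} for n, t, i, v in observables],
    }


SAMPLE_ALERTS = [  # made-up values: placeholder hex hashes, documentation-range IP
    _alert("a1", "high", "new", "UNKNOWN", "aa" * 32, "ws-01", ["T1059.001"],
           [("process.file.hashes", "HASH", 8, "aa" * 32),
            ("dst_endpoint.ip", "IP_ADDRESS", 2, "203.0.113.10")]),
    _alert("a2", "critical", "in_progress", "TRUE_POSITIVE", "bb" * 32, "srv-02", ["T1059.003"],
           [("process.file.hashes", "HASH", 8, "bb" * 32)]),
    _alert("a3", "medium", "resolved", "FALSE_POSITIVE", "cc" * 32, "ws-03", [], []),
]


def sample_page_fetcher(skip_total: bool = False) -> Callable[[int, int], dict]:
    """Serve SAMPLE_ALERTS with the same count/items/total envelope as the API."""
    def fetch_page(offset: int, limit: int) -> dict:
        items = SAMPLE_ALERTS[offset:offset + limit]
        return {"count": len(items), "items": items,
                "total": None if skip_total else len(SAMPLE_ALERTS)}
    return fetch_page


if __name__ == "__main__":
    for entry in triage_queue(iter_alerts(sample_page_fetcher(), page_size=2)):
        print(json.dumps(entry))
```

Swap `sample_page_fetcher()` for `live_page_fetcher(api_key, connection_id)` to run against the API; the pagination loop and summariser are unchanged. Deduplicating `process_sha256` against the `HASH` observables matters in practice because vendors often emit the same hash in both places.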