API Documentation
List IDP Alerts
List all the IDP alerts for a given connection. The sort parameter supports severity:asc (lowest to highest criticality) and severity:desc (highest to lowest). If no direction is provided, it defaults to asc.
Query Parameters
- Sort by field
- Datetime filter: only return items updated since this datetime. Example format: 2021-01-01T00:00:00+00:00
- Limit size (page size). Constraint: x > 0
- Offset index (starting index of page). Constraint: x > 0
- Skip total: skips returning the total rows; total is set to null when true
- Severity filter, comma separated
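The query parameters above define the contract a collector has to respect: a page size, an offset, an optional updated-since watermark, and a flag that makes the server skip the total (in which case total comes back null, so the client cannot use it to decide when to stop). The following Python client is an added example, not the vendor's SDK. The page names only the sort parameter; the names limit, offset, updated_since, skip_total and severity, and 0-based offsets, are assumptions, and fake_list_idp_alerts is a constructed stand-in for the HTTP call that mimics the documented behaviour so the logic runs offline.

```python
"""Paged, incremental pull of IDP alerts.

Added example; this is not the vendor's SDK. The page names only the
sort parameter, so the other parameter names used here (limit, offset,
updated_since, skip_total, severity) are ASSUMPTIONS, as is 0-based
offset paging. fake_list_idp_alerts is a constructed stand-in for the
HTTP endpoint that mimics the documented behaviour so the client logic
runs offline; swap in a real HTTP call with the same (params -> page)
shape to use it for real.
"""
from datetime import datetime
from typing import Callable, Dict, Iterator, List, Optional, Tuple

Params = Dict[str, object]
Page = Dict[str, object]  # {"count": int, "items": [...], "total": int | None}

# Constructed sample alerts (not real data), each with a metadata.uid,
# an OCSF severity_id/severity pair and an ISO-8601 time.
FAKE_ALERTS: List[dict] = [
    {"metadata": {"uid": f"alrt-{i:03d}"}, "severity_id": sev,
     "severity": name, "time": f"2024-05-0{day}T00:00:00+00:00"}
    for i, (sev, name, day) in enumerate([
        (4, "HIGH", 1), (2, "LOW", 1), (5, "CRITICAL", 2), (4, "HIGH", 2),
        (3, "MEDIUM", 3), (1, "INFORMATIONAL", 3), (6, "FATAL", 4)])
]


def fake_list_idp_alerts(params: Params) -> Page:
    """Stand-in for List IDP Alerts: severity filter (comma separated),
    updated-since filter, severity:asc|desc sort, limit/offset paging,
    and total=None when the caller asks to skip the total."""
    items = list(FAKE_ALERTS)
    if params.get("severity"):
        wanted = {int(s) for s in str(params["severity"]).split(",")}
        items = [a for a in items if a["severity_id"] in wanted]
    if params.get("updated_since"):
        since = datetime.fromisoformat(str(params["updated_since"]))
        items = [a for a in items if datetime.fromisoformat(a["time"]) >= since]
    field, _, direction = str(params.get("sort", "severity:asc")).partition(":")
    if field == "severity":
        items.sort(key=lambda a: a["severity_id"], reverse=(direction == "desc"))
    offset, limit = int(params.get("offset", 0)), int(params.get("limit", 50))
    page = items[offset:offset + limit]
    return {"count": len(page), "items": page,
            "total": None if params.get("skip_total") else len(items)}


def iter_alerts(fetch: Callable[[Params], Page], *, limit: int = 100,
                severity: Optional[str] = None,
                updated_since: Optional[str] = None,
                sort: str = "severity:desc") -> Iterator[dict]:
    """Walk every page of results. The total is skipped (cheaper for the
    server, and null in the response when skipped), so termination is
    decided by a short page, never by comparing offset against total.
    Duplicates are dropped by metadata.uid: offset paging over a live
    alert set can re-serve a row when new alerts shift the window."""
    params: Params = {"limit": limit, "skip_total": True, "sort": sort}
    if severity:
        params["severity"] = severity
    if updated_since:
        params["updated_since"] = updated_since
    offset, seen = 0, set()
    while True:
        page = fetch({**params, "offset": offset})
        for alert in page["items"]:
            uid = alert["metadata"]["uid"]
            if uid in seen:
                continue
            seen.add(uid)
            yield alert
        if page["count"] < limit:
            return
        offset += page["count"]


def sync(fetch: Callable[[Params], Page], watermark: Optional[str],
         **kw) -> Tuple[List[dict], Optional[str]]:
    """Incremental pull: fetch alerts updated since `watermark` and return
    them with the new watermark (newest alert time seen). The since filter
    is treated as inclusive, so the newest alert from one run is re-served
    by the next; that is why callers persist uids, not just the watermark."""
    alerts = list(iter_alerts(fetch, updated_since=watermark, **kw))
    newest = max((a["time"] for a in alerts), default=watermark)
    return alerts, newest


if __name__ == "__main__":
    pulled, mark = sync(fake_list_idp_alerts, None, limit=2)
    print(len(pulled), "alerts, watermark", mark)
```

A loop of the form while offset < total breaks as soon as the total is skipped (total is null), so the short-page check is the only stopping rule that works in both modes. Because the since filter is treated as inclusive here, a run will re-serve the newest alert from the previous run; persisting the alert uids alongside the watermark is what keeps the pull idempotent.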
Response
Number of items returned in the response
List of items returned in the response
Activity ID of the alert
Activity name of the alert
Category name of the alert
Category UID of the alert
Class name of the alert
Class UID of the alert
Enrichments of the alert
The name of the attribute to which the enriched data pertains
The value of the attribute to which the enriched data pertains
The enrichment data associated with the attribute and value
The time when the enrichment data was generated
The enrichment data provider name
A short description of the enrichment data
The URL of the source of the enrichment data
The enrichment type. For example: location
The time when the enrichment data was generated
A long description of the enrichment data
The reputation of the enrichment data
The reputation score as reported by the event source
The normalized reputation score identifier. Allowed values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 99
The provider of the reputation information
The reputation score, normalized to the caption of the score_id value
Evidences of the alert
Details about the user/role/process that was the source
The process that initiated the activity
The user that initiated the activity or the user context
The username. For example, janedoe1
The account type identifier. Allowed values: 0, 1, 2, 3, 99
The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN
The user's account or the account associated with the user
The unique identifier of the user's credential. For example, AWS Access Key ID
The domain where the user is defined. For example: the LDAP or Active Directory domain
The user's primary email address
The full name of the person, as per the LDAP Common Name attribute (cn)
The administrative groups to which the user belongs
The additional LDAP attributes that describe a person
Organization and org unit related to the user
The risk level, normalized to the caption of the risk_level_id value
The normalized risk level id. Allowed values: 0, 1, 2, 3, 4, 99
The risk score as reported by the event source
The type of the user. For example, System, AWS IAM User, etc
The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID
The unique identifier of the client application or service that initiated the activity
The client application or service that initiated the activity
Provides details about an authorization, such as authorization outcome, and any associated policies
Details about the Identity Provider used
The name of the service that invoked the activity (Deprecated since v1.2.0)
The user session from which the activity was initiated
Details about the API call
Verb/Operation associated with the request
Details pertaining to the API request
Details pertaining to the API response
The information pertaining to the API group
The information pertaining to the API service
The version of the API service
Network connection information
The normalized identifier of the direction of the initiated connection, traffic, or email. Allowed values: 0, 1, 2, 3, 99
The TCP/IP protocol name in lowercase, as defined by IANA. For example: tcp or udp
The TCP/IP protocol number, as defined by IANA. Use -1 if not defined by IANA
The Internet Protocol version identifier. Allowed values: 0, 4, 6, 99
The normalized identifier of the boundary of the connection. Allowed values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 99
The unique identifier of the connection
The boundary of the connection, normalized to the caption of 'boundary_id'
The direction of the initiated connection, traffic, or email
The Internet Protocol version
The authenticated user or service session
The network connection TCP header flags (i.e., control bits)
Container details
Commit hash of image created for docker or the SHA256 hash of the container
The container image used as a template to run the container
The container name
The size of the container image
The full container unique identifier for this instantiation of the container
The tag used by the container. It can indicate version, format, OS
The network driver used by the container. For example, bridge, overlay, host, none, etc
The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift
The unique identifier of the pod (or equivalent) that the container is executing on
The backend running the container, such as containerd or cri-o
Database details
The normalized identifier of the database type. Allowed values: 0, 1, 2, 3, 4, 5, 6, 99
The database name, ordinarily as assigned by a database administrator
The database type
The unique identifier of the database
The time when the database was known to have been created
The description of the database
The group names to which the database belongs
The most recent time when any changes, updates, or modifications were made within the database
The size of the database in bytes
Databucket details
The normalized identifier of the databucket type. Allowed values: 0, 1, 2, 3, 99
The unique identifier of the databucket
The databucket type
The databucket name
The size of the databucket in bytes
The most recent time when any changes, updates, or modifications were made within the databucket
The group names to which the databucket belongs
A file within a databucket
The description of the databucket
The time when the databucket was known to have been created
Addressable device/computer system details
The device type ID. Allowed values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 99
The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN
The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other
The region where the virtual machine is located. For example, an AWS Region
The identity of the service or user account that owns the endpoint or was last logged into it
The name of the network interface (e.g. eth2)
The unique identifier of the network interface
The unique identifier of a VM instance
The device hostname
The unique identifier of the Virtual Private Cloud (VPC)
The unique identifier of the Virtual LAN (VLAN)
A list of agent objects associated with a device, endpoint, or resource
An alternate unique identifier of the device if any. For example the ActiveDirectory DN
The unique identifier of the cloud autoscale configuration
The time the system was booted
The event occurred on a compliant device
The time when the device was known to have been created
The description of the device, ordinarily as reported by the operating system
The network domain where the device resides. For example: work.example.com
The initial discovery time of the device
The geographical location of the device
The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"]
The endpoint hardware information
The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc
The International Mobile Station Equipment Identifier that is associated with the device
The device IP address, in either IPv4 or IPv6 format
The image used as a template to run the virtual machine
The most recent discovery time of the device
The Media Access Control (MAC) address of the endpoint
The event occurred on a managed device
The time when the device was last known to have been modified
The alternate device name, ordinarily as assigned by an administrator
The network interfaces that are associated with the device
The network zone or LAN segment
The endpoint operating system
The operating system name
The type identifier of the operating system. Allowed values: 0, 100, 101, 200, 201, 300, 301, 302, 400, 401, 402, 99
The operating system build number
The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code)
The Common Platform Enumeration (CPE) name, as described by NIST
The CPU architecture: the number of bits used for memory addressing. For example: 32 or 64
The operating system edition. For example: Professional
The two letter lower case language codes, as defined by ISO 639-1
The name of the latest Service Pack
The version number of the latest Service Pack
The type of the operating system
The version of the OS running on the device that originated the event
Organization and org unit related to the device
The event occurred on a personal device
The risk level, normalized to the caption of the risk_level_id value
The normalized risk level id
The risk score as reported by the event source
The subnet mask
The unique identifier of a virtual subnet
The event occurred on a trusted device
Destination network endpoint details
The information describing an instance of a container
The fully qualified name of the endpoint
The unique identifier of a VM instance
The name of the network interface (e.g. eth2)
The unique identifier of the network interface
The IP address of the endpoint, in either IPv4 or IPv6 format
The short name of the endpoint
If running under a process namespace (such as in a container), the process identifier within that process namespace
The identity of the service or user account that owns the endpoint or was last logged into it
The port used for communication within the network connection
The service name in service-to-service connections
The network endpoint type ID. Allowed values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 99
The unique identifier of the endpoint
A list of agent objects associated with a device, endpoint, or resource
The Autonomous System details associated with an IP address
The name of the domain
The endpoint hardware information
The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header
The geographical location of the endpoint
The Media Access Control (MAC) address of the endpoint
The endpoint operating system
The operating system name
The type identifier of the operating system. Allowed values: 0, 100, 101, 200, 201, 300, 301, 302, 400, 401, 402, 99
The operating system build number
The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code)
The Common Platform Enumeration (CPE) name, as described by NIST
The CPU architecture: the number of bits used for memory addressing. For example: 32 or 64
The operating system edition. For example: Professional
The two letter lower case language codes, as defined by ISO 639-1
The name of the latest Service Pack
The version number of the latest Service Pack
The type of the operating system
The version of the OS running on the device that originated the event
The network proxy information pertaining to a specific endpoint
The unique identifier of a virtual subnet
The network endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other
The Virtual LAN identifier
The unique identifier of the Virtual Private Cloud (VPC)
The network zone or LAN segment
Email object details
The email header From values, as defined by RFC 5322
The email header To values, as defined by RFC 5322
The email header Message-Id value, as defined by RFC 5322
The email header Reply-To values, as defined by RFC 5322
The size in bytes of the email, including attachments
The value of the SMTP MAIL FROM command
The value of the SMTP envelope RCPT TO command
The email header Subject value, as defined by RFC 5322
The email unique identifier
The email header Cc values, as defined by RFC 5322
The Delivered-To email header field
The email authentication header
The X-Originating-IP header identifying the email's originating IP address(es)
File details
Scheduled job details
Process details
DNS query details
Registry key details (Windows-specific)
Registry value details (Windows-specific)
Source network endpoint details
The information describing an instance of a container
The fully qualified name of the endpoint
The unique identifier of a VM instance
The name of the network interface (e.g. eth2)
The unique identifier of the network interface
The IP address of the endpoint, in either IPv4 or IPv6 format
The short name of the endpoint
If running under a process namespace (such as in a container), the process identifier within that process namespace
The identity of the service or user account that owns the endpoint or was last logged into it
The port used for communication within the network connection
The service name in service-to-service connections
The network endpoint type ID. Allowed values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 99
The unique identifier of the endpoint
A list of agent objects associated with a device, endpoint, or resource
The Autonomous System details associated with an IP address
The name of the domain
The endpoint hardware information
The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header
The geographical location of the endpoint
The Media Access Control (MAC) address of the endpoint
The endpoint operating system
The operating system name
The type identifier of the operating system. Allowed values: 0, 100, 101, 200, 201, 300, 301, 302, 400, 401, 402, 99
The operating system build number
The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code)
The Common Platform Enumeration (CPE) name, as described by NIST
The CPU architecture: the number of bits used for memory addressing. For example: 32 or 64
The operating system edition. For example: Professional
The two letter lower case language codes, as defined by ISO 639-1
The name of the latest Service Pack
The version number of the latest Service Pack
The type of the operating system
The version of the OS running on the device that originated the event
The network proxy information pertaining to a specific endpoint
The unique identifier of a virtual subnet
The network endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other
The Virtual LAN identifier
The unique identifier of the Virtual Private Cloud (VPC)
The network zone or LAN segment
URL object details
User details
The username. For example, janedoe1
The account type identifier. Allowed values: 0, 1, 2, 3, 99
The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN
The user's account or the account associated with the user
The name of the account (e.g. GCP Account Name)
The normalized account type identifier. Allowed values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 99
The unique identifier of the account (e.g. AWS Account ID)
The list of labels/tags associated to the account
The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source
The unique identifier of the user's credential. For example, AWS Access Key ID
The domain where the user is defined. For example: the LDAP or Active Directory domain
The user's primary email address
The full name of the person, as per the LDAP Common Name attribute (cn)
The administrative groups to which the user belongs
The additional LDAP attributes that describe a person
Organization and org unit related to the user
The risk level, normalized to the caption of the risk_level_id value
The normalized risk level id. Allowed values: 0, 1, 2, 3, 4, 99
The risk score as reported by the event source
The type of the user. For example, System, AWS IAM User, etc
The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID
Windows service details (Windows-specific)
Additional evidence data not covered by other fields
Finding info of the alert
A title or a brief phrase summarizing the reported finding
The unique identifier of the reported finding
The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion
The analytic type ID. Allowed values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 99
The name of the analytic that generated the finding
The unique identifier of the analytic that generated the finding
The analytic category
The description of the analytic that generated the finding
The analytic type
The analytic version. For example: 1.1
The MITRE ATT&CK® technique and associated tactics related to the finding
The time when the finding was created
A list of data sources utilized in generation of the finding
The description of the reported finding
The time when the finding was first observed. e.g. The time when a vulnerability was first observed. It can differ from the created_time timestamp, which reflects the time this finding was created
The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack
The time when the finding was most recently observed. e.g. The time when a vulnerability was most recently observed. It can differ from the modified_time timestamp, which reflects the time this finding was last modified
The time when the finding was last modified
The unique identifier of the product that reported the finding
Other analytics related to this finding
The analytic type ID. Allowed values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 99
The name of the analytic that generated the finding
The unique identifier of the analytic that generated the finding
The analytic category
The description of the analytic that generated the finding
The analytic type
The analytic version. For example: 1.1
Describes events and/or other findings related to the finding as identified by the security product
The URL pointing to the source of the finding
One or more types of the reported finding
Metadata of the alert
The product that reported the event
The name of the vendor of the product
The name of the product
The unique identifier of the product
The version of the product, as defined by the event source. For example: 2013.1.3-beta
The Common Platform Enumeration (CPE) name, as described by NIST. For example: cpe:/a:apple:safari:16.2
The feature that reported the event
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French)
The installation path of the product
The URL pointing towards the product
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes
The event log name. For example, syslog file name or Windows logging subsystem: Security
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs
The unique tenant identifier
The unique identifier used to correlate events
The Event ID or Code that the product uses to describe the event
The logging system-assigned unique identifier of an event instance
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time
The audit level at which an event was generated
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version
The time when the logging system collected and logged the event
An array of Logger objects that describe the devices and logging products between the event source and its eventual destination
The time when the event was last modified or enriched
The event processed time, such as an ETL operation
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions
The schema extensions used to create the event
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision
Message of the alert
Severity name of the alert based on OCSF schema. Allowed values: UNKNOWN, INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL, FATAL, OTHER
Severity ID of the alert based on OCSF schema. Allowed values: 0, 1, 2, 3, 4, 5, 6, 99
Type UID of the alert event/finding based on OCSF schema. Value: 200401
Type name of the alert event/finding based on OCSF schema. Value: Detection Finding: Create
Time of the alert
Total number of items that can be returned
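The response fields above are OCSF Detection Finding attributes, and two of them are derivable from others: the severity caption must match severity_id (the two tables above are in the same order), and type_uid must equal class_uid * 100 + activity_id (2004 * 100 + 1 = 200401, the value shown). An alert feed that contradicts itself is a sign of a broken mapping layer, and any rule keyed on severity_id or type_uid would misfire on it silently. As an added example, not vendor code, here is a Python checker that quarantines items breaking those invariants and a triage flattener that pulls the actor user, source endpoint IP, ATT&CK technique IDs and suspicious enrichment reputations out of each alert. Assumptions: evidences may arrive as one object or a list, finding_info holds its ATT&CK data under an attacks list of {"technique": {"uid": ...}}, the reputation threshold uses OCSF score_id 7 (Suspicious/Risky), and the sample alerts are constructed.

```python
"""Consistency checks and a triage summary over List IDP Alerts items.

Added example, not vendor code. It reads the OCSF Detection Finding
attributes this page describes (severity_id/severity, class_uid,
activity_id, type_uid, evidences, finding_info, enrichments, metadata).
ASSUMPTIONS: evidences may be a single object or a list, finding_info
carries its ATT&CK data as an `attacks` list of {"technique": {"uid"}},
and the sample alerts below are constructed, not real output.
"""
from typing import Dict, List, Tuple

# OCSF severity captions keyed by severity_id, as listed on this page.
SEVERITY = {0: "UNKNOWN", 1: "INFORMATIONAL", 2: "LOW", 3: "MEDIUM",
            4: "HIGH", 5: "CRITICAL", 6: "FATAL", 99: "OTHER"}
# OCSF reputation score_id 7 is "Suspicious/Risky"; anything at or above
# it is worth surfacing in triage (assumed threshold).
SUSPICIOUS_SCORE_ID = 7

SAMPLE_ALERTS: List[dict] = [  # constructed sample data
    {"metadata": {"uid": "a-1"}, "class_uid": 2004, "activity_id": 1,
     "type_uid": 200401, "severity_id": 4, "severity": "HIGH",
     "time": "2024-05-02T10:00:00+00:00",
     "evidences": [{"actor": {"user": {"name": "janedoe1"}},
                    "src_endpoint": {"ip": "203.0.113.7"}}],
     "finding_info": {"attacks": [{"technique": {"uid": "T1078"}}]},
     "enrichments": [{"name": "src_endpoint.ip", "value": "203.0.113.7",
                      "reputation": {"score_id": 9}}]},
    {"metadata": {"uid": "a-2"}, "class_uid": 2004, "activity_id": 1,
     "type_uid": 200401, "severity_id": 5, "severity": "CRITICAL",
     "time": "2024-05-01T09:00:00+00:00",
     "evidences": {"actor": {"user": {"name": "svc-backup"}}}},
    {"metadata": {"uid": "a-3"}, "class_uid": 2004, "activity_id": 1,
     "type_uid": 200401, "severity_id": 3, "severity": "HIGH",  # caption mismatch
     "time": "2024-05-03T08:00:00+00:00"},
    {"metadata": {"uid": "a-4"}, "class_uid": 2004, "activity_id": 1,
     "type_uid": 200402, "severity_id": 2, "severity": "LOW",  # bad type_uid
     "time": "2024-05-03T08:30:00+00:00"},
]


def check_alert(alert: dict) -> List[str]:
    """Return schema-consistency problems (empty list means clean)."""
    problems: List[str] = []
    sid = alert.get("severity_id")
    if sid not in SEVERITY:
        problems.append(f"severity_id {sid!r} is not an OCSF severity id")
    elif alert.get("severity") != SEVERITY[sid]:
        problems.append(
            f"severity caption {alert.get('severity')!r} != {SEVERITY[sid]}")
    # OCSF derives type_uid as class_uid * 100 + activity_id
    # (Detection Finding 2004, Create 1 -> 200401 as this page shows).
    expected = int(alert.get("class_uid", 0)) * 100 + int(alert.get("activity_id", 0))
    if alert.get("type_uid") != expected:
        problems.append(
            f"type_uid {alert.get('type_uid')} != class_uid*100+activity_id ({expected})")
    return problems


def triage_row(alert: dict) -> Dict[str, object]:
    """Flatten the fields an analyst looks at first."""
    ev = alert.get("evidences") or []
    ev = [ev] if isinstance(ev, dict) else list(ev)  # object or list (assumption)
    first = ev[0] if ev else {}
    user = (first.get("actor") or {}).get("user") or {}
    src = first.get("src_endpoint") or {}
    attacks = (alert.get("finding_info") or {}).get("attacks") or []
    techniques = [a["technique"]["uid"] for a in attacks
                  if a.get("technique", {}).get("uid")]
    flagged = [e for e in alert.get("enrichments") or []
               if (e.get("reputation") or {}).get("score_id", 0) >= SUSPICIOUS_SCORE_ID]
    return {"uid": (alert.get("metadata") or {}).get("uid"),
            "severity_id": alert["severity_id"], "user": user.get("name"),
            "src_ip": src.get("ip"), "techniques": techniques,
            "suspicious_enrichments": len(flagged), "time": alert.get("time")}


def triage(alerts: List[dict]) -> Tuple[List[dict], List[Tuple[str, List[str]]]]:
    """Split alerts into (triage rows, rejected). Rejected alerts are kept
    with their problems so they can be quarantined, never silently dropped:
    a malformed alert is itself something to investigate."""
    rows, rejected = [], []
    for a in alerts:
        problems = check_alert(a)
        if problems:
            rejected.append(((a.get("metadata") or {}).get("uid"), problems))
        else:
            rows.append(triage_row(a))
    # Highest severity first, oldest first within a severity.
    rows.sort(key=lambda r: (-int(r["severity_id"]), str(r["time"] or "")))
    return rows, rejected


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_ALERTS)
    for row in ok:
        print(row)
    for uid, why in bad:
        print("REJECTED", uid, why)
```

Rejected items are returned rather than discarded so a pipeline can route them to a quarantine queue; a producer that starts emitting inconsistent severity captions or type UIDs is a data-quality incident in its own right, and dropping those rows would hide it.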