API Documentation
List IDP Alerts
List all the IDP alerts for a given connection. The sort parameter supports severity:asc (lowest to highest criticality) and severity:desc. If no direction is provided, it defaults to asc.
Query Parameters
Sort by field
Enable cursor-based pagination instead of the default offset-based pagination
Datetime filter, only return items updated since this datetime. Example format: 2021-01-01T00:00:00+00:00
Limit size (page size): x > 0
Offset index (starting index of page): x > 0
Skips returning the total rows; total is set to null when true
Severity filter, comma separated
Response
Number of items returned in the response
List of items returned in the response
Time of the alert
Activity ID of the alert
Activity name of the alert
Category name of the alert
Category UID of the alert
Class name of the alert
Class UID of the alert
Enrichments of the alert
The enrichment data associated with the attribute and value
The name of the attribute to which the enriched data pertains
The value of the attribute to which the enriched data pertains
The time when the enrichment data was generated
The time when the enrichment data was generated
A long description of the enrichment data
The enrichment data provider name
The reputation of the enrichment data
The reputation score as reported by the event source
The normalized reputation score identifier. Values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 99
The provider of the reputation information
The reputation score, normalized to the caption of the score_id value. Values: UNKNOWN, VERY_SAFE, SAFE, PROBABLY_SAFE, LEANS_SAFE, MAY_NOT_BE_SAFE, EXERCISE_CAUTION, SUSPICIOUS_RISKY, POSSIBLY_MALICIOUS, PROBABLY_MALICIOUS, MALICIOUS, OTHER
A short description of the enrichment data
The URL of the source of the enrichment data
The enrichment type. For example: location
Evidences of the alert
Details about the user/role/process that was the source
The client application or service that initiated the activity
The unique identifier of the client application or service that initiated the activity
Provides details about an authorization, such as authorization outcome, and any associated policies
Details about the Identity Provider used
The name of the service that invoked the activity (Deprecated since v1.2.0)
The process that initiated the activity
The user session from which the activity was initiated
The user that initiated the activity or the user context
The user's account or the account associated with the user
The unique identifier of the user's credential. For example, AWS Access Key ID
The domain where the user is defined. For example: the LDAP or Active Directory domain
The user's primary email address
The full name of the person, as per the LDAP Common Name attribute (cn)
The administrative groups to which the user belongs
The additional LDAP attributes that describe a person
The username. For example, janedoe1
Organization and org unit related to the user
The risk level, normalized to the caption of the risk_level_id value
The normalized risk level id. Values: 0, 1, 2, 3, 4, 99
The risk score as reported by the event source
The type of the user. For example, System, AWS IAM User, etc
The account type identifier. Values: 0, 1, 2, 3, 99
The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN
The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID
Details about the API call
Verb/Operation associated with the request
The information pertaining to the API group
Details pertaining to the API request
Details pertaining to the API response
The information pertaining to the API service
The version of the API service
Network connection information
The normalized identifier of the direction of the initiated connection, traffic, or email. Values: 0, 1, 2, 3, 99
The boundary of the connection, normalized to the caption of 'boundary_id'
The normalized identifier of the boundary of the connection. Values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 99
The direction of the initiated connection, traffic, or email
The TCP/IP protocol name in lowercase, as defined by IANA. For example: tcp or udp
The TCP/IP protocol number, as defined by IANA. Use -1 if not defined by IANA
The Internet Protocol version
The Internet Protocol version identifier. Values: 0, 4, 6, 99
The authenticated user or service session
The network connection TCP header flags (i.e., control bits)
The unique identifier of the connection
Container details
Commit hash of image created for docker or the SHA256 hash of the container
The container image used as a template to run the container
The container name
The network driver used by the container. For example, bridge, overlay, host, none, etc
The orchestrator managing the container, such as ECS, EKS, K8s, or OpenShift
The unique identifier of the pod (or equivalent) that the container is executing on
The backend running the container, such as containerd or cri-o
The size of the container image
The tag used by the container. It can indicate version, format, OS
The full container unique identifier for this instantiation of the container
Additional evidence data not covered by other fields
Database details
The normalized identifier of the database type. Values: 0, 1, 2, 3, 4, 5, 6, 99
The time when the database was known to have been created
The description of the database
The group names to which the database belongs
The most recent time when any changes, updates, or modifications were made within the database
The database name, ordinarily as assigned by a database administrator
The size of the database in bytes
The database type
The unique identifier of the database
Databucket details
The normalized identifier of the databucket type. Values: 0, 1, 2, 3, 99
The time when the databucket was known to have been created
The description of the databucket
A file within a databucket
The group names to which the databucket belongs
The most recent time when any changes, updates, or modifications were made within the databucket
The databucket name
The size of the databucket in bytes
The databucket type
The unique identifier of the databucket
Addressable device/computer system details
The device type ID. Values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 99
A list of agent objects associated with a device, endpoint, or resource
The unique identifier of the cloud autoscale configuration
The time the system was booted
The time when the device was known to have been created
The description of the device, ordinarily as reported by the operating system
The network domain where the device resides. For example: work.example.com
The initial discovery time of the device
The group names to which the device belongs. For example: ["Windows Laptops", "Engineering"]
The device hostname
The endpoint hardware information
The name of the hypervisor running on the device. For example, Xen, VMware, Hyper-V, VirtualBox, etc
The image used as a template to run the virtual machine
The International Mobile Station Equipment Identifier that is associated with the device
The unique identifier of a VM instance
The name of the network interface (e.g. eth2)
The unique identifier of the network interface
The device IP address, in either IPv4 or IPv6 format
The event occurred on a compliant device
The event occurred on a managed device
The event occurred on a personal device
The event occurred on a trusted device
The most recent discovery time of the device
The geographical location of the device
The Media Access Control (MAC) address of the endpoint
The time when the device was last known to have been modified
The alternate device name, ordinarily as assigned by an administrator
The network interfaces that are associated with the device
Organization and org unit related to the device
The endpoint operating system
The operating system name
The type identifier of the operating system. Values: 0, 100, 101, 200, 201, 300, 301, 302, 400, 401, 402, 99
The operating system build number
The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code)
The Common Platform Enumeration (CPE) name as described by NIST
The CPU architecture, the number of bits used for addressing in memory. For example: 32 or 64
The operating system edition. For example: Professional
The two letter lower case language codes, as defined by ISO 639-1
The name of the latest Service Pack
The version number of the latest Service Pack
The type of the operating system
The version of the OS running on the device that originated the event
The identity of the service or user account that owns the endpoint or was last logged into it
The region where the virtual machine is located. For example, an AWS Region
The risk level, normalized to the caption of the risk_level_id value
The normalized risk level id
The risk score as reported by the event source
The subnet mask
The unique identifier of a virtual subnet
The device type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other
The unique identifier of the device. For example the Windows TargetSID or AWS EC2 ARN
An alternate unique identifier of the device if any. For example the ActiveDirectory DN
The unique identifier of the Virtual LAN (VLAN)
The unique identifier of the Virtual Private Cloud (VPC)
The network zone or LAN segment
Destination network endpoint details
A list of agent objects associated with a device, endpoint, or resource
The Autonomous System details associated with an IP address
The information describing an instance of a container
The name of the domain
The fully qualified name of the endpoint
The endpoint hardware information
The unique identifier of a VM instance
The name of the network interface (e.g. eth2)
The unique identifier of the network interface
The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header
The IP address of the endpoint, in either IPv4 or IPv6 format
The geographical location of the endpoint
The Media Access Control (MAC) address of the endpoint
The short name of the endpoint
If running under a process namespace (such as in a container), the process identifier within that process namespace
The endpoint operating system
The operating system name
The type identifier of the operating system. Values: 0, 100, 101, 200, 201, 300, 301, 302, 400, 401, 402, 99
The operating system build number
The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code)
The Common Platform Enumeration (CPE) name as described by NIST
The CPU architecture, the number of bits used for addressing in memory. For example: 32 or 64
The operating system edition. For example: Professional
The two letter lower case language codes, as defined by ISO 639-1
The name of the latest Service Pack
The version number of the latest Service Pack
The type of the operating system
The version of the OS running on the device that originated the event
The identity of the service or user account that owns the endpoint or was last logged into it
The port used for communication within the network connection
The network proxy information pertaining to a specific endpoint
The unique identifier of a virtual subnet
The service name in service-to-service connections
The network endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other
The network endpoint type ID. Values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 99
The unique identifier of the endpoint
The Virtual LAN identifier
The unique identifier of the Virtual Private Cloud (VPC)
The network zone or LAN segment
Email object details
The email header From values, as defined by RFC 5322
The email header To values, as defined by RFC 5322
The email header Cc values, as defined by RFC 5322
The Delivered-To email header field
The email header Message-Id value, as defined by RFC 5322
The email authentication header
The email header Reply-To values, as defined by RFC 5322
The size in bytes of the email, including attachments
The value of the SMTP MAIL FROM command
The value of the SMTP envelope RCPT TO command
The email header Subject value, as defined by RFC 5322
The email unique identifier
The X-Originating-IP header identifying the email's originating IP address(es)
File details
Scheduled job details
Process details
DNS query details
Registry key details (Windows-specific)
Registry value details (Windows-specific)
Source network endpoint details
A list of agent objects associated with a device, endpoint, or resource
The Autonomous System details associated with an IP address
The information describing an instance of a container
The name of the domain
The fully qualified name of the endpoint
The endpoint hardware information
The unique identifier of a VM instance
The name of the network interface (e.g. eth2)
The unique identifier of the network interface
The intermediate IP Addresses. For example, the IP addresses in the HTTP X-Forwarded-For header
The IP address of the endpoint, in either IPv4 or IPv6 format
The geographical location of the endpoint
The Media Access Control (MAC) address of the endpoint
The short name of the endpoint
If running under a process namespace (such as in a container), the process identifier within that process namespace
The endpoint operating system
The operating system name
The type identifier of the operating system. Values: 0, 100, 101, 200, 201, 300, 301, 302, 400, 401, 402, 99
The operating system build number
The operating system country code, as defined by the ISO 3166-1 standard (Alpha-2 code)
The Common Platform Enumeration (CPE) name as described by NIST
The CPU architecture, the number of bits used for addressing in memory. For example: 32 or 64
The operating system edition. For example: Professional
The two letter lower case language codes, as defined by ISO 639-1
The name of the latest Service Pack
The version number of the latest Service Pack
The type of the operating system
The version of the OS running on the device that originated the event
The identity of the service or user account that owns the endpoint or was last logged into it
The port used for communication within the network connection
The network proxy information pertaining to a specific endpoint
The unique identifier of a virtual subnet
The service name in service-to-service connections
The network endpoint type. For example: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, or other
The network endpoint type ID. Values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 99
The unique identifier of the endpoint
The Virtual LAN identifier
The unique identifier of the Virtual Private Cloud (VPC)
The network zone or LAN segment
URL object details
User details
The user's account or the account associated with the user
The list of labels/tags associated with the account
The name of the account (e.g. GCP Account Name)
The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source
The normalized account type identifier. Values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 99
The unique identifier of the account (e.g. AWS Account ID)
The unique identifier of the user's credential. For example, AWS Access Key ID
The domain where the user is defined. For example: the LDAP or Active Directory domain
The user's primary email address
The full name of the person, as per the LDAP Common Name attribute (cn)
The administrative groups to which the user belongs
The additional LDAP attributes that describe a person
The username. For example, janedoe1
Organization and org unit related to the user
The risk level, normalized to the caption of the risk_level_id value
The normalized risk level id. Values: 0, 1, 2, 3, 4, 99
The risk score as reported by the event source
The type of the user. For example, System, AWS IAM User, etc
The account type identifier. Values: 0, 1, 2, 3, 99
The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN
The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID
Windows service details (Windows-specific)
Finding info of the alert
A title or a brief phrase summarizing the reported finding
The unique identifier of the reported finding
The analytic technique used to analyze and derive insights from the data or information that led to the finding or conclusion
The analytic type ID. Values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 99
The analytic category
The description of the analytic that generated the finding
The name of the analytic that generated the finding
The analytic type
The unique identifier of the analytic that generated the finding
The analytic version. For example: 1.1
The MITRE ATT&CK® technique and associated tactics related to the finding
The time when the finding was created
A list of data sources utilized in generation of the finding
The description of the reported finding
The time when the finding was first observed. For example, the time when a vulnerability was first observed. It can differ from the created_time timestamp, which reflects the time this finding was created
The Cyber Kill Chain® provides a detailed description of each phase and its associated activities within the broader context of a cyber attack
The time when the finding was most recently observed. For example, the time when a vulnerability was most recently observed. It can differ from the modified_time timestamp, which reflects the time this finding was last modified
The time when the finding was last modified
The unique identifier of the product that reported the finding
Other analytics related to this finding
The analytic type ID. Values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 99
The analytic category
The description of the analytic that generated the finding
The name of the analytic that generated the finding
The analytic type
The unique identifier of the analytic that generated the finding
The analytic version. For example: 1.1
Describes events and/or other findings related to the finding as identified by the security product
The URL pointing to the source of the finding
One or more types of the reported finding
Message of the alert
Metadata of the alert
The product that reported the event
The name of the vendor of the product
The Common Platform Enumeration (CPE) name as described by NIST. For example: cpe:/a:apple:safari:16.2
The feature that reported the event
The two letter lower case language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French)
The name of the product
The installation path of the product
The unique identifier of the product
The URL pointing towards the product
The version of the product, as defined by the event source. For example: 2013.1.3-beta
The unique identifier used to correlate events
The Event ID or Code that the product uses to describe the event
The schema extensions used to create the event
The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time
The audit level at which an event was generated
The event log name. For example, syslog file name or Windows logging subsystem: Security
The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing
The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version
The time when the logging system collected and logged the event
An array of Logger objects that describe the devices and logging products between the event source and its eventual destination
The time when the event was last modified or enriched
The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs
The event processed time, such as an ETL operation
The list of profiles used to create the event. Profiles should be referenced by their name attribute for core profiles, or extension/name for profiles from extensions
Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision
The unique tenant identifier
The logging system-assigned unique identifier of an event instance
The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes
Describes details about resources that were the target of the activity that triggered the finding
A list of agents associated with the resource.
The name of the agent.
A list of policies associated with the agent.
A description of the policy.
The group associated with the policy.
Indicates whether the policy is applied.
The name of the policy.
The unique identifier of the policy.
The version of the policy.
The type of the agent.
The type identifier for the agent. Values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 99
The unique identifier of the agent.
An alternate identifier for the agent.
The name of the agent vendor.
The version of the agent.
The criticality level of the resource.
Additional data related to the resource.
The group associated with the resource.
A description of the group.
The domain associated with the group.
The name of the group.
Privileges associated with the group.
The type of the group.
The unique identifier of the group.
Labels or tags associated with the resource.
The name of the resource.
The namespace the resource belongs to.
The owner of the resource.
The user's account or the account associated with the user
The list of labels/tags associated with the account
The name of the account (e.g. GCP Account Name)
The account type, normalized to the caption of 'account_type_id'. In the case of 'Other', it is defined by the event source
The normalized account type identifier. Values: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 99
The unique identifier of the account (e.g. AWS Account ID)
The unique identifier of the user's credential. For example, AWS Access Key ID
The domain where the user is defined. For example: the LDAP or Active Directory domain
The user's primary email address
The full name of the person, as per the LDAP Common Name attribute (cn)
The administrative groups to which the user belongs
The additional LDAP attributes that describe a person
The username. For example, janedoe1
Organization and org unit related to the user
The risk level, normalized to the caption of the risk_level_id value
The normalized risk level id. Values: 0, 1, 2, 3, 4, 99
The risk score as reported by the event source
The type of the user. For example, System, AWS IAM User, etc
The account type identifier. Values: 0, 1, 2, 3, 99
The unique user identifier. For example, the Windows user SID, ActiveDirectory DN or AWS user ARN
The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID
The type of the resource.
The unique identifier of the resource.
The version of the resource.
Severity name of the alert based on OCSF schema. Values: UNKNOWN, INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL, FATAL, OTHER
Severity ID of the alert based on OCSF schema. Values: 0, 1, 2, 3, 4, 5, 6, 99
Type name of the alert event/finding based on OCSF schema. Values: Detection Finding: Unknown, Detection Finding: Create, Detection Finding: Update, Detection Finding: Close, Detection Finding: Other
Type UID of the alert event/finding based on OCSF schema. Values: 200400, 200401, 200402, 200403, 200499
Total number of items that can be returned
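As an added example (not the vendor's SDK or client code), the following poller validates the query parameters described above against the rules the page states (sort direction defaulting to asc, limit > 0, the ISO-8601 updated-since format, a comma-separated severity filter), walks the offset-based pages, and keeps only alerts whose OCSF severity_id falls between a chosen floor and FATAL, so that OTHER (99) is not mistaken for the most severe. The page names only the sort parameter; the other parameter names (updated_since, limit, offset, skip_total, severity), the response keys (count, items, total) and the HTTP transport are assumptions, and the fetch function is a constructed stand-in.

```python
"""Poll List IDP Alerts pages and keep the severe ones. Added example, not the
vendor's SDK: names other than `sort` and the OCSF severity values are assumed."""
from datetime import datetime
from typing import Callable, Dict, Iterator, List, Optional

# OCSF severity_id values listed on this page. OTHER (99) is a sentinel, not a rank.
SEVERITY_ID = {"UNKNOWN": 0, "INFORMATIONAL": 1, "LOW": 2, "MEDIUM": 3,
               "HIGH": 4, "CRITICAL": 5, "FATAL": 6, "OTHER": 99}


def build_query(sort: str = "severity", updated_since: Optional[str] = None,
                limit: int = 100, severities: Optional[List[str]] = None) -> Dict:
    """Validate inputs against the rules stated on the page and return query params."""
    field, _, direction = sort.partition(":")
    if field != "severity":
        raise ValueError(f"unsupported sort field: {field!r}")
    direction = direction or "asc"              # no direction given -> asc (page default)
    if direction not in ("asc", "desc"):
        raise ValueError(f"unsupported sort direction: {direction!r}")
    if limit <= 0:                               # page: limit must be > 0
        raise ValueError("limit must be > 0")
    params: Dict = {"sort": f"{field}:{direction}", "limit": limit}
    if updated_since is not None:
        datetime.fromisoformat(updated_since)    # page format: 2021-01-01T00:00:00+00:00
        params["updated_since"] = updated_since  # parameter name assumed
    if severities:
        unknown = set(severities) - SEVERITY_ID.keys()
        if unknown:
            raise ValueError(f"unknown severities: {sorted(unknown)}")
        params["severity"] = ",".join(severities)  # "comma separated" per the page
    return params


def iter_alerts(fetch: Callable[[Dict], Dict], params: Dict) -> Iterator[Dict]:
    """Walk offset pages; the first request sends no offset (page lists offset > 0)."""
    offset, limit = 0, params["limit"]
    while True:
        query = {**params, "skip_total": True}   # total not needed; page says it becomes null
        if offset:
            query["offset"] = offset
        items = fetch(query).get("items") or []  # response keys assumed: items, count, total
        yield from items
        if len(items) < limit:                   # short or empty page ends the walk
            return
        offset += len(items)


def triage(fetch: Callable[[Dict], Dict], min_severity: str = "HIGH", **query) -> List[Dict]:
    """Alerts with severity_id from min_severity up to FATAL, most severe first."""
    lo, hi = SEVERITY_ID[min_severity], SEVERITY_ID["FATAL"]
    keep = [a for a in iter_alerts(fetch, build_query(**query))
            if lo <= a.get("severity_id", 0) <= hi]
    return sorted(keep, key=lambda a: a["severity_id"], reverse=True)


# Constructed sample alerts (not real data) so the page walk runs offline.
_SAMPLE = [
    {"severity_id": 2, "severity": "LOW", "type_uid": 200401, "message": "a1"},
    {"severity_id": 5, "severity": "CRITICAL", "type_uid": 200401, "message": "a2"},
    {"severity_id": 4, "severity": "HIGH", "type_uid": 200402, "message": "a3"},
    {"severity_id": 99, "severity": "OTHER", "type_uid": 200499, "message": "a4"},
    {"severity_id": 6, "severity": "FATAL", "type_uid": 200403, "message": "a5"},
]


def fake_fetch(params: Dict) -> Dict:
    """Stand-in for the HTTP call: slices _SAMPLE like an offset-paged endpoint."""
    start = params.get("offset", 0)
    chunk = _SAMPLE[start:start + params["limit"]]
    return {"count": len(chunk), "items": chunk, "total": None}
```

Calling triage(fake_fetch, limit=2) walks three pages of the constructed sample and returns the FATAL, CRITICAL and HIGH alerts in that order; swap fake_fetch for a function that performs the authenticated HTTP request to use it against the real endpoint.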